High level diff of iOS 26.3 beta3 vs. iOS 26.3 RC 🎉

https://github.com/blacktop/ipsw-diffs/blob/main/26_3_23D5114d__vs_26_3_23D125/README.md

@glyph i wrote about it maybe 6 years ago but I'm thinking of revisiting it

the 6-years-ago comics:

- the same origin policy: https://wizardzines.com/comics/same-origin-policy/
- why we have the same origin policy: https://wizardzines.com/comics/why-same-origin-matters/
- cors: https://wizardzines.com/comics/cors/

@algernon I'm recommending this because of the "how to make using it easy" part. The repos I linked are just examples, the APIs defined by these libraries are the gist.

@algernon sodium/tink

https://github.com/project-oak/tink-rust
https://github.com/jedisct1/libsodium-rs

(not sure if pure rust implementations are available)

TIL In #Proxmox when you *move* a disk, the original one doesn't get deleted but remains attached to the VM as "unused". Space gets only freed up in the original storage when you remove it from the VM.

#ProTip

It seems Windows can't even launch its terminal properly, this issue is open for >5 years:

https://github.com/microsoft/terminal/issues/4750

@cR0w @ai6yr It's John McLane vs helicopter

@bagder People probably pay less attention than you think (this is a general rule of thumb of mine), they may still assume there is monetary reward even without H1. IMO you should give it some time.

4 February 1917 | A Polish Jewish dancer Franciszka Mann was born. She was most probably the woman who on 23 October 1943, inside the undressing room of gas chamber II at Auschwitz II-Birkenau, seized SS man Josef Schillinger’s pistol, shot him & wounded SS man Wilhelm Emmerich.
---

A podcast about this and other cases of resistance at Auschwitz: https://www.auschwitz.org/en/education/e-learning/podcast/different-cases-of-organized-resistance-at-auschwitz/

the guy and his AI found three uses of memcmp() in TLS code and insisted it was a "CRITICAL" side-channel security vulnerability.

A 2-second check of those three uses told us it was not real.

byebye George

Switching away from Hackerone is not a guarantee... Here we go.

@algernon Maybe `components` conflicts with OpenAPI's schema? https://swagger.io/docs/specification/v3_0/components/

Learning #Rust made me a better #Python programmer.

Not because I write Rust at work. Because Rust forced me to think about things I'd been ignoring and I never realized this fact.

Also came across this today. Wasn't already in the ruleset, so I fixed that.

FreePBX Authenticated Command Injection - testconnection SSH functionality.

https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/

[RSS] Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)

https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html

Patch diffing + RCA for clfs.sys can take awhile.

I gave the diff + binary to a local LLM.

It mapped the UAF path, race condition, all IOCTLs in <20 min

LLMs don't replace the work, they are momentum.

New blog post following the UAF trail of CVE-2025-29824:

https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs/

Dirty Ptrace: Exploiting Undocumented Behaviors in Kernel mmap Handlers

Talk by Xingyu Jin and Martijn Bogaard about a new type of logical bugs in kernel driver mmap handlers exploitable via the ptrace functionality.

Authors found multiple Android vendor drivers affected by the issue. They also wrote an exploit for the IMG DXT GPU driver to escalate privileges on Pixel 10.

Video: https://www.youtube.com/watch?v=yAUJFrPjfCI
Slides: https://powerofcommunity.net/2025/slide/x-84592.pdf

Does anybody know, by any rare chance, what #Firefox settings might cause CORS errors? Since last week I'm unable to access, for example, a local #Jellyfin instance with Firefox due to this problem, as it causes a lot of CORS errors (same origin policy).

I have already tried changing "Enhanced Tracking Protection" settings: they are ignored.

I have also already tried creating a new fresh Firefox profile. It works, but as soon as I synchronise it with my Mozilla account, it fails again.

NEW: French Police searched the local X offices as part of a criminal investigation for several crimes, including possession and distribution of child sexual abuse material.

Paris prosecutor's office also announced that it summond Elon Musk and former X CEO Linda Yaccarino for questioning.

https://techcrunch.com/2026/02/03/french-police-search-x-office-in-paris-summons-elon-musk-for-questioning/