@badkeys My educated guess is they couldn't fit larger keys into their DNS records...

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----

@wdormann I'd agree with that, but I don't know what level of control apps have on mobile.

@Mer__edith

@wdormann As I understand they "knowing why" (as of now) doesn't imply this was *expected* behavior before.

I'd compare the persistent (not self-deleting) messages dilemma to secure deletion: below the next architectural boundary you can't really decide what's happening to your data ("were the bits of that file really deleted from the disk?"), but in special cases you take extra steps to prevent leaks ("let's overwrite a bunch of times, hopefully it helps").

@Mer__edith

I wrote up in the TLS mailing list why I think composite signatures (ML-DSA + ECDSA/RSA) are a net negative, will hurt the ecosystem, and should not be implemented.

Hybrid key exchange was simple and self-contained. Hybrid signatures would be a mountain of complexity in code responsible for half of sev:crit in crypto libraries since 2020.

https://mailarchive.ietf.org/arch/msg/tls/oh3jmmkHzHdp1hk4R4M9QjkmvBk/

watt-hours per password

Our C/C++ code review challenge closes April 17.

The new Testing Handbook chapter covers memory safety, integer errors, type confusion, kernel modules, Windows usermode, and seccomp sandbox escapes through manual code review.

Analyze the vulnerable programs, explain how to exploit them, and submit a writeup. First 10 correct entries win swag.

https://trailofbits.com/c-whats-wrong-challenge/

The Salt Typhoon hack ended the debate on safe lawful access. State-sponsored attackers didn't just breach networks; they explicitly targeted mandated wiretap systems. Backdoors don't just weaken security; they become the ultimate prize for advanced adversaries. 1/2

Thank you for being a valued Streaming Service+ subscriber. Your monthly plan is increasing from $9.99 to $24.99. This price adjustment reflects our continued investment in canceling your favourite shows after one season, removing titles from the library without warning, and building a worse user interface. Note: Your tier now includes ads. To remove them, upgrade to our new Ultra Premium Platinum plan ($39.99/mo). Btw your password can no longer be shared with the people you live with.

Thank you to the company that owns the drivers license embedded into my cybernetic companion animal for emailing me on an address I haven't used since she was born to remind me that access to her identity chip has been sold to an insurance company and any desperate attempts to recover her will now be accompanied by informative articles

CRITICAL: if you are running Mosaic 2.4 on a VAX/VMS system, please be aware of this RCE that GPT-5.4 just found and exploited!

This might be my favourite weird car yet.
The Puli (also called the Puli Pinguin) was a microcar made in Hungary between 1986–1998. The more powerful electric version maxxed out at 7.4 kW (9.9 HP). Hold onto your hats!
https://en.wikipedia.org/wiki/Puli_(car)
#WeirdCarMastodon

The full TyphoonCon 2026 conference agenda is now live:
https://typhooncon.com/full-2026-agenda-sessions

Join us May 28-29 in Seoul for a highly curated program focused on advanced offensive security. From vulnerability research to real-world exploitation.

🎟️ Tickets are going fast - secure your spot now

OTD 1989: #SunMicrosystems announces the SPARCstation 1, aka Sun 4/60, aka "Campus".
Also first use of SBus.

https://theretroweb.com/motherboards/s/sun-sparcstation-1

The AI slop security reporting is basically extinct. It almost does not happen anymore. At all.

@bagder Slop finds a way

"I am submitting this via direct email as I am currently unable to use the HackerOne platform due to account restrictions for new reporters."

In case someone was wondering what happens when we try to make it harder for new accounts to submit new reports.

🤔Ever wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine.

Many tools have been built around it, yet its internals remained undocumented. Until now 👇
https://blog.quarkslab.com/bsim-explained-once-and-for-all.html

I'm like 99% sure that strings is the best reverse engineering tool.

My kinda hot take on the Mythos stuff is really that there is so little money in offensive research that it's still not really that hard to find bugs. These AI companies are operating with budgets that make the entire offensive research of all big tech combined look like a joke