let's pour one to -fbounds-safety 🔥🌸
https://tech.lgbt/@fay59/115900565326279983
New.
Mandiant: Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables #Google #infosec
Updated Cisco advisory. "Rudolph, the red-nosed reindeer ...." 🎵 🎶 🎧
"There are no workarounds identified that directly mitigate the risk concerning this attack campaign, but administrators can view and follow the guidance provided in the Recommendations section of this advisory."
Cisco: CVE-2025-20393, critical: Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 @TalosSecurity #infosec #Cisco #vulnerability
Nariman Gharib, an #Iran cyber-espionage expert (in exile):
Obtained #Starlink terminal debug data from Iran during the ongoing internet shutdown.
The telemetry shows direct evidence of GPS spoofing: the dish detected 18 #GPS satellites with valid signal lock, but activated its anti-spoofing countermeasures (inhibitGps: true). This isn’t simple jamming; the government appears to be broadcasting fake GPS signals to confuse terminals.
The impact: 20%+ sustained packet loss, connection never stabilized after 24 minutes, bandwidth restricted, and beam pointing ~1° off target. Starlink stayed online but was barely usable.
The anti-spoofing detection works, but SpaceX’s fallback positioning can’t currently maintain normal performance under electronic warfare.
First documented technical evidence of state-level GPS spoofing against consumer satellite internet.
https://github.com/narimangharib/starlink-iran-gps-spoofing/blob/main/starlink-iran.md
Still going to argue that https://gitlab.com/mjg59/linux/-/commit/13cd6ec5e0e99124dd730156a4d921b20f192e2d would maybe be the most security per lines of code this decade
RE: https://furry.engineer/@soatok/115896145424737173
As a professional source code reviewer, I gotta agree with “We cannot overstate the extent to which just reading the OpenSSL source code has become miserable.” The answer to “how does OpenSSL—” is always “I don’t know and I don’t have six months to find out.” This is not true of alternative libraries with the same functionality.
I'm helping an elderly person with a patient portal, and wow, there are about 4 different problems ranging from unclear instructions to pages that don't work well when the phone is zoomed in enough for an older person to actually read the text.
Plus, the iPhone keeps popping up unhelpful gunk.
This person isn't particularly afraid of technology either, but they literally can't do it.
I now think every web developer should be forced to walk through their processes with an 85-year-old.