"I'm interested in all kinds of astronomy."

hrbrmstr 🇺🇦 🇬🇱 🇨🇦


When EPA isn't EPA'ing: What Tools Like Certify, Certipy and checkMSSQLStatus.py miss https://www.abdulmhsblog.com/posts/pitfallswithepa/

Note to self: if you think extensions will be sufficient to distinguish between files in a directory, start reorganizing into subdirectories

Slides from my talk "Get in Loser, We're Upgrading the Internet -- Lessons from Deploying Post-Quantum Cryptography across Akamai's global Content Delivery Network"

https://www.netmeister.org/misc/troopers26.pdf


This malware is pretty cool, it took me a while to get to the 4th obfuscation layer myself in IDA even when using a deobfuscation plugin myself, mixes its own obfuscated code deep in legitimate "goodware" code, uses lots of MBAs, has anti-VM tricks. High quality malware.

https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer


https://www.twitch.tv/curlhacker is live, the presentation starts in a few minutes


all the hackerone reports for the curl 8.21.0 vulnerabilities are now public


Keeping the Web Open and Private in the Bot Era

In which an AI peddler suggests that to solve the bot problem we should perhaps enact some funky workaround that involves such reputable companies and projects like Cloudflare, Mozilla Firefox, Google Chrome, and Microsoft Edge (all of them run by companies staunchly resisting the root cause of the Crawler problem: AI).

If we'd all just use PACT, we would be able to efficiently block the bots! Except, of course, if you're running an unsupported browser, and have not sent enough signals back home that you're a human.

But sure, sure. Let's use a klunky workaround that doesn't exist, wouldn't work, instead of addressing the problem in the first place.

How utterly predictable, how utterly disappointing nevertheless.

#algernonReviewsHackerNews

Common PKCS#7 / CMS parsing issues in OpenSSL, WolfSSL, Bouncy Castle, & GnuPG

https://blog.calif.io/p/how-to-format-a-ciphertext

From this oss-sec thread:
https://seclists.org/oss-sec/2026/q2/1000

CVE-2026-34182 CVE-2026-5500

This is a fun one :)

[CVE-2026-50160] Hoppscotch: Unauthenticated JWT Secret Overwrite

https://seclists.org/oss-sec/2026/q2/1007

"The POST /v1/onboarding/config endpoint allows an unauthenticated attacker to inject arbitrary InfraConfig keys including JWT_SECRET and SESSION_SECRET"

RE: https://rivals.space/@fedilucie/116795256258407496

I heard Joe Armstrong give a talk for forty minutes once and I walked out permanently converted to this way of thinking. Use queues. Queues only. NULL was not a billion-dollar mistake, NULL can be made sanitary. Memory-sharing multithreading was the billion dollar mistake.


Talos Vulnerability Reports

New vulnerability report from Talos:

GeoVision GV-VMS V20 GV-Cloud memory corruption vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2026-2411

CVE-2026-12488

My client is a caregiver to their mother, who has little access to short term memory. My client explains that the tv has just updated and reorganized its Home Screen. She knew how to access her shows on the old Home Screen. Now, every time she powers up the tv, she’s deluged with ads and trending slop and has to relearn how to use the device to find her shows, from scratch, as if starting over again for the first time. This is now a nightly half-hour ordeal. The update was mandatory. They were never given an option to keep the system she knew.

Chopping vegetables has worked the same way for fifty thousand years. Why do these assholes think they have the right to change how a tv works?


We updated our public report repository and there is now lots of new material.

Here you are, meanwhile 253 pentest reports, summary reports and papers:

https://github.com/cure53/Publications/tree/master#publications


Usenix WOOT Conference on Offensive Technologies verified

Microsoft's 6-year-old Zerologon patches use AES-CFB8 incorrectly. The novel Onelogon attack provides two ways to take over a vulnerable AD account in apx 30 minutes. https://softsec.link/woot26.onelogon @al3x-n3ff.bsky.social @hlt @cao


@opencollective is following @bagder's "summer of bliss" initiative: we are pausing our security bounty program for the summer.

We are also considering adding a rule when we come back to limit the number of paid reports per researcher per week: we'll only pay for the first 3 reports. We hope this will encourage people to prioritize meaningful reports and cut down on the sloppy stuff.

First, cookie banners are not "perceived as excessive EU regulation", but as bad and unenforceable (unenforced?) regulation. There is a difference!

"the tracking industry is so terrified of consumers being able to simply say ‘no’ that, after a bit of lobbying, everyone gives in." -> if you expect the corporations to behave irrationally (i.e. not lobbying for their interests), you are going to have a bad time - as demonstrated by cookie banners. Why not put pressure on those in the EU who were bought by Google and Meta?

@noybeu

RE: https://mastodon.social/@noybeu/116798116428582650

Usenix WOOT Conference on Offensive Technologies verified


With about $180 of off-the-shelf hardware, HotWire https://sickcell6000.github.io/HotWire/ steals charging billed to victims, and drains an EV's batteries until they won't start - demonstrated on production cars and live public charging networks.
Paper and presentation at WOOT'26.
Preprint: https://sickcell6000.github.io/HotWire/2026_WOOT_paper_HotWire.pdf
