@alex the AI datacenter scraping situation is getting really bad. I think there are some that appear to now be routing through residential proxy networks to evade IP bans. Not sure if that's what you're seeing.
Useful explainer on the latest Citrix shenanigans, including verifying exposure and hunting/forensics recommendations
NetScaler is doing it again. Third time in three years we're patching memory leaks that hand attackers your session tokens on a plate. CISA's already got it on the emergency list. If you run one, stop reading this and patch now.
A Tennessee man who hacked the US Supreme Court was sentenced to twelve months of probation.
Nicholas Moore hacked the US' highest court in 2023 and leaked documents on an Instagram account named @ihackthegovernment.
https://www.courtlistener.com/docket/72124298/united-states-v-moore/
I finally managed to write something about my recently deceased dear friend Felix 'Fx' Lindner.
Abstract verbalizations about personal liberty, freedom of the press, and so on, will not be convincing in most parts of the world.
AIs have been finding bugs and vulnerabilities in #curl for some time.
Is it work to fix those? Yes.
Has someone paid for this? Partially (wolfSSL and @sovtechfund)
Are the AIs annoying? Yes, very.
Could humans find the same bugs? Yes, if they’d somehow avoid being bored to death through it.
Was there something „heartbleed“ like? No.
Were there lots of C mistakes? No, logic bugs mostly.
Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.
It’s International Haiku Day apparently and so for today’s poetry offering, here are a few assorted haiku.
I've been uploading #hacking magazines from #China, some of which have been removed for reasons I don't understand, to Internet Archive. This is a decent scan of an issue of Hacker Defence (or Hacker Defence Line?) from I think the early to mid 00s.
#hacker #history
https://archive.org/details/hacker_defence_unknown
Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)
https://blog.0patch.com/2026/04/micropatches-released-for-windows-error.html
The cat's out of the bag! My latest book, "The Secret Life of Circuits", is available in early access:
https://lcamtuf.coredump.cx/blog/secret/
It's the reference I wish I had when I was starting out. Electrons to embedded systems, 290+ color illustrations and 420+ pages of well-explained theory.
New Post: Debugging - WinDBG(X) Automation & Scripting - Part 1 https://www.corelan.be/index.php/2026/04/17/debugging-windbgx-automation-scripting-part-1/
RE: https://infosec.exchange/@attackanddefense/116418875523198922
Q1 2026 was a very strong quarter for Firefox Security & Privacy.
some highlights:
- We expanded AI-assisted vulnerability discovery through our collaboration with Anthropic, helping identify and fix a high number of real security issues.
- We shipped the Sanitizer API in Firefox 148, making Firefox the first browser to support this stronger defense against XSS.
More in the newsletter linked below :)
RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749
Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.