RE: https://rivals.space/@fedilucie/116795256258407496
I heard Joe Armstrong give a talk for forty minutes once and I walked out permanently converted to this way of thinking. Use queues. Queues only. NULL was not a billion-dollar mistake, NULL can be made sanitary. Memory-sharing multithreading was the billion dollar mistake.
My client is a caregiver to their mother, who has little access to short-term memory. My client explains that the TV has just updated and reorganized its Home Screen. She knew how to access her shows on the old Home Screen. Now, every time she powers up the TV, she's deluged with ads and trending slop and has to relearn how to use the device to find her shows, from scratch, as if starting over again for the first time. This is now a nightly half-hour ordeal. The update was mandatory. They were never given an option to keep the system she knew.
Chopping vegetables has worked the same way for fifty thousand years. Why do these assholes think they have the right to change how a TV works?
We updated our public report repository and there is now lots of new material.
Here you are: by now, 253 pentest reports, summary reports and papers:
https://github.com/cure53/Publications/tree/master#publications
Microsoft's 6-year-old Zerologon patches use AES-CFB8 incorrectly. The novel Onelogon attack provides two ways to take over a vulnerable AD account in approx. 30 minutes. #AESCFB8fail #WONTFIX https://softsec.link/woot26.onelogon @al3x-n3ff.bsky.social @hlt @cao
@opencollective is following @bagder's "summer of bliss" initiative: we are pausing our security bounty program for the summer.
We are also considering adding a rule when we come back to limit the number of paid reports per researcher per week: we'll only pay for the first 3 reports. We hope this will encourage people to prioritize meaningful reports and cut down on the sloppy stuff.
With about $180 of off-the-shelf hardware, HotWire https://sickcell6000.github.io/HotWire/ steals charging billed to victims, and drains an EV's batteries until they won't start - demonstrated on production cars and live public charging networks.
Paper and presentation at WOOT'26.
Preprint: https://sickcell6000.github.io/HotWire/2026_WOOT_paper_HotWire.pdf
OpenAI shipped a telemetry system that logs more than the actual work being done. Codex is burning through SSDs at a rate of ~640 TB/year; one user hit 37 TB written in 21 days. On a consumer SSD that's full drive death in under a year. https://github.com/openai/codex/issues/28224
Every iPhone with an A12 or A13 chip - XS/XR, 11, 2020 SE - has an unpatchable SecureROM exploit. The root bug is in Synopsys’s USB controller, and is exploitable. Requires physical access. Solution: buy a new iPhone. https://ps.tc/pages/blog-usbliter8.html
In the last few years, I wrote up some of the advice I often found myself giving to other founders, and a general list of lessons I learnt doing two companies, zynamics and optimyze. The full article - still work-in-progress - is here:
New Cisco RCE was fixed https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/
System/38 blog post
A nice write-up by one of the club members, who also takes very nice pictures of computers:
About to put together a version of this for the 70s.
https://realhackhistory.org/2023/03/16/hackers-as-portrayed-in-80s-news-print-media/