This is an important bit in the #Cloudflare post (emphasis mine):

"Our data analysis focuses on traffic from Internet properties on Cloudflare’s free plan, which *includes leaked credentials detection as a built-in feature.*"

We have released the files for the research that led to CVE-2024-36904. It contains the codes, the original kernel source, the patch and the modified kernel source that help to trigger the KASAN splat. If you want to play with the vulnerability, you can use the files.

https://github.com/alleleintel/research/tree/master/CVE-2024-36904/

There's another Office "intentional crash" detected by @expmon_ (background for the 1st one: https://www.linkedin.com/posts/haifeili_if-you-need-a-real-world-office-sample-triggering-activity-7304034115706597376-eVnM), it's a bit different (as I just quickly analyzed) but I'd like to leave it to anyone who is interested in investigating. :)

https://pub.expmon.com/analysis/254228/

So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

#cloudflare #password #cybersecurity

Question to the Fediverse:

I'm looking for a mailing list / newsgroup solution (it can be SaaS or self hosted).

I need a couple things:
- Easy subscribe and unsubscribe functions
- Ability to send out mass emails to subscribers (basic functionality)

- Most important... and this is the weird part... I need all the subscribers to be able to "reply all" or to email the list as a whole, to also send messages to everyone. But I don't want them to be able to see everyone on the list.

I need an oldschool mailing list proper, where people can track the threads and replies, right.

All the marketing email lists are only top-down - the emailer mails all the recipients, but there is no allowing the recipients to email each other.

The best I have found is GNU MailMain: https://www.gnu.org/software/mailman/

Does anyone know any other examples?

Edit to add better nomenclature (my brain is not forming words right now):
- Allows for email discussion
- Allows for email threading
- Email Newsgroup - that's a good one

Editing to add answers to my own question:
- GNU Mailman: https://www.gnu.org/software/mailman/
- Gaggle Email: https://gaggle.email (cheers @zebbm)
- Groups io: https://groups.io (cheers @TNLNYC )
- Gray Duck Mail: https://grayduckmail.com
- mlmmj: https://mlmmj.org

@0xtdec @tante personal experience: when I served 403 to crawlers, they came back in disguise: no longer identifying themselves, and from entirely different ip ranges.

Same happened when I served them a static page.

Ever since I trapped them in a maze, apart from alibaba, they do not disguise themselves - and alibaba never identified itself in the first place.

So IME, a maze helps keeping them honest and busy. It does eat resources, but a LOT less than if I'd let them through.

I also ratelimit them at 100req/sec. If there are 100req/sec incoming into the maze, then everyone routed there gets 429'd. Normal visitors do not.

I wrote a summary of my experience running a maze since mid January: https://chronicles.mad-scientist.club/tales/a-season-on-iocaine/

My savings were massive: over 50gb traffic saved daily on my forge alone. Less cpu and ram used for anything that isn't served directly from the filesystem. And the rate limiting on top of this saves even more - more than the cpu & ram cost of garbage generation over serving static files.

@nemo Original article with comments from Signal: https://therecord.media/signal-no-longer-cooperating-with-ukraine

I feel like the message of Sir Tim Berners-Lee's latest op-ed in the Financial Times may suffer from its medium.

But don't worry, you can read his pitch for Solid here:

https://archive.ph/4Vvms

Happy St Patrick’s Day! I hope you get lucky like the Irish. Or something.

qbasic (1992): opens with the option to view help or jump straight into programming.

qb64 (2025): opens with a warning that any program you make with it will be falsely flagged by your antivirus as malware.

We heard you needed some more time, so we wanted to let you cook.

We decided to push the Phrack 72 CFP deadline back until June 15th.

Stay tuned for upcoming Phrack events.

Print this flyer out and give it to someone IRL!!

🚨 LABScon Replay: Investigative journalist Kim Zetter interviews Microsoft VP David Weston on Windows security, AI, secure dev practices, and the company's reaction to the CrowdStrike outage. @kimzetter @dwizzzlemsft

https://youtu.be/7ne9e0YUrQI?si=w2qTa1NNakOJqadP

SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries https://workos.com/blog/samlstorm

Just spent 6 hours in an ER (I'm fine) and witnessed, in no particular order:

A nurse bit by a patient

A patient screaming MURDERERS from an exam room

Two nurses patiently dressing and re-dessing an elderly man who kept stripping

Someone yelling at a student doctor about wait times

Urine being spilled on the floor

Someone yelling "the patient made a run for it!"

A patient trying to call the cops on doctors

Whatever we think hospital workers should be paid, it's not enough.

#HealthCare

My first watchTowr post is out! It was my first take on a CMS solution and I was able to get some interesting pre-auth RCE chains on Kentico Xperience. 😎

"In today's post, we dive into Kentico's Xperience CMS - highlighting multiple Authentication Bypass vulns chained with a post-auth RCE..."

https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/

The first TUI disassemble and debugger I used which I spent lots of time in there for reversing viruses and understand better the internals of the DOS operating system was HACK from the nocash dude. I'm always happy to find its website up and use it in dosbox https://problemkaputt.de/hack.htm #reverseengineering #tui

CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution https://cvereports.com/cve-2025-24016-unsafe-deserialization-vulnerability-in-wazuh-leading-to-remote-code-execution/

De-google-ify Internet

Amazing campaign by the French not-for-profit association Framasoft.

The De-google-ify Internet project offers 26 ethical and alternative online tools that may be used by everyone.

They build open source alternatives to many Google services like Youtube, Agenda, Docs, Forms, Maps etc, as well other services to replace Doodle, Facebook Event, Github, Zoom, Slack and much more!

Check their beautiful website, watch the videos to know more about their work and follow them here in Mastodon:

@Framasoft

https://degooglisons-internet.org/

#europe #opensource #europeanalternatives #EUtech #boycott #degoogle #google

HT @fere you can make Notepad more efficient by turning off AI and related friends.

My question is:
Before I turned these off, what was Notepad doing and when would it be done?

If the answer to the second question is "never", somebody at Microsoft should use this as a good time to take a moment to think about what they're doing, and why.

What unholy mess is this? Do I need to install VS Code now to edit a text file?