@martinvermeer @oivaeskola

Every time I lock my bike to a wall loop I fear a topologist will appear and prove my bike is not attached to the loop, or in fact, not even locked

#cycling

Blasting Past iOS 18

https://blog.dfsec.com/ios/2025/05/30/blasting-past-ios-18/

(Corrected link)

Hot take: ISO standards do not meaningfully matter to me, because an extremely impoverished, unbanked person cannot freely access their contents from a smartphone or library computer.

Therefore, I go out of my way to avoid referring to them or relying on them in anyway.

Edge group policy ADMX is truly a masterpiece of bad-faith fuckery even by Microsoft standards: misleading, obfuscation, omission, outright lying.

Top 3 favorites so far:
1. Setting to disable the ChatGPT sidebar is called "Show Hubs Sidebar". Obviously, it is not under the "Generational AI" subfolder.
2. There are a number of "AI assistance" settings tucked under Settings > Languages in the UI. "Collaborate with Copilot" doesn't have a GPO item (forum answer from MS droid suggests that someone "forgot" it).
3. Three separate settings to prevent Edge from running in the background and "preloading" things, in three different folders.

Also, I'm pretty sure I've said this before, but I'll say it again:

Part of your job as a senior is to tell your juniors about your fuckups. The embarrassing cringe reckless and lazy bullshit that you did when you were new, and the various times you brought down Prod. We ALL did it sometime. And then tell them: the moment you realized you fucked up, I know, the impulse is to try and cover it up, but don't do it. Come to the seniors you trust, and they'll help you unfuck it, and fight management tooth and claw like mamma and pappa bears to defend you from any shitheads in management. Because that's what our seniors did to us.

It seems #IBMi ACS users keep strugling with Win11 hardenings:

https://www.ibm.com/support/pages/node/7180720?myns=swgother&mynp=OCSWG60&mync=A&cm_sp=swgother-_-OCSWG60-_-A

Here's my previous analysis of the problem:

https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/

@aerique Mozilla is preparing for a world where the US government (rightly) forces them to do without 90+% of their revenue. Rather than getting disgusted at them, why don't we urge the EU to support them and even do something crazy like take seats on their board or something? Could happen... maybe? Mozilla and this fork you want to make will die without support.

[RSS] Achieving Persistent Client-Side Attacks with a Single WeChat Message

https://www.darknavy.org/blog/achieving_persistent_client_side_attacks_with_a_single_wechat_message/

[oss-security] CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default

https://www.openwall.com/lists/oss-security/2025/05/28/6

I wonder if the now restricted behavior is useful for #deserialization gadgets (I couldn't find references to declaredClass abuse, but haven't finished my coffee yet either...)?

[oss-security]

CVE-2025-46701: Apache Tomcat: Security constraint bypass for CGI scripts

https://www.openwall.com/lists/oss-security/2025/05/29/4

I think "GCI" is a typo in the message (CGIServlet.java is patched), although found the same typo elsewhere in the documentation...

@keenancrane I wanted to mention those piggies, glad this design was not lost in time (had think really hard where I saw a similar concept, and it was about 25 years ago) :)

Decomplexification - making #curl use simpler code

https://daniel.haxx.se/blog/2025/05/29/decomplexification/

@mttaggart Also, write-only syntax choices that e.g. require counting different kinds of brackets with your fingers...

The more mental energy you expend parsing a programming language's syntax, the less you have available for parsing a program's logic—or creating it yourself. This is why core fluency is so important; it frees up your own compute cycles for more important work.

It's also another reason why "vibe coding" is so toxic. It robs you of the opportunity to gain that fluency.

[RSS] Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis

https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/

[RSS] exploits.club Weekly Newsletter 73 - AI Finds Bugs, MTE Bypasses, Old Jailbreaks, and More

https://blog.exploits.club/exploits-club-weekly-newsletter-73-ai-finds-bugs-mte-bypasses-old-jailbreaks-and-more/

"[Qualys] discovered a vulnerability in apport [...], and a similar vulnerability in systemd-coredump [...]: a race condition that allows a local attacker to crash a SUID program and gain read access to the resulting core dump"

https://www.openwall.com/lists/oss-security/2025/05/29/3

CVE-2025-5054 CVE-2025-4598

Google’s search quality has declined, filled with spam and low-quality results, while it maintains dominance through default placements. Cory Doctorow highlights Kagi as a superior alternative, offering cleaner, more relevant search outcomes. Though it requires a subscription, Kagi provides a user-focused experience that recaptures the efficiency Google once had.

I personally HAPPILY pay for @kagihq.

#Kagi #enshittification #tech #privacy

https://pluralistic.net/2024/04/04/teach-me-how-to-shruggie/#kagi

SentinelOne still down, approaching three hours. It doesn’t look like they have an official status page so https://sentinelonestatus.com/ is all ya got.