75% of web traffic flows through Google's Chromium. Apple controls Safari. American companies control how billions access the web.

Building a competitive browser alternative: ~€50-70M annually, 3-4 years. @servo proves it's technically possible with a small team.

The challenge isn't technical, it's institutional: can democratic societies coordinate long-term tech projects?

Read more: https://tarakiyee.com/digital-sovereignty-in-practice-web-browsers-as-a-reality-check/
#DigitalSovereignty

Some professional news:

1. I’m now a Special Rapporteur for the Cyber Resilience Act.

2. My company is hiring EU subcontractors with network and security expertise!

Bow Shock Systems won a contract with ETSI to lead development of "vertical" cybersecurity standards for specific products. I'm leading the one for operating systems.

We're looking for people with technical expertise and leadership ability to lead three other verticals.

1/n

#fediHire

'On November 28th, 2012, Randall Munroe published an xkcd comic that was a calendar in which the size of each date was proportional to how often each date is referenced by its ordinal name (…) "In months other than September, the 11th is mentioned substantially less often than any other date. It's been that way since long before 9/11 and I have no idea why." After digging into the raw data, I believe I have figured out why.'

https://drhagen.com/blog/the-missing-11th-of-the-month/

A Scanner for Arduino-Powered Book Archiving

https://hackaday.com/2025/06/29/a-scanner-for-arduino-powered-book-archiving/

It is ridiculously hot in Europe, unbearably so, and yet we are building systems which are needlessly complex and power-hungry.

Something is very wrong with us.

Interesting links of the week:

Strategy:

* https://www.enisa.europa.eu/publications/the-eu-cybersecurity-index-2024 - EU's 2024 cyber security index
* https://assets.publishing.service.gov.uk/media/67cad8b18c1076c796a45c25/Cyber_Security_Sectoral_Analysis_Report_2025.pdf - HMG cyber security sectoral analysis 2025
* https://www.nao.org.uk/wp-content/uploads/2025/01/government-cyber-resilience.pdf - NAO paper on making UK more resilient
* https://www.ncsc.gov.uk/collection/security-principles-protecting-most-sensitive-personal-information-in-datasets - NCSC ideas on protecting data
* https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/ - protest early, protest safely, protest often

Threats:

* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf - NCSC exposes UMBRELLA STAND
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf - ... and SHOE RACK
* https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia - GOOG reports on how Russia is targetting academics

Exploitation:

* https://sud0ru.ghost.io/windows-inter-process-communication-a-deep-dive-beyond-the-surface-part-4/ - a nice set of posts on Windows IPC's attack surface
* https://eprint.iacr.org/2025/1042 - whacking Falcons with a hammer
* https://forums.oracle.com/ords/r/apexds/community/q?question=interpositioning-in-java-2701 - had your caffeine? seamlessly injecting into Java

Hard hacks:

* https://skemman.is/handle/1946/50456 - emulating icey routers

Hardening:

* https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html - calling cc safely
* https://spiffe.io/docs/latest/spiffe-about/community-presentations/ - better authentication primitives for bots
* https://workos.com/blog/mcp-authorization-in-5-easy-oauth-specs - bring OAuth to MCP

Nerd:

* https://www.metoffice.gov.uk/forms/name-our-storms-call-for-names - so you want to work in marketing for storms
* https://activitypub.academy - so you want to learn about how the Fediverse works?

#security, #research

We’re going the wrong way! How to abuse symlinks and get LPE in Windows https://cicada-8.medium.com/were-going-the-wrong-way-how-to-abuse-symlinks-and-get-lpe-in-windows-0c598b99125b

Interesting Git repos of the week:

Strategy:

* https://github.com/timb-machine/security-research-governance-toolkit - I started releasing Portcullis' old security research governance toolkit

Detection:

* https://github.com/sandflysecurity/sandfly-forensic-scripts - @SandflySecurity have release scripts for collecting Linux artefacts

Exploitation:

* https://github.com/stealth/injectso - @steaith demonstrates how to inject .so files into running processes at will
* https://github.com/NeffIsBack/wsuks - have you ever wanted to MITM WSUS?

Data:

* https://github.com/public-api-lists/public-api-lists - does what it says on the tin

Development:

* https://github.com/sapdragon/syscalls-cpp - headers for direct syscall invocation

#security, #research, #code

Actively exploited vulnerability in CVE-2024-54085 in AMI MegaRAC gives attackers extraordinary control over server fleets by allowing a remote attacker to create an admin account without any authentication:
👇
https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/

What's not to love about third-party software injecting itself into Firefox and causing crashes in the Rust standard library?

https://github.com/rust-lang/rust/issues/143078