Chrome’s AppBound Cookie Encryption Bypassed via Side-Channel Timing Attack https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption
AI Slop is strong on HackerOne. After some break when Daniel added the "AI disclosure" questions, people are back now (and ignoring it).
Such a silly world.
once you have mastery, you can half ass things correctly, because you know which half of the ass you need
System says I’m low on memory. Let’s see what Activity Monitor says…
I’m sorry, my *wallpaper* is using *how much* RAM?!? WTAF?!?
75% of web traffic flows through Google's Chromium. Apple controls Safari. American companies control how billions access the web.
Building a competitive browser alternative: ~€50-70M annually, 3-4 years. @servo proves it's technically possible with a small team.
The challenge isn't technical, it's institutional: can democratic societies coordinate long-term tech projects?
Read more: https://tarakiyee.com/digital-sovereignty-in-practice-web-browsers-as-a-reality-check/
#DigitalSovereignty
Some professional news:
1. I’m now a Special Rapporteur for the Cyber Resilience Act.
2. My company is hiring EU subcontractors with network and security expertise!
Bow Shock Systems won a contract with ETSI to lead development of "vertical" cybersecurity standards for specific products. I'm leading the one for operating systems.
We're looking for people with technical expertise and leadership ability to lead three other verticals.
1/n
'On November 28th, 2012, Randall Munroe published an xkcd comic that was a calendar in which the size of each date was proportional to how often each date is referenced by its ordinal name (…) "In months other than September, the 11th is mentioned substantially less often than any other date. It's been that way since long before 9/11 and I have no idea why." After digging into the raw data, I believe I have figured out why.'
A Scanner for Arduino-Powered Book Archiving
https://hackaday.com/2025/06/29/a-scanner-for-arduino-powered-book-archiving/
It is ridiculously hot in Europe, unbearably so, and yet we are building systems which are needlessly complex and power-hungry.
Something is very wrong with us.
Interesting links of the week:
Strategy:
* https://www.enisa.europa.eu/publications/the-eu-cybersecurity-index-2024 - EU's 2024 cyber security index
* https://assets.publishing.service.gov.uk/media/67cad8b18c1076c796a45c25/Cyber_Security_Sectoral_Analysis_Report_2025.pdf - HMG cyber security sectoral analysis 2025
* https://www.nao.org.uk/wp-content/uploads/2025/01/government-cyber-resilience.pdf - NAO paper on making UK more resilient
* https://www.ncsc.gov.uk/collection/security-principles-protecting-most-sensitive-personal-information-in-datasets - NCSC ideas on protecting data
* https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/ - protest early, protest safely, protest often
Threats:
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf - NCSC exposes UMBRELLA STAND
* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf - ... and SHOE RACK
* https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia - GOOG reports on how Russia is targeting academics
Exploitation:
* https://sud0ru.ghost.io/windows-inter-process-communication-a-deep-dive-beyond-the-surface-part-4/ - a nice set of posts on Windows IPC's attack surface
* https://eprint.iacr.org/2025/1042 - whacking Falcons with a hammer
* https://forums.oracle.com/ords/r/apexds/community/q?question=interpositioning-in-java-2701 - had your caffeine? seamlessly injecting into Java
Hard hacks:
* https://skemman.is/handle/1946/50456 - emulating icey routers
Hardening:
* https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html - calling cc safely
* https://spiffe.io/docs/latest/spiffe-about/community-presentations/ - better authentication primitives for bots
* https://workos.com/blog/mcp-authorization-in-5-easy-oauth-specs - bring OAuth to MCP
Nerd:
* https://www.metoffice.gov.uk/forms/name-our-storms-call-for-names - so you want to work in marketing for storms
* https://activitypub.academy - so you want to learn about how the Fediverse works?
We’re going the wrong way! How to abuse symlinks and get LPE in Windows https://cicada-8.medium.com/were-going-the-wrong-way-how-to-abuse-symlinks-and-get-lpe-in-windows-0c598b99125b