"I'm interested in all kinds of astronomy."

Jurisdiction Is Nearly Irrelevant to the Security of Encrypted Messaging Apps

Every time I lightly touch on this point, I always get someone who insists on arguing with me about it, so I thought it would be worth making a dedicated, singular-focused blog post about this topic without worrying too much about tertiary matters. Here's the TL;DR: If you actually built your cryptography properly, you shouldn't give a shit which country hosts the ciphertext for your…

http://soatok.blog/2025/07/09/jurisdiction-is-nearly-irrelevant-to-the-security-of-encrypted-messaging-apps/

If you have a machine with PKEY support and a somewhat recent Linux kernel, you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true` at build time.

It's not (yet) meant for production use, but should offer a preliminary look at where things might be heading. See https://crbug.com/350324877 for more details.

Feedback welcome! :)

More links to information about the IBM Power11, which was announced yesterday.
💙
https://www.rpgpgm.com/2025/07/more-details-about-power11.html

New by Security Explorations:

"eSIM Security - We broke security of Kigen eUICC card with GSMA consumer certificates installed into it."

https://security-explorations.com/esim-security.html

🔓⏫ After compromising every endpoint within an organization, our “Caught in the FortiNet” blog series comes to an end with one more thing.
Read more about FortiClient's XPC mistake that allows local privilege escalation to root on macOS:

https://www.sonarsource.com/blog/caught-in-the-fortinet-how-attackers-can-exploit-forticlient-to-compromise-organizations-3-3?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-caught-in-the-fortinet-080725-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=social

[RSS] Privilege Escalation Using TPQMAssistant.exe on Lenovo

https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe

TrendAI Zero Day Initiative

The patches may be late, but 130 new CVEs from , there's still plenty to talk about. Join @TheDustinChilds as he covers the release and points out why it's a bad month to be a SQL Server admin. https://www.zerodayinitiative.com/blog/2025/7/8/the-july-2025-security-update-review

TrendAI Zero Day Initiative

has (finally!) released their updates for July. 13 bulletins addressing 60 CVEs in various products. Nothing is listed as under active attack. The patch blog has been updated with all the details. https://www.zerodayinitiative.com/blog/2025/7/8/the-july-2025-security-update-review

This is exactly what the internet is for.

Give lengthy and incomprehensible explanations when questioned.

Operating a Certificate Transparency log is now within reach of many organizations.

I wrote up the requirements: essentially one small server process, a couple people, and the capacity to host 3-5 TB of static files. https://words.filippo.io/run-sunlight/

I'd love to chat with anyone who's considering running one!

@lcamtuf websites are boomer, what we need are anime style videos: https://m.youtube.com/watch?v=u0aoByec99Q
[RSS] Dubious security vulnerability: If I perform this complex series of manual steps, I can crash a program I am running

https://devblogs.microsoft.com/oldnewthing/20250707-00/?p=111351
@cR0w Oh, that's surprising, thanks for clarifying for me! Still, my concern is given their track record I'm not sure the priorities are right.
@cR0w CWE-613 -> someone thought it's a good idea to run a 3-day pentest on a commercially available product, then demanded support to fix all Lows
@tychotithonus I guess it's about requiring signing for the SMB client?
[RSS] [CVE-2025-32461] Tiki Wiki CMS Groupware <= 28.3 Two SSTI Vulnerabilities

https://karmainsecurity.com/KIS-2025-03
[RSS] How I Discovered a Libpng Vulnerability 11 Years After It Was Patched

https://blog.himanshuanand.com/posts/discovered-a-libpng-vulnerability-11-years-after-it-was-patched/