"I'm interested in all kinds of astronomy."

The thing I like about writing blogposts is that I need to verify everything I say, so I usually find a few small errors and learn a couple of new things in the process. A lot of work but a very good learning exercise.


The slides from my keynote yesterday at the Open Source Summit Europe: https://www.slideshare.net/slideshow/giants-standing-on-the-shoulders-of-by-daniel-stenberg/282693094

"giants, standing on the shoulders of"

While waiting for the video to become available. I have no idea when that will happen.


keyboards can't interrupt the CPU themselves, but the USB controller continuously polls them and will interrupt it on their behalf. Loudly.

@meluzzy You are not wrong, it's just static linking is preferred in a lot of deployment cases. On Windows specifically, DLL Hell remains a thing, although now side-by-side assemblies aim to solve that issue (in a pretty convoluted way IMO). I think to some extent handling bugs arising from different library versions on different Linux distros is even worse - IIRC that's a reason why Go (used on a bazillion servers of Google) links statically by default. Also, for ad-hoc tasks like debugging it's much better to drop a single-file util that just works than mess with the configuration of the system through the package manager/winstaller.

There are surely more pro-con arguments, the point is that we have different ways for linking because use-cases differ, and both methods have their place.

I FINALLY got a chance to chat with James Kettle @albinowax and hear about his latest research, with a cool caption "HTTP/1.1 Must Die" 😎 Mind-blowing work including desync attacks and critical vulnerabilities affecting websites & CDNs... and a demo! https://youtu.be/n3Bw8CASnHE

@windsheep @raptor "CodeQL CLI users can enable this feature starting with version 2.21.4 by using the build-mode: none flag" As I understand the feature is also available for on-prem stuff (this won't help if you want to scan your private stuff on GH ofc)

An example of algorithmic resistance


This is great news 🤩 I guess it’s about time to start learning CodeQL seriously

can be enabled at scale on C/C++ repositories in public preview using build-free

https://github.blog/changelog/2025-06-03-codeql-can-be-enabled-at-scale-on-c-c-repositories-in-public-preview-using-build-free-scanning/

[RSS] postMessaged and Compromised

https://msrc.microsoft.com/blog/2025/08/postmessaged-and-compromised/

"a deep dive into the risks of misconfigured postMessage handlers"

“Stack Overflow data reveals the hidden productivity tax of 'almost right' AI code | VentureBeat”

https://venturebeat.com/ai/stack-overflow-data-reveals-the-hidden-productivity-tax-of-almost-right-ai-code/

> AI tools don’t just produce obviously broken code. They generate plausible solutions that require significant developer intervention to become production-ready. This creates a particularly insidious productivity problem.

::sighs::

Google publishes security research on #GitHub, but instead of committing to a repository they issue Security Advisories for a somewhat random repo:

https://github.com/google/security-research/security

Is there a way to clone this data as a #Git repository (from a service named after the aforementioned SCM system)?

[RSS] SQLite: Integer truncation in findOrCreateAggInfoColumn

https://github.com/google/security-research/security/advisories/GHSA-qj7j-3jp8-8ccv

CVE-2025-6965

I should write a summarizer for @talosvulns...

Until then, it's worth checking out the latest image parser bugs:

https://talosintelligence.com/vulnerability_reports/

@troed Yeah I've been planning the same for some time, only problem is that my DNS situation is...complicated :P

@cR0w @LinuxAndYarn @ligniform @catsalad That sneaky "You&Me" watermark raises more questions than any other part of the pic

@TarkabarkaHolgy The survival rate of storytellers and their tales is quite surprising.

(ICYMI that's 456533 crows)