▶️ We built a proof-of-concept post-quantum FIDO authenticator. It's phishing- AND quantum-resistant.
✅️ Bonus: it even outperforms Google's prototype. 👀
Full write-up here: https://neodyme.io/en/blog/pqc-fido/
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.
Our analysis of the malware: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
I've updated my #VulnerabilityResearch and #ReverseEngineering tools to use the latest version of @binarly_io award-winning #idalib #Rust bindings, which support @HexRaysSA IDA Pro 9.2 and their freshly open-sourced SDK.
#Rhabdomancer - Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file.
https://github.com/0xdea/rhabdomancer
#Haruspex - Vulnerability research assistant that extracts pseudo-code from the IDA Hex-Rays decompiler.
https://github.com/0xdea/haruspex
#Augur - Reverse engineering assistant that extracts strings and related pseudo-code from a binary file.
https://github.com/0xdea/augur
For additional details:
https://security.humanativaspa.it/streamlining-vulnerability-research-with-ida-pro-and-rust/
1900s: Computers allow me to do things.
Early 2000s: Computers do things for me.
Now: Computers do things to me.
🚨 New advisory was just published! 🚨
A path traversal in LG webOS TV allows unauthenticated file downloads, leading to an authentication bypass for the secondscreen.gateway service, which could lead to a full device takeover.
This vulnerability was disclosed during our TyphoonPWN 2025 LG Category and won first place:
https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass-and-full-device-takeover/
"Abusing an 0day to steal the data that fuels macOS AI"
"In a nutshell, plugins can only access files when the Spotlight subsystem requests it and, in theory, should only return extracted information back to Spotlight—nobody else! But is Apple’s sandboxing sufficient? 🤔
Today, we’ll present a 0-day that leverages a bug from almost a decade ago(!) — one that can still be exploited from a Spotlight plugin, even on macOS Tahoe, to access TCC-protected files, including sensitive databases that log user and system behaviors that can power Apple’s AI features 😈"
"sorry we used your data to throw an election and rob hundreds of millions of people of their privacy. here's twenty eight dollars as a sorry"
RE//verse 2026 CFP is open! Want to be a part of the lineup? Submit your talk: https://sessionize.com/reverse-2026
Still looking for a winter con to attend? RE//verse returns to Florida in March! You don't want to miss out. Get your tickets here: https://shop.binary.ninja/collections/re-verse-admissions-requires-sales-tax/products/re-verse-2026-admission
Since #Microsoft does not care, and the grace period is over, here is the Hardened Runtime bypass they introduced through .NET MAUI on #macOS. All applications built with it are vulnerable. The #vulnerability has existed probably since 2019.
https://afine.com/breaking-hardened-runtime-the-0-day-microsoft-delivered-to-macos/
As the person that founded the most high profile Black instance in the fedi and still develops safety tools for this environment, there is still a lot of resistance in the fedi in accepting how massively it failed Black and Brown internet folks.
I don’t mind the technical discussions between ATProtocol and Activity Pub because they both have stuff to learn from each other, but the fedi damaged reputation isn’t due to technical concerns.
The fedi has a *terrible* reputation to the point people are choosing a corporate option they know is bad over a free one.
Folks really need to think about what that means.
I regularly talk to folks who left the fedi and they *consistently* say the bigoted harassment they faced on the fedi is the *worst they’ve experienced* online. These aren’t people that are unfamiliar with how digital communities work. These are veteran digital citizens that are accustomed to bad faith engagement on the web.
Fortunately, the rise of Blacksky and other independent installs is rendering Bluesky irrelevant as it continues to enshittify, but the fedi needs to accept its utter failure in regards to safety and moderation is a central reason why we are talking about Bluesky at all.
I do believe it’s possible for the fedi to still be a major player in social media.
But it has to be real about why many people believe Bluesky is the lesser evil.