Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)

@bert_hubert @signalapp This is exactly why I think sharing some actual unmet requirements would be a good idea.

(FTR I was told they also used GCP as a fallback which apparently didn't work too well)

Thinking back to last year I remembered the us-east-1 outage, how it affected Signal and how some of the users freaked out that they have to rely on US hyperscalers.

Wouldn't it be useful if @signalapp (and maybe similar providers) published their infra requirements with little crosses and ticks, so alternative providers could aim for "good enough for Signal" service levels?

Related articles by @bert_hubert :

https://berthub.eu/articles/posts/the-european-cloud-ladder/

[RSS] Reverse Engineering the Miele Diagnostic Interface

https://medusalix.github.io/posts/miele-interface/

[RSS] Understanding and mitigating a stack overflow in [Raymond Chen's custom] task sequencer

https://devblogs.microsoft.com/oldnewthing/20251231-00/?p=111950

C++ coroutine debugging

[RSS] Detect Go's silent arithmetic bugs with go-panikint

https://blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/

TyphoonCon 2026 Early Bird tickets now on sale!

Dive into exploits, reverse engineering and cutting-edge insights in offensive security. May 28-29 in Seoul, South Korea

🎟️ Limited tickets available: https://www.eventbrite.com/e/typhooncon-2026-tickets-1968561639857

The Normalization of Deviance in AI

https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/

@kstrlworks Thanks for the detailed answer, this makes sense! (also it turns out I can't read, but you got the point)

The next days #39c3 https://media.ccc.de thx ukeer

Question to people more knowledgeable about #BSD systems (primarily #FreeBSD, but the more answers the merrier)!

On Linux, I can use ipset (or nftables sets) to create a set of IP addresses I can match against with one rule. Like:

# ipset create test-set iphash
# iptables -I INPUT -m set --match-set test-set src -j DROP

This would drop any and all source addresses that I add to test-set in the future, without having to update INPUT. It also does some magic hashing thing to make all this efficient.

The reason I want this is because I'll be adding a lot of unique IPs to this set (about half a million, if not more). When adding them directly to iptables, the Linux kernel was very unhappy about that. But with a set? Worked like a charm.

Can pf or any other packet filter tool on the BSDs do something similar? Allow me to block a very large number of unique IPs?

Blocking ASNs or ranges is not feasible, I need to block unique IPs.

Bonus points if it can automatically expire entries that were added or updated N seconds ago.

Boosts appreciated.

I recently bought something from poshmark.com, for the first time. While I haven't heard of them before, I figure with credit card protections as they are in the US, there's really no harm with giving it a shot.

Within about 30 minutes of placing my order, I got a not-very-good phishing email from purchase-orders@loyverse[.]com, claiming to be "Poshmark".
The first time in my life that I've received a phish from somebody claiming to be Poshmark.

My wonders at this point:

• Is Poshmark currently breached?
• Is Poshmark unknowingly leaking the email addresses of people who purchase through their site?
• Is Poshmark knowingly leaking the email addresses of people who purchase through their site? Sub-wonder: If true, is this publicly known?
• Is the person whose Poshmark listing I purchased from either compromised or malicious?

🤔

@rickoooooo @embedding_shapes One of my secondary desktop runs NixOS and it's perfectly usable as long as you are willing to spend some extra time to look up docs when you introduce some more serious change (e.g. new HW). "I need to just get something done real quick" is exactly the way junk gets piled up, but IME NixOS educates you to either use a temporary install or setup things in containers/VMs that will probably pay off in the long run (I also have a VM host, so this may be easier to do for me).

MDN is more than just a resource. It's a community of developers, contributors, and learners passionate about web development.

Contribute to,
📚 MDN documentation
🤝 Help other devs
💟 Localize content
📝 Review or write on MDN

Start now 👇
https://developer.mozilla.org/en-US/community

@kstrlworks What are "development numbers"?

MongoDB have a blog out about #MongoBleed

Notably:

- Internal find at MongoDB

- they notified customers of the issue and patch availability on December 23rd

- A security vendor published technical details on December 24th, Christmas Eve

- Somebody at Elastic, a direct competitor, published an exploit with full secret extraction feature on December 25th, Christmas Day

That was an impossible situation for orgs - the security industry poured fire on them and set their own customers on fire.

Happy 0 January 2026 to all you nerds.

The US Treasury has lifted sanctions on three executives tied to spyware maker Intellexa, reversing a designation imposed by the Biden administration in 2024 (Suzanne Smalley/The Record)

https://therecord.media/treasury-sanctions-intellexa-removed
http://www.techmeme.com/251230/p18#a251230p18

BTW, glitching the early UART boot path that is fuse protected gives you access to very early nvidia-only key material that is locked down pretty early during the normal boot path. Every single other key on the TX2 is either derived from the FEK1 or FEK2 depending on a fuse bit. Default seems to be FEK2.

SHA1(FEK1) = 9d00fe0637b15de7b417c740a6210d19932c7eb4
SHA1(FEK2) = 0e0fdef7a31d32aaf0fee77679e065652daecb44

I initially did all this to reverse engineer the Denver microcode, however I never could make sense of the instruction set encoding. If anyone wants to tackle this, I can decrypt both microcode stages - seemingly a loader and the final JIT and I more or less completely reverse engineered MB1 that loads the Denver microcode.

/cc @elise

https://media.ccc.de/v/39c3-making-the-magic-leap-past-nvidia-s-secure-bootchain-and-breaking-some-tesla-autopilots-along-the-way

If you're interested in obscure details of the microcode in the Intel 8087 floating-point chip, I have a new blog post...
https://www.righto.com/2025/12/8087-microcode-conditions.html