“Move fast and break kings.” I love @pluralistic and his rallying cry: https://pluralistic.net/2026/01/01/39c3/

Bonne année 2026 à tout le monde !

N'oubliez pas que l'appel à soumission est en ligne et que la date limite pour envoyer vos articles est le 18 janvier.

https://www.sstic.org/2026/cfp/

#sstic #sstic2026

@hanno As another datapoint, MOTW bypasses worth CVE's at MS (e.g. CVE-2025-24061). It's not the same ofc. as an automatic control is bypassed in such cases, but at the same time users could choose to bypass the control after a warning (which the CVE also bypasses).

@murb @bert_hubert @signalapp Great, that can be a checkbox then! I'm also sure that support/M.W. didn't have to deal with as many angry Europeans if the us-east-1 only affected users over the pond :)

@filippo @freddy @hanno I'll save this thread under "even your vendor doesn't approve CVSS" for future reference

@embedding_shapes @rickoooooo nix-shell works though, leaving you with tasks that are too complex for that but don't justify a container. Now I'm sure that can be a deal-breaker too, but it's worth keeping in mind that there is room for ad-hoc tasks.

@rislandr I had an account, forgot the pw, couldn't reregister the last time I tried...

@hanno I'm bringing this up exactly because when CVSS will be assigned it will either show 0.0 or some really weird non-sense. The former would be likely a better, but still misleading scenario,. My bet is on MITRE publishing some non-sense though.

@hanno Not saying it's not a vulnerability but I think you won't be able to score this with CVSS that would make CVE registration weird.

Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)

@bert_hubert @signalapp This is exactly why I think sharing some actual unmet requirements would be a good idea.

(FTR I was told they also used GCP as a fallback which apparently didn't work too well)

Thinking back to last year I remembered the us-east-1 outage, how it affected Signal and how some of the users freaked out that they have to rely on US hyperscalers.

Wouldn't it be useful if @signalapp (and maybe similar providers) published their infra requirements with little crosses and ticks, so alternative providers could aim for "good enough for Signal" service levels?

Related articles by @bert_hubert :

https://berthub.eu/articles/posts/the-european-cloud-ladder/

[RSS] Reverse Engineering the Miele Diagnostic Interface

https://medusalix.github.io/posts/miele-interface/

[RSS] Understanding and mitigating a stack overflow in [Raymond Chen's custom] task sequencer

https://devblogs.microsoft.com/oldnewthing/20251231-00/?p=111950

C++ coroutine debugging

[RSS] Detect Go's silent arithmetic bugs with go-panikint

https://blog.trailofbits.com/2025/12/31/detect-gos-silent-arithmetic-bugs-with-go-panikint/

TyphoonCon 2026 Early Bird tickets now on sale!

Dive into exploits, reverse engineering and cutting-edge insights in offensive security. May 28-29 in Seoul, South Korea

🎟️ Limited tickets available: https://www.eventbrite.com/e/typhooncon-2026-tickets-1968561639857

The Normalization of Deviance in AI

https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/

@kstrlworks Thanks for the detailed answer, this makes sense! (also it turns out I can't read, but you got the point)

The next days #39c3 https://media.ccc.de thx ukeer

Question to people more knowledgeable about #BSD systems (primarily #FreeBSD, but the more answers the merrier)!

On Linux, I can use ipset (or nftables sets) to create a set of IP addresses I can match against with one rule. Like:

# ipset create test-set iphash
# iptables -I INPUT -m set --match-set test-set src -j DROP

This would drop any and all source addresses that I add to test-set in the future, without having to update INPUT. It also does some magic hashing thing to make all this efficient.

The reason I want this is because I'll be adding a lot of unique IPs to this set (about half a million, if not more). When adding them directly to iptables, the Linux kernel was very unhappy about that. But with a set? Worked like a charm.

Can pf or any other packet filter tool on the BSDs do something similar? Allow me to block a very large number of unique IPs?

Blocking ASNs or ranges is not feasible, I need to block unique IPs.

Bonus points if it can automatically expire entries that were added or updated N seconds ago.

Boosts appreciated.