My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D

RE: https://infosec.exchange/@briankrebs/115962508398912420

This might actually be the point where I just refuse to go.

Not getting an Apple/Google-sanctioned phone with SafetyNet in order to enter a country.

[RSS] Bypassing Windows Administrator Protection

https://projectzero.google/2026/26/windows-administrator-protection.html

[RSS] More Scope Injection for Fun and Profit (or, why those security updates broke your functions) [ColdFusion]

https://www.hoyahaxa.com/2026/01/more-scope-injection-for-fun-and-profit.html

[RSS] Districton 1 Slides - Control the Variables and You Control the Code: Language-Level Vulnerabilities in Adobe ColdFusion

https://www.hoyahaxa.com/2026/01/districton-1-slides-control-variables.html

[RSS] After reporting vulnerabilities found in MDT, Microsoft chose to retire the service rather than fix the issues... Admins should follow the defensive recommendations to mitigate the issues if they choose to continue using the software or can't migrate to a different solution.

https://specterops.io/blog/2026/01/21/task-failed-successfully-microsofts-immediate-retirement-of-mdt/

Sign-up and first information are now live!
Save the date and start working on your productions!
https://2026.revision-party.net/

🆕 The URL Pattern API is Newly Available!

Use it to match and extract parts of URLs, no need to reinvent routing logic. Supports literals, wildcards, named groups, and even regex constraints.

Learn how it works 👇
https://developer.mozilla.org/en-US/docs/Web/API/URL_Pattern_API

it sounds like the Log4J bug-bounty might soon close as well: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/comment-page-1/#comment-27393

Meta drops appeal against court ruling requiring non-algorithmic social media timelines https://nltimes.nl/2026/01/26/meta-drops-appeal-court-ruling-requiring-non-algorithmic-social-media-timelines

Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba’s Physical Access Control System https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/

The end of the #curl bug-bounty

https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/

Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often *easier* to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)

The presumption that free software is sufficient or necessary to ensure all software you depend on is trustworthy is simultaneously naive and ignorant of what software is capable of. The only realistic way to develop trust in software is to trust the people who write it, and development processes associated with free software make that trust easier.

The other day it was cows using tools, today its penguins using satellite imagery.

@csepp I recently got reminded of that guy who wrote a web server in bash and was like "OK, basically bash was invented for text processing"...then had to write a script and realized that whitespace just messes up everything so yeah, that guy's a legend

https://www.youtube.com/watch?v=L967hYylZuc

Oh! just learned that Kathleen Kennedy stepped down \o/ I still won't ever pay for a SW movie again though.

When playing chess against the computer I always feel like Wookie

Microsoft is investigating reports that some Windows 11 devices are failing to boot with "UNMOUNTABLE_BOOT_VOLUME" errors after installing the January 2026 Patch Tuesday security updates.

https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-windows-11-boot-failures-after-january-updates/

@halfbyte I'm with you and while I also believe deep in their hearts enterprise IT teams do want "robust and reliable" providers, I also have good reason to believe that C-level incentive to "avoid onboarding another provider with procurement and whatnot" is much stronger.

If you can't provide *everything* you will eventually be replaced with someone who does.