Posts: 3358 | Following: 711 | Followers: 1579

"I'm interested in all kinds of astronomy."

I sat through way too many #pentest interviews where the candidates had no clue about the fundamentals of web security, like the Same-Origin Policy.

If you want to make a career of finding flaws in (web)apps, do yourself a favor and read @b0rk's HTTP zine:

https://wizardzines.com/comics/same-origin-policy/

While waiting for the upcoming release of 9.3 by @HexRaysSA, I have made some updates and bug fixes to my idalib-based headless IDA rhabdomancer, haruspex, and augur.

Check out the changelogs for all the details and enjoy!

https://hnsecurity.it/blog/streamlining-vulnerability-research-with-the-idalib-rust-bindings-for-ida-9-2/

@xabd Could you ELI5 how this sw (or LinkTree) is different from a HTML(+CSS) page with links on it?

@glyph I wrote about it maybe 6 years ago but I'm thinking of revisiting it

the 6-years-ago comics:

- the same origin policy: https://wizardzines.com/comics/same-origin-policy/
- why we have the same origin policy: https://wizardzines.com/comics/why-same-origin-matters/
- cors: https://wizardzines.com/comics/cors/

@algernon I'm recommending this because of the "how to make using it easy" part. The repos I linked are just examples, the APIs defined by these libraries are the gist.
TIL: in #Proxmox when you *move* a disk, the original one doesn't get deleted but remains attached to the VM as "unused". Space only gets freed up in the original storage when you remove it from the VM.

#ProTip
It seems Windows can't even launch its terminal properly; this issue has been open for >5 years:

https://github.com/microsoft/terminal/issues/4750
@bagder People probably pay less attention than you think (this is a general rule of thumb of mine), they may still assume there is monetary reward even without H1. IMO you should give it some time.

4 February 1917 | A Polish Jewish dancer Franciszka Mann was born. She was most probably the woman who on 23 October 1943, inside the undressing room of gas chamber II at Auschwitz II-Birkenau, seized SS man Josef Schillinger’s pistol, shot him & wounded SS man Wilhelm Emmerich.
---

A podcast about this and other cases of resistance at Auschwitz: https://www.auschwitz.org/en/education/e-learning/podcast/different-cases-of-organized-resistance-at-auschwitz/


The guy and his AI found three uses of memcmp() in TLS code and insisted it was a "CRITICAL" side-channel security vulnerability.

A 2-second check of those three uses told us it was not real.

byebye George


Switching away from Hackerone is not a guarantee... Here we go.


Learning Rust made me a better programmer.

Not because I write Rust at work, but because Rust forced me to think about things I'd been ignoring, and I never realized this fact.


Also came across this today. Wasn't already in the ruleset, so I fixed that.

FreePBX Authenticated Command Injection - testconnection SSH functionality.

https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-Injection/

[RSS] Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)

https://blog.0patch.com/2026/02/micropatches-released-for-microsoft.html