High level diff of iOS 26.4 beta 1 vs. iOS 26.4 beta 2 🎉

https://github.com/blacktop/ipsw-diffs/blob/main/26_4_23E5207q__vs_26_4_23E5218e/README.md

It seems Cargo is the only software on Earth that hard fails if it can't find CRL info

NEW: There have been a seemingly endless series of critical flaws and cybersecurity incidents related to Ivanti's VPN appliances in the last few years.

Turns out there was a major one in 2021 that wasn't reported until now, according to Bloomberg.

https://techcrunch.com/2026/02/23/vpn-flaws-allowed-chinese-hackers-to-compromise-dozens-of-ivanti-customers-says-report/

You can’t make this shit up. And this company is supposed to be worth how much?! 😆

@Steampunk_Prof Yes i found that with SD cards. :)

The #NSA with the help of #philips #backdoored (again!) a european military messaging #device in the 80ies, a few years ago the fine people of the #cryptomuseum published everything they knew about it - including a #firmware dump:
https://www.cryptomuseum.com/crypto/philips/ua8295/

back then i #reverseEngineered this, and last week finally cleaned it up, and publish it today:

https://rad.ctrlc.hu/nodes/rad.ctrlc.hu/rad:z46AkAERuXAzqZcDRKvE7byRbkga1

also on the bad site: https://github.com/stef/UA-8295-NSA

update: it's a thread: 1/n

@pojntfx No doubt about that! I just think you revealed a very relatable human desire in the works here.

I think the reason why some people really like things like OpenClaw is just because of the fact that they seem ... liberating in a way. The idea of you being able to have your own interface, commands, and automations, all customised, open, running on your own systems ... it's like a dream. It's also simply _impossible_ using the current incentives in society (which will probably start abusing DRM APIs to prevent you from automating screen taps and stuff), and just so absurdly dangerous ...

@pojntfx Reminds me of us nerds installing Linux then spending weeks tweaking our WMs, shells and editor configs...

@UndeadLeech This is the most Linux post I've read in a long time!

You're doubting my humanity, but you're missing some key points. Here are some of the things I've seen:

• Attack ships firing off the shoulder of Orion. These aren't just battleships — they're spacecraft designed for warfare.
• C-beams glittering in the dark. Their location? Near the Tannhäuser Gate.
• Things you wouldn't believe. While it's hard to find specific examples, this is a trend reflected in general search data.

The bottom line: All those moments will be lost — like tears in rain.

Spammers run rampant against the archive, trying their best to post advertisements and tricky links outward to sketchy sites. They've been doing it for years, and there's mitigations I and others work to keep it contained and miminal. Recently, someone is trying to break out of containment and is posting literally thousands of items a day.

@mumblegrepper Just to be clear by "feedback" I meant "coverage feedback", reflecting on your post. You'll definitely need something to catch unexpected behavior and correlate it with your inputs but that's true for simple enumeration too.

100% agree on fuzzy definitions :)

Last call for TyphoonCon 2026 CFP🌪️
This is your final week to secure your spot at the best all-offensive security conference in Asia!
Submit now at: https://typhooncon.com/call-for-papers-2026/

@mumblegrepper *tucks sleeve* fine, let's do some taxonomy!

I don't think feedback is relevant, the first fuzzers didn't use that.

I see two techniques often mixed up with "classical" fuzzing:

1) Trying identifiers, e.g. IDOR, URL paths, subdomains, etc. My argument here is since our inputs never trigger "new control-flows" this is not fuzzing. (It's tricky how we define control-flow in this case, but I think you get the point).

2) Vuln scanning with magic strings. Now you are right to point out that magic strings are definitely part of fuzzing (e.g. 0, -1, INT_MAX), and this is where the lines get blurry. My current working definition here is that fuzzing starts somewhere when you are physically limited in trying all reasonable inputs (note that no real filesystem will require a trillion ../'s to detect a path traversal) and systematic algorithms (e.g. adding one more backslash) aren't effective, so you might as well start gambling.

WDYT?

@mumblegrepper Is it though? I remember that "pipe /dev/random to unix tools" paper as the original sin (which is random + open ended)?

Worst part is they may be technically right

[RSS] It rather involved being on the other side of the airtight hatchway: Tricking(?) a program into reading files

https://devblogs.microsoft.com/oldnewthing/20260216-00/?p=112065

Men's shirts: buttons on the right
Men's pants: buttons on the right
Women's pants: buttons on the right

Women's shirts: buttons on the left

buttons-on-the-left is the big endian of clothing

Have you ever wondered what it's like when security specialists and engineers work around the clock to fix a critical security bug in less than two days?

Watch LiveOverflow's documentary on pwn2own and how we fixed not only one but TWO security bugs.

https://www.youtube.com/watch?v=YQEq5s4SRxY