Wrote down everything I wish I knew earlier about Python supply chain security. Hash pinning, pip-audit, SBOMs, trusted publishing — the whole thing. Enjoy 🐍🔒https://bernat.tech/posts/securing-python-supply-chain/

What we get upset about. Cartoon for Dutch newspaper Trouw: https://www.trouw.nl/cartoons/tjeerd-royaards~bcb45712/

#GasPrices #oil #OilPrices #Iran

@freddy successfully teaching this to a 8yo proves that you really get it ;)

"There are, of course, an infinity of variations to that single routine."

A new page of my comic Ekphrasis, which you can read for free at https://ekphrasiscomic.neocities.org/.

Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC)

https://seclists.org/oss-sec/2026/q1/300

#NoCVE yet?

[RSS] Archive of classic reverse engineering tutorials (Armadillo, ASProtect, Themida, SoftICE era)

https://github.com/Show0ne/archivo-syxe05-snat

[RSS] Reverse Engineering the undocumented ResetEngine.dll: A C++ tool to programmatically trigger a silent Windows Factory Reset (PBR) bypassing SystemSettings UI.

https://github.com/arielmendoza/Windows-factory-reset-tool

[RSS] I Hacked My Laundry Card. Here's What I Learned.

https://hanzilla.co/blog/laundry-card-hack/

[RSS] Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR

https://labs.infoguard.ch/posts/decrypting-and-abusing_paloalto-cortex-xdr_behavioral-rules_biocs/

[RSS] A Nerd's Life: Weeks of Firmware Teardown to Prove We Were Right

http://blog.quarkslab.com/nerd-life-weeks-firmware-teardown-we-were-right.html

'An old photo of a very large BBS' posted in 2022, and a writeup about it. https://rachelbythebay.com/w/2022/01/26/swcbbs/

#BBS

AFL++ v4.40c release - best performance ever - optimal hidden coverage instrumentation, FrameShift, LLVM 22 support, IJON fixes, a lot of minor and bigger enhancements! #fuzzer #fuzzing https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.40c

"in the default installation of Ubuntu Server 24.04.3 plus the Postfix mail server, we create a 'fail-open' situation in Sudo" wat :D

EDIT: See later in thread, it seems like the good news is at least that it's not having auto-merging on, which is where the security risk comes in. I still have other concerns.

Looks like they're also using Claude for PR review https://github.com/systemd/systemd/commit/9a70fdcb741fc62af82427696c05560f4d70e4de

Which probably means systemd is now the most attractive target in FOSS for an AI prompt injection attack to insert a backdoor

EDIT: It does seem that they don't have auto-merging of PRs from the review bot, which is an improvement over the situation (and mitigates the primary security risk, hopefully it stays that way), and AI contributions are asked to be disclosed. That said, it seems like the issue is closed, and they are firmly in the "we will accept AI contributions, as long as disclosed" camp.

Only answer if you have direct and personal experience please. Is there ANY way on IOS (NOT ON ANDROID) to get Signal to help you clean its massive storage? I've manually tried to delete some large things but it is not helping. It is using 11GB and I can't do a thing anymore. Help?

@zygoloid This hits surprisingly close to home as I try to create a compatibility layer for decompilers: since they work with partial information by definition they regularly introduce stuff that has a name but has no/0 length (the rest is an exercise for the user). Now how do you explain the *other* decompiler what that zero-length thing means? :)

Hello Mastodon!

Since this is my first post, I thought I'd share some incredibly niche C++ trivia / pedantry:

For an enum whose enumerators all have the value 0, C++ asks us to imagine a hypothetical integer type with minimal width that can represent 0 (https://eel.is/c++draft/dcl.enum#8.sentence-2). This means we must consider the case where the width is 0. For an unsigned integer type, this gives a range of representable values of [0, 0], and that's the type we pick. But before we can determine that that's minimal, we must also consider a signed integer type with a width of 0, for which we get a range of representable values of [-½, -½]! (https://eel.is/c++draft/basic.fundamental#1.sentence-5) Conveniently that range does not include 0, so we discover that we must use an unsigned integer type to determine the range of values of the enumeration. (We also rule out an unsigned integer type of negative width as that would have a range of values 0 to -½ (inclusive) or smaller, which I think we can reasonably conclude is an empty range despite the parenthetical.)

In any case: if you ever wondered whether a zero-bit signed integer type in C++ can represent only the value 0 or only the value -1, now you know: no, it can represent only the value -½. Truly a marvelous compromise.

Follow me for more brilliant insights like this one :)

Happy Patch Tuesday! The latest security patches from #Adobe and #Microsoft are here. Thankfully, no bugs are listed as being under attack, but there's still some interesting ones in the mix. Join @dustin_childs as he breaks down the March release. https://www.zerodayinitiative.com/blog/2026/3/10/the-march-2026-security-update-review

And don't miss our bug of the month! Each patch Tuesday we'll be selecting our very favorite patch to highlight. This month, it CVE-2026-26144 - a Critical-rated info disclosure in Excel that uses the Copilot Agent to exfiltrate data. Neat! https://youtube.com/shorts/r4EjP3JxYRk?feature=share

Announcing #Pwn2Own Berlin 2026! We've got 10 categories for targets, including an expanded #AI target list. We have 4 AI categories - including coding agents (looking at you #Claude). More than $1,000,000 in cash & prizes available. Read the details at https://www.zerodayinitiative.com/blog/2026/3/11/announcing-pwn2own-berlin-for-2026