"I'm interested in all kinds of astronomy."
@synnfynn There's a quote along the lines of "doing mathematics is not about the joy of discovery but the relief from suffering"

New security advisory in our bug parade: Unauthenticated Remote Code in dormakaba evolo Service.

.NET Remoting is still a thing...

https://mogwailabs.de/en/advisories/mlsa-2026-001/


Our colleague @mal had another look at OpenOLAT and found a nice RCE (CVE-2026-28228 and CVE-2026-28228). If you're interested, details can be found on our blog https://secfault-security.com/blog/openolat-ssti.html


Did anyone get that alleged Vim RCE PoC working? macOS doesn't seem vulnerable, Ubuntu 22/24, Debian 13, the same... Advisory says <9.2.0272 but doesn't seem like it?

Smells like AI slop hype? Yeah, kinda because most distros don't seem to ship vim with +tabpanel feature. HYPEEEEEEEEEEEEEEEEE

@avuko Nah, "with a little bit of extra code, my lib could also do X" is definitely not 0-sum logic. It is true though that people find complexity compelling ("complexity sells better").

Also note that gaining understanding of lib capabilities/limitations/general design *is* valuable (but also can be a prohibiting barrier of entry for small projects).

@david_chisnall
@avuko @david_chisnall IMO part of the problem is that deep in their souls every dev wants to build frameworks that can do many things. You basically miss Quick Start guides that show you how to do $simple_thing. No one wrote that guide because they see value in $complex_things[] their project can do and probably even see $simple_thing distracting from the Real Purpose of the project.

Source: I also tend to write frameworks for everything.

Instead of using an LLM to write me some boilerplate and basic functionality, frontend etc, why isn’t there a library where I can find all of these?

You know, something structured and shared, again, like a library, for specific purposes, and specific languages, with educational hints from development pros on the best way to do things and maybe some constructive feedback and improvements from other people?

And why were we left to deal with stackexchange instead?

Could this have been, dare I say it: gatekeeping?

Underrated post

If someone comes to me today preaching about “post-quantum” security issues, I’ll remind them of the current state of security: the npm ecosystem gets abused daily, CI pipelines run left and right with full access to cloud services, so-called security devices like F5 and Ivanti are exposed (and compromised) to the internet, mailboxes get compromised just to change an IBAN in a PDF, and a simple phone call is still enough to get someone to hand over an MFA code.

But yes, by all means, let’s focus on post-quantum threats while handing AI tools SSH access like it’s a feature, not a confession.

I skim through a lot of articles daily and in this age of slop my signal/noise decisions are heavily influenced by whether the piece is being hosted on a custom domain (showing that the author cares enough to maintain one).
[RSS] Reverse Engineering Crazy Taxi, Part 2

https://wretched.computer/post/crazytaxi2

Tom Ptacek posted a great writeup titled "Vulnerability Research Is Cooked", covering the state of vulndev and its rapidly accelerating future:
https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/

"As of March 2026, Alphabet’s market cap is ~$2T while Lockheed Martin’s is ~$120B."

https://martinvol.pe/blog/2026/03/30/how-the-ai-bubble-bursts/
@wolf480pl Gov data can easily come from fake darkweb listings (sold as "threat intelligence"), aka. beware of circular references
@wolf480pl This report looks pure AI slop, but @thezdi does have a matching candidate listed (meaning ZDI accepted the submission as a valid vuln):

https://www.zerodayinitiative.com/advisories/upcoming/

Since that vuln was reported just 4 days ago, my educated guess is that 1) the reporter wasn't dumb enough to trash their ZDI bounty by posting details online 2) someone saw the candidate and generated a slop report about it without any technical ground.

Edit: the reporter also works for ZDI, so I highly doubt they started a darkweb sale...