You can absolutely have an RSS dependent website in 2026 https://matduggan.com/you-can-absolutely-have-an-rss-dependent-website-in-2026/
C and C++ run your OS, your browser, your database, and your critical infrastructure. They're also the easiest languages to get catastrophically wrong.
We wrote down everything a security auditor should check: language-level bug classes, stdlib pitfalls, Linux and Windows issues from usermode to kernel, seccomp sandbox escapes, and ptrace handler race conditions.
One checklist, hundreds of checks. https://appsec.guide/docs/languages/c-cpp/
The RCE I've found in LiteLLM (https://x41-dsec.de/lab/advisories/x41-2026-001-litellm/) is a nice example of how AI agents can speed up security research. The issue was found during a project with strict time constraints by me manually. So I had a Nemesis-backed AI agent do auto-triage and find a sandbox escape fully automated. After 20 minutes the job was done, including a fully working exploit.
Getting serious ADHD and building software nobody asked for.
checksec for Mach-O
https://github.com/ChiChou/macchk
⚠️ Warning: vibe coded
@da_667 just jailbroke my Paperwhite 3 last weekend. Was relatively simple. Great for older models with no Android running on it. Breathed new life into it.
i released an Atari 2600 demo with some friends at revision this year and managed to win 1st place in the oldskool demo compo! it's been in development for about a year now so was really cool to see it finally out :3
https://demozoo.org/productions/389801/
https://www.youtube.com/watch?v=aEJ0A8Wvdxs
Inherent flaws in node.js remain unpatched. Bobby Gould and Michael DePlante detail the problem and how the burden of security silently falls on app developers. https://www.zerodayinitiative.com/blog/2026/4/8/nodejs-trust-falls-dangerous-module-resolution-on-windows
RE: https://infosec.exchange/@NowSecure/116251163921885755
Last Wednesday I sat down at the #paulsecurityweekly podcast to talk about static analysis with @radareorg and mobile security. The video/audio is now online! https://www.scworld.com/podcast-segment/14644-hacking-ip-kvms-reversing-with-radare2-sergi-alvarez-psw-918
Another #Hungary and #Russia investigation by #VQuare
New from 404 Media: Microsoft has terminated an account associated with VeraCrypt, the popular and long-running piece of encryption software. This means can no longer receive updates on Windows, the developer told me. Little explanation given by Microsoft https://www.404media.co/microsoft-abruptly-terminates-veracrypt-account-halting-windows-updates/
It's definitely impressive, the LLMs' capabilities finding bugs (I was very interested in AIxCC), but let's be honest, bugs were never scarce. There is just a new toy able to scale things faster (although funny how the price is always hidden). So were fuzzers when AFL coverage was introduced. Will it plateau or not, that's the question. And will introduction of new bugs crash or not. Interesting times? Sure. End of times? Meh... Time will tell, as usual 🙂