[RSS] Advisory X41-2026-002: Request Host Header not Validated in Starlette

https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/

This can lead to auth bypass!

[RSS] Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security

https://www.netspi.com/blog/technical-blog/hardware-and-embedded-systems-penetration-testing/emulating-and-exploiting-uefi/

[RSS] Striga: Lifting x86 to LLVM IR with Python

https://secret.club/2026/05/21/striga.html

New from secret club!

@schrotthaufen Kids these days won't know how it is to move your friends 3rd floor apartment without an elevator, half-drunk on a narrow staircase. Sad!

@sassdawe You may enjoy https://adnauseam.io/

@schrotthaufen that must be a beast of a washing machine :D

@jonny @danluu These are unfathomably large numbers so to get a grip I looked up Shell's yearly profits (x*10^10 USD where 0<x<4), and with a wild estimate it'd take ~50 years for them to pay off this kind of money (while not investing in anything else)

@danluu part of the argument is that not just that it might not be profitable now, but that the amount of profitable that it would need to be to justify the amount of capital expenditure that has already been made and is promised is numerically impossible. JPMorgan estimated 1.2 trillion in AI debt back in december 2025, goldman sachs estimates another 500 billion in 2026. Where is the evidence that inference is profitable enough to pay off 1.7 trillion? If it was really profitable, all the publicly traded AI companies would be screaming this at the top of their quarterly reports.

A bunch of local companies had an incident when a datacenter fire triggered an extinguisher without proper nozzles installed and the shock wave of the gas killed a bunch of HDDs at once.

Now I wonder if I should move my speakers further away from my desktop machine...

https://soundcloud.com/djfernandamartins/tough-waves-36-rudosa

@sassdawe It's just a guess, but Yubico seems to have something similar to what I have in mind: https://www.yubico.com/works-with-yubikey/catalog/secure-disk-for-bitlocker/

@sassdawe Can't you use an external hw token that you could just touch when needed?

@Lee_Holmes https://www.youtube.com/watch?v=WCS8EgDzcHM

I just noticed a maybe lesser emphasized parental instinct: letting children do stuff very inefficiently.

Helping in the kitchen, driving a screw, planting a flower.

Because that's how we learn things and improve.

@hnsec Congrats! :)

RE: https://mastodon.social/@tdp_org/116614512704731546

It's probably over-attribution, but in the end politicians always first check what everyone else says! So I'll say it anyway: Republik journalism, the gift that keeps on giving.

https://www.republik.ch/2026/02/18/how-tenaciously-palantir-courted-switzerland [English]

https://www.republik.ch/2025/12/08/wie-hartnaeckig-palantir-die-schweiz-umwarb [German]

🎂 IDA Turns 35.
From DOS-era disassembler to one of the most widely used reverse engineering platforms in the world...

To celebrate, we’re launching:
• 35% off new licenses (see eligibility requirements)
• Limited-edition swag giveaway
• “35 Ways to Use IDA” as told by you
• Stories from the past and a few for the future

Read all about it here:
https://hex-rays.com/blog/ida-turns-35-lets-celebrate-together

For years, Rust binaries made reversing a nightmare. Modern decompilers only support C, lacking meaningful types, constructs, and language-specific functions. Led by @34r7hm4n, we're releasing our S&P work Oxidizer, the first deep Rust decompiler, built on angr!

Interested? 🧵👇

CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox https://voidsec.com/cve-2026-40369-browser-sandbox-escape/

github is like: "I see you're trying to look at a commit diff, how about skipping the files where the majority of the changes happened?"

@wdormann This must be another income source for Paper Street Soap Co's anarchist side-projects!