... this other damn thing works, but is "dark mode" only, so I can't see shit :P

The only thing that worked today so far was a debugging sleep().

The year is 2026:
- My Windows VM can't handle more than 2 serial ports
- My hexeditor won't run without a GPU

PRESS RELEASE
Today, our engineering team announced a streamlined editorial workflow powered by the Unix tool sed, enabling instant, consistent replacement of the symbol & with the word “and” across all communications. This improvement strengthens clarity, supports accessibility, and ensures brand‑wide linguistic consistency. By integrating sed into our publishing pipeline, we reaffirm our commitment to precision, efficiency, and high‑quality content delivery.

While everyone was on Holiday we scanned a few thousand hosts for #BadHost (CVE-2026-48710): zero auth required and we found clinical trial databases, email mailboxes, MCP server for SSH industrial IoT via bastion servers, and live PII APIs wide open. The FastAPI/MCP ecosystem is sitting exposed - patch to Starlette 1.0.1 now and check your exposure at https://badhost.org

We paired time travel debugging with an #AI agent on a noisy 7B-instruction ARM64 Android trace.

In ~10 minutes, it traced the MTProto v2 decryption chain down to AES-IGE and correctly described the execution flow.

Full write-up 👇
https://www.eshard.com/blog/telegram-ttd-trace-analysis

You should be reading No One:

https://nooneshappy.com/article/the-ai-bubble/

/via @fugueish

Holy crap, clang in C++ mode is *evil*!

https://godbolt.org/z/hM7W1WPsE

gcc at least puts a `ud2` in there...

RE: https://mastodon.social/@MikeElgan/116628156172886406

Canon behavior from meta, tbh

current status

The epoll uaf

https://guysrd.github.io/epoll-uaf

"That one call fixed a uaf that had been reachable from any unprivileged process for a few years on any Linux / Android running a 6.6 and above kernel with the affected optimization."

Micropatches released for Windows Shell Link Processing Spoofing Vulnerability (CVE-2026-25185)
https://blog.0patch.com/2026/05/micropatches-released-for-windows-shell.html

@TarkabarkaHolgy just assume it is? :)

@TarkabarkaHolgy no kink shaming!

Fuzzing finds bugs in Rust code - reliably so. But async Rust has largely stayed out of reach with its complexity making it hard for fuzzers to explore meaningfully.

At Oxidize 2026, Morgan Hill (@pcwizz) walks through what it takes to actually fuzz async Rust: the naive approaches that don't work, and an involved technique that does - involving LibAFL, user mode QEMU, and a fair amount of head scratching.

🔗 https://oxidizeconf.com/sessions/awaiting_exploitation

#Oxidize2026 #RustLang #Fuzzing #SecurityResearch #AsyncRust

-Mythos found thousands of critical bugs
-Hackers breach Russia's SDA disinfo group
-GitHub rolls out new npm security feature
-Bulletproof hosting providers raided in the Netherlands
-Hackers breach two Vietnam agencies
-Anonymous Monero platform hacked for $2.7m
-StablR hacked for $2.8m
-Hacker returns Verus stolen funds
-China tracks visiting foreigners
-Data centers devour 2% of all electricity
-AI is killing package repos

Newsletter: https://news.risky.biz/risky-bulletin-mythos-found-thousands-of-critical-bugs/
Podcast: https://risky.biz/RBNEWS568/

hack.lu is celebrating its 20th edition!

There is still time to be part of this special anniversary edition: submit your talk, presentation, workshop, or even a short talk for the Call For Failures.

Twenty editions of sharing, learning and community deserve something memorable. Don’t miss the chance to contribute, this year will be special!

Call-for-Papers Submission Site https://pretalx.com/hack-lu-2026/

CfP Details https://2026.hack.lu/blog/hack.lu-2026-call-for-papers/

#hacklu #conference #luxembourg #cybersecurity #hackerconf #cfp #callforpapers #europe

@hack_lu @circl

Error: password must contain:

Three lower case letters for the Elven-kings under the sky,
Seven upper case letters for the Dwarf-lords in their halls of stone,
Nine digits for Mortal Men doomed to die,
One special character for the Dark Lord on his dark throne;
In the Land of Mordor where the Shadows lie.

One username to rule them all, one password to find them,
A second factor to bring them all, and in the darkness bind them;
In the Land of Mordor where the Shadows lie

It's #TowelDay. Have a good one and don't forget your #towel

‚Torvalds added, in the case of AI-discovered bugs, you need to keep in mind that just "because you found it with AI, 100 other people also found it with AI."‘

There is nothing secret about a bug found by a model. If the software is a target, you can be sure that the bad guys are running continously prompts against it. Without token restrictions.

As a maintainer, this is all hard to manage. But this is happening everywhere. It‘s not your job to save the world from stupidity, vanity and greed.

@wirepair I'll do my part!