"I'm interested in all kinds of astronomy."

Project Zero Bot

New Project Zero issue:

libheif: Heap-based Buffer Overflow in Uncompressed Image Tiled Decoding

https://project-zero.issues.chromium.org/issues/507396184

CVE-2026-47178

joernchen :cute_dumpster_fire:

So many calcs so little time.


Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

OMG. Apparently tons of people have been generating secrets on an old server-side key generation website that had incredibly weak entropy. Like, 10 bits or something.

The website was allkeysgenerator[.]com. Here is a dump of 1000 keys generated on it. Searching for the URL finds hundreds of people recommending it for key generation.

Some of these snippets have hundreds of GitHub results.

The exact algorithm is unknown, but (see below) it generates extremely predictable strings; you can visually see how the delta from character to character is almost constant. Thanks @dramforever for doing some analysis here. Their script here can generate the vast majority of sequences from this website.

Update: This script generates the entire list from a single seed, and large chunks of another.

I'm certain you can break into production websites using these keys for cookie signing etc.

@Viss This sounds like KaiOS with extra marketing
@cR0w which appliance was it this time?

Oh cool, the Firefox Roadmap is public and includes some experimental & upcoming features that people can play with RIGHT NOW.

https://www.firefox.com/en-US/whatsnext/

If energy efficiency was as much of a concern in the '50s as it is today we'd still be using vacuum tubes.

"Just one more gigawatt bro!"

We're excited to share that Firefox now uses zlib-rs for gzip (de)compression. This has both performance and safety advantages, but it took a while to get zlib-rs into production. Read why in Folkert's blog: https://trifectatech.org/blog/zlib-rs-in-firefox/

Thanks to @glandium, @gabrielesvelto, Bobby Holley, @nlnet, @sovtechfund, Chainguard, Astral / @charliermarsh, @mozilla, @ProssimoISRG


It's not too late to sign up...

We're hosting a free virtual workshop/webinar on idalib — IDA as a library. Call IDA's analysis engine directly from your own code, automate workflows without launching the GUI, and integrate IDA into any toolchain you're already running.

👉 https://2dgu4h.share-eu1.hsforms.com/2D4ZYPjdCRFODEGRKtMILwQ

#music #punk
I think Fedi comrades will appreciate this one :)

https://www.youtube.com/watch?v=7j-oXu98_os
[RSS] I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.

https://bobdahacker.com/blog/fifa-hack

well this is the scariest thing my work computer has ever done. I didn’t even know it was structurally possible for popup windows to appear over the Windows Update screen

Imagine going to the hospital to see a doctor. You wait for hours, then the doctor's shift is over so they tell you that you are healthy and should go home.

This is what autoclosing issues feels like.

Today I learned that glibc has a broken %s implementation in strftime. It applies the timezone even when we want UTC...

https://github.com/curl/curl/issues/22038


bert hubert 🇺🇦🇪🇺🇺🇦

I spend a lot of time discussing digital autonomy over at think tanks & other civil society places. I think we're going round in circles & need to look further ahead into more practical things to make any progress: https://berthub.eu/articles/posts/eu-civil-society-need-progress-digital-autonomy/


I can't believe that we live in a timeline where the thing people go most apeshit for in the world is a repository that literally consists of 77 lines of markdown that literally just say "don't write code that is pointless to write" in 6 bullet points

@G33KatWork Maybe, but what is that array of pixels supposed to visually represent?

Edit: Maybe it's a wallpaper resized and compressed into oblivion??

Okay, could someone explain something to me please?

Why did ANYONE ever think “guardrails” would work?

We all know that blocklisting is suboptimal because you can’t possibly enumerate all the badness (see also: antivirus). And anyone who has had to write a statement of work that includes application security requirements knows how impossible THAT is without adding a whole textbook as an appendix. (Or just writing “Don’t do stupid shit with the code,” which covers it pretty broadly.)

Don’t do that. Or that. Or that, either. And not like that. Oh, we didn’t know you could do that! Don’t do that.

Seriously, why??
