Stop Saying "Responsible Disclosure"

https://www.da.vidbuchanan.co.uk/blog/responsible-disclosure.html

"Your work, no matter how brilliant, becomes valuable to others only in so far as you communicate it to them." -- Simon Peyton-Jones

[RSS] Microsoft spots zero-day use in spy campaign against Kurdish military in Iraq

https://therecord.media/microsoft-zero-day-spy-campaign

Have you ever wanted to stretch your poetry writing muscles in the direction of "bad"? How about "vogon"?!

Read about ZZ9 Plural Z Alpha's #TowelDay Vogon Poetry contest at https://zz9.org/news or just jump in and enter: https://zz9.org/contact

Win a ZZ9 membership today!

Yes, we're beating a dead horse. But that horse still runs in corporate networks - and quietly gives attackers the keys to the kingdom. We're publishing what’s long been exploitable. Time to talk about it. #DSM #Ivanti https://code-white.com/blog/ivanti-desktop-and-server-management/

I just realized that @ is a lower case anarchy symbol.

One of my co-founders went into a paid engagement yesterday and was noodling through a piece on how to prevent upstream teams from making changes to application database schemas that would break analytics pipelines.

They got the attention of the room and then said "one solution is a baseball bat".

There was a moment of uncomprehending silence and then they said "solve at the human layer".

[RSS] Open-source toolset of an Ivanti CSA attacker

https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker

[oss-security] Dropbear SSH 2025.88 fixes CVE-2025-47203

https://seclists.org/oss-sec/2025/q2/116

"Don't allow dbclient hostname arguments to be interpreted by the shell."

Sounds like fun on many embedded devices :) Original announcement:

https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html

[RSS] Dubious security vulnerability: A program does not run correctly if you run it the wrong way, redux

https://devblogs.microsoft.com/oldnewthing/20250512-00/?p=111174

Lulz...

"Impact: Muting the microphone during a FaceTime call may not result in audio being silenced"

@ https://support.apple.com/en-us/122404

CVE ID: CVE-2025-47729
Vendor: TeleMessage
Product: TM SGNL
Date Added: 2025-05-12
Vulnerability: TeleMessage TM SGNL Hidden Functionality Vulnerability
Notes: Apply mitigations per vendor instructions. Absent mitigating instructions from the vendor, discontinue use of the product. ; https://nvd.nist.gov/vuln/detail/CVE-2025-47729
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-47729

The ICAO Council has ruled that Russia is responsible for downing flight MH17, violating the Chicago Convention by using weapons against a civilian aircraft. 298 innocent lives were lost.

https://www.rijksoverheid.nl/ministeries/ministerie-van-buitenlandse-zaken/nieuws/2025/05/12/icao-raad-russische-federatie-verantwoordelijk-voor-neerhalen-van-vlucht-mh17

It's fruit update time.
https://support.apple.com/en-us/100100

This was a fun one :)

https://github.com/Binary-Gecko/ekoparty2024_challenge

There was a short period of time in history when people would unironically say "why are you asking me, go ahead and google it."
(See also: LMFGTFY)

And now we are going back to "for the love of god don't google it, ask an expert instead."

#AI #internet #DumbestTimeline

10 Burp extensions I actually use... BUT none of them are in the top 30 most popular in the BApp Store!

I get tired of seeing the same extensions come up in "top 10" lists. Here are some hidden gems you might not have tried... yet. In no particular order.

🧵👇

In this behind the scenes look at #Pwn2Own Berlin, Zed and Dustin have run into an interesting problem - no gear! https://youtube.com/shorts/Xj9Du8iuXCw?feature=share

We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

my bank, deutsche bank, is serving a *revoked* tls certificate on their website db.com.

the mind reels at this level of incompetence.

https://www.ssllabs.com/ssltest/analyze.html?d=db.com