Google Chrome is removing Hungarian CA NetLock from its trust store:

https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html

Stated reason: "a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports"

I've personally ran into revoked NetLock certs during the past months, the reason for revocation was unclear ("administrative").

NetLock was compromised previously as part of the Stuxnet/Duqu campaign:

https://theintercept.com/2014/11/12/stuxnet/

Hidden Bear: The GRU hackers of Russia’s most notorious kill squad

https://theins.press/en/inv/281731

I don't want to log in with a fucking Microsoft account.

I want to use my fucking serial port.

Data from the domain DNS shows that many European public services rely on proprietary cloud services: https://jurgen.gaeremyn.be/2025/03/08/european-critical-dependencies/

"Querying mail-servers teaches that in some countries, over 70% of all public services rely on this American provider."

Last week, #Microsoft allegedly decided to cancel MS365 services of Chinese universities with a notice of about one week: https://www.scmp.com/tech/tech-war/article/3305889/microsoft-abruptly-cuts-services-chinese-university-genomics-firm

1/2

#endof10 #Trump #EuroStack #DigitalSovereignty #EU_OS

Has anyone set up kernel debugging with a Windows 11 target with Proxmox (QEMU-KVM)?

This only works with Win10, Win11 doesn't boot for me:

https://forum.proxmox.com/threads/windbg-remote-kernel-debugging-and-proxmox-not-working.163625/

Serial would also be an option if I could make them recognized by guests:

https://forum.proxmox.com/threads/two-windows-guests-communicating-via-serial-console-comn.67588/

Beating the kCTF PoW with AVX512IFMA for $51k

https://anemato.de/blog/kctf-vdf

A casual player finds a memory corruption in Super Mario allowing arbitrary code execution and speedrunners exploit it *by hand* to warp to the credits screen.

https://www.youtube.com/watch?v=WdadpHLAfdA

#GameHacking is really something else!

npm is getting trusted publishing soon!

https://github.com/orgs/community/discussions/161015

helping build and design the original version of trusted publishing for PyPI is easily in the top 3 moments of my career so far -- it's really amazing to see it get adopted by RubyGems, Rust (in progress), and now the JS ecosystem.

Had to make a proper GIF of this

Every time I lock my bike to a wall loop I fear a topologist will appear and prove my bike is not attached to the loop, or in fact, not even locked

#cycling

Blasting Past iOS 18

https://blog.dfsec.com/ios/2025/05/30/blasting-past-ios-18/

(Corrected link)

Hot take: ISO standards do not meaningfully matter to me, because an extremely impoverished, unbanked person cannot freely access their contents from a smartphone or library computer.

Therefore, I go out of my way to avoid referring to them or relying on them in anyway.

Edge group policy ADMX is truly a masterpiece of bad-faith fuckery even by Microsoft standards: misleading, obfuscation, omission, outright lying.

Top 3 favorites so far:
1. Setting to disable the ChatGPT sidebar is called "Show Hubs Sidebar". Obviously, it is not under the "Generational AI" subfolder.
2. There are a number of "AI assistance" settings tucked under Settings > Languages in the UI. "Collaborate with Copilot" doesn't have a GPO item (forum answer from MS droid suggests that someone "forgot" it).
3. Three separate settings to prevent Edge from running in the background and "preloading" things, in three different folders.

It seems #IBMi ACS users keep strugling with Win11 hardenings:

https://www.ibm.com/support/pages/node/7180720?myns=swgother&mynp=OCSWG60&mync=A&cm_sp=swgother-_-OCSWG60-_-A

Here's my previous analysis of the problem:

https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/

[RSS] Achieving Persistent Client-Side Attacks with a Single WeChat Message

https://www.darknavy.org/blog/achieving_persistent_client_side_attacks_with_a_single_wechat_message/

[oss-security] CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default

https://www.openwall.com/lists/oss-security/2025/05/28/6

I wonder if the now restricted behavior is useful for #deserialization gadgets (I couldn't find references to declaredClass abuse, but haven't finished my coffee yet either...)?

[oss-security]

CVE-2025-46701: Apache Tomcat: Security constraint bypass for CGI scripts

https://www.openwall.com/lists/oss-security/2025/05/29/4

I think "GCI" is a typo in the message (CGIServlet.java is patched), although found the same typo elsewhere in the documentation...

Decomplexification - making #curl use simpler code

https://daniel.haxx.se/blog/2025/05/29/decomplexification/

The more mental energy you expend parsing a programming language's syntax, the less you have available for parsing a program's logic—or creating it yourself. This is why core fluency is so important; it frees up your own compute cycles for more important work.

It's also another reason why "vibe coding" is so toxic. It robs you of the opportunity to gain that fluency.