
The AI slop in security reports has developed slightly over time. Less mind-numbingly stupid reports now, but instead almost *everyone* writes their reports with AI so they still get overly long and complicated to plow through. And every follow-up question is another minor essay discussing pros and cons with bullet points and references to multiple specifications.

Exhausting nonetheless.


joernchen :cute_dumpster_fire:

For the Berlin peeps:

I’ll be playing some tunes tonight together with the amazing poco1oco, don’t miss out https://www.eschschloraque.de/vinyltrottel-02012026

[RSS] The Story of a Perfect Exploit Chain: Six Bugs That Looked Harmless Until They Became Pre-Auth RCE in a Security Appliance

https://mehmetince.net/the-story-of-a-perfect-exploit-chain-six-bugs-that-looked-harmless-until-they-became-pre-auth-rce-in-a-security-appliance/

Project Zero Bot

New Project Zero issue:

Samsung: libimagecodec.quram.so buffer overflow in WINKJ_YcbcrWriteOutput1to1_YUV422_H1V2_toRGBA8888 during JPEG decoding

https://project-zero.issues.chromium.org/issues/450884207

CVE-2025-58480

California residents now have a real tool against the data broker industry.

The state has launched DROP, a single portal to demand deletion of your personal data from 500+ registered data brokers in one request, for free.

To start: https://consumer.drop.privacy.ca.gov/


1/2


“Move fast and break kings.” I love @pluralistic and his rallying cry: https://pluralistic.net/2026/01/01/39c3/


Happy New Year 2026 to everyone!

Don't forget that the call for submissions is online and that the deadline for sending your papers is January 18.

https://www.sstic.org/2026/cfp/


Now those gpg.fail people made me find similar vulns elsewhere (console control character injection). By "elsewhere" I mean... my own code.
Opinions wanted: should "input can inject console output with ansi and control chars" always be considered a vuln/CVE?
(I'll fix it in any case, I'm just wondering if I should do all the "security release/advisory/request CVE/..." stuff.)

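The class of bug the post is talking about, as an added example that is not part of the original post or its author's code: a detection check and an output-side sanitiser for untrusted strings that will reach a terminal. Function names and the sample strings are constructed for illustration; the treatment of bidi override characters is a deliberate extra beyond plain console controls.

```python
"""Neutralise terminal control characters in untrusted input before it is
printed. Added example, not code from the original post; the function names
and the sample strings below are constructed for illustration."""

# Bidirectional-override and isolate characters (U+202A-202E, U+2066-2069)
# are not terminal controls but can reorder displayed text; they are treated
# like controls here as a deliberate extra.
_BIDI = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def _is_terminal_control(cp: int) -> bool:
    """True for C0 controls, DEL and C1 controls: the ranges a terminal
    interprets rather than displays (ESC 0x1b and the C1 CSI byte 0x9b both
    start escape sequences, so filtering ESC alone is not enough)."""
    return cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F


def has_terminal_controls(text: str, keep: str = "\n\t") -> bool:
    """Detection side: does the string contain anything a terminal would act
    on instead of show? Useful for deciding whether an input path is exposed."""
    return any(
        (ch not in keep and _is_terminal_control(ord(ch))) or ord(ch) in _BIDI
        for ch in text
    )


def sanitize_for_terminal(text: str, keep: str = "\n\t") -> str:
    """Output side: replace each control character with a visible escape
    (\\xNN for C0/DEL/C1, \\uNNNN for bidi controls) so the terminal displays
    the injection attempt instead of executing it. Characters listed in
    `keep` (newline and tab by default) pass through unchanged."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in keep:
            out.append(ch)
        elif _is_terminal_control(cp):
            out.append(f"\\x{cp:02x}")
        elif cp in _BIDI:
            out.append(f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples: a "filename" that clears the screen and prints a
    # fake prompt, an OSC 8 hyperlink whose visible text lies about the target,
    # a bare C1 CSI byte that slips past ESC-only filters, and benign text.
    samples = [
        "report.txt\x1b[2J\x1b[H$ sudo apt update",
        "\x1b]8;;https://evil.example\x1b\\https://safe.example\x1b]8;;\x1b\\",
        "\x9b31mWARNING\x9b0m",
        "plain text, newline\nand tab\tallowed",
    ]
    for s in samples:
        print(f"{has_terminal_controls(s)!s:5} {sanitize_for_terminal(s)}")
```

Whether to keep newline and tab depends on the sink: for a single-line field (a username, a filename in a listing) pass `keep=""` so a newline cannot forge a second log line, and leave the default only where multi-line output is expected.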
Thinking back to last year I remembered the us-east-1 outage, how it affected Signal and how some of the users freaked out that they have to rely on US hyperscalers.

Wouldn't it be useful if @signalapp (and maybe similar providers) published their infra requirements with little crosses and ticks, so alternative providers could aim for "good enough for Signal" service levels?

Related articles by @bert_hubert :

https://berthub.eu/articles/posts/the-european-cloud-ladder/
[RSS] Reverse Engineering the Miele Diagnostic Interface

https://medusalix.github.io/posts/miele-interface/
[RSS] Understanding and mitigating a stack overflow in [Raymond Chen's custom] task sequencer

https://devblogs.microsoft.com/oldnewthing/20251231-00/?p=111950

C++ coroutine debugging

TyphoonCon 2026 Early Bird tickets now on sale!

Dive into exploits, reverse engineering and cutting-edge insights in offensive security. May 28-29 in Seoul, South Korea

🎟️ Limited tickets available: https://www.eventbrite.com/e/typhooncon-2026-tickets-1968561639857


Question to people more knowledgeable about #BSD systems (primarily #FreeBSD, but the more answers the merrier)!

On Linux, I can use ipset (or nftables sets) to create a set of IP addresses I can match against with one rule. Like:

# ipset create test-set iphash
# iptables -I INPUT -m set --match-set test-set src -j DROP

This would drop any and all source addresses that I add to test-set in the future, without having to update INPUT. It also does some magic hashing thing to make all this efficient.

The reason I want this is because I'll be adding a lot of unique IPs to this set (about half a million, if not more). When adding them directly to iptables, the Linux kernel was very unhappy about that. But with a set? Worked like a charm.

Can pf or any other packet filter tool on the BSDs do something similar? Allow me to block a very large number of unique IPs?

Blocking ASNs or ranges is not feasible, I need to block unique IPs.

Bonus points if it can automatically expire entries that were added or updated N seconds ago.

Boosts appreciated.

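The pf equivalent of the ipset-backed DROP rule above, as an added example that is not part of the original post: a pf.conf fragment for FreeBSD using a table, with the runtime pfctl(8) table commands in comments. The table name, the interface name `em0`, the file path and the entry limit are assumptions.

```pf
# Added example, not from the original post: ipset-style blocking with a
# pf table on FreeBSD. Table name, interface, file path and limit are assumed.

# pf tables are capped by the "table-entries" limit, which defaults to
# 200000 (pf.conf(5)); half a million unique IPs needs it raised before
# the table will load.
set limit table-entries 2000000

# "persist" keeps the table alive even when no rule references it (so it can
# be emptied without vanishing); "counters" keeps per-address hit counters.
# The file holds one address or CIDR per line and is loaded with the ruleset.
table <blocklist> persist counters file "/etc/pf/blocklist.txt"

# One rule matches the whole table. pf stores tables in a radix tree, so
# lookup cost does not scale with the number of entries the way a ruleset of
# 500k individual block rules would.
block in quick on em0 from <blocklist> to any

# Runtime management without reloading the ruleset (the "ipset add" part):
#   pfctl -t blocklist -T add 203.0.113.7 198.51.100.0/24
#   pfctl -t blocklist -T delete 203.0.113.7
#   pfctl -t blocklist -T replace -f /etc/pf/blocklist.txt   # bulk load
#   pfctl -t blocklist -T test 203.0.113.7                   # would it match?
#   pfctl -t blocklist -T show | wc -l
#
# Expiry: pf has no per-entry TTL. "expire N" deletes entries whose
# statistics were last cleared more than N seconds ago (for entries never
# cleared, N counts from when they were added), so a periodic cron job gives
# the "expire after N seconds" behaviour:
#   pfctl -t blocklist -T expire 3600
# Re-adding an address that is already present does not restart its clock;
# clearing its statistics ("pfctl -t blocklist -T zero", with an address
# argument where your pfctl supports it) does.
```

Check `pfctl -s memory` after loading: if the table-entries limit is too low the table loads only up to the limit, and `pfctl -t blocklist -T show | wc -l` will be short of the file's line count.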

I recently bought something from poshmark.com, for the first time. While I haven't heard of them before, I figure with credit card protections as they are in the US, there's really no harm with giving it a shot.

Within about 30 minutes of placing my order, I got a not-very-good phishing email from purchase-orders@loyverse[.]com, claiming to be "Poshmark".
The first time in my life that I've received a phish from somebody claiming to be Poshmark.

My wonders at this point:

  • Is Poshmark currently breached?
  • Is Poshmark unknowingly leaking the email addresses of people who purchase through their site?
  • Is Poshmark knowingly leaking the email addresses of people who purchase through their site? Sub-wonder: If true, is this publicly known?
  • Is the person whose Poshmark listing I purchased from either compromised or malicious?

🤔


MDN is more than just a resource. It's a community of developers, contributors, and learners passionate about web development.

Contribute to,
📚 MDN documentation
🤝 Help other devs
💟 Localize content
📝 Review or write on MDN

Start now 👇
https://developer.mozilla.org/en-US/community


Happy 0 January 2026 to all you nerds.


The US Treasury has lifted sanctions on three executives tied to spyware maker Intellexa, reversing a designation imposed by the Biden administration in 2024 (Suzanne Smalley/The Record)

https://therecord.media/treasury-sanctions-intellexa-removed
http://www.techmeme.com/251230/p18#a251230p18
