RE: https://furry.engineer/@soatok/116082533052740652

ok the ghost vuln is quite funny. the WAF example really sounds like an array is involved there and it would have bet 20 bucks that its a type confusion (because despite it being 2026 its really easy to shoot yourself in the foot if your types get quirky)

but - spoilers - nope, its really just straight up string interpolation into raw sql like in the good ol days lmao. oh well, happens

nono - kernel-enforced capability sandbox for AI agents https://nono.sh

I’ve been working on this for a while, but let’s make it official: I started a little Tumblr-like microblog about software craft and quality!

You can sign up via RSS or a weekly newsletter digest. There’s already almost two months of content in there, if you just want to check it out.

Hope you like it!

https://unsung.aresluna.org/

Just got this link on my discord - https://www.kickstarter.com/projects/bitman/bootblock-rebels - passing it along because this book looks fun!

The past two months, I've been working on a little pet project, lovingly called OnlyJunk.Fans: hosted iocaine. For free. Because I could, and wanted to.

It's going to officially launch on the 17th of February, in just a few days. But I thought I'll blog about it before the launch, because I won't have time to do so later.

🚨 New advisory was just published!

Source code review of the Novarain/Tassos framework uncovered 3 critical primitives: unauthenticated file read, unauthenticated file deletion, and SQL injection enabling arbitrary DB reads, affecting 5 widely deployed Joomla! Extensions. Chained together, these bugs allow reliable RCE and administrator account takeover on unpatched Joomla! Instances: https://ssd-disclosure.com/joomla-novarain-tassos-framework-vulnerabilities/

❤️ Thank you to the #Archlinux Wiki maintainers! ❤️

#Maintainers in general, and maintainers of documentation most of the time get way too little recognition for their contributions to #SoftwareFreedom.

ArchWiki is one of the pearls of the internet! That's why I dedicated my this year's #ilovefs post to the #ArchWiki maintainers!

https://k7r.eu/i-love-the-work-of-the-archwiki-maintainers/

Ars Technica retracted an article about how AI is making the world worse because...
the Ars article itself contained AI-generated quotes in it.

https://arstechnica.com/staff/2026/02/editors-note-retraction-of-article-containing-fabricated-quotations/

Welp, we had a decent run, folks. But it's time to call it.

Not sure if it’s useful for anyone. 0 dependency parser for plist (xml only) in the browser

https://codecolor.ist/tinyplist/

r2web now has a built-in code editor 🤟, Edit radare2 scripts right in-browser, Fully mobile UI friendly as always.

#radare2

2026, the year of the AI-driven attacker that could do back flips, they said.

Meanwhile, there's a magic number that allows Auth Bypass against Ivanti EPM (CVE-2026-1603)

something about a pledge 🙄

Now that we have the infinite monkeys as software, could someone let them know that we don't need someone to write the complete works of Shakespeare again? We have libraries for that.

When I said that your discord clone doesn’t need e2ee, I got a lot of comments along the lines of “ then how would I use it to organize the revolution!” The answer is: you don’t. If you have more users than can comfortably share a Signal chat and hence want to use discord or something like it, you cannot POSSIBLY be vetting all of them to a high standard of trust. Your logs ARE leaking. End-to-end encryption between more people than can fit around a dinner table is pointless.

This article confirms what I already assumed, that “open source [information sense, not code sense] intelligence gathering on social media” includes, for the US government, asking for links to join groups that may *feel* private. My own discord has literally like a thousand idlers. It would be very *lucky* if none of them were logging for potentially nefarious purposes! And I remind the active users of this occasionally.

https://www.kenklippenstein.com/p/exclusive-ice-masks-up-in-more-ways

Had a case this week of a fairly secure deployment of BeyondTrust, but vulnerable to CVE-2026-1731. With basically zero egress, I implemented a timing oracle POC instead. Takes about 20 minutes to get the ls command output in this demo, but hey, it works! :D

Today is an excellent day to enjoy free, ad-free, non-stop #MTV #nostalgia

https://wantmymtv.vercel.app/

Capture XPC traffics and backtraces in Wireshark because why not

https://github.com/ChiChou/XpcScope/releases/tag/v1.0.0