"I'm interested in all kinds of astronomy."

NINETY DAYS

NINETY INCIDENTS

NINETY PERCENT

YOU PAID FOR ALL FIVE NINES BUT YOU’LL ONLY NEED THE EDGE


I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. 🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts," often ex-military with minimal software engineering backgrounds, are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/


In 1967, IBM introduced the System/4 Pi line of aerospace computers, packing mainframe performance into a compact box. 4 Pi computers powered everything from military aircraft to the Space Shuttle to sonar systems on submarines. Thread...


I got 99 problems and they're all red balloons.

To celebrate the failure of Hungarian Railways (MÁV) to properly switch to DST, here's the famous list of

Falsehoods Programmers Believe About Time

https://gist.github.com/timvisee/fcda9bbdff88d45cc9061606b4b923ca

Watch electricity hit a fork in the road at half a billion frames per second

https://www.youtube.com/watch?v=2AXv49dDQJw

Alpha Phoenix blows my mind again!

[RSS] Soviet CDs And CD Players Existed, And They Were Strange

https://hackaday.com/2026/03/29/soviet-cds-and-cd-players-existed-and-they-were-strange/

"Predictably, they decided to implement a super-complex XML parser [...] It will also accept the same parameter via query string in a GET request, except in that case the base64-encoded XML document is additionally compressed."

#Citrix should do CTF challenges instead of security appliances, really.

https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/

The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread) - watchTowr Labs https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/


while we’re eating our best writing crayons and using finger paint to finish our latest research, we’ve decided to take this opportunity to share research from the archives with new followers 🙂

happy Friday… for now 🥹

https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/

(Yes this is not new don’t @ us)

[RSS] CVE-2025-14325: SpiderMonkey Type Confusion in Baseline JIT Inline Cache

https://qriousec.github.io/post/cve-2025-14325/

#music #acid
Fun set for #Saturday by one of my favorite Hungarian DJs

https://www.mixcloud.com/titusz-bicskei/

Cry and sob hysterically at every occasion, especially when confronted by government clerks.

"Insanity is doing the same thing over and over again and expecting different results"

Einstein obviously didn't have to work with LLMs

A hefty root cause analysis of Secure Firewall Management Center (FMC) RCE CVE-2026-20079 out now from our exploit dev team. The bug's a CVSS 10, but there are significant prerequisites for exploitation that limit real-world exploitability https://www.vulncheck.com/blog/cisco-fmc-auth-bypass-cve-2026-20079


AI, a few thoughts, observations about AI & security vulns.
My standard line about AI is "there's a lot I'm uncertain about". But let's be clear, there's a lot I don't like & I'm probably biased towards the "here's how spectacularly AI failed once again" news (of which there are plenty) or at least the "it's not as impressive as it may look".
Yet, I don't want to close my eyes if I see things that clearly don't fit my biases. And I know a thing or two about security vulnerabilities.🧵

Took me a while to discover the automatic tab arrangement/containerization feature of Sidebery - best thing since sliced bread!

https://addons.mozilla.org/en-US/firefox/addon/sidebery/

Right click on tab -> Configure site