From the same author as BlueHammer we now have RedSun.

This works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled. Any system that has cldapi.dll should be affected.

Join us tomorrow, April 17th @ 4pm ET, for some live pwn! We'll be using Binary Ninja's shell coding compiler, patching binaries to make them easier to debug, analyzing data moving from globals to the stack to the heap, and finishing by popping shells live with pwntools: https://youtube.com/live/VcK4SoeYZiU

RE: https://hachyderm.io/@Mara/115373191721487331

Half a year later, I'm *very* excited to report that we got initial funding and have hired our first Rust maintainers!

RustNL's Rust Maintainers Team now has two full time maintainers, one intern, and five part-time maintainers, now stably employed to continue their invaluable maintenance work that is crucial for Rust’s long-term sustainability.

https://rustnl.org/maintainers/

Apparently we reached the state of #Thoughtcrime punishment, it's called #precrime and on virustotal. Microsoft and Sophos just "blocked" (aka content filter says it's porn... whuat?) a friend's website because the #AI was suspicious of his AI website probably because on #Virustotal PreCrime is flagging it as will-be-malicious-in-the-future.

I want my Internet back.

Average number of hours between #curl security reports

Material for a pending presentation

AI Use Appears to Have a “Boiling Frog” Effect on Human Cognition, New Study Warns

"In a new study, researchers claim to provide the first causal evidence that leaning on AI to assist with “reasoning-intensive” cognitive labor — mental tasks ranging from writing to studying to coding to simply brainstorming new ideas — can rapidly impair users’ intellectual ability and willingness to persist despite difficulty."

https://futurism.com/artificial-intelligence/ai-boiling-frog-human-cognition-study

#tech #AI #ArtificialIntelligence #LLM #LLMs #FuckAI

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----

I wrote up in the TLS mailing list why I think composite signatures (ML-DSA + ECDSA/RSA) are a net negative, will hurt the ecosystem, and should not be implemented.

Hybrid key exchange was simple and self-contained. Hybrid signatures would be a mountain of complexity in code responsible for half of sev:crit in crypto libraries since 2020.

https://mailarchive.ietf.org/arch/msg/tls/oh3jmmkHzHdp1hk4R4M9QjkmvBk/

watt-hours per password

Our C/C++ code review challenge closes April 17.

The new Testing Handbook chapter covers memory safety, integer errors, type confusion, kernel modules, Windows usermode, and seccomp sandbox escapes through manual code review.

Analyze the vulnerable programs, explain how to exploit them, and submit a writeup. First 10 correct entries win swag.

https://trailofbits.com/c-whats-wrong-challenge/

The Salt Typhoon hack ended the debate on safe lawful access. State-sponsored attackers didn't just breach networks; they explicitly targeted mandated wiretap systems. Backdoors don't just weaken security; they become the ultimate prize for advanced adversaries. 1/2

Thank you for being a valued Streaming Service+ subscriber. Your monthly plan is increasing from $9.99 to $24.99. This price adjustment reflects our continued investment in canceling your favourite shows after one season, removing titles from the library without warning, and building a worse user interface. Note: Your tier now includes ads. To remove them, upgrade to our new Ultra Premium Platinum plan ($39.99/mo). Btw your password can no longer be shared with the people you live with.

Thank you to the company that owns the drivers license embedded into my cybernetic companion animal for emailing me on an address I haven't used since she was born to remind me that access to her identity chip has been sold to an insurance company and any desperate attempts to recover her will now be accompanied by informative articles

CRITICAL: if you are running Mosaic 2.4 on a VAX/VMS system, please be aware of this RCE that GPT-5.4 just found and exploited!

This might be my favourite weird car yet.
The Puli (also called the Puli Pinguin) was a microcar made in Hungary between 1986–1998. The more powerful electric version maxxed out at 7.4 kW (9.9 HP). Hold onto your hats!
https://en.wikipedia.org/wiki/Puli_(car)
#WeirdCarMastodon

The full TyphoonCon 2026 conference agenda is now live:
https://typhooncon.com/full-2026-agenda-sessions

Join us May 28-29 in Seoul for a highly curated program focused on advanced offensive security. From vulnerability research to real-world exploitation.

🎟️ Tickets are going fast - secure your spot now

OTD 1989: #SunMicrosystems announces the SPARCstation 1, aka Sun 4/60, aka "Campus".
Also first use of SBus.

https://theretroweb.com/motherboards/s/sun-sparcstation-1

The AI slop security reporting is basically extinct. It almost does not happen anymore. At all.

"I am submitting this via direct email as I am currently unable to use the HackerOne platform due to account restrictions for new reporters."

In case someone was wondering what happens when we try to make it harder for new accounts to submit new reports.