Almost 25 years ago, I wrote a blog post with the title ‘jumping ship slowly’ about leaving Windows (XP was awful, it was mind boggling to me that Vista managed to make people nostalgic for XP). My advice remains the same:

Don’t try switching OS first. The OS is the most easily replaceable bit in the stack. Switch applications first. Most ‘Linux’ apps are cross platform. They’ll run on Windows, and the few that don’t will run in WSL2. You can switch out apps one at a time, and take the time to get comfortable with the alternatives.

Once you’re comfortable not using any Windows-only apps, changing the OS but using all of the same applications is very easy to do. Changing OS and application stack at the same time is an enormous obstacle.

I believe this is also why a lot of corporate and government Linux migrations fail: they try to change everything at the same time and that’s too steep a learning curve.

Wired: Meta Silently Added Face-Recognition Code for Its Smart Glasses to Millions of Phones

Code reviewed by WIRED uncovered an unreleased face-recognition system embedded in Meta’s smart glasses platform. It’s designed to identify people via biometric data stored on users’ phones.

https://www.wired.com/story/meta-smart-glasses-face-recognition-nametag-connections/

#privacy #cybersecurity #meta

Just released our (@ThinkstCanary) internal tool for managing supply-chain risk from compromised packages: https://blog.thinkst.com/2026/06/introducing-package-proxy-supply-chain-safety-checks-without-client-side-software.html

#pypi #npm #cargo #opensource

From prompt 😃to pwned 😢:
Implementing an LLM in your org? Useful.
Trusting its output? That's how a low-priv user became admin.

Ship the feature, don't extend it your trust.
https://blog.quarkslab.com/from-prompt-to-pwned-chaining-llm-and-web-bugs-to-admin.html

This was a fun Linux kernel bug (though it only existed on >=6.10 and requires access to network namespaces): https://project-zero.issues.chromium.org/496923375

One of those rare bugs where, if you pass a kernel address in the right place, with the right setup, the kernel will just read from that kernel address as if it was userspace memory, and give you the data that was read.

Somebody released a PoC for Firefox CVE-2026-8389, and it works.

The PoC doesn't include a sandbox escape, and claims that poc-win-sbx.html includes the escape. This file was not shared in the repo.

The python server on localhost seems unnecessary, as the exploit web server can surely serve up primer.js the first time that payload.js is requested, and the actual payload.js the second time. 🤔

absolute gem of a Wikipedia image description

New Project Zero issue:

Linux >=6.10: io_uring: kernel memory read via unchecked address in ITER_UBUF/ITER_IOVEC iov_iter combined with non-checking nocache/flushcache accessors

https://project-zero.issues.chromium.org/issues/496923375

CVE-2026-43073

To save you 34 minutes, researchers had previously found 72 days on which there were second-long jamming events of GPS in most of Europe (as described in https://radionavlab.ae.utexas.edu/wp-content/uploads/Clements-space-interference-iongnss25.pdf ) Later they were able to record such an event & could locate the source of the disruption to a Russian military satellite. https://www.youtube.com/watch?v=tz23G_UXCGA

ti84 game programming about to enter a new golden era
https://bird.makeup/users/coffeededo_o/statuses/2062166308809269495

Unauthenticated RCE as QSECOFR via #IBMi Management Central

https://blog.silentsignal.eu/2026/06/05/unauthenticated-rce-as-qsecofr-via-ibm-i-management-central/

#Java #Deserialization #0day #NoCVE

The idea of banning minors from using social media is at its heart an attempt to punish victims instead of going against the perpetrator. If minors are more easily victimized by the predatory practices of large tech corporations it's not their fault. The blame lies squarely on the corporations. They must stop using predatory practices. And that's doubly important because those practices hurt adults and minors alike.

proof per unit test

Holy moly, one of my cousins (8 weeks into undergraduate computer science) asked me for help on a university assignment. I was surprised because he's very switched on.

It's a group assignment and it was extremely obvious that every other student has logged into a parent's corporate LLM and written all the code via prompt with no understanding.

When I asked how they're getting away with it, he said that the lecturers have just given up on all policing. (University is RMIT in Melbourne.)

[RSS] System Over Model, Tested: Reproducing Mythos's FreeBSD Find on Local Open-Weight Models

https://clearbluejar.github.io/posts/system-over-model-tested-mythos-freebsd-local-openweight/

[RSS] Docker Internal (3)

https://u1f383.github.io/linux/2026/06/04/Docker-Internal-3.html

3rd part of the Docker security research series

[RSS] The futex READ_ONCE

https://guysrd.github.io/futex-read-once

Android kernel race condition analysis

I complained about hexeditors recently. Now I found TeeHee, and I think I'll stick with it on all platforms:

https://sr.ht/~aleksi/teehee/

Edit: Since this took off somewhat, I'd note that I found the editor in this list: https://github.com/merces/awesome-hex-editors <- give it some love <3

Our Call for Participation will close on 7 June - if you have a talk, workshop, or performance you'd like to give at EMF, there's still time to submit!

https://www.emfcamp.org/cfp