Nice chain of attacks. This shows more than one vulnerability needs to be leveraged to lead to root access. This provides valuable lessons.

Fascinating research about side-channel attacks. Learned a lot about them and website fingerprinting here. Also interesting the explanations of how the use of machine learning models can actually get in the way of proper understanding of the side-channel really used by an attack which can prevent developing actually useful counter-measures.

Looks like there are people out there to get Tor relays down... and they found a smart networking trick I'd expect to not work anymore.

Definitely an interesting tool. GitHub Actions workflow aren't easy to setup while ensuring they're secure, having a tool analyzing them for issues can only help.

Nice technique for automating the verification of SSH host keys. It'd be nice to see wider adoption.

Good reminder that /tmp has many security flaws built in.

It's tempting to use uv. It's probably fine on the developer workstation at this point. It looks a bit early to use it in production though, it's a bit young for that and carries questions regarding supply chain security still.

It's a very important project, it's really concerning that this attack went through. The service is still partly disrupted but they're showing signs of recovery. Let's wish them luck and good health. This archival service is essential for knowledge and history preservation on the web.

This one is definitely a bad one. Looks like CUPS is a weak part of the ecosystem, especially when coupled with zeroconf. I wouldn't be surprised to see macOS being affected too.

More details about the KIA security issue. Clearly securing the embedded systems is not worth much if it is then all exposed via unsafe web services.

Could we just stop connecting cars with web access for features we don't really need? Please?

Excellent proof of why you don't want to "rewrite it all in Rust". It's important to respect the old code and focus on applying safety practices on the new code. This is also why the upcoming changes to C++ are worth it, it might improve the interoperability factor almost for free.

Lots of good stuff definitely coming. This should definitely help make it more approachable to lots of people.

People are putting LLM related feature out there too hastily for my taste. At least they should keep in mind the security and safety implications.

Or why we should all be concerned and condemn the latest pager and walkie-talkie attacks. They clearly opened a Pandora's box, it'd be surprising not to see more of those from various organizations. The funds and efforts required make it affordable enough.

Interesting comparison of the difference in approaches between RedHat and Debian about default system hardening.

Looks like an interesting venue to attack systems which use LLMs.

Nice post explaining the basics of OAuth. If you wonder why the flow seems so convoluted, this article is for you.

Interesting point. As the memory safety of our APIs will increase, can we reduce the amount of sandboxing we need? This will never remove completely the need if only for logic bugs, but surely we could become more strategic about it.

Woops, this was clearly a very bad security issue allowing to completely bypass airport security screening in the US.