HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mmsc

no profile record

Submissions

18 CVEs fixed in Curl 8.21.0

curl.se
3 points·by mmsc·17 дней назад·0 comments

Meta Fixes Instagram AI Flaw Used in Account Takeovers

sqmagazine.co.uk
2 points·by mmsc·в прошлом месяце·0 comments

[untitled]

1 points·by mmsc·в прошлом месяце·0 comments

CVE-2026-42511 Breakdown: RCE in FreeBSD

aisle.com
28 points·by mmsc·2 месяца назад·1 comments

Finding and Fixing 24 CVEs in WeKan

aisle.com
1 points·by mmsc·2 месяца назад·0 comments

AISLE Discovers 38 CVEs in OpenEMR Healthcare Software

aisle.com
177 points·by mmsc·2 месяца назад·113 comments

System over Model: Zero-Day Discovery at the Jagged Frontier

aisle.com
3 points·by mmsc·3 месяца назад·0 comments

Wikipedia: AI or Not Quiz

en.wikipedia.org
2 points·by mmsc·4 месяца назад·0 comments

Aquasecurity/Trivy GitHub Repository and Homebrew Cask Compromised (again)

opensourcemalware.com
16 points·by mmsc·4 месяца назад·4 comments

Always 'Copy Clean Link' When Possible on Firefox, with UserChrome.css

joshua.hu
5 points·by mmsc·4 месяца назад·0 comments

CrackArmor: Multiple Vulnerabilities in AppArmor

cdn2.qualys.com
3 points·by mmsc·4 месяца назад·0 comments

Making Firefox's right-click not suck, more, with userChrome.css

joshua.hu
5 points·by mmsc·4 месяца назад·1 comments

Making Firefox's right-click not suck with about:config

joshua.hu
351 points·by mmsc·4 месяца назад·223 comments

Using Aisle to Find Vulnerabilities in Amazon's Crypto Stack: AWS-LC and S2n-TLS

aisle.com
2 points·by mmsc·4 месяца назад·0 comments

AISLE’s autonomous analyzer found all CVEs in the January OpenSSL release

aisle.com
197 points·by mmsc·5 месяцев назад·130 comments

The end of the curl bug-bounty

daniel.haxx.se
17 points·by mmsc·6 месяцев назад·0 comments

Investigating shared dictionaries and ChatGPT breakage in Firefox

joshua.hu
3 points·by mmsc·6 месяцев назад·1 comments

Gixy-Next: Nginx Configuration Security and Hardening Scanner

gixy.io
3 points·by mmsc·6 месяцев назад·0 comments

Iranian Censorship, Bypasses, Browser Extensions, and Proxies

joshua.hu
3 points·by mmsc·6 месяцев назад·0 comments

comments

mmsc
·17 дней назад·discuss
already exists: https://joshua.hu/comparing-redos-detection-tools. `recheck` and `redos-detector` are definitely the best. there's even an eslint plugin for the latter: https://github.com/tjenkinson/eslint-plugin-redos-detector
mmsc
·23 дня назад·discuss
> Another month later, GitHub support sent me an email saying that they had removed these repositories.

I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.

I reported it to GitHub and it was removed within 24 hours.

I discovered another repository like this, and they still haven't replied since (one month).

No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
mmsc
·в прошлом месяце·discuss
A missed opportunity to say you 'Fn' hate the Fn key :)
mmsc
·2 месяца назад·discuss
Aisle has hundreds of CVEs with publicly available models: https://aisle.com/wall-of-fame
mmsc
·2 месяца назад·discuss
https://codeberg.org/forgejo/governance/src/commit/5c07b3801...

> Failure to comply with these rules will be criticized publicly, and we reserve the right to no longer coordinate with you or your project in the future.

lol
mmsc
·3 месяца назад·discuss
How is that a scam? You don't get participation awards for solving half of a puzzle...
mmsc
·3 месяца назад·discuss
Unmaintained code is a security issue in of itself, so this is of course a net benefit.
mmsc
·3 месяца назад·discuss
The website of this blog and their connections listed are a sight to behold. I miss that version of the internet.
mmsc
·3 месяца назад·discuss
As long as it's not hydrofluoric acid...
mmsc
·3 месяца назад·discuss
> You say "works perfectly". I do not think it means what you think it means.

Copying some files from a different machine is not that burdensome. The point is, it works.
mmsc
·3 месяца назад·discuss
FreeBSD works perfectly on intel MacBooks if you've got one laying around: https://joshua.hu/FreeBSD-on-MacbookPro-114-A1398
mmsc
·3 месяца назад·discuss
> Also, a note to those who make fancy "[email protected]" addresses:

Just wait until one of these companies demands an email from the registered email address of your account!
mmsc
·4 месяца назад·discuss
Ah, finally catching up to ... The UK, Australia, Ireland, France, the Netherlands, and probably a lot more.
mmsc
·4 месяца назад·discuss


  こすり箸 Kosuribashi:
 To rub waribashi (disposable chopsticks) together to remove splinters.
I don't know about Japan, but everybody does this in Taiwan.
mmsc
·4 месяца назад·discuss
The offending commit seems to be: https://github.com/aquasecurity/trivy/commit/1885610c6a34811... which updates the action to `actions/checkout@70379aad1a8b40919ce8b382d3cd7d0315cde1d0 # v6.0.2`. https://github.com/actions/checkout/commit/70379aad1a8b40919... is not actually in `actions/checkout` but a fork, and it pulls malicious code from the typo-squatted "scan.aquasecurtiy.org" (note the _tiy_).

Any system with Trivy 0.69.4 on it (and being run) can be assumed to be compromised.
mmsc
·4 месяца назад·discuss
GitHub advertises itself as warning about those Unicode characters: https://github.blog/changelog/2025-05-01-github-now-provides...

Of course, it doesn't work though. I reported this to their bug bounty, they paid me a bounty, and told me "we won't be fixing it": https://joshua.hu/2025-bug-bounty-stories-fail#githubs-utf-f...

The exact quote is "Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing your report based on factors including the complexity of successfully exploiting the vulnerability, the potential data and information exposure, as well as the systems and users that would be impacted, we have determined that they do not present a significant security risk to be eligible under our rewards structure." The funny thing is, they actually gave me $500 and a lifetime GitHub Pro for the submission.
mmsc
·4 месяца назад·discuss
Require dual sign off
mmsc
·4 месяца назад·discuss
> an LLM can ingest unstructured data and turn it into a feed.

An LLM can try to do that, yes. But LLMs are lossy compression. RSS feeds are accurate, predictable, and follow a pre-defined structure. Using LLMs to ingest data which can easily be turned into an parseable data structure seems strange: use the LLM to do the "next part" of the formula (comprehension, decision making, etc)

There is also LLMs.txt https://llmstxt.org/ eg https://joshua.hu/llms.txt / https://joshua.hu/llms-full.txt
mmsc
·4 месяца назад·discuss
https://paulgraham.com/disagree.html

Please consider reading.
mmsc
·4 месяца назад·discuss
It's cool that Mozilla updated https://www.mozilla.org/en-US/security/advisories/mfsa2026-1... because we were all wondering who had found 22 vulnerabilities in a single release (their findings were originally not attributed to anybody.)