Damus

Recent Notes

Harry Sintonen
I, for one, hail our EU overlords for staying their ground and not bending over to Apple.

This EU regulation did not come as a surprise to anyone, and definitely not to Apple. Yet they decided to go all knee-jerky about it.

Food for thought: If you cannot implement an AI feature in an interoperable and safe manner, it likely should not be implemented at all.
Harry Sintonen
Credit and debit cards issued in Finland have two checksums instead of just one. The outer checksum is the standard Luhn mod-10 as usual, but the inner checksum is another method (variation of IBM Check with 7 1 3 multipliers). So why is this interesting?

The two checksums make it far easier to resolve partial card numbers. For example, if you take a picture of your card while hiding 3 digits with your finger, such a masked card number can be resolved to about 12 possibilities.

TL;DR: Never post pictures of your Finnish debit/credit card, even when hiding some of the digits.

I have no knowledge of whether cards elsewhere might have a similar double-checksum feature.
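The "outer" checksum mentioned above is the standard Luhn mod-10 algorithm. The block below is an added example, not code from the note's author, and it implements only the publicly specified Luhn algorithm (the Finnish inner checksum is not reproduced here). The card-like numbers in the test values are constructed; `79927398713` is the widely published Luhn reference value. It also verifies the property that makes a single check digit useful: every single-digit substitution in a valid number is rejected.

```python
"""Luhn mod-10 check-digit validation (added example; not the author's code)."""


def luhn_checksum(digits: str) -> int:
    """Luhn sum of a digit string, modulo 10.

    Processing right-to-left, every second digit is doubled and, if the
    result exceeds 9, reduced by 9 (equivalent to summing its two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number (spaces allowed) passes the Luhn check."""
    number = number.replace(" ", "")
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_checksum(number) == 0


def luhn_check_digit(payload: str) -> str:
    """Return the check digit that makes payload + digit Luhn-valid.

    Appending a placeholder '0' puts every payload digit at the weight it
    will have in the final number; the check digit then supplies whatever
    is missing to reach a multiple of 10.
    """
    return str((10 - luhn_checksum(payload + "0")) % 10)


def all_single_digit_errors_detected(number: str) -> bool:
    """Check that changing any one digit of a valid number invalidates it.

    Holds for Luhn because both the identity map and the doubling map are
    bijections on the digits 0-9, so a substitution always changes the sum.
    """
    if not luhn_valid(number):
        return False
    for pos, original in enumerate(number):
        for replacement in "0123456789":
            if replacement == original:
                continue
            mutated = number[:pos] + replacement + number[pos + 1:]
            if luhn_valid(mutated):
                return False
    return True


if __name__ == "__main__":
    # Constructed reference values, not real card numbers.
    print(luhn_valid("79927398713"))          # True
    print(luhn_check_digit("7992739871"))     # 3
    print(all_single_digit_errors_detected("79927398713"))  # True
```

Luhn catches every single-digit substitution and most adjacent transpositions (the exception is swapping 09 and 90), which is why a second, independent checksum narrows the space so much further.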
noplasticshower · 2w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpqmvfdung5whdgpwwllyqjggm5lrh4wylvjw3kgex9dxzcsjuc75fsgnuygl Microsoft is going down
Harry Sintonen · 3w
We've released #MorphOS 3.20 https://morphos-team.net/news
Harry Sintonen
This is the first major release in three years and constitutes some of the most extensive changes ever. See the extremely long change log at https://morphos-team.net/releasenotes/3.20

Yes, it is somewhat technical and detailed at times, but condensing three years of work to mere "fixes and improvements" would feel like demoting the amount of love that went into it.
Harry Sintonen
CVE-2026-47187: Symlink escape - rogue SFTP server -> local file read/write
Severity: Critical (CVSS 9.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
CWE: CWE-59 (Improper Link Resolution Before File Access)

A rogue SFTP server can return symlink targets (absolute paths or relative "../../../" escapes) that sshfs passes to the kernel unchanged. The kernel resolves them on the client's local filesystem, so an ordinary "cp" through the mountpoint can read local files back to the server or write server-controlled bytes to local files. transform_symlinks does not cover relative targets.

https://www.openwall.com/lists/oss-security/2026/05/30/3

#CVE_2026_47187
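The advisory above describes the client passing server-supplied symlink targets to the kernel unchanged, so that absolute targets and `../` chains resolve on the local filesystem. The block below is an added example, not sshfs code and not part of the advisory: it contrasts that pass-through behaviour with the containment check a client-side filesystem layer would need, rebasing absolute targets onto the mount root and rejecting relative targets that climb above it. The mount root `/mnt/sftp` and the link paths are constructed values, and all path handling is pure string work (`posixpath`) so it runs without any mount.

```python
"""Symlink-target containment check for a network filesystem client.

Added example (hypothetical helper names, not sshfs internals). Paths are
handled as POSIX strings only; nothing touches the real filesystem.
"""
import posixpath
from typing import Optional, Tuple


def resolve_within_mount(link_path: str, target: str) -> Tuple[bool, str]:
    """Resolve the target of the symlink at link_path inside the mount.

    link_path is the link's mount-relative absolute path ('/docs/link').
    Absolute targets are interpreted relative to the mount root, not the
    client's real root; relative targets are joined to the link's directory.
    Returns (contained, resolved). When '..' climbs above the mount root,
    contained is False and resolved is expressed relative to that root
    ('../../etc/passwd' = two levels above the mount).
    """
    if target.startswith("/"):
        stack = []
    else:
        stack = [p for p in posixpath.dirname(link_path).split("/") if p]
    above = 0  # number of levels the target climbs above the mount root
    for part in target.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()
            else:
                above += 1
        else:
            stack.append(part)
    joined = "/".join(stack)
    if above:
        return False, "../" * above + joined
    return True, "/" + joined


def naive_local_target(local_mount_root: str, link_path: str, target: str) -> str:
    """What the kernel resolves when the target string is passed through as-is.

    Absolute targets hit the client's real root; relative targets are
    normalised against the link's local directory with no clamping, so a
    long enough '../' chain leaves the mount.
    """
    if target.startswith("/"):
        return posixpath.normpath(target)
    link_dir = posixpath.dirname(link_path).lstrip("/")
    return posixpath.normpath(posixpath.join(local_mount_root, link_dir, target))


def escapes_mount(local_mount_root: str, local_path: str) -> bool:
    """True if a resolved local path lies outside the mount root."""
    root = local_mount_root.rstrip("/")
    return not (local_path == root or local_path.startswith(root + "/"))


def rewrite_symlink_target(local_mount_root: str, link_path: str,
                           target: str) -> Optional[str]:
    """Contained local path for the link target, or None if it must be refused."""
    contained, resolved = resolve_within_mount(link_path, target)
    if not contained:
        return None
    return posixpath.normpath(
        posixpath.join(local_mount_root, resolved.lstrip("/")))


if __name__ == "__main__":
    # Constructed cases: a link at /docs/link inside a mount at /mnt/sftp.
    root, link = "/mnt/sftp", "/docs/link"
    for tgt in ("/etc/passwd", "../../../etc/passwd", "../README"):
        naive = naive_local_target(root, link, tgt)
        print(f"{tgt!r:>24} pass-through -> {naive} "
              f"(escapes: {escapes_mount(root, naive)}) | "
              f"contained -> {rewrite_symlink_target(root, link, tgt)}")
```

Rejecting (or, as above, refusing to follow) an escaping target is only one policy; rewriting an absolute target so it resolves under the mount root, as `rewrite_symlink_target` does, is the other, and the advisory notes the existing `transform_symlinks` option covers only the absolute case, not relative `../` chains.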
Harry Sintonen
Most web browsing has been using post-quantum secure algorithms for years now.

Why? Browsers and large CDNs have pushed for post-quantum key agreement implementations, such as X25519MLKEM768.

This has been a great success: No one needed to change or configure anything, or even know about it. This is the best kind of security: unobtrusive and transparent, without requiring user involvement for deployment.

#pqc #pqcryptography #cybersecurity #infosec

Harry Sintonen · 3w
The next larger visible disruption will likely be when it is finally decided that non-PQC connections are considered too insecure. This will likely lead to a phase-out similar to what happened with SHA1 signatures over ten years ago. - https://security.googleblog.com/2014/09/gradually-sunsetting-sh...
Harry Sintonen · 3w
About 70% of human traffic towards cloudflare is using PQC - https://radar.cloudflare.com/post-quantum