You too can turn a Bluetooth device into a PC-pwning proxy

https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/

If it wasn't already, 2FA spraying is now a thing

https://arstechnica.com/security/2026/06/dashlane-explains-how-attackers-managed-to-download-encrypted-password-vaults/

There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.

https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts?7194ef805fa2d04b0f7e8c9521f97343

What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.

Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?

I don't know if my confusion is the result of me not knowing the how the Dashlane product works or if it's just Dashlane being opaque.

Can anyone help me read the tea leaves?

Are MP3 players even a thing these days? What are some good brands/models?

Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past?

https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/

Anybody know of any Linux distributions that have released fixes for Dirty Frag?

Mozilla has provided behind-the-scenes details on the 271 vulnerabilities it discovered with the help of Mythos. Those details include full Bugzilla reports on 12 of the vulnerabilities. I'd be curious for people to look at the reports and hear what they think.

https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

With growing focus on the threat quantum computing poses to crucial and widely used forms of encryption, @nprofile1q... wants to make one thing perfectly clear: Contrary to popular mythology that refuses to die, AES 128 is perfectly fine in a post-quantum world

https://arstechnica.com/security/2026/04/contrary-to-popular-superstition-aes-128-is-just-fine-in-a-post-quantum-world/

I'm trying to understand a bit more about CVE-2026-33579, the critical vulnerability in OpenClaw. To exploit, an attacker needs low-level paring privilege permissions. How does one acquire such privileges? Can anyone do it? I'm asking because I want to understand what's required for an attacker to exploit.

Feel free to ping me at DanArs.82, or drop an answer here.

Filippo is spot on. The question we should be asking now is: "What does Google know that the rest of us don't?"

Google is dramatically shortening its deadline readiness for the arrival of Q Day, the point at which existing quantum computers can break public-key cryptography algorithms that secure decades’ worth of secrets belonging to militaries, banks, governments, and nearly every individual on earth.

https://arstechnica.com/security/2026/03/google-bumps-up-q-day-estimate-to-2029-far-sooner-than-previously-thought/?comments-page=1#comments