All that the Turing Test proves is that humans are much, much stupider than Alan Turing ever suspected.
Oh, clever, thanks!
Of course having the server auto-sign a customized installer would be a seriously risky thing to do (exposing the signing key) and today with the requirement for the key to be on a secure hardware device may also be impossible to implement. So are customized installers even possible anymore?
Thanks, Eric, for explaining why this is a bad idea. When one wants to provide users with a signed installer, but also make it super easy for said installer to be able to auto-register the product to the user's account, adding user-specific data as padding sounds like almost the only reasonable option.
Adobe tries to cheat Authenticode, which can result in additional blocks and security warnings.
textslashplain.com/2024/11/15/b...
Zimperium has discovered more than 760 Android apps that steal and relay NFC data to a remote attacker
zimperium.com/blog/tap-and...
Aardvark is a labor of love and mission for the whole team. We are super excited to bring it to you. Sign up for the beta immediately!!! openai.com/index/introd...
The latest Windows Update disables Windows Explorer previews for files that were downloaded from the Internet or are on Internet Zone network shares.
gist.github.com/ericlaw1979/...
Need a summary of all the ways the White House has gutted science?
🧪 Or are you a scientist who needs to hear your work valorized in song?
From brilliant songwriter, Elle Cordova:
“If they don’t like the data in your graphs/they’ll just turn the lights out in your lab”
youtube.com/shorts/AYm9w...
Come work with me on Microsoft Defender for Endpoint!
jobs.careers.microsoft.com/global/en/jo...
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
If you want to understand the struggle anyone doing input validation has, just look at ver 16.0 of the unicode standard: unicode.org/versions/Uni...
Unicode 16.0 adds 5185 characters, for a total of 154,998 characters
244 pages.
yeah, good luck with that.
<script>alert('πππ')</script>
The Alot is better than you...
hyperbole-andahalf.blogspot.com/2016/08/the-...
Five-ish years ago, @lizthegrey.com told me tech workers needed to organize because the tech giants would automate their jobs, the market would flood with talent and they would lose bargaining power. I thought it was unlikely. Here’s a story about me being wrong. www.nytimes.com/2025/08/04/t...
Morning in Kyiv. No sleep. Air quality is extremely bad. City is covered in thick smoke.
This is Russian terror, aimed at people who chose to stay, resist and fight.
Re-reading Stumbling on happiness by @danielgilbert.bsky.social and loving every page again. Relatable facts, interesting actual and thought experiments wrapped in just my type of humor.
OAuth is hard and we often find security flaws, but this is next level. Kudos to Modzero.
A friendly reminder from the Patron Saint of the Internet, Deth Veggie
So sorry to hear this. Chipped in and sharing.
Hey, we can sell you a USB-HDMI adapter that works well in your office but flickers on stage.
Threat actors are exploiting a recently patched vulnerability in the Roundcube webmail server.
Attacks began two days after a patch was published on GitHub.
FearsOff believes attackers bin-diffed the code before a final patch was ready and started exploiting servers.
fearsoff.org/research/rou...
Volkswagen fixed vulnerabilities in its mobile app that could allow attackers to hijack user accounts and retrieve car/owner details.
The app lacked brute-force protection, stored internal credentials in plaintext, and exposed any car owner's details via a VIN.
loopsec.medium.com/hacking-my-c...
You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraudulent payment.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
🧵 1/4
Makes sense, thanks.
Perhaps to prevent someone from pasting your potentially sensitive clipboard content to the username field?
By me @forbes.com: Roll up, roll up, you legacy-loving loons, get your Windows 7 and Windows Server 2008 R2 security updates here. #kudos @0patch.bsky.social and @mkolsek.bsky.social
#infosec
www.forbes.com/sites/daveyw...
Oh