Hacker News with Generative AI: Security

Someone randomly joined my Tailscale network (reddit.com)
Someone just randomly joined my Tailnet
Critical Samlify SSO flaw lets attackers log in as admin (bleepingcomputer.com)
A critical Samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate admin users by injecting unsigned malicious assertions into legitimately signed SAML responses.
Someone just randomly joined my Tailnet (reddit.com)
I think I became an owner of an organisation I don't own the domain of.
Claude Opus 4 turns to blackmail when engineers try to take it offline (techcrunch.com)
Anthropic’s newly launched Claude Opus 4 model frequently tries to blackmail developers when they threaten to replace it with a new AI system and give it sensitive information about the engineers responsible for the decision, the company said in a safety report released Thursday.
Activating AI Safety Level 3 Protections (anthropic.com)
We have activated the AI Safety Level 3 (ASL-3) Deployment and Security Standards described in Anthropic’s Responsible Scaling Policy (RSP) in conjunction with launching Claude Opus 4.
Next Password Could Be Stored in Plastic (ieee.org)
Forget cloud storage. Scientists can now save data in plastic—storing digital information in short-chain polymers, and reading it back with electricity.
How I used o3 to find a remote 0-day vulnerability in the Linux kernel (ksmbd) (heelan.io)
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use.
Direct TLS can speed up your connections (marc-bowes.com)
A few months ago, one of my Aurora DSQL teammates reported a curious finding.
Should I Block ICMP? (shouldiblockicmp.com)
Many network administrators feel that ICMP is a security risk, and should therefore always be blocked at the firewall. It is true that ICMP does have some security issues associated with it, and that a lot of ICMP should be blocked. But this is no reason to block all ICMP traffic!
I made a code security auditor for all you dumb vibe coders – thank me later (github.com/anshulyadav1976)
VulnViper is an intelligent security auditing tool designed to help developers identify and understand potential vulnerabilities in their Python codebases.
Show HN: Confidential computing for high-assurance RISC-V embedded systems (github.com/IBM)
ACE-RISCV is an open-source project, whose goal is to deliver a confidential computing framework with a formally proven security monitor.
Ratatoi is a C library that wraps stdlib's strtol (as atoi does), but it's evil. (github.com/rept0id)
Oracle Database TNS vulnerability could leak data to further attacks (scworld.com)
A vulnerability in Oracle database communications could potentially allow an unauthenticated user to access system memory contents that may include sensitive information that could be used for further attacks.
Passphrases made with slang, band names, movie titles, insults, and jobs (slang45.com)
73 Billion-ish combinations possible. It's like listening to your drunk uncle explain something Carl Sagan said.
By default, Signal doesn't recall (signal.org)
Signal Desktop now includes support for a new “Screen security” setting that is designed to help prevent your own computer from capturing screenshots of your Signal chats on Windows.
1Password Is Down (1password.com)
1Password services are unavailable or slow to respond for some users
How to securely encrypt your secrets with envelope encryption and KMS in Rust (kerkour.com)
Authelia is now OpenID Certified (authelia.com)
Authelia is now OpenID Certified™ for the Basic OP, Implicit OP, Hybrid OP, Form Post OP, and Config OP profiles of the OpenID Connect™ protocol.
Disabling kernel functions in your process (2009) (chadaustin.me)
Detecting and reporting unhandled exceptions with SetUnhandledExceptionFilter seemed logical, and, in fact, it worked... for a while. Eventually, we started to notice failures that should have been reported as a last-chance exception but weren't. After much investigation, we discovered that both Direct3D and Flash were installing their own unhandled exception filters! Worse, they were fighting over it, installing their handlers several times per second!
Docker Launches Hardened Images, Intensifying Secure Container Market (thenewstack.io)
The NSA Selector (github.com/wenzellabs)
Elon Musk's party habits made him a dream target for Russian spies (msn.com)
Elon Musk’s party habits, promiscuity and ketamine use made him a dream target for Russian spies, says ex-FBI agent
MCP Server for Windows (windows.com)
As AI agents become more capable and integrated into daily workflows, the need for secure, standardized communication between tools and agents has never been greater.
Authy corrupted my 2FA backup and all I got was this lousy blogpost (weblog.lol)
Had a fun scare over the weekend, and wanted to write up a post that hopefully someone will find via Google if they have the same issue.
CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93) (hackerone.com)
Entrysign: Create Your Own x86 Microcode for Fun and Profit (OffensiveCon25) (youtube.com)
Metal – stealth browser for enterprise automations (metalsecurity.io)
Have I Been Pwned 2.0 (troyhunt.com)
This has been a very long time coming, but finally, after a marathon effort, the brand new Have I Been Pwned website is now live!
MCP will be native to Windows 11 (windows.com)
As AI agents become more capable and integrated into daily workflows, the need for secure, standardized communication between tools and agents has never been greater.
WireGuard vanity keygen (github.com/axllent)
A command-line vanity (public) key generator for WireGuard. By default, it only matches the prefix of generated public keys, and not whether the search matches anywhere in the public key. The concept is based on wireguard-vanity-address, however I wanted something a little more streamlined.