CVE-2026-5728: Content-Type spoofing on LollMS chat image upload
CVE-2026-5728: LollMS /api/upload/chat_image trusts the client Content-Type header only, so authenticated users can upload non-images disguised as PNG or JPEG.
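The check this advisory describes, as an added example (not LollMS code; function names and the sample uploads are constructed for illustration): the weak form consults only the client-supplied header, so any bytes labelled `image/png` pass; the hardened form identifies the file from its own bytes, requires the declared type to agree, and derives the stored extension from what was detected rather than from the client.

```python
from typing import Optional

# Added example, not LollMS code. Names are hypothetical.
ALLOWED_TYPES = {"image/png", "image/jpeg"}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"


def accept_upload_weak(content_type: str, data: bytes) -> bool:
    """The pattern the advisory describes: only the client header is consulted.
    `data` is never inspected, so any bytes can be declared 'image/png'."""
    return content_type in ALLOWED_TYPES


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify PNG or JPEG from the file's own structure, ignoring the header."""
    # PNG: 8-byte signature, then the IHDR chunk (4-byte length 13, type 'IHDR').
    if data.startswith(PNG_SIGNATURE):
        if len(data) >= 16 and data[8:12] == (13).to_bytes(4, "big") and data[12:16] == b"IHDR":
            return "image/png"
        return None
    # JPEG: SOI marker FF D8 followed by the FF of the next marker.
    if data.startswith(JPEG_SOI):
        return "image/jpeg"
    return None


def accept_upload_hardened(content_type: str, data: bytes) -> Optional[str]:
    """Return the type to store the upload as, or None to reject it.

    The declared Content-Type is only a hint that must agree with the sniffed
    type; parameters such as '; charset=...' are ignored when comparing."""
    detected = sniff_image_type(data)
    if detected is None or detected not in ALLOWED_TYPES:
        return None
    declared = content_type.split(";")[0].strip().lower()
    if declared != detected:
        return None
    return detected


def stored_name(upload_id: str, detected_type: str) -> str:
    """Extension comes from the detected type, never from the client filename."""
    return upload_id + {"image/png": ".png", "image/jpeg": ".jpg"}[detected_type]


# Constructed sample uploads (not real files from the advisory).
HTML_DISGUISED = b"<html><script>alert(1)</script></html>"
SAMPLE_PNG = PNG_SIGNATURE + (13).to_bytes(4, "big") + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
SAMPLE_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

Note that a content check of this kind only establishes that the file starts like an image; it says nothing about what follows a valid JPEG's end-of-image marker, which is where trailing payloads are hidden.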
Debian 13 boot loop on qemu
Everything was going nicely until Debian 13 was stuck in a boot loop. Qemu repeated the following, endlessly blinking in my terminal: Booting `Debian GNU/Linux' Loading Linux 6.12.85+deb13-amd64…
Embedded SQL highlighting in Neovim, a look into Treesitter, and some NixOS patching
This is the story of the rabbit hole I went down because I wanted pretty syntax highlighting for embedded SQL queries in my Rust code. I’m a fan of sqlx, which provides macros for writing inline SQL…
Tunnel Launcher puts your SSH tunnels in the tray
I am proud to release Tunnel Launcher: an open source GUI for managing SSH tunnels that is written in Go and built on top of the Fyne toolkit. It lives in the system tray, lists each configured…
Flatpak: unboxing the sandbox
How to have new apps without letting the dependency mess leak onto your carpet
setting up explo & soulseek to "discover" weekly - without spotify!
it all began with a brilliant video released by the venerable Dammit Jeff - How to ACTUALLY quit spotify! A fairly engaging introduction into the weird and wonderfully rewarding world of reclaiming…
Build a Decoy MCP Server to Catch AI Agent Attackers
Your AI agent's MCP config can be a target for an attacker who reaches your machine. A decoy MCP server entry pointing at a Cloudflare Worker can reveal the attacker's presence and their intent.
My new network rack
I've always wanted a network rack for all my stuff but just never got around to actually buying one or figuring out all the pieces I would need to get one set up. Well I recently came across a…
Stressing LLMs - Triage Stage
Packers, cryptors, and code obfuscation are all methods used to bypass signature-based scanners in AV/EDR or to slow down the reverse engineering process. Many people are now using Large Language…
The AI Security Validation Crisis Nobody Is Talking About
Anthropic's Claude Mythos completes 73% of expert-level CTF tasks and writes root exploits autonomously. The harder problem isn't what AI can find — it's what happens after it finds…
Metastability in Recovery: Cascading Recovery with a Loop
My last metastable blog post discussed the interactions between systems and components and how they can lead to metastable failures. Specifically, I looked at interactions between systems/components…
Unmasking the Moon: Comparing LunaStealer Samples with MalChela and Claude
As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that tiquery was…
Envelope Encryption
Envelope Encryption is something I think is important when developing an application that saves user data. The user is trusting you with their data and you shouldn't take that responsibility lightly.…
Chaining ISC DHCP Server Features for Unauthenticated Root Remote Code Execution
While doing some code analysis of network services running as root in one of my lab VMs, I came across ISC DHCP Server (dhcpd), a common DHCP implementation in Linux…
Documenting Your Org's Files
I’ve been thinking as of late about the things that desktop computer users get that we’ve decided isn’t worth giving software engineers in their own infrastructure. I don’t…
Community
Clan is built by people who care about independent infrastructure and want it to be easier to run, share, and improve. The wider Clan community is where we coordinate work, help each other, and…
Why “Trusted Publishing” Can’t Save Us from Social Engineering
Hey Everyone! I want to talk about something that’s been bothering me since the Axios compromise. This issue goes beyond just one package. First, a quick definition: In the npm ecosystem, “trusted…
2026: Why have we not solved DDoS Yet?
Today I was browsing twitter and I saw a falcon feed post about NoName claiming to have DoS’d some UK …
This month in KDE Linux: April 2026
Welcome to another edition of “This month in KDE Linux”! Infrastructure remained a major focus this month, with multiple outages and bugs in Arch’s package archive leading to Harald…
Data center land use issues are fake
We have plenty of land, data centers provide more revenue per unit area than any other building, and we should have way less farmland
Meta-Installer
This post is mostly so that future me can find my Debian package without having to ferret around on various laptop and other disks :) I just set up (yet) another machine. My go-to OS these days is…
$36,000
RetainDB side project with 81 users hit a $36k Cloudflare bill — 16B Durable Object writes from a runaway queue loop, unbatched DO writes, and a KV list scan on every request...
Embed Arbitrary Payloads into JPEGs without Special Tools
Arbitrary binary data can be hidden at the end of JPEG files which otherwise behave normally. This article explores strategies for packing and unpacking payloads into JPEG images using standard…
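The pack/unpack step described above, as an added example in Python rather than the article's own shell-tool approach. The carrier bytes and the payload below are constructed, not a real image. The point a practitioner will want to see is why locating the end-of-image marker needs a walk over the marker segments rather than a search for the first `FF D9`: EXIF APP1 segments routinely carry a complete thumbnail JPEG, EOI included, and a naive search stops there. `pack` discards any bytes already trailing the real EOI; `unpack` returns everything after it.

```python
from typing import Tuple

# Added example, not code from the article. Marker values are from the JPEG spec.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def find_eoi(data: bytes) -> int:
    """Return the offset just past the image's real EOI marker (FF D9).

    Walks marker segments by their declared length, so an embedded thumbnail
    inside an APP segment is skipped whole. In entropy-coded data the only FF
    sequences allowed are stuffed bytes (FF 00), restart markers (FF D0..D7)
    and fill bytes (FF FF); anything else is a real marker and ends the scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    n = len(data)
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # FF FF ... is permitted fill
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in (SOI, 0x01) or 0xD0 <= marker <= 0xD7:
            continue  # standalone markers carry no length field
        if pos + 2 > n:
            break
        pos += int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if marker == SOS:
            while pos < n:  # entropy-coded segment follows the SOS header
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                        pos += 2  # stuffed FF or RSTn: still image data
                        continue
                    if nxt == 0xFF:
                        pos += 1
                        continue
                    break  # a real marker: hand back to the outer loop
                pos += 1
    raise ValueError("no EOI marker found")


def pack(jpeg: bytes, payload: bytes) -> bytes:
    """Append payload after the real EOI. Viewers stop at EOI, so the image still renders."""
    return jpeg[:find_eoi(jpeg)] + payload


def unpack(jpeg: bytes) -> bytes:
    """Return whatever follows the real EOI (empty for an untouched file)."""
    return jpeg[find_eoi(jpeg):]


def split(jpeg: bytes) -> Tuple[bytes, bytes]:
    """(image, trailer) in one call."""
    end = find_eoi(jpeg)
    return jpeg[:end], jpeg[end:]


# Constructed carrier: SOI, an APP1 segment holding an embedded SOI/EOI pair
# (as an EXIF thumbnail would), a SOS header, entropy-coded bytes with a
# stuffed FF 00 and an RST0, then the real EOI. Not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe1" + (2 + 6).to_bytes(2, "big") + b"\xff\xd8\xff\xd9\x00\x00"
    + b"\xff\xda" + (2 + 3).to_bytes(2, "big") + b"\x01\x01\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
# Constructed payload that itself contains FF D9, to show unpack is not fooled by it.
PAYLOAD = b"\xff\xd9 payload bytes \x00\xff"
```

For a real file the usage is `pack(open("in.jpg", "rb").read(), open("secret.bin", "rb").read())` written back out, and `unpack` on the result; with the constructed carrier above, `SAMPLE_JPEG.find(b"\xff\xd9")` lands on the thumbnail's EOI at offset 8 while `find_eoi` returns the true end at offset 28.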
VoIP Toolbox: Is the SIP in this PCAP OK?
VoIP Toolbox can already pull SIP call flows out of a PCAP, directly in the browser. The latest update runs sipright over every SIP message. This gives a high level good/warning/bad call indicator,…
Kloak: kernel-space secret injection via eBPF on Kubernetes
When an application gets breached, the first thing an attacker will do is exfiltrate whatever data they can reach. From customer data to authentication tokens, secrets are target number one (goodbye…
Cloud Bits: Breaking the Double Write – A Guide to Distributed Data Consistency
Once you start dealing with cloud systems, you need to grapple with the reality that failure is a question of […]
How to detect paying Cloudflare customers (vs free)
Can you tell from the outside whether a company pays Cloudflare or uses the free plan? Cloudflare normally…
Adventures not building 3G UMTS RNCs
I have run AMPS (1G) in my lab. I’ve run 2G (GSM) networks in production. There’s a few dozen production LTE/5G networks out there I’ve put my stamp on, but… Never, have I…
The Second Factor Name
“The Second Factor” name comes from the security concept known as two-factor authentication (2FA). The first factor in 2FA is something you know , and the second factor is either something you have…
I Do Not Recommend Bitwarden
A review of my experience with _Bitwarden_ after several years of self-hosting it, and why I decided to move away from the password manager.
SELinux MCS challenges with GitLab Runners
Table of Contents: Introduction; The MCS problem; The test script; GitLab’s official suggestion and why it falls short; How GNOME currently handles this; Exploring libkrun; Firecracker and the custom…
Improving a Coding Agent Harness: Part 5.5, Secrets Sandboxing
In Part 1, I added tree-sitter tools for structural code reading. In Part 1.5, I locked those tools behind a secure factory. In Part 2, I added an OODA loop with a rule engine and verify phase. In…
ITIL 4 Foundations
Can an AI datacenter be beautiful?
One of eight buildings in the ongoing OpenAI Stargate Abilene project.
Dissecting a mantis - the kamakiri exploit
Understanding and explaining the "kamakiri" MediaTek BROM exploit
Screw you Realtek
So I’ve got three nodes in my homelab k8s cluster (celebrated its 7th birthday the other day 🎈 ) that are lovely little Lenovo M75 boxes. They’re cheap, reasonably powerful, not too old, and make…
On AWS/Cloudflare, web centralization, and pride
This post will be just a complaint with no real solution, but it’s worth keeping as a record of how we perceive our times. Consider yourself warned. In October 2025, the main AWS region went…
Hyperscalers are 4500 years old
The Great Pyramid and a hyperscale datacenter are structurally identical bets — concentrated short-term cost justified across a longer horizon.
n8n for blogging is back, baby
I want to set up a n8n self hosting instance on my server and run a marketing funnel for this site. I want to present a pop up like substack to subscribe to a newsletter and build an audience. And at…
PSA on Copy Fail (CVE-2026-31431), UPDATED
This is a short PSA (Public Service Announcement) on how I dealt with the Copy Fail vulnerability. This will be updated as soon as the updated kernel packages are made available. This is a pragmatic…
Building a SQLite context sidecar for my-pi
Right, so, this started with me looking at , seeing a 98% context reduction claim, and immediately thinking: bull shite. Not because the idea is bad. The idea is good. The bit that made me twitch was…
Reducing ML-KEM-768 encapsulation key sizes by 24 octets
Disclaimer: I am not a cryptographer. There may be serious bugs or side channels! The minimum MTU for IPv6 is 1280 octets; if you subtract the 40-octet IPv6 header and the 8-octet UDP header, you get…
A year with my Intel N100 home server: what changed
It's been a year since I built my Intel N100 home server, and a few things have happened since I wrote that post. Some of what I set up is still humming along untouched. Some of it I quietly tore…
My Mail Hosting Has Come Full Circle
One of the earliest blog posts I made before I somewhat abandoned writing blog posts in lieu of this "microblogging social media" hype train we all rode for a decade was titled…
How To Run ZeroClaw in Docker with local LLMs (Qwen3 on an NVIDIA DGX Spark)
ZeroClaw is an open-source agent runtime. By default it expects a frontier model API key such as Claude, OpenAI, etc. This guide shows how to use a local Qwen3.6 model served by vLLM on an NVIDIA DGX…
Oral testimony for the Vermont data privacy and online surveillance bill
I was invited to give testimony in front of this committee about S.71, An act relating to consumer data privacy and online surveillance. This is what I said
My 1B tokens/day OpenAI Symphony setup
How I run OpenAI Symphony 24/7 on Zo Computer with Linear, project skills, and a token usage dashboard.
QRV v0.28–v0.33: Breaking Up the Big Kernel Lock
Two ambitious project branches emerged from the v0.27 milestone. The first is removing the Big Kernel Lock. The second — lifting taskman to user mode — gets its own post. This one covers v0.28…
The Mt. Rushmore of Branded Bugs
In the aftermath of the Copy Fail bug being (very unceremoniously) disclosed, the security news organization Decipher published a (maybe not serious?) “Mt. Rushmore of branded bugs”. The list is as…