惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
T
Troy Hunt's Blog
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
M
MIT News - Artificial intelligence
G
Google Developers Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
I
InfoQ
H
Hacker News: Front Page
D
Docker
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Blog — PlanetScale
Blog — PlanetScale
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
博客园 - 【当耐特】
T
Tor Project blog
U
Unit 42
H
Heimdal Security Blog
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
PCI Perspectives
PCI Perspectives
美团技术团队
O
OpenAI News
T
Tailwind CSS Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
GbyAI
GbyAI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
MyScale Blog
MyScale Blog

Comments for Hackaday

Repairing A Pair Of Voodoo 2 GPUs For Some SLI Action AI The Truly Environmentally Friendly Way News Sites Are Blocking Internet Archive Over AI Scraping Fears How The 2020s Chip Crisis Led To A Buggy Saleae Analyzer In 2026 Evidence For Water Vapor Plumes On Europa Vanishes In Re-Analysis Mechanical Stability For Your Coils 3D Printed Hose Sprayer Sets Phasers To Suds The Merits Of Comment-Driven Development As Counterweight To TDD Building A Desktop Catalytic Cracker Process 4 Billion Pixels Per Second From 16 DIY Cameras For The Best V-Tubing Rig Ever An Unlikely Host For An 8080 Emulator Using Brand New NiMH Cells After Sitting 12 Years Unused Investigating The S3 Virge’s Reputation As A 3D Decelerator Card As It Turns Out, There’s More Than One Cassette Mechanism Being Made After All Using Windows 11 On An LGA 775 PC With AGP Videocard An Ethernet WiFi Router on a Pi Pico 2W This Week In Security: Messing With AI, 7Zip And Notepad++ Vulnerabilities, HTTP2 Bomb, And More Using Electrolysis For More Than Just Generating Hydrogen Vintage Turntable Gets Brain Transplant And Home Assistant Integration Connecting Your Car To Home Assistant Microsoft Claims 20 Second Qubits If You Want To Hack Me, Come In Through The Speaker Ways To Embed Magnets In 3D Prints And Not Ruin Printers An RGB Keyboard For Your Hackaday Communicator Badge Ask Hackaday: How Do You Feel About Electronic Shelf Labels? Make Your Ceiling Disappear With ADS-B And Short-Throw Projector Fixing A Nintendo Game Boy Clone That Runs Too Fast Web-Based Control For A CB Radio Distilling Stale Gasoline To Make It Usable Again DIY Ceramic Circuit Boards Surely Count As Solarpunk Texas Instruments Changes The NE5532 And Others Into Incompatible Versions Deltarune’s Tenna Brought To Life Linux Fu: Fake Webcams, GUI Edition Hydraulic Drive For Your Lawn Tractor But Just What Is This ‘Artificial Intelligence’? A Diffraction Grating Makes This Clock Readable Turning An Old 3D Printer Into A Vinyl Cutter For Cheap A High-Vacuum Controller For An Eventual Electron Microscope Does Your Terminal Speak Morse? This One Does From Scrappy Pallet Wood To Fancy Tea Tray The 2026 EMF Badge Arrives, With An Add-On. As Expected, It’s Familiar Linux Fu: Taming Strace STM32 Handheld Has OpenGL And All The Classics Jenny’s Daily Drivers: Microsoft Windows 11 Using A Mirror To 3D Scan Both Sides Of An Object At Once Cookies, Baked The 3D Printer Way Restoring Apple’s Terrible But Awesome IBook Laptop After The Dust Settles: Building Pebble Apps Bilingual E-paper News Feed Helps Brush Up Language Skills On The Wisdom Of Replacing A NiMH Module In A Prius Battery Pack Know Your Food: Cheesemaking Like A Wire Bender, But For Pop Tubes Revisiting Making Your Own Internet Router In 2026 Classically-named Argus Robot Is Terminator Meets Tumbleweed Making a Zippy FDM Printer out of Wood Off-Grid OCR Server Powered By IPhone Hackaday Links: May 31, 2026 Comment on A Special Type of Mower For Rocky Fields by Chris Maple 4-bit Relay Logic Counter Begs To Have Its Buttons Pushed Loading Sega Genesis Games Off A Vinyl Record Ebike Display Uses Reflective LCD Modern Graphics Via DisplayLink For Your ISA-Era PC The Final Steps To A Sub-Minute Benchy Poking Around With JTAG On A Guitar Amp Keychain GameCube Controller Made Functional Breaking Enigma With An FPGA, Just Like At Bletchley Park The Uncooperative Mirror Will Not Help You Testing Various Ways To Waterproof FDM Printed Parts Cheap Yellow Display With Boosted PSRAM Turned Snazzy Emulator Station It’s Another Pi Handheld. But It’s A Really Good One Take The Reins Of This Unique Controller Be Your Own Oil Company With Desktop Fischer-Tropsch Process ESP-Osito Eschews Retrocomputing For Modern Code On Modern, Equivalent Hardware A Modern Web Browser For Classic Mac OS Hackaday Podcast Episode 371: Space Computers, Spy Phones, And So Long CHU When Is An Apple Laptop Not A Macbook? When It’s An Apple II Linux Distributions And Who Is Responsible For The Software Autopsy Of A Failed Vintage Carbon Resistor Hunting Submarines Via Gravity Is A Tough Errand So Long, CHU, And Thanks For All The Time Signals A Bicycle Built On An Italian Renaissance Tech Base Linux Fu: The Bluetooth Regression Remember When Flash Drives Were Going To Make Your PC Faster? Putting Version 7.1 Of The Direct Granules FDM Extruder Through Its Paces Tech In Plain Sight: The Mechanics Of String Trimmers Between-Device Sharing Still Sucks Salvaged VFDs In Nixie-Like Clock Mod This IKEA Lamp Into Smart Lighting For Not A Lot Building And Testing A Turbine Driven Hydro Generator Tearing Down Walmart’s $12 Keychain Camera Biohack Your Way To Lactose Tolerance (Through Suffering) Liberating AirPods With Bluetooth Spoofing It’s Hard To Make A (Good) Oscillator Rudolph’s Sleigh On A North Pole PCB This Typewriter Types Toast Beating Bitlocker In 43 Seconds Using An Old Smartphone In Place Of A Raspberry Pi Working Model Reveals Amazing Engineering Of Webb’s Mirror Actuators Electric Vehicle 1900’s Style: New Leases On Old Tech Forth: The Hacker’s Language
This Week In Security: Ubiquiti Fixes, And FreeBSD Joins The Club You Don’t Want To Join
satadru pram · 2026-05-29 · via Comments for Hackaday

Ubiquiti released a new security bulletin detailing fixes for six security issues, including one rated 9.1 (critical) and one scoring a perfect 10.0 on the CVE risk scale.

The vulnerabilities range from path traversal revealing configuration files (escaping from the web server by requesting a path like “../../../../../etc/passwd” for instance), to command injection (running arbitrary shell commands on the system), and actually changing device configurations. Some of the reported vulnerabilities require an account on the management server, but some only require network access .

Fortunately, all of the vulnerabilities require access to the network in the first place to exploit – but this could include access to open guest networks as well as trusted users. If you run Ubiquti or UniFi equipment, chances are the automatic update function has already integrated the fixes, but make sure to check the advisory to see if you’re impacted and update accordingly!

FreeBSD Root Exploit

FatGid lets FreeBSD join the fun of kernel exploits to gain root.

The FatGid vulnerability doesn’t require any manipulation of disk cache; instead it is a direct kernel stack overflow in a system call. The kernel miscalculates the size of a variable as 8 bytes instead of 4, which when used later interacting with a user buffer allows the stack overflow.

Like the recent spate of Linux local privilege escalation attacks, this requires the attacker to already have an account on the system or the ability to run arbitrary programs, but remember that any bug in network services which allows command execution gets you there, so if you run network exposed FreeBSD, it’s time to update!

Kali365 Phishing-as-a-Service

Phishing-as-a-service platforms have been gaining traction, allowing criminals to automate targeting users with crafted lures. The FBI has issued a warning about the Kali365 service in particular.

Kali365 targets credentials for Microsoft 365 accounts by directing users to the official Microsoft portal for linking additional devices to the account, attaching an attacker device directly to the user identity. Alternatively, the framework steals credentials by directing the user through a hostile service which presents a false login page which captures browser sessions along with authentication cookies and tokens once the user answers the fake multi-factor login prompts.

Automating the phishing process lowers the bar for the skill level needed to create authentic-looking lures and makes it simpler for criminal groups to attack large numbers of users; Phishing-as-a-service groups operate as companies offering customer support, tracking dashboards, and pre-made phishing templates.

Glassworm Botnet Takedown

CrowdStrike, Google, and the ShadowServer Foundation have done a coordinated takedown of the infrastructure used by the Glassworm supply-chain botnet.

Glassworm has been mentioned previously; it is one of several major worms infecting the open source package supply chain repositories like NPM and PyPi or the Visual Studio extension repository. Once a victim installs a compromised package or extension, the Glassworm trojan steals any saved authentication tokens for package repositories, GitHub accounts, AI services, and any SSH keys found, and begins the stage two infection. Using the stolen credentials, the worm infects any GitHub workflows, packages, and extensions the user has access to, and installs a remote-access trojan which waits for further commands.

Glassworm used a complex control server structure including blockchain memos, BitTorrent files, and public Google Calendar entries, but the coalition of companies was able to interrupt all control channels simultaneously. Hard-coded aspects of the worm will continue to function, but all behavior which requires downloading payloads from the control servers has been disrupted.

This isn’t the first time multiple Internet companies have coordinated to take down malware, but it’s always good to see action against threats which have been decimating the package repository infrastructure lately.

TechCrunch Spyware Avoidance

On the positive side of things, TechCrunch has an article about modern features to protect users against spyware. If this isn’t news to you, there’s still almost certainly someone in your life who will benefit from a user-friendly write up of best practices!

Both major commercial mobile platforms (iOS and Android) offer advanced protection features which are minimally invasive. For users who are likely to be higher targets of spyware like journalists, lawyers, and human rights activists, or simply those who are worried, these features offer real protection.

The features explained in the article include Apple’s Lockdown mode, Androids Advanced protection mode, and WhatsApp specific application settings, all of which work to reduce common attack surfaces for devices. The advanced security modes typically have minor impacts on performance and battery life due to disabling optimization features which introduce additional complexity and attack surfaces (such as just-in-time compilation of JavaScript code into native instructions.). When situations call for an abundance of caution, a few percent of battery life daily is a reasonable compromise.

Go check out the full write up!

Microsoft Bans NightmareEclipse

An exploit researcher known only as “NightmareEclipse” has been featured here several times in the past months already. Showing intense frustration with their experience with the administrators of the Microsoft security bug bounty program, they have taken to releasing zero-day exploits against Windows, often coinciding with Patch Tuesday (clearly no accident; by releasing a new exploit on the same day as the Microsoft patch set, it’s unlikely to be fixed before the next months Patch Tuesday at the earliest). Previous exploits released by NightmareEclipse include BlueSun and RedHammer (local user to Windows SYSTEM privilege escalation), UnDefend to disable Windows Defender, and YellowKey which unlocks BitLocker drives using a collection of nothing more than magically named files.

Toms Hardware reports that Microsoft has disabled the researchers GitHub accounts (GitHub being owned by Microsoft has long been a point of concern for security researchers who find vulnerabilities in Microsoft products), as well as the actual Microsoft account used by the researcher.

While it’s certainly within the terms of service of Microsoft and GitHub that accounts may be terminated, the optics are particularly poor in this case, given the confusion around the initial interactions which led the researchers original anger. NightmareEclipse has moved their example code repositories to GitLab in the mean time, and promises Microsoft that “I will make sure your bones are shattered on July 14”, implying there will be additional releases (on, you guessed it, what looks like another Patch Tuesday).

Further clouding the issue, an official Microsoft statement indicates they are attempting to bring criminal (not just civil) charges against researchers who do not cooperate with the Microsoft disclosure policies, a stance which will certainly in no way exacerbate the situation.

Fingerprinting Devices by SSD

Dan Goodin at Ars Technica highlights a new paper on fingerprinting users via SSD disk performance, using just standard JavaScript.

The modern web is a hellscape of user tracking, and this attack, dubbed FROST, highlights another technique for identifying unique devices and user patterns based entirely on hardware behavior. By generating a large file using local browser storage via OPFS (origin private file system, an API for JavaScript to create raw files inside the browser storage area) and continually reading and writing data while monitoring the performance, a web page is able to monitor the disk access performance of the device.

Using a neural network trained on timing data, researchers say they are able to determine what apps may be running on the computer alongside the browser – and sometimes even what other websites are being viewed, based solely on the delays in disk IO caused by other applications and websites accessing the SSD. The paper will be presented in July, with researchers saying that the neural network can be trained to recognize “any system which reliably generates SSD accesses”.

Likely, browser developers can mitigate FROST by decreasing the performance of file operations in the OPFS API so that the performance data lacks the fidelity needed to derive user behavior.

FROST is a “side channel attack”; by monitoring one set of characteristics, side channel attacks are able to infer other system behaviors. Side channel attacks can be incredibly subtle and difficult to predict: Another side channel attack method has been to use extremely fine-grained monitoring of the power consumption of a device to derive encryption keys, predicting the CPU instructions and values based on the amount of power used to set the internal registers.

Improving Memory Safety in C#

Programming languages have been moving towards stronger default memory models, making programs more secure by default by eliminating behaviors which are commonly exploitable. Using a memory-safe language does not prevent logic errors or other security issues, but can still help by eliminating common mistakes.

Microsoft has posted an extensive article about new enhancements for C# in .NET 11. Borrowing in many ways (that’s a programming joke) from the Rust memory model, C# 16 will add additional memory enforcement and object lifetime, detecting when memory is no longer available and preventing invalid memory accesses on expired objects, with the goal of eliminating use-after-free memory corruption and attacks.

C# 16 will also increase the meaning of the “unsafe” keyword, a mechanism introduced in C# 1.0 and since heavily adopted by newer languages such as Rust and Swift. Code marked as unsafe in C# 16 is able to bypass the stricter memory model, but all code referencing it must also be marked as unsafe. Making unsafe code more difficult to use increases the overall friction of doing things the dangerous way, while clearly marking code which is higher risk.

There are few magic bullets for secure programming, but reducing the ways a programmer can make simple mistakes can be a big win.