Rohith Kumar Ankam

202 posts

@rohitkumarankam

Mancherial, Telangana, India. Joined August 2020
266 Following, 62 Followers
Rohith Kumar Ankam retweeted
nisarga (@ni5arga)
I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them. I've written a detailed blog post about it here: ni5arga.com/blog/posts/hac…
Rohith Kumar Ankam retweeted
Aikido Security (@AikidoSecurity)
tl;dr When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 minutes. During that window, an attacker with a leaked key keeps access to your data and enabled APIs (including Gemini).
Aikido Security (@AikidoSecurity)

Deleting a Google API key doesn't revoke it immediately. Our research found successful authentications up to 23 minutes after deletion across Google's infrastructure. During that window, attackers with a leaked key can still access enabled APIs, including Gemini. Google closed our report as "won't fix."

Rohith Kumar Ankam retweeted
gyptazy (@gyptazy)
#Proxmox 9.2 is out! This release includes:
* New Dynamic Load Balancer for improved cluster resource utilization
* Expanded SDN with WireGuard as a new fabric protocol
* Fine-grained BGP/EVPN filtering with route maps and prefix lists
* Management of custom CPU models fro [...]
Rohith Kumar Ankam retweeted
Het Mehta (@hetmehtaa)
Them: Linux is most secure OS
Me: Yes
- Dirty Cow (CVE-2016-5195)
- Dirty Pipe (CVE-2022-0847)
- io_uring UAF (CVE-2022-2602)
- Copy Fail (CVE-2026-31431)
- io_uring ZCRX freelist (CVE-2026-43121)
- Dirty Frag (CVE-2026-43284 CVE-2026-43500)
- Fragnesia (CVE-2026-46300)
Rohith Kumar Ankam retweeted
LiveOverflow 🔴 (@LiveOverflow)
my brain after one year of vibe coding
Rohith Kumar Ankam retweeted
scrcpy (@scrcpy_app)
scrcpy 4.0 is out 🚀 Try the new flex display feature (and more): github.com/Genymobile/scr…
Rohith Kumar Ankam retweeted
Sato Takayuki (@yukitaka1974)
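dig brau.internat.jp TXT @14.192.44.1 +norec: a suspicious domain that plants fake glue for ns.brau.jp. 1.1.1.1 does resolve it, but it doesn't seem to put the fake glue into its cache, so I think there is no real harm, though I wonder.
浸透いうな (浸透待ちは時に危険) (@tss_ontap_o)

Why is 1.1.1.1 dangerous? dig -t txt brau\.internat.jp @\1.1.1.1 It's a pity there was no student in my seminar who understood this. I thought I had taught them a lot.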

Rohith Kumar Ankam retweeted
cts🌸 (@gf_256)
responsible disclosure is dead🤦
Rohith Kumar Ankam retweeted
Thomas King (@thking)
Copy-Fail? More like Copy-Fixed. 🛑 At @DECIX , our customers depend on our availability and integrity. So when the Linux "Copy-Fail" vulnerability popped up, we took it super seriously and patched things up immediately. But our engineers don't just patch; they innovate. 🧠 During the mitigation process, one of our brilliant system engineers identified a completely alternative way to block the vulnerability using ftrace. Because it’s been supported in the kernel since 2013, it’s an incredibly accessible solution for the broader community. We love a clever fix. Check out the GitHub repo below, try it yourself, and hit us with your feedback! 👉 github.com/philfry/cve-20…
Rohith Kumar Ankam retweeted
Alper FERUDUN (@AlperTheKing)
Germany's .de TLD went dark for DNSSEC-validating resolvers tonight. DENIC's signing pipeline emitted a malformed RRSIG (keytag 33834) over an NSEC3 record. The signature is formally valid through May 19; it is cryptographically defective right now. That single bad bit takes ~17 million domains down together — bahn.de, spiegel.de, amazon.de, gmx, web.de, ZDF, Sparkassen, Telekom, Hetzner, Ionos.
The first signal is who broke. Google 8.8.8.8, Cloudflare 1.1.1.1, Quad9 9.9.9.9 — the resolvers that actually validate DNSSEC — return SERVFAIL with EDE 6 (DNSSEC Bogus). Most German ISP recursors do not validate, and pass the same answer through unbothered. The security-conscious half of the internet experiences the outage; the lax half does not.
The second signal is what DNSSEC was designed for. The protocol was standardized in 2005 and crash-deployed at scale after the 2008 Kaminsky cache-poisoning attack — a forged DNS answer race that could redirect a TLD's traffic before the legitimate response arrived. The root zone was signed July 15, 2010. .de followed in 2011. DNSSEC adds a cryptographic chain so a forged answer is rejected by validators.
The third signal is the failure class. "Formally valid, cryptographically defective" is not a key rollover. It is not an expiry. It is a signing pipeline producing a signature whose validity window is fine but whose math is wrong. The cure is DENIC re-signing and pushing a corrected RRSIG, then waiting for negative caches to drain.
The reframe. DNSSEC converts an attack surface into a failure surface. Without it, a faulty signature cannot exist — there is no signature. With it, every validating resolver on the planet is contractually obligated to refuse 17 million names because one signing operation at one organization went wrong. The protocol that closed cache poisoning opened cache invalidation at TLD scale.
.nz spent ~13 hours offline in May 2023 in this same failure class through a different mechanism (KSK retired too early). The shared lesson: TLD-level cryptographic centralization makes a single signing pipeline load-bearing for whole continents. One operation, one zone, one country off-balance.
Rohith Kumar Ankam retweeted
Appwrite (@appwrite)
LLMs after hitting the 40% context mark