Samantaz Fox

Young Vixen-Panther hybrid, who loves computer stuff and electronics.
Proud #Furry🦊 and #Lesbian 🏳️‍🌈.
May rant now and then.

My invidious commits are PGP-signed with this key:
A203 12E5 44F7 B9CC 5792 2D40 F428 2105 9186 176E

Previous key was:
6E2D 9DE7 A584 E411 5253 47AD 3DF5 6D7D 1CD8 02E1

Pronouns: She/Her (EN) | Elle (FR)
Languages: FR 🇫🇷 / EN 🇬🇧
Location: 1 AU from the Sun
Age: Legally allowed to drink
Website: https://samantaz.fr

The open source vulnerability scanner trivy has experienced a *second* security incident: a compromised release (v0.69.4) was published to the trivy repository.

https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release

Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity

On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.

Most people think Bluetooth works at about 10 meters. But researchers have already demonstrated Bluetooth attacks from more than a mile away using directional antennas and external power amplifiers.

Now a company called Hubble Network has demonstrated Bluetooth connectivity all the way to satellites using space-based phased-array receivers. And they’re building and launching the constellation.

https://novelbits.io/hubble-network-nrf54l15-tutorial/?utm_source=novelbits&utm_medium=email&utm_campaign=no-cellular-no-lora-just-bluetooth-le-to-the-cloud

#bluetooth #lorawan #space #sattelite

Integrate Hubble Network on your nRF54L15 for Global Connectivity

Connect your Bluetooth LE devices to Hubble Network's global IoT infrastructure—90M+ smartphone gateways and satellite connectivity—using Nordic's nRF54L15 reference app.

Novel Bits

Making an account on something today when I came across a novel to me password restriction

This Afroman trial is giving me life.

Cops raided Afroman's house for no reason. They pointed guns at him and his kids, ransacked his house, and tried to disconnect his home security cameras. They didn't disconnect them all, and so were allegedly caught on camera stealing his money.

He then made a series of music videos using footage from his security cameras and body cam footage. Now the cops are suing him for making the videos. The ACLU is defending him.

https://m.youtube.com/shorts/2m8NpGplUOM

Lawyer Asks Afroman If He’ll Stop Talking About Cops Who Raided Home

YouTube

This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.

Here: Quick guidance for the question if your FOSS component is in scope for the CRA, and if so, whether you're deemed a steward or manufacturer in regards of the component.

#opensource #cra

I saw southern auroras last night!!!! Rakiura! Holy cow that was AMAZING

(View from a bit south of Arthur's Pass, New Zealand)

so!! i am excited!!! to have finally finished the complete reimplementation of the #GlasgowInterfaceExplorer memory-25x applet for managing SPI NOR flashes. it is called memory-25q and it took an enormous amount of effort, because i have decided to Build It Properly

want to jump to the docs (there are a lot of docs, including on the fundamentals of (Q)SPI flashes) or read the code? here we go:

now, why did i do that? two reasons. memory-25x is one of the first applets i made, ~7 years ago, and i had no idea what kind of UI i should be building (yet). to make it worse, i thought that SPI NOR flashes were "easy", you could "just send a few bytes and that's basically it".

nothing could be further from truth. first off, SPI NOR flashes don't really exist—there is no spec, no standard organization that can say "no, your thing is not compliant", no order to any of this. every vendor does whatever they want, and then every other year JEDEC writes down all of the unhinged shit they did. here is the list of six incompatible methods to turn a single bit on or off, as a warmup

second, SPI flashes have an absolutely absurd diversity of framings. you cannot even express it without building a meta-framework for abstracting over all the ways people have come up to squeeze 8 bits into 2 or 4 wires. then on top of it you have to manage a bunch of global state that affects framing in subtle or sometimes really fundamental ways, without having any way to find out that you've made an error besides "you compare the actual data with the expected data (or its checksum) and it is not equal"

anyway, the new applet should be excellent at any daily task and at least okay at >90% of the exotic ones. also it's easily generalized for the (completely incompatible on the wire) QSPI NAND 25N series, octal or DTR variants, etc

applet.memory.25q: new applet by whitequark · Pull Request #1130 · GlasgowEmbedded/glasgow

This is a complete functional replacement for the memory-25q applet and it obsoletes and deprecates the latter. To do: figure out why 1-2-2 and 1-4-4 modes are broken not broken, just crosstalk ...

GitHub

Lol, speaking of cheese and security issues... I promise this was not intentional at all xD

A quick reminder that you really need to have your fortinet firewalls behind a firewall

https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html?m=1

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Attackers exploit FortiGate vulnerabilities to steal LDAP credentials and breach networks, enabling AD access and malware deployment.

The Hacker News

The end of the release cycle is really the peak. When a full cycle's worth of work and efforts are combined into a fresh tarball that is sent out into the cold harsh real world with the ideal outcome that everything just keeps on working exactly like before, ideally a little better.

The night before a release we believe this is the best we ever did. Every time we think this. Who knows what we will think tomorrow at this time.

Thanks for flying #curl. It's an adventure and honor to pilot this.