Software engineer learning new things every day.
Interested in #cybersecurity, #privacy, #go, #linux, #selfhost
| website | https://gyorban.net |
| codeberg | https://codeberg.org/gyorb |
| github | https://github.com/gyorb |
did you know that SSH has a little-known secret menu?
i wrote a post about this on cohost a while back, but since that site shut down i'm posting it here too
Without an `exp` claim, a JWT can remain valid forever, turning a leaked token into permanent access.
https://securinglaravel.com/security-tip-your-jwt-might-be-a-forever-key/ #Laravel
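To make the point above concrete, here is an added example (not from the linked post or from any library it mentions) of an HS256 verifier written with only the Python standard library. It treats a missing `exp` as a hard failure and also caps the token lifetime, so a leaked token cannot stay usable indefinitely. The key and claims are constructed for the demo; `max_lifetime` is an assumed policy value, not anything the post prescribes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a signed HS256 JWT (used here only to construct test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[int] = None, max_lifetime: int = 3600) -> dict:
    """Return the claims if the token is signed with `key` and still valid.

    Rejects tokens with no `exp` (they would be valid forever), expired tokens,
    and tokens whose `iat`..`exp` window exceeds `max_lifetime` seconds
    (assumed policy; tune per deployment).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts

    # Pin the algorithm: never trust the header to choose the verification method.
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(p))
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool):
        raise ValueError("missing exp: token would never expire")
    if exp <= now:
        raise ValueError("token expired")
    iat = claims.get("iat")
    if isinstance(iat, int) and exp - iat > max_lifetime:
        raise ValueError("lifetime too long")
    return claims


def verdict(token: str, key: bytes, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_hs256(token, key, now=now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed, not a real secret
    good = mint_hs256({"sub": "alice", "iat": 1000, "exp": 1600}, KEY)
    forever = mint_hs256({"sub": "alice"}, KEY)
    print(verdict(good, KEY, now=1200))      # ok
    print(verdict(forever, KEY, now=1200))   # missing exp: token would never expire
```

Libraries such as PyJWT verify `exp` when it is present; the policy decision worth copying from this example is refusing tokens that omit it at all, since a verifier that only checks `exp` when present silently accepts the forever key.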
Cybersecurity blog posts, writeups, papers, and tools
Today's sysadmin discovery:
So, for all that I like Debian, one big sticking point I've had with it is that when you install a package which contains a system service, even if it was pulled in as a dependency of something else, that service gets auto-enabled, with a default configuration.
That has always felt like bad security practice to me, as it means any update can suddenly expose new services to the outside world without warning. It's also subtly broken my setup on at least two different occasions.
Fortunately, there is a way to change the default policy, so that new services only get enabled when you tell them to be:
https://manpages.debian.org/trixie/systemd/systemd.preset.5.en.html (example 1)
Definitely going to put that in my ansible configs!
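The preset mechanism behind that man page example, as an added illustration (my code, not the poster's or systemd's): preset files in `/etc/systemd/system-preset/` are read in lexical filename order and the first matching line decides whether `systemctl preset` enables or disables a unit, so an allowlist file must sort before the `disable *` catch-all. The two preset files below are constructed for the demo; the resolver reimplements that first-match rule in Python so the policy can be checked without touching a real host. The fallback to `enable` when no rule matches mirrors systemd's documented default.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed contents of /etc/systemd/system-preset/ for a "default to off" host.
# 10-allowlist.preset sorts before 99-default.preset, so its rules win.
PRESET_FILES: Dict[str, str] = {
    "10-allowlist.preset": (
        "# Units this host is explicitly allowed to enable.\n"
        "enable ssh.service\n"
        "enable unattended-upgrades.service unattended-upgrades.timer\n"
    ),
    "99-default.preset": (
        "# Everything else stays disabled until an admin says otherwise\n"
        "# (systemd.preset(5), example 1).\n"
        "disable *\n"
    ),
}


def parse_presets(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flatten preset files into (action, glob) rules in systemd's evaluation order."""
    rules: List[Tuple[str, str]] = []
    for name in sorted(files):  # lexical order, as systemd reads the directory
        for raw in files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            action, _, patterns = line.partition(" ")
            if action not in ("enable", "disable"):
                raise ValueError(f"{name}: unsupported directive {action!r}")
            for pattern in patterns.split():  # a line may list several unit globs
                rules.append((action, pattern))
    return rules


def preset_action(rules: List[Tuple[str, str]], unit: str) -> str:
    """Return 'enable' or 'disable' for `unit`: first matching rule wins."""
    for action, pattern in rules:
        if fnmatch.fnmatchcase(unit, pattern):
            return action
    return "enable"  # systemd's default when no preset mentions the unit


if __name__ == "__main__":
    rules = parse_presets(PRESET_FILES)
    for unit in ("ssh.service", "unattended-upgrades.timer", "apache2.service"):
        print(f"{unit}: {preset_action(rules, unit)}")
```

Dropping the `99-default.preset` file (or renaming it `00-default.preset`) flips the outcome for every unit, which is the ordering mistake to guard against in an Ansible role: templating the allowlist with a lower numeric prefix than the catch-all.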
This post describes how to execute code on every Pod in many Kubernetes clusters when using a service account with nodes/proxy GET permissions
Huge news for container users! Docker Hardened Images (DHI) are now FREE! Enhanced security for Alpine, Debian, & 1000+ images. Docker handles base image CVEs & boosts supply chain trust. #selfhost #homelab
More Info: https://www.docker.com/blog/hardened-images-free-now-what/
They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.
This CVE is an 8.8 severity RCE in Notepad of all things lmao.
Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.
We have reached a point where the simple act of opening a .md file in a native utility can compromise your system. Is nothing safe anymore?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
#noai #microslop #microsoft #windows #programming #writing #windows11 #enshittification #cybersecurity #infosec #technology
PSA: Did you know that it's **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
Tickets! Now! -> https://tickets.bsidesljubljana.si