Neil Madden

876 Followers
353 Following
1.8K Posts
Author: API Security in Action (Manning), CVE-2022-21449. I'm on smoko so leave me alone.
Book: https://www.manning.com/books/api-security-in-action
Blog: https://neilmadden.blog/
Github: https://github.com/NeilMadden
Newsletter: https://buttondown.email/illuminatedsecurity
Consulting: https://illuminated-security.com/
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog

DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.

Google Cloud Blog
Running iOS 18? Update now, as there's an HTML and JavaScript exploit published on GitHub that exfiltrates contacts, messages, call history, and iOS keychain data from the previous version of the locked-down OS that is so secure you're forbidden from running a browser that's not made by the same vendor. https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
Someone has publicly leaked an exploit kit that can hack millions of iPhones | TechCrunch

Leaked "DarkSword" exploits published to GitHub allow hackers and cybercriminals to target iPhone users running old versions of iOS with spyware, according to cybersecurity researchers.

TechCrunch
By “SCA” I’m thinking specifically of CVE detection.
Related: do you run SCA on:
Source repo only
Container images only
Both
Those of you doing SCA and generating SBOMs, do you:
Generate SBOM & SCA in one go
Generate SBOM then run SCA on that
SBOM and SCA are entirely separate
I only do one of these
"researchers" can go to extreme lengths to argue for and claim there are vulnerabilities in code, yet almost none of them ever work on actually fixing the issue. Whatever the assessment of the issue is.

I see in the release notes that Java 26 also snuck in support for HPKE:

https://docs.oracle.com/en/java/javase/26/security/java-cryptography-architecture-jca-reference-guide.html#GUID-D345961F-D4A3-480D-89D2-4416B13C7764

It’s single-recipient and single-shot AFAICT. I wonder why?

Security Developer’s Guide

The Java Cryptography Architecture (JCA) is a major piece of the platform, and contains a "provider" architecture and a set of APIs for digital signatures, message digests (hashes), certificates and certificate validation, encryption (symmetric/asymmetric block/stream ciphers), key generation and management, and secure random number generation, to name a few.

Oracle Help Center
Does git actually verify hashes? What I mean is: if I use the “git” CLI to modify old commits then it will recompute the correct SHA1 and update everything. But if I just go and hack the data files directly and leave the hashes unchanged, will anything notice?
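An added example, not part of the post above and not git's own source: it reproduces git's loose-object format (SHA-1 over `"<type> <size>\0<content>"`, zlib-compressed, stored under a path derived from that hash) and shows the recomputation that an integrity check such as `git fsck` has to do to notice an object whose bytes were edited in place while its name was left unchanged. The in-memory "object store" and its contents are constructed for the demo; the two blob ids it expects are git's real ids for `"hello world\n"` and for the empty blob.

```python
"""Added example (not from the original post or from git itself): how a git
loose object is hashed, and how a store can detect an object whose content
was rewritten while its object id was left alone. The object format is git's
real one; the in-memory object store below is constructed for the demo."""
from __future__ import annotations

import hashlib
import zlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """Object id as git computes it: SHA-1 over "<type> <size>\\0<content>"."""
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.sha1(header + content).hexdigest()


def encode_loose_object(obj_type: str, content: bytes) -> tuple[str, bytes]:
    """Return (object id, bytes as they would sit under .git/objects/xx/...)."""
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    raw = header + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def verify_loose_object(oid: str, stored: bytes) -> tuple[bool, str]:
    """Recompute a stored object's hash and compare it with the name it was
    stored under. Returns (ok, reason). Truncated streams and headers whose
    declared size disagrees with the payload are reported as corruption too."""
    try:
        raw = zlib.decompress(stored)
    except zlib.error as exc:
        return False, f"zlib error: {exc}"
    nul = raw.find(b"\0")
    if nul < 0:
        return False, "missing header terminator"
    try:
        obj_type, size_text = raw[:nul].decode("ascii").split(" ", 1)
        size = int(size_text)
    except ValueError:
        return False, "malformed header"
    if obj_type not in ("blob", "tree", "commit", "tag"):
        return False, f"unknown object type {obj_type!r}"
    if size != len(raw) - nul - 1:
        return False, "header size does not match payload"
    actual = hashlib.sha1(raw).hexdigest()
    if actual != oid:
        return False, f"hash mismatch: named {oid}, computed {actual}"
    return True, "ok"


def check_store(store: dict[str, bytes]) -> dict[str, str]:
    """Verify every object in the store; return {oid: reason} for the bad ones."""
    bad: dict[str, str] = {}
    for oid, data in store.items():
        ok, reason = verify_loose_object(oid, data)
        if not ok:
            bad[oid] = reason
    return bad


def demo() -> dict[str, str]:
    """Constructed scenario: two good blobs, then one edited in place (content
    swapped, name kept) and one truncated. Returns the corruption report."""
    store: dict[str, bytes] = {}
    for content in (b"hello world\n", b""):
        oid, data = encode_loose_object("blob", content)
        store[oid] = data

    # Rewrite the object's bytes without touching its name, which is what
    # editing the file under .git/objects directly would amount to.
    hello_oid = git_object_id("blob", b"hello world\n")
    _, replaced = encode_loose_object("blob", b"hello there\n")
    store[hello_oid] = replaced

    # A truncated object cannot even be decompressed (placeholder name).
    empty_oid = git_object_id("blob", b"")
    store["0" * 40] = store[empty_oid][:4]

    return check_store(store)


if __name__ == "__main__":
    for oid, reason in demo().items():
        print(f"{oid}: {reason}")
```

The point of the check is that the object id is not metadata stored beside the content, it is derived from the content, so any tool that recomputes it on read can tell that the stored bytes no longer belong to the name they are filed under.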
@coda cool, just gotta add a “perfect” on there too...
“The future is already here – it's just not evenly distributed. Like butter scraped over too much bread.”
— William J.R.R. Gibson