Let’s start this week with many happy returns for Let’s Encrypt! It’s been 10 years since free TLS certificates made it much more common that things go via HTTPS rather than HTTP. When anyone and everyone was able get a cert, it certainly reduced the barriers to adoption. These days it is almost unimaginable to have some web traffic that doesn’t use TLS. Now, if only we could convince some “security experts” to stop going on about how connecting to a public wifi will allow h4x0rs to steal all your data.

This week, we’re talking about React4shell. The latest in the 4shell family of vulnerabilities. What does 4shell mean? Usually that it’s possible to do RCE (Remote Code Execution) based on an application vulnerability and typically, attackers will leverage that to get a remote shell. And now, for something completely different My first link is not related to react4shell, but it’s yet another way of how guardrails in LLM models can be subverted.

This week is an odd mixture about sandworms, supply chains and basically how everything is broken anyway. And then (after all the naughtiness) let’s end on something nice. Thumped by a Sandworm Sha1 Hulud came back for another go at supply chain attacks. Patient zero of this wave appears to have been Posthog - an analytics platform a bit like Mixpanel. According to their postmortem, their build pipeline was compromised by a simple pull request.

This week there have been some interesting bugs. Or interest in bugs. Bugs It was Cloudflare’s turn to break the internet. As per usual, the transparency on display is rather cool. It was rather interesting that for once, the problem wasn’t DNS or BGP, neither was it a cyberattack. Though indirectly, the threat of bots was responsible. As a subtle change in the handling of queries meant that the bot management system suddenly produced config files that were twice as large and that made them larger than the system could handle.

This week’s edition of the weakly link has got some fire in it: First on the menu we’ve got a report that tries to tell us that if there’s an AI bubble, that’s a good thing: The AI Wildfire Is Coming. It’s Going to Be Very Painful and Incredibly Healthy Instead of a bubble, the post tells us of one dinner guest at a CEO dinner in Silicon Valley who argues that instead of a bubble it is more like a wildfire.

This post is a mixture of AppSec, vibe coding and cryptography. SPOILER ALERT: This post describes how to complete the Capture-The-Flag exercise “Encrypted Pastebin” (Hard) on Hacker101. Over the last few days I have had a lot of fun with a padding oracle. But let’s take a step back: I have been looking at Hacker101 CTF exercises. The premise is simple: You’re given a website The website has flags hidden.

Every week I come across some interesting, ridiculous or astounding content related to security and tech around software engineering. And I post it on the company Slack, sometimes on LinkedIn and often on BlueSky or Mastodon. (I deleted my Twitter account a long time ago. No Nazi bar for me.) And yet, I often forget all about the content. And because I closed my browser with 200ish open tabs once too often, I thought, why not write about the things that interested me, then I can look back on them and maybe someone else might find them interesting too.

BSides Newcastle is probably one the most anarchic of the BSides I’ve been to so far. So much so that the fascists organised a protest. Well, not really, but there was a far-right and counter-protest not far from where the conference was. Thankfully, the organisers were on top of it and kept is all up-to-date with advice: “Punch Nazis” (for the benefit of the tape, nobody endorsed violence). Aaanyway, aside from a really early start I was ready to dive in and hope to share some of the experiences with you.

Have you ever wondered how hard it is to make an AI talk to an API? Wouldn’t it be great if I could talk to a machine like Captain Picard does to his computer? “Tea. Earl Grey. Hot!” would have to sent to the replicator subsystem with the correct instructions. But how would that actually work? I suppose, the Starship Enterprise-D made its first appearance on the airwaves in 1987. So at the time I guess we could expect a replicator to be programmed in C.

I’m on the plane returning from a Scan Agile conference that was just joyful. What made it that way? Was it the setting in the gorgeous looking Paastorni conference centre, was it the fact that the hotel was next door or was it because the speaker dinner the night before the conference set just about the right tone? Erm, of course that all helped, but I think it was the people.