what did you learn today? (part 2)

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
Disclosure Timeline

2026-04-29: Submitted detailed information about the rxrpc vulnerability and a weaponized exploit that achieves root privileges on Ubuntu to security@kernel.org.
2026-04-29: Submitted the patch for the rxrpc vulnerability to the netdev mailing list. Information about this issue was published publicly.
2026-05-07: Submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set to 5 days, with an agreement that if a third party publishes the exploit on the internet during the embargo period, the Dirty Frag exploit would be published publicly.
2026-05-07: Detailed information and the exploit for the esp vulnerability were published publicly by an unrelated third party, breaking the embargo.
2026-05-07: After obtaining agreement from distribution maintainers to fully disclose Dirty Frag, the entire Dirty Frag document was published.
2026-05-08: CVE-2026-43500 was reserved for tracking this vulnerability.

This broke embargo: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo


The Linux kernel's "just stealth fix it" approach doesn't work anymore with everyone watching commits like a hawk.
 

Vince-RA

Ars Praefectus
5,337
Subscriptor++
All of the smugness around "open source is better because it's reviewed by everyone!" is going to collapse. Not only was it a dumb thing to start with (See OpenSSL), the advent of AI tools means that closed source actually has an advantage here.
I mean, maybe? I assume that Mythos etc are going to get good at finding exploits even when they don't have access to the code. Whenever that happens, the pendulum (probably) swings back to open source, since instead of depending on one company to fix the bug, we can again rely on the combined might of millions of angry nerds worldwide.

We're probably in for a very rough ride no matter what.

Possibly related to said rough ride: https://security.paloaltonetworks.com/CVE-2026-0300

If you have your authentication portal exposed to the internet, maybe don't do that? No patch available for this lovely 9.3 until at least 5/13.
 

kperrier

Ars Legatus Legionis
21,226
Subscriptor++
 
All of the smugness around "open source is better because it's reviewed by everyone!" is going to collapse. Not only was it a dumb thing to start with (See OpenSSL), the advent of AI tools means that closed source actually has an advantage here.
More than enough people have access to the source code of windows etc that any advantage there is illusionary.
 
Which Windows? The latest version of 11?
As in the specific version including all current patches updated every time - probably not. But plenty of strategic partners and government agencies have official access to at least major versions, and I doubt the likes of China, North Korea or Iran have major problems getting it either.
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2026q2/018471.html

Today, 11th May 2026, CERT is releasing a set of six CVEs for serious security vulnerabilities in dnsmasq. These are all long-standing bugs which apply to pretty much all non-ancient versions.
There has been something of a revolution in AI-based security research, and I've spent a lot of time over the last couple of months dealing with bug reports, weeding duplicates (so many duplicates!) and triaging bugs into those which need vendor pre-disclosure and those which it's better to make public and fix immediately. Those judgements have been necessarily subjective, but given the number of times "good guys" have found these bugs, there's no doubt that "bad guys" have been able to do the same, so long embargoes seem kind of pointless.
I think the priority for most bugs is to fix them going forward, and have new dnsmasq releases as bug-free as possible. To this end, you may have noticed that there have been a lot of security-fix commits to the git repo in the weeks prior to this announcement.

But scrolling through the diff, damn, I am surprised they haven't been found earlier. These aren't Mythos-level bugs but often simple bounds overflow. Typical underfunded open source C project :(
 

Vince-RA

Ars Praefectus
5,337
Subscriptor++
Everyone is freaking out about Mythos. Board members are asking execs, execs are asking everyone else, clients are telling us that integration timelines may be impaired because resources will be reallocated to deal with security issues, etc. I feel like we are in reasonably good shape overall, but only because we've spent the last ~3 years aggressively improving our ability to manage endpoints, automating server patching, moving workloads to containers and managed services, etc. Fingers crossed that it helps...
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
I am so glad we are on memory safe languages like Java and Python. Yes, especially Java has weak spots, like whenever you allow deserialization that turns into remote code execution pretty much by default, but use JSON over HTTP as transport and you need to fuck up severely to get an RCE level bug.

I wonder what kind of issues pop up in Django, Flask, Jinja2, but I think it would be on the level of cURL, where 1 low tier bug popped up on a single scan, https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
 
I am so glad we are on memory safe languages like Java and Python. Yes, especially Java has weak spots, like whenever you allow deserialization that turns into remote code execution pretty much by default, but use JSON over HTTP as transport and you need to fuck up severely to get an RCE level bug.

I wonder what kind of issues pop up in Django, Flask, Jinja2, but I think it would be on the level of cURL, where 1 low tier bug popped up on a single scan, https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
wordpress?
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
wordpress?
PHP has always been a dumpster fire of a language. Yeah alright avoid that too.

Although modern PHP is a bit better, it still has a bunch of footguns.

WordPress is unique though, with opt-in security: plugins need to esc_html() and check_ajax_referer() and verify user permissions. Some just hide the button instead of hardening the exposed endpoint. The core is meh, but the true swamp is the plugin ecosystem.
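As an added illustration of the opt-in model described in this post (not code from the thread or from any real plugin), here is a hypothetical plugin AJAX handler written both ways: the "hide the button" version beside one that hardens the endpoint itself. The plugin name, action name and post-meta capability are assumptions.

```php
<?php
// Added example for a hypothetical plugin "demo-notes"; not from the thread.
// Both handlers are reachable by any logged-in user who POSTs to
// /wp-admin/admin-ajax.php?action=demo_notes_delete, whether or not the
// admin UI ever showed them a "Delete" button.

// Weak version: the button is hidden from non-admins in the page template,
// but the endpoint performs no nonce, capability or input check at all.
function demo_notes_delete_unsafe() {
    $id = $_POST['note_id'];             // unsanitized
    wp_delete_post( $id, true );         // any logged-in user can delete any post
    echo $_POST['note_title'];           // reflected without escaping (XSS)
    wp_die();
}

// Hardened version: the endpoint enforces what the hidden button only implied.
function demo_notes_delete_safe() {
    // 1. CSRF: verify the nonce the page generated with wp_create_nonce( 'demo_notes_delete' ).
    //    check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_notes_delete', 'nonce' );

    // 2. Input: coerce to the expected type before using it anywhere.
    $id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid note id' ), 400 );
    }

    // 3. Authorization: check the capability for this specific object,
    //    not merely "is logged in". The meta capability resolves per post.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_post( $id, true );

    // 4. Output: sanitize request data and escape anything echoed back.
    $title = isset( $_POST['note_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['note_title'] ) )
        : '';
    wp_send_json_success( array( 'message' => esc_html( 'Deleted: ' . $title ) ) );
}

add_action( 'wp_ajax_demo_notes_delete', 'demo_notes_delete_safe' );
// Deliberately no wp_ajax_nopriv_demo_notes_delete hook: unauthenticated
// visitors get no endpoint at all, instead of a hidden one.
```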
 

Demento

Ars Legatus Legionis
15,568
Subscriptor
PHP has always been a dumpster fire of a language. Yeah alright avoid that too.

Although modern PHP is a bit better, it still has a bunch of footguns.

WordPress is unique though, with opt-in security: plugins need to esc_html() and check_ajax_referer() and verify user permissions. Some just hide the button instead of hardening the exposed endpoint. The core is meh, but the true swamp is the plugin ecosystem.
We just had a fun one where the WP install got exploited because in the previous exploit WP cron accidentally got disabled and it didn't self-patch like it's supposed to. I can laugh because it's not my problem. Unfortunately, there's nothing quite as easy as WP that you can just drop in and let people go on.
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
https://www.rapid7.com/blog/post/ve...ypass-cisco-catalyst-sd-wan-controller-fixed/

While researching a critical authentication bypass vulnerability, CVE-2026-20127, which was exploited in-the-wild, Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182.

This new authentication bypass vulnerability affects the “vdaemon” service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127. The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the “vdaemon” networking stack.

The impact, however, is the same: a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as injecting an attacker controlled public key into the vmanage-admin user account’s authorized SSH keys file. Once this has been performed, a remote unauthenticated attacker can log in to the NETCONF service (SSH over TCP port 830) as the vmanage-admin user, and begin to issue arbitrary NETCONF commands.
CVE-2026-20182 has a CVSSv3.1 score of 10.0 (Critical), and a Common Weakness Enumeration (CWE) of CWE-287: Improper Authentication.
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
https://www.drupal.org/sa-core-2026-004

Drupal released a SQL injection security advisory just now, and Symfony, the framework it depends on, dropped like 34 CVEs at once, some credited to Mythos. https://symfony.com/blog/category/security-advisories

Twig, another dependency, had 13 security issues fixed. Big coordinated release for these three packages, if you run any of these, it's now a race - patch vs exploit.


At least the SQL injection only works on Postgres.
 

Vince-RA

Ars Praefectus
5,337
Subscriptor++
TL;DR Google suspends Railway's GCP account via automated process with no notice

https://blog.railway.com/p/incident-report-may-19-2026-gcp-account-outage

This is brutal. Anyone who knows me knows I will dump on Azure at any opportunity, but my god, I would never trust Google with any critical part of my business. Stories like this abound from Google, predating GCP as a thing entirely. I can only imagine that companies not of Railway's scale would have virtually no recourse if something like this happened.

Kudos to Railway for owning the design decision to make GCP a critical part of their platform architecture and taking steps to change that.
 

theevilsharpie

Ars Tribunus Militum
1,819
Subscriptor++
I have been using Google Cloud for over a decade, and have never run into any situations where they would shut down an account without prior notice.

I have gotten notices from them regarding billing issues, as well as security issues that needed to be resolved by a particular date or they would shut off the GCP project in question, but never sudden shutoffs.

Google tends to be a favorite punching bag of the Hacker News crowd, but I'm guessing there's way more to the story than Railway is mentioning.
 

w00key

Ars Tribunus Angusticlavius
9,109
Subscriptor
Yeah only Google can shoot itself in the foot like this, repeatedly...


As for people wondering wtf, it's not the first time Google failed hard. The last high-profile case was

Over half a million UniSuper members failed to access their accounts after Google Cloud accidentally deleted the private cloud account of the Australian pension fund worth $125 billion.

The week-long outage resulted in widespread frustration and concern. Although service restoration commenced on Thursday, it may take some time for investment balances to reflect accurate figures.

It's not about you or me not having issues, but them not treating a disruptive action as "maybe ask the account manager about it first", before suspending.

It was clearly in error, as it was undone 7 minutes after poking the account rep. Then you need to wait for the disks and networks to provision and that took forever.

May 19, 22:19 UTC - Root cause identified: Google Cloud Platform has suspended Railway's production account.
May 19, 22:22 UTC - P0 ticket filed with Google Cloud. Railway's GCP account manager engaged directly.
May 19, 22:29 UTC - Incident declared.
May 19, 22:29 UTC - GCP account access restored. All compute instances remained stopped and persistent disks inaccessible.
 

sryan2k1

Ars Legatus Legionis
46,545
Subscriptor++
Not only are there no safeguards but Google doesn't seem to understand or care why this is horrible.


When Amazon has a fuck up like this they figure out exactly how it happened and communicate very publicly how they're going to prevent it from happening again, regardless of whether it was human error, code or both.


Microsoft sits somewhere in the middle where I believe they want it to be great but their absolute titanic mass prevents them from not hitting the iceberg, usually.
 
We're building our first Hyper-V stretched cluster next week. Should be fun.

Some of my workloads cannot run on anything other than VMware, so I'll still have to pay Broadcom in the end. But if I can reduce my dependency by 80-90%, it just makes sense. Convert to a commercial account, lose the cancerous account team (that's a win in my book), pay list price for everything, pay extra for support from someone else, and move on. We're only a couple months into our latest ELA, so we have 2.5 years left before Broadcom hurts us again shows us how much value we're missing out on.
 

Tremere

Ars Centurion
213
Subscriptor
Interestingly we started out the quoting process for VMware Friday as well. It should come back awfully interesting - we have 1000ish cores of VCF and 700ish cores of Standard. Standard of course is no longer available so this quote could come back a whopper. I’ve also started a background quote with one of my professional service partners to give me quoting to migrate those 700 cores of hosts to XenCenter before Aug 8. The way I look at it there’s no way that won’t come out to less than the cost of licensing up from Standard to VCF so it’ll be a cost win. I’ll just be on Xen which is… meh. It really sucks that vSphere really is the gold standard and now is radioactive.
 

Tremere

Ars Centurion
213
Subscriptor
Do you need VCF? What about VVF?
I really need nothing but standard. Technically speaking I need something Citrix can talk to and that I can occasionally vmotion (or equivalent) stuff around. We’re hearing Broadcom will quote nothing but VCF as of Jan ‘26. It’s the big boy or nothing.

Meanwhile my UHMC Citrix licenses entitle me to 10k cores of Xen, so…
 
Broadcom flat refused to quote us VVF or Enterprise+. We had to buy VCF or dump our account team and pay list/retail price for everything. We actually went down that rabbit hole, but found out that buying it retail doesn't include any support. And everyone we talked to that offers third party support ends up getting a quote from Broadcom, because all of those companies did the old "we'll be the first and second line of defense, but we can call vmware to escalate if there's a bigger problem." Once we did that, Broadcom set our price for VCF to like $2/core less than VVF list. Cause they're a bag of dicks.

migrate those 700 cores of hosts to XenCenter
Interestingly enough, our VDI team completely nuked everything Citrix in the environment after they pulled the same level of bullshit that Broadcom did, just earlier. We went from two parallel EMRs down to just one, so needed to reduce licensing. Halved the licenses and the price was the exact same. They came back after we got rid of them completely and said they'd give us a bunch of free shit and it was totally the old account team's fault, but that has the same ring to it as "baby I'll never hit you again." Run away.