
Posts by Michal Špaček


The Axios supply chain attack post mortem notes show how it was done: via a fake cloned company on a fake Teams call. The two comments with details: github.com/axios/axios/... and github.com/axios/axios/...

2 weeks ago 3 0 0 0
Profiles A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt...

Here's your (ir)regular reminder that HTTPS certificates without the CN (Common Name) field are completely valid. For example the 6-day certificates from Let's Encrypt do not have a CN as per the "shortlived" profile letsencrypt.org/docs/profiles/

3 weeks ago 0 0 0 0

There's a chance they need to store my data to not use them anymore if a new "enrichment source" appears. They also say they're not controllers as per GDPR, only processors, but entering my data could make them one.

I could be wrong though. This will be 🤔 and I hope I'll learn a thing or two.

3 weeks ago 0 0 0 0

I always find entering personal details into a website to tell them to stop processing my personal data a bit absurd.

This biz data enrichment company is processing my personal phone number. They told me to fill out this form, so I did. Now I'm asking how they process my data I have entered 😅

3 weeks ago 1 0 1 0

My favorite XSS trick when you can add only attributes (when < and > are removed from the input) is to add onfocus=alert(1) and autofocus: <input value="" onfocus="..." autofocus="">

To not create a loop, I add this.blur(), otherwise alert() steals the focus, and then the field gains it once again.

1 month ago 4 1 0 0
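Added example (not the author's code): the same attribute injection seen from the server side in Go, showing why stripping only &lt; and &gt; leaves it open and how proper attribute encoding closes it. The input value is constructed from the payload in the post; the function names are mine.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed test input reused from the post: it contains no angle brackets,
// so a filter that only strips < and > lets it through untouched.
const attributeBreakout = `" onfocus="alert(1);this.blur()" autofocus="`

// stripAngleBrackets is the insufficient sanitizer the post describes:
// it removes < and > but leaves quotes and spaces intact.
func stripAngleBrackets(s string) string {
	return strings.NewReplacer("<", "", ">", "").Replace(s)
}

// renderUnsafe builds the input tag with only angle-bracket stripping,
// so the value can close the attribute and add new ones.
func renderUnsafe(value string) string {
	return fmt.Sprintf(`<input value="%s">`, stripAngleBrackets(value))
}

// renderSafe uses attribute encoding: html.EscapeString turns " into &#34;
// (and also escapes <, >, & and '), so the value stays inside the attribute.
func renderSafe(value string) string {
	return fmt.Sprintf(`<input value="%s">`, html.EscapeString(value))
}

// hasEventHandler is a crude check used only for the demonstration: it reports
// whether the rendered markup contains an onfocus attribute outside the value.
func hasEventHandler(markup string) bool {
	return strings.Contains(markup, `" onfocus="`)
}

func main() {
	fmt.Println(renderUnsafe(attributeBreakout))
	fmt.Println(renderSafe(attributeBreakout))
}
```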
Release Can disallow properties · spaze/phpstan-disallowed-calls Naming is hard, so that's why this Disallowed Calls extension now supports disallowing instance and static properties, and enum properties with disallowProperties (#378) Other (mostly) internal cha...

Naming is hard, so that's why my PHPStan extension called "Disallowed **Calls**" now supports disallowing **properties** 😅 Also a Friday the 13th release 👻 (at least in my timezone) github.com/spaze/phpsta...

1 month ago 0 0 0 0
HTTPS certificate industry phasing out less secure domain validation methods Posted by Chrome Root Program Team Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the...

When issuing an HTTPS certificate, the CA needs to make sure you own the domain, and one of the many methods is via email where they'll email you a link. This method will be discouraged in March 2026, disabled in March 2028. See security.googleblog.com/2025/12/http... + cabforum.org/2025/11/20/b...

2 months ago 1 0 0 0
GitHub - sharkdp/bat: A cat(1) clone with wings. A cat(1) clone with wings. Contribute to sharkdp/bat development by creating an account on GitHub.

Instead of `cat`, I use `bat`, "a cat(1) clone with wings." github.com/sharkdp/bat

It supports syntax, line nrs, git etc. I have it aliased to `cat`.

If you'd like to concat multiple files into one (`cat 1 2 3 > foo`), you should run the original like `\cat`, seems faster, in my case up to 10x.

3 months ago 2 0 0 0
GitHub - BurntSushi/ripgrep: ripgrep recursively searches directories for a regex pattern while respecting your gitignore ripgrep recursively searches directories for a regex pattern while respecting your gitignore - BurntSushi/ripgrep

Best news I've discovered today is that ripgrep is also available for Windows and you can install it with winget (winget install ripgrep). ripgrep is like the grep utility in Linux, but a bit faster, it also accepts grep's params github.com/burntsushi/r...

4 months ago 1 1 0 0
Michal Špaček: Password Reuse Is a Dumpster Fire – We Brought a Hose YouTube video by Per Thorsheim

Michal Špaček @spazef0rze.bsky.social presenting his talk "Password Reuse Is a Dumpster Fire – We Brought a Hose" at #PasswordsCon in Prague, December 2, 2025.

youtu.be/AuCNgoDf-5c

4 months ago 3 4 0 0

Looking at my access logs, the easiest way to block web scanners & bots is to block requests with a User-Agent header that says "old browser" where old is -10 major versions and older 😁 For example Chrome is v142 and bots use Chrome/120, 116 etc. It's mostly a fun idea but it seems like I need a PoC 😅

4 months ago 2 0 0 0
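Added example (not the author's code) turning the heuristic above into a check over access-log lines in Go. Chrome 142 and the 10-release window are the numbers from the post; the log lines are constructed, and the function names are mine.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// From the post: Chrome was at major 142; a UA claiming a major 10 or more
// releases older is treated as a likely scanner or bot.
const currentChromeMajor, maxVersionLag = 142, 10
var chromeMajorRe = regexp.MustCompile(`Chrome/(\d+)\.`)

// Constructed combined-format access-log lines (not real traffic).
var sampleLog = []string{
	`203.0.113.7 - - [01/Dec/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36"`,
	`198.51.100.9 - - [01/Dec/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"`,
	`192.0.2.4 - - [01/Dec/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
}

// chromeMajor returns the claimed Chrome major; ok is false without a Chrome/
// token (Edge and other Chromium browsers carry it too, so this is a heuristic).
func chromeMajor(ua string) (major int, ok bool) {
	m := chromeMajorRe.FindStringSubmatch(ua)
	if m == nil {
		return 0, false
	}
	major, err := strconv.Atoi(m[1])
	return major, err == nil
}

// isStaleChromeUA is the post's rule: claimed major is maxVersionLag or more behind current.
func isStaleChromeUA(ua string, current int) bool {
	major, ok := chromeMajor(ua)
	return ok && current-major >= maxVersionLag
}

// staleClients returns the client IPs of log lines whose last double-quoted
// field (the User-Agent in the combined format) looks like an outdated Chrome.
func staleClients(logLines []string, current int) []string {
	var hits []string
	for _, line := range logLines {
		parts := strings.Split(line, `"`)
		if len(parts) >= 3 && isStaleChromeUA(parts[len(parts)-2], current) {
			hits = append(hits, strings.Fields(line)[0])
		}
	}
	return hits
}
```

Legitimate users on unpatched browsers would be blocked too, which is why the post calls it a fun idea rather than a rule.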

TIL that OCI stands for "Oracle Cloud Infrastructure" and also "Open Container Initiative". I've first learned about the former ("Oracle Cloud Infrastructure") and just spent 5 minutes trying to understand a bug where they used OCI in the latter meaning ("resolves remote OCI artifacts")

5 months ago 2 0 0 0

Thanks for the (virtual) visit to the talk, I'm glad you liked it :-)

6 months ago 1 0 0 0
Automatic passkey creation in Chrome for Android  |  Blog  |  Chrome for Developers Chrome for Android can now automatically create passkeys after password sign-in, helping users transition to passkeys with less friction.

Chrome for Android can now help users adopt passkeys more seamlessly.

If a user signs in with a saved password, your website can request that an associated password manager (in many cases on Chrome this is Google Password Manager) creates a passkey automatically.

developer.chrome.com/blog/automat...

6 months ago 4 5 0 0
Upper part of the image is a Dilbert comic titled "Tour of Accounting" where in the first frame there's Dilbert presumably in hell, because there's a creature resembling a cute devil next to him. The creature is saying "Over here we have our random number generator." In the next frame there's another creature saying "Nine nine nine nine nine nine". In the last frame Dilbert asks "Are you sure that's random?" while the creature from the first frame responds "That's the problem with randomness, you can never be sure."

Below the strip is a screenshot of code using a random number generator:
> random_int(0, 29)
= 9

> random_int(0, 29)
= 9


My random number generator just did a Dilbert

6 months ago 3 0 0 0

Did you know Facebook has a Certificate Transparency monitoring tool? Never mind then, they're shutting it down anyway :-) developers.facebook.com/tools/ct

7 months ago 0 0 0 0

You can configure it any way you want or need, but the extension comes with bundled configuration files you can use out of the box. One of them disallows dangerous functions like var_dump() or put_env(), while another one blocks insecure functions like hash() with MD5 github.com/spaze/phpsta...

7 months ago 3 1 0 0

Just noticed that my PHPStan extension to detect disallowed calls, methods, attributes, constants etc. has been installed more than 15M times, wow! Not bad for a weekend project (a long weekend since 2018). PHPStan itself has 300M installs, so 5% of all PHPStan installs use the extension, nice! :-)

7 months ago 6 0 1 0
Chrome Certificate Viewer displaying a certificate without the CN field: In "Issued To" it says "Common Name (CN) <Not Part Of Certificate>"


Chrome developer tools Security tab, the Subject field is empty when the certificate has no CN


Firefox certificate viewer says "(unknown)" in the tab title when viewing a certificate without a CN field.


Just got one certificate using the tlsserver profile and of course as expected, the browsers are doing just fine, they just omit the field (Chrome), or say unknown (Firefox, could be confusing though).

7 months ago 0 0 0 0

There's another @letsencrypt.bsky.social certificate type ("profile") that doesn't come with a CN (Common Name) field anymore: the tlsserver profile.

It's a 90 day cert, its properties "reflect the latest recommendations from the CA/Browser Forum Baseline Requirements, as well as general trends."

7 months ago 1 0 1 0
Profiles A profile is a collection of characteristics that describe both the validation process required to get a certificate, and the final contents of that certificate. For the vast majority of Let’s Encrypt...

Such certificates are not very common today, but they will be more common in the future. For example Let's Encrypt's short-lived 6 day certificates do not have the CN field letsencrypt.org/docs/profiles/

You can find a cert without the CN field for testing here letsencrypt.org/2025/02/20/f...

7 months ago 0 0 1 0

HTTPS certificates can exist without the CN (Common Name) field. It's not used for validation, instead browsers use the SAN (Subject Alternative Names) field.

But if your tool uses CN for anything, e.g. to show a "name" for management purposes, check whether the tool works with CN-less certificates

7 months ago 1 1 1 0
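Added example in Go (not the author's or Let's Encrypt's code) of the check the post above asks for: a tool that shows a "name" for a certificate must fall back to the SAN when there is no CN. The certificate is a constructed self-signed one with an empty Subject and SAN-only names, mimicking the shape of the CN-less profiles; the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// displayName returns a name usable for management UIs: the Subject CN when
// present, otherwise the first SAN DNS name, otherwise a fixed placeholder.
// Browsers validate hostnames against SANs only, so the CN has to be optional.
func displayName(cert *x509.Certificate) string {
	if cn := cert.Subject.CommonName; cn != "" {
		return cn
	}
	if len(cert.DNSNames) > 0 {
		return cert.DNSNames[0]
	}
	return "(no subject name)"
}

// newCNLessCert builds a constructed, self-signed test certificate with an
// empty Subject and only SAN entries, shaped like the CN-less profiles the
// post describes (it is not a real Let's Encrypt certificate).
func newCNLessCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{}, // deliberately no CN
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(6 * 24 * time.Hour), // short-lived, like the 6-day profile
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```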

420: Czech your DNS cache (420 is the CZ phone country code and this is a lame joke of mine 😅)

8 months ago 0 0 0 0

😅

8 months ago 0 0 0 0
"Refresh DNS" RFC draft as written by ChatGPT because bots frustrate me "Refresh DNS" RFC draft as written by ChatGPT because bots frustrate me - "Refresh DNS" RFC draft prompt.txt

Here's a draft written by ChatGPT 😁 It has defined the new code 432 and even a new media type application/dns-refresh+json that would provide more details on why you feel the client should refresh their cache gist.github.com/spaze/c1e100...

8 months ago 2 0 1 0

There should be an HTTP response code in the 4xx range that would instruct the client to refresh their stale DNS records. Even after 48 hours some bots (looking at you Palo Alto Networks) are using the old IP for a hostname, while the DNS records have TTL of 5 minutes or so.

8 months ago 2 0 2 0
Someone in my DMs:
Hi Do you have any debit card information you can share with me? I’m struggling atm. Need help

Me:
Yeah, it’s a matte plastic Visa debit card, issued by a local bank. Made in 2024. The chip’s shiny. Hope that helps!


Here's one piece of information for you: you should be more specific when phishing IT folks

8 months ago 3 0 0 0
Compromised Donor Emails: A post-mortem – Pi-hole

GiveWP (the donations WordPress plugin) managed to leak donors' emails into the donation form. And then they managed to mess up the communication :-( Nice resume of the problem at the Pi-hole blog as they were one of the affected sites pi-hole.net/blog/2025/07... Go and learn how to communicate.

8 months ago 0 0 0 0

Absolutely! I hope that translates to free data transfers! Or maybe not 😅

8 months ago 0 0 0 0
A Linux login screen after signing in, shows "Temperature: -273.1 C"


Setting up a new server and I'm so happy I can do it remotely because it must be absolutely cold in the data center

8 months ago 2 0 1 0