I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

既定で20人を自動フォローするのか....いろいろと事故る人いそう

activetkの方でアカウントを再作成しました。
MisskeyにせよBlueskyにせよ、やはりtwttrに近いUIですね。

Hello, world!