Allan

The thing about the Taliban is that it's probably best understood as a Pashtun ethnic movement rather than a religious one. The Afghanistan-Pakistan border divides the Pashtun tribal lands almost exactly in half, leaving Pashtuns as ethnic minorities in both Afghanistan and Pakistan.

I’ve always felt that the pizza index was one of the more BS-laden OSINT stories. Google only measures in-person activity, and the pentagon fast food places have surge capability by design.

I googled “Weather” and instead of the weather widget, Google gave me an AI summary of a week old weather report from an unknown location in Alabama.

Volunteer Interest for BSides Edmonton 2026 Please fill this out if you are interested in volunteering for BSides Edmonton 2026! This form expresses your interest, and does not automatically make you an volunteer or organizer. We strongly rec...

BSides Edmonton needs some volunteer organizing staff, specifically a CTF co-lead is that you? is that someone you know? docs.google.com/forms/d/e/1F...

It baffles my mind. Doctors don’t support bad doctors. Lawyers are disbarred. Teaching philosophies differ, but no one lines up behind abusive teachers. All major LE voices had to do was draw clear lines and say “this is not how we protect communities” and 80% of Americans would have backed them.

HUGE NEWS! 📣

The "father of SBOM," @allanfriedman.bsky.social, is joining Anchore as a Board Advisor!

We sat down with him to discuss the future of #SoftwareSupplyChainSecurity and what comes after SBOM.... https://anchore.com/blog/anchore-welcomes-sbom-pioneer-dr-allan-friedman-as-board-advisor/

Surround yourself with good people. Pay it forward. Hug your friends every chance you get. Purge toxic people from your life.

Critical Vulnerabilities in VS Code Extensions Threaten 128 Million Developer Environments Three critical vulnerabilities have been found in four popular Visual Studio Code extensions. These extensions have been downloaded over 128 million times. The vulnerabilities are identified as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717. The findings from the OX Security Research team, later confirmed on Cursor and Windsurf IDEs , expose a systemic blind spot in modern software supply chain security: the developer’s own machine. Integrated Development Environments (IDEs) are where developers store and interact with the most sensitive organizational assets, such as business logic, API keys, database configurations, environment variables, and customer data. Extensions that operate with broad system-level permissions represent an unguarded gateway to it all. According to OX Security, a single malicious or vulnerable extension is sufficient to enable lateral movement and compromise an entire organization. CVE ID Extension CVSS Score Downloads Vulnerability Affected Versions CVE-2025-65717 Live Server 9.1 72M+ Remote file exfiltration All versions CVE-2025-65715 Code Runner 7.8 37M+ Remote code execution All versions CVE-2025-65716 Markdown Preview Enhanced 8.8 8.5M+ JavaScript execution leading to local port scanning and data exfiltration All versions No CVE Issued Microsoft Live Preview — 11M+ One-click XSS to full IDE file exfiltration Fixed in v0.4.16+ Extensions operate like privileged administrative processes embedded inside the IDE. They can execute code, read and modify files, and communicate across the local network all without raising standard security alerts. CVE-2025-65717, rated 9.1 (Critical), allows attackers to remotely exfiltrate files from a developer’s machine through Live Server’s localhost functionality. CVE-2025-65716 in Markdown Preview Enhanced (CVSS 8.8) enables JavaScript execution that can scan local ports and exfiltrate data, while CVE-2025-65715 in Code Runner (CVSS 7.8) opens the door to remote code execution, a worst-case scenario for any development environment. Microsoft’s Live Preview extension contained an XSS vulnerability that enabled full IDE file exfiltration; it was quietly patched in v0.4.16 with no CVE issued and no public credit given to OX Security. OX Security responsibly disclosed all three vulnerabilities to the respective maintainers in July and August 2025 through email, GitHub, and social channels. As of the publication of this article, none of the maintainers have responded to a failure that highlights the absence of any enforceable accountability framework for extension security in popular IDE marketplaces, OX Security added. Security teams and developers should treat IDE extensions with the same scrutiny applied to third-party software dependencies. Organizations are advised to audit installed extensions immediately and remove those that are non-essential. Localhost servers should not be left running unnecessarily, and developers should avoid opening untrusted HTML files while any localhost server is active. Configurations such as settings.json should never be modified using snippets sourced from emails, chats, or unverified repositories. At the platform level, OX Security calls for mandatory security reviews before extensions reach marketplaces, AI-powered automated scanning of new submissions, and enforceable patch response timelines for maintainers of high-download extensions. With AI coding assistants driving rapid increases in extension reliance, the current “install at your own risk” model presents an unacceptable and growing organizational risk. Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories. The post Critical Vulnerabilities in VS Code Extensions Threaten 128 Million Developer Environments appeared first on Cyber Security News .

Critical Vulnerabilities in VS Code Extensions Threaten 128 Million Developer Environments

When everyone talked about quitting tech and becoming farmers that was not what we meant

Table next to me at the coffee shop are senior firefighter policy folks talking about CERTs (community emergency response teams) and the language is similar enough to infosec that my ears won't stop firing cyber interrupts into my conscious brain.

I am notoriously bad at predictions (curse of the expert, etc.) but I am going to say with some confidence that the pattern in all computing hardware is that companies expand to meet the current level of demand and, inevitably, there's a crash and overcapacity

Screenshot from ArsTechnica article where we learn that our colleagues formally from CoalFire who were arrested on a legit pen test are finally over their ordeal with the conclusion of the civil matter

Hell yes!  Many of us have been following this story from the beginning, and I'm SO glad to see it resolved finally...

arstechnica.com/security/202...

With Trump admin scrapping requirement for software vendors to attest to their products' security, agencies must now decide how (or even whether) to require those assurances. My new story looks at what that could mean for software security in govt & beyond: www.cybersecuritydive.com/news/white-h...

People of DC: This is a great, frequently updated, zoomable map of where the snow plows are, and how recently they've been on any given street.

Based on our experience, it's accurate. We saw a truck, and then the map status of our street changed. Check it out

citizeninsights.geotab.com#/dcsnowgov

Love it!

A gorgeous 2 mile walk across DC and the National Mall to make it to Day 2 of @districtcon.bsky.social and the entertaining keynote by Daniel Ridge.

Feels pretty special… “hackers now a-bed Shall think themselves accursed they were not here,”

If anyone is making the hard choice not to attend @districtcon.bsky.social because of the weather, I will happily buy your badge.

Is it untoward for me to use this thread to offer to buy a ticket from someone who has had to cancel plans?

"Prompt Engineering" is starting to feel a lot like just... engineering.

It’s less about finding magic words and more about managing state, memory, and flow control.

We’re back to building state machines, just with fuzzier logic.

Good summary of yesterday’s hearing on Cyber Offense and Deterrence. Testimony seemed good and hit important points, but it’s still not clear to me “public private partnerships” look like for offensive-oriented deterrence.

industrialcyber.co/critical-inf...

Non-deterministic additions to amateur-drafted contracts seems like a bad idea…

look upon my works, ye mighty, and let me know what you think

The freezer inventory is complete and structured, but only available to customers. We await your visit to our table, David!

For the cocktails, we have canned several jars of homemade cherries, maraschino’d for one’s pleasure. The frozen cherries are for pies.

Spending a Sunday defrosting a freezer and replacing the door gasket. Also discovering some fun things tucked away in the depths: really good butter, duck quarters, bags of pitted tart cherries.

Trader buys $36 million of copper and gets painted rocks instead - London Daily Commodities trader Mercuria says it is the victim of fraud. Thieves in Turkey switched painted paving stones for copper

The spirit of Ea-nāṣir lives on ;)
londondaily.com/trader-buys-...

A old advert that has the words What the heck is Electronic Mail? With a man looking very scared by a sparkling trail flying around his desk

The first two hours this morning

Yeah, it’s been a rough year here.

Love EBFC!

When you’ve stayed up later than your bed time to celebrate properly with good people. Happy New Year, friends.