Gerald Benischke
LightNews LightNews
banner
beny23.github.io
Gerald Benischke
@beny23.github.io
2.9K followers 890 following 1K posts
Maker, breaker and fixer of software. Adventures in #appsec and #agile: beny23.github.io he/him
Posts Replies Media Videos
beny23.github.io
In this festive edition we do what we usually do during the holidays: focus on the latest vulnerabilities that ruin our Christmas and some advice on slowing things down. Enjoy!

beny23.github.io/posts/weakly...
Weakly Link 25/52
To those who celebrate the festivals either end of the last 7 days of the year: Happy <insert here>! This time round, there’s not one, but two bleeding fails in security, some interesting protections,...
beny23.github.io
December 28, 2025 at 10:54 AM
Reposted by Gerald Benischke
filippo.abyssdomain.expert
At the gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.
December 27, 2025 at 4:31 PM
Reposted by Gerald Benischke
ollieatnowhere.bsky.social
Weekly summary is out...

ctoatncsc.substack.com/p/cto-at-ncs...
CTO at NCSC Summary: week ending December 28th
Addressing fundamentals move dials - be it architectures (cross-domain, privileged access workstations etc), approaches (external attack surface management, deception), or solutions (passkeys).
ctoatncsc.substack.com
December 27, 2025 at 8:26 AM
Reposted by Gerald Benischke
doublepulsar.com
patch ye MongoDB, there's an exploit for a vuln which has been in the product for over a decade that allows the remote, unauth read of any memory - which includes plaintext creds.

Somebody posted an exploit on Christmas Day, Merry Christmas!

doublepulsar.com/merry-christ...
Merry Christmas Day! Have a MongoDB security incident.
Somebody from Elastic Security decided to post an exploit for CVE-2025–14847 on Christmas Day.
doublepulsar.com
December 26, 2025 at 10:57 PM
beny23.github.io
The American anus horribilis, wonder who that refers to ;-)
princess-vimentin.bsky.social Princess Vimentin PhD | Cancer Biologist @princess-vimentin.bsky.social · 4d
2025 is definitely the American annus horribilis.

The WH website spreads misinformation about the origins of Covid. The CDC denies real data about vaccines/autism. ACIP does not support Hep B vaccines for babies. Measles/pertussis outbreaks. #NIH is politicized.
🧪 www.thelancet.com/journals/lan...
2025: an annus horribilis for health in the USA
The US Advisory Committee on Immunization Practices vote on Dec 5 to no longer recommend the hepatitis B vaccine birth dose, which had ensured that babies exposed to hepatitis B would not later develo...
www.thelancet.com
December 23, 2025 at 5:35 PM
Reposted by Gerald Benischke
saraghadams.bsky.social
Let's play Who Said It, AI Hyper or The Borg?

"Embrace the inevitable."

"Knowledge is irrelevant unless shared."

"We are the future."

"This is the next stage of evolution."

"Your resources will be repurposed."

"We are the sum of all species."

"Your technology is obsolete."
December 21, 2025 at 4:07 PM
beny23.github.io
In this week's link collection, we look at incidents, get another SVG surprise and we've got good, bad and ugly stories about vibe coding.

beny23.github.io/posts/weakly...
Weakly Link 25/51
This week we’re looking through a mix of security and AI once more. Because tech is nothing but those two topics, right? Right? Anyway, I am often travelling on the train or stay in hotels these days,...
beny23.github.io
December 21, 2025 at 1:21 PM
Reposted by Gerald Benischke
robinince.bsky.social
Very sad that I felt I had no choice but to resign from The Infinite Monkey Cage - a victory for the transphobes and other bigots - I did it because so much of the media has chosen to believe the kind and empathetic people are a fiction - they are real and so often unrepresented.
This is the saddest day of my professional life. Today is not only the final recording of the latest series of The Infinite Monkey Cage, it is my last ever Monkey Cage. I never thought that I would have to leave the show. I always imagined going on until | dropped dead under the studio lights due to a brain aneurysm caused by my final attempt to understand notions of quantum gravity or the shock of being told about fly maggot infestations in the sacks of macaque monkeys. I resigned in September, after sixteen years of dedication to the show, A show that I named and helped develop over all those years. Unfortunately, my opinions outside the BBC have been considered problematic for sometime, whether it has been voicing support for the trans community, criticism of Donald Trump, numerous other outlandish opinions, including once gently criticising Stephen Fry. These things were considered to conflict with being a freelance BBC science presenter In a recent meeting where BBC Studio executives again voiced problems with me, I realised my choices. Obedience and being quieter to remain making Monkey Cage, or 'Resign and have the freedom to speak out against what I believe are injustices'. • I chose the latter. It broke my heart. I love this show and I love the audience, and it is because of the audience in particular, that this decision was so difficult to make. I kept thinking about all the extremist voices promoting hate and division. They are being given so many platforms, while voices that represent kindness, open mindedness, empathy seem to be scarcer and scarcer. I felt I couldn't pamper myself with the luxury of silence. One of my many privileges is that I am able to resign and I can speak out even if it is to the detriment of my career. I have thought a lot about my heroes, Sinead O Connor, James Baldwin, Audre Lorde, and so many more. I think of Sinead's words, "the job of an artist is to be themselves at any cost". James Baldwin said prejudice was really just a word for cowardice. Audre Lorde, viewing her life, wrote that her only regrets were her silences. I think of my father as I resign, he brought me up to believe in fairness , justice and kindness. Though my heart is broken, it is also full of fire. I apologise to our incredible listeners for my departure, your love of the show means a great deal. I am so sorry to let you down. I hope that you can understand my reasoning. I have to accept that I am not what the current BBC expects of their freelance presenters. Despite this I should add that I have always worked far more than my contracted hours to try and ensure the show was always the best it could be, as well as making myself accessible and responsive to the audience wherever and whenever I met them. Every night, we have recorded, I have been filled with determination to make the best show possible. This was not "just a job" I hope that with my departure I can be a better ally to the LGBTQ community, to the neurodivergent community, to activists fighting against those who aim to brutalise society, to those currently in prison on hunger strike, and to all those who fight for a more inclusive world. From many conversations, I know there are many Monkey Cage listeners who support these communities and activists too. The strawberry is dead. Long live the strawberry. B
December 13, 2025 at 12:02 AM
beny23.github.io
@quinnypig.com in @theregister.com writing about an AWS keynote. Has snarkmas come early? www.theregister.com/2025/12/08/a...
AWS re:Invent keynote: Matt Garman bores, then thrills
: But the 25 announcements in the last 10 minutes included a few well worth waiting for
www.theregister.com
December 13, 2025 at 11:11 AM
beny23.github.io
This week, we celebrate Let's Encrypt's birthday, look at exotic vulnerabilities and get serious about the exploitative nature of GenAI. #WeaklyLink beny23.github.io/posts/weakly...
beny23.github.io
December 11, 2025 at 10:31 PM
beny23.github.io
The latest weakly link reacts to react4shell and finds coffee will prevent the rise of the machines. beny23.github.io/posts/weakly...
Weakly Link 25/49
This week, we’re talking about React4shell. The latest in the 4shell family of vulnerabilities. What does 4shell mean? Usually that it’s possible to do RCE (Remote Code Execution) based on an applicat...
beny23.github.io
December 8, 2025 at 12:46 AM
beny23.github.io
This week’s link blog is an odd mixture about sandworms, supply chains and basically how everything is broken anyway. And then (after all the naughtiness) let’s end on something nice.

beny23.github.io/posts/weakly...
Weakly Link 25/48
This week is an odd mixture about sandworms, supply chains and basically how everything is broken anyway. And then (after all the naughtiness) let’s end on something nice. Thumped by a Sandworm Sha1 H...
beny23.github.io
December 1, 2025 at 1:11 AM
beny23.github.io
These words are insulting to weasels.
gerritd.bsky.social Gerrit De Vynck @gerritd.bsky.social · Nov 25
Additionally, OpenAI argues its not liable because Raine, by using ChatGPT for self-harm, broke its terms of service
November 26, 2025 at 9:11 AM
beny23.github.io
This week on my link blog: bureaucracy, bugs, reliability and those pesky 5 nines.

beny23.github.io/posts/weakly...
Weakly Link 25/47
This week there have been some interesting bugs. Or interest in bugs. Bugs It was Cloudflare’s turn to break the internet. As per usual, the transparency on display is rather cool. It was rather inter...
beny23.github.io
November 24, 2025 at 1:57 AM
beny23.github.io
Oh no, what will @kevlin.bsky.social do now?

www.theregister.com/2025/11/18/w...
Windows Digital Signage mode hides BSoDs after 15 seconds
: BORK is borked
www.theregister.com
November 19, 2025 at 8:34 AM
beny23.github.io
It’s wasn’t DNS. Wait what?!?

blog.cloudflare.com/18-november-...
Cloudflare outage on November 18, 2025
Cloudflare suffered a service outage on November 18, 2025. The outage was triggered by a bug in generation logic for a Bot Management feature file causing many Cloudflare services to be affected.
blog.cloudflare.com
November 19, 2025 at 8:02 AM
beny23.github.io
Unite in opposition?
BBC news headline: LIVE Home secretary says asylum reforms will 'unite a divided country' as full plans published
November 17, 2025 at 4:39 PM
beny23.github.io
Latest edition of my link blog - the weakly link - is now out.

This time there is fire. Well, dumpster fires. Unsurprisingly, there's some AI commentary.

beny23.github.io/posts/weakly...
Weakly Link 25/46
This weeks edition of the weakly link has got some fire in it: First on the menu we’ve got a report that tries to tell us that if there’s an AI bubble, that’s a good thing: The AI Wildfire Is Coming. ...
beny23.github.io
November 15, 2025 at 6:01 PM
Reposted by Gerald Benischke
lookitup.baby
🚨☸️🚨
Ingress NGINX Retirement: What You Need to Know
To prioritize the safety and security of the ecosystem, Kubernetes SIG Network and the Security Response Committee are announcing the upcoming retirement of Ingress NGINX. Best-effort maintenance will...
www.kubernetes.dev
November 13, 2025 at 4:23 AM
beny23.github.io
TIL caffeine keeps me awake:
Screenshot of caffeinate man page: CAFFEINATE (8) NAME caffeinate - prevent the system from sleeping on behalf of a utility
November 13, 2025 at 8:45 AM
beny23.github.io
“If healthy diets and daily exercise really worked, we’d all be doing it, right?”

Oof.
November 13, 2025 at 7:12 AM
beny23.github.io
The one where a padding oracle meets SQL injection. With some vibes thrown in. #ctf

beny23.github.io/posts/captur...
Vibe hacking a padding oracle
This post is a mixture of AppSec, vibe coding and cryptography. SPOILER ALERT: This post describes how to complete the Capture-The-Flag exercise “Encrypted Pastebin” (Hard) on Hacker101. Over the la...
beny23.github.io
November 12, 2025 at 7:29 AM
beny23.github.io
This rather lovely rant about dogma, bureaucracy and dependencies in software engineering deserves to be in the category of “print it out so you can use it to beat people over the head with” sonofalfred.substack.com/p/botox
Botox
TL;DR You may be selling snake oil.
sonofalfred.substack.com
November 10, 2025 at 12:49 PM
beny23.github.io
CyberSlop is only going to get worse. Great debunking by @doublepulsar.com
doublepulsar.com Kevin Beaumont @doublepulsar.com · Nov 5
There's some really big caveats to this. A thread.
ericjgeller.com Eric Geller @ericjgeller.com · Nov 5
New: Google says it has discovered at least 5 malware families that use AI to rewrite their code and generate new capabilities on the fly, suggesting AI-powered malware is finally starting to take off. cloud.google.com/blog/topics/...

Report also has interesting stories about state actors' AI use.
November 7, 2025 at 1:27 PM
beny23.github.io
I've started experimenting with a link blog to share what interesting bits I've found this week: beny23.github.io/posts/weakly...

/remind me next week to see whether I actually follow through
Weakly Link 25/45
Every week I come across some interesting, ridiculous or astounding content related to security and tech around software engineering. And I post it on the company Slack, sometimes on LinkedIn and ofte...
beny23.github.io
November 7, 2025 at 1:16 PM