thom's comments

Was about to comment, anyone who finds themselves bouncing off Kerouac could do worse than read Miller. The latter is more like your first torrid love affair versus the former’s first giggling glimpse at a porno mag.

You don’t necessarily know when someone will decide to do a commercial release of an old game, causing it to disappear from various abandonware sites. Much simpler to grab eXoDOS once and use it for life.

iDOS 3 works perfectly on my iPad Pro for both DOS games and Win 3.11.

I first read this on an HTC Typhoon smartphone on my daily commute to my first job out of university. I must have felt pretty smug and futuristic at the time.


After all these years, we finally have enough eyeballs that all bugs are shallow, and it kinda sucks. How many times a week am I going to be updating my kernel from now on?


I haven't updated mine. I have a firewall and it's not exposed to the Internet. Need a key to SSH in. Same with my public facing server. Almost none of these exploits are "drop everything now and patch" unless you are somehow exposing yourself stupidly.


It's a "drop everything and patch" if you have a large multi-user server where you don't completely trust all of the users. Like say in a university with a server that students can log in to, like I have just had the joy of updating (and had RHEL break ZFS on me yet again).

But yes, in most other cases no it isn't a "drop everything" exploit - but it does mean one less layer in the multi-layer security, as unprivileged remote exploits now become root-access remote exploits.


> unless you are somehow exposing yourself stupidly

Or, y'know, offer some forms of compute as a service.


I understand where you're coming from, it's no reason to panic.

But this kind of thinking can be dangerous because it implies that your systems don't talk to the outside world at all, which they obviously do. I mean a very glaring example is container images, so it definitely takes more than a firewall and ssh keys to stay safe in general.


If you’re running any sort of CI you’re probably going to have a bad couple of days if everything goes well.


To be honest, CI has always been a massive risk, I'm a bit miffed at how blasé some people are about providing runners.


unless you run pinned CI runners on hardware you control


I sort of always expect there to be an LPE to root on Linux tbh, if anything this is great news and Linux might be a useful multiuser system after all.


Updating your kernel isn't good enough, it never was.

Native unsandboxed execution == root. Only thing that's new is some people started making websites for their LPEs.

https://github.com/google/security-research/tree/master/pocs...


So you think someone is going to break into your house, find your default credentials somehow and get root access?


With physical access, root access is as simple as setting init=/bin/bash in the kernel parameters from a bootloader. No need for credentials or anything.


Secure boot and disk encryption are not that unusual nowadays


Secure boot doesn't provide security, just control for device manufacturers.

Physical access always means the device is pwned. You can install a keylogger or something similar.


Secure boot ensures the image you boot was not tampered with. You can't install a keylogger without tampering with the image. If you wanted to install a physical keylogger, you would need to open the device up, and at least my laptop provides detection of bottom cover removal, meaning the system will ask you for a BIOS password if the laptop was opened up.


I think when there’s a step change in our ability to find one type of vulnerability, other types of vulnerability are probably going to become more common as well. Let’s see where we stand at the end of the year.


With how things are going the question should be ‘is twice a day often enough?’


At the moment it doesn't seem to be.

Within an hour of being advised of, and running the mitigation for DirtyFrag, my upstream provider has blocked all WHM/cPanel/SSH/FTP/SFTP access with a heads-up on:

CVE-2026-29201 CVE-2026-29202 CVE-2026-29203

which look like a repeat of CVE-2026-41940 a week ago.


Same reason people muck about with knowledge management systems... to put off the day when you have to sit down at your desk and actually do something.


What core issues are you thinking of?


There was a period in the early 2000s where AskJeeves’ answer to the question “what is the meaning of life?” was an old Eliezer Yudkowsky essay saying that because we weren’t smart enough to work out the meaning of life ourselves, our highest purpose was to build smarter AIs who might be able to answer definitively. Time to close the loop!


42


A charitable view might be that changing which fingers you're using to plug the holes in the dike is a lot harder when the volume of water on the other side is increasing exponentially.


While I wouldn't necessarily phrase it this way, there is a chart going around social media that tries to imply that GitHub had basically 100% uptime right up until the MS acquisition. All it takes is either 1) having been there or 2) a cursory search of HN to know that this is a complete fabrication.

