Links
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise every Entra ID tenant in the world (except probably those in national cloud deployments). If you are an Entra ID admin reading this, yes that means complete access to your tenant. The vulnerability consisted of two components: undocumented impersonation tokens that Microsoft uses in their backend for service-to-service (S2S) communication, called “Actor tokens”, and a critical vulnerability in the (legacy) Azure AD Graph API that did not properly validate the originating tenant, allowing these tokens to be used for cross-tenant access.
In my last post I talked about how I spent a week heads down using AI to work on a greenfield engineering metrics tool. As I built it, I’d often navigate the web app and spot things that needed to be fleshed out. Sometimes it was a small typo; other times it was a bigger […]
A hilarious macOS app that plays fart sounds as you open and close your MacBook lid - iannuttall/fartscroll-lid
That NPM attack could have been so much worse.
Agent Builder and Runtime by Docker Engineering. Contribute to docker/cagent development by creating an account on GitHub.
Engineers prove their technique is effective even with the lowest-cost WiFi devices
Unauthorized TLS certificates were issued for 1.1.1.1 by a Certification Authority without permission from Cloudflare. These rogue certificates have now been revoked. Read our blog to see how this could affect you.
Contribute to aws-samples/sample-developer-tutorials development by creating an account on GitHub.
Announcing a pilot test of a new Claude browser extension
For the last ten years or so of working on Bundler, I’ve had a wish rattling around: I want a better dependency manager. It doesn’t just manage your gems, it manages your ruby versions, too. It doesn’t just manage your ruby versions, it installs pre-compiled rubies so you don’t have to wait for ruby to compile from source every time. And more than all of that, it makes it completely trivial to run any script or tool written in ruby, even if that script or tool needs a different ruby than your application does.
A critical vulnerability in Docker Desktop for Windows and macOS allows compromising the host by running a malicious container, even if the Enhanced Container Isolation (ECI) protection is active.
The new Commodore is already thriving with $2m in sales in the first week of the C64 Ultimate's debut.
From the Zed Blog: This investment lets us pursue our vision for bringing a new kind of collaboration directly into the IDE.