Lots of misinformation being spread about me the last couple days, so some quick facts - My name is Tina, not Guo Can (or Jessie Anderson). I’m one of many Raptor flight operators on console since flight2. Before that, I wrote control software for the vehicle, and was a stage software operator for flight1 - Been living in Starbase since surborbital days in 2020, absolutely love it down here. The people are wonderful and so so excited about the mission - the lows are lows but the highs are very high. My friends here are the best in the world, and I love them to the moon/mars and back :) - The reason I decided to say something was because facts matter, but also because wanted to share my real life journey to how I got here. I don’t have a masters or a PhD, I started full time directly after college after 2x internships also at spacex doing software/automation. I was on a couple design teams in college, including Stanford solar car mars rover. When I started spacex as a software engineer, I knew very little about fluids / propulsion engineering - I learned a lot of it on the job with some pretty incredible mentors. Then I swapped over to propulsion about halfway through my career and have been loving it ever since

A timelapse view from our @SpaceX Dragon of the spectacular southern aurora seen in yesterday’s post, a result of a recent solar event. As opposed to the previous aurora I’ve seen, this one danced and snaked its way directly below us, putting on quite a show. I am in awe of this ethereal and emotionally evocative phenomenon.

‘Undisclosed location’

👀 Kall Morris Inc.’s REACCH system capturing a target object during testing on the ISS. Instead of a single small satellite test, the team completed 172 test runs, validating the system for debris removal and in-orbit relocation: ow.ly/gyO050Z5kji #SpaceDebris #ISS

LFG!

NASA will attempt to land Endurance lander on the connecting ridge! (Marked in Yellow) .This is the same area where Chandrayaan1 MIP impacted on Moon's surface! (It's either this ridge or the ridge before it based on revised estimates) This is one of the toughest places to land as it's literally a valley and the ridge is 1000m higher than the valley within 3 kms!

Update from our Cybersecurity Teams: The CBSE revaluation portal is currently supporting over 8,000 concurrent users. As of 3:00 PM today, more than 16,000 students have successfully completed their submissions. While thousands of students accessed the CBSE re-evaluation portal today, malicious actors attempted to disrupt services through a barrage of cyberattacks. Most recent being a denial of service attack attempt causing 1.5 million hits on the portal within a matter of 2 minutes and more than 1 lakh attempts of unauthorised file access. Based on student feedback, we have further refined the platform, including extending session time limits to make the process more convenient and seamless. Our teams remain vigilant and responsive to ensure our dearest students are facilitated in all ways possible. @EduMinOfIndia @dpradhanbjp @sanjayjavin @PIB_India @PIB_Edu @AkashvaniAIR @airnewsalerts @PTI_News @DDNewslive

Here is the complete information about the CBSE RCE incident from 29 May 2026. I found it and fully owned the server in just 3-4 hours. I’ll break down exactly what happened, in plain language anyone can follow. The same issues were present on the MRVV OnMark portal too. The CBSE OSM portal, where evaluators check answer sheets and upload marks, had a serious flaw on the login page. It accepted the username and password in JSON format but pasted the password straight into a dynamic SQL query with no safe handling or parameterization. I sent a simple timing test that made the database pause for 10 seconds, proving stacked queries were possible. Within minutes I had full database access on the backend Microsoft SQL Server 2019 running on Windows/IIS, with dbo privileges and visibility across hundreds of tables. Directory listing was enabled on the /bin/ folder, so I could download the compiled .NET DLLs. Decompiling them revealed hardcoded SA database credentials that were reused across CBSE production servers, other Onmark portals, and the MRVV OnMark portal. This reuse across shared components made it a supply chain attack - one weak framework affected multiple education boards, made worse by database replication. With SA-level database access I used native SQL Server tools to write a custom webshell straight into the webroot. That gave me immediate arbitrary OS command execution and full file system operations under the IIS application pool identity. From there, the overly permissive app pool account let me escalate in one move to NT AUTHORITY\SYSTEM (full Windows server control) by creating and running an elevated scheduled task. Complete server ownership in a few hours: I could read, write, or execute anything. Millions of records were exposed, including student marks, answer scripts, and evaluator personal and banking details. I took or kept no data, reported everything to CERT-In and removed access by May 29. Root causes were straightforward: direct SQL concatenation, hardcoded credentials in assemblies, directory browsing left on, over-privileged IIS pool, and no real auditing of shared codebases. It wasnt a hard job to get into other OnMark portals because all of them were sharing the exact same vulnerabilities. This is exactly why this became one of the biggest supply chain attacks in recent education tech one weak shared framework compromised multiple boards at once, with database replication making the impact even larger. Fixes are basic but essential: use parameterized queries everywhere, store secrets properly in vaults without hardcoding or reuse, turn off directory listing and risky SQL features, apply least privilege, and run regular security reviews on shared platforms. This shows how quickly a short chain of basic mistakes can lead to full compromise in critical education systems, putting data of lakhs of students at risk. #CBSE #OSM #RCE #ONMARK

CBSE people didn't configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure.