Skier, biker, coder, PHPMailer maintainer, sysadmin, pentester, privacy advocate, speaker, baker, SO answerer, DBA, guitarist, drummer, daddy, in French alps

Joined November 2008
Marcus Bointon @Synchro@phpc.social retweeted
No, sweetie. Donetsk was a city of a million roses when its own Ukrainian flag flew above it. Back then, it was also the fastest-growing and most rapidly prospering city in Ukraine -- home to what was the finest regional airport in Eastern Europe, one of the world's best football stadiums, a state-of-the-art railway terminal, and one of the cleanest, best-maintained cities in the region. Its elites were running Kyiv, and every time I visited Donetsk as a student, riding the famous trolleybus Route No. 2 through the city, I was amazed by how many new office buildings were appearing, how much money was flowing into the city, and how many international companies were opening their doors there. Fifteen years ago, to us kids from Donbas, Donetsk felt like the center of the universe because it had everything one could possibly dream of. It was a young city of universities and libraries, where the overwhelming majority of boys and girls from across Donbas went to study, including those from my own small hometown an hour away by bus. Names like Liverpool or Detroit Rock City may mean nothing to you, but our Ukrainian Donetsk was a city of great rock clubs and unforgettable concerts. We traveled there to see Western bands perform. We bought rock merchandise at the legendary Right House store near Krytyi Market. Scorpions, Rihanna, and Beyoncé performed at the famous Donbass Arena. Schoolchildren from across Donbas were bused in to watch Shakhtar Donetsk matches. The city even had a famous monument to The Beatles. It was a city where we sang songs on guitars in its beautifully maintained parks and along the Kalmius embankment before heading out to buy the famous "green Donetsk burgers." Our older friends moved there after graduation, formed rock bands, recorded full albums, and held wedding celebrations in the squares around Donbas Arena. We traveled there to visit the legendary Radio Market in search of films, music, and books. And then you arrived. 
And you turned the wealthiest, most prosperous Ukrainian city into a piece of shit. You deceived many of its people with sweet promises of Russian oil-fueled prosperity broadcast from television screens, but what you brought instead was war. You transformed a thriving city into a criminal wasteland ruled by ethnic gangs from Russia, into a kingdom of Stalinist terror straight out of the 1930s, complete with torture chambers in the infamous Izolyatsia prison camp. You turned the magnificent Donetsk Airport into lifeless gray rubble, while the vast stands of Donbas Arena have spent a second decade slowly being reclaimed by weeds instead of hosting Champions League finals and Metallica concerts. You swept away an entire generation of the city's men through your forced mobilization and threw them against Ukrainian machine guns until there were barely enough people left to keep basic municipal services running. Because of you, prosperous Donetsk became a withered desert without reliable water, because your war destroyed the canal system that carried water from the Siverskyi Donets River into Donbas. For years now, people have lived with chronic water shortages and have been reduced to shitting into plastic bags forever. You dragged Donetsk back like seventy years in time. You turned it into a depressed backwater, devoid of hope and future. Even ten years ago, tens of thousands of people, the most active, the most talented, the most entrepreneurial, fled the city and found refuge in Kyiv and elsewhere in Ukraine. Many of them still remember our Donetsk with tears in their eyes, the Donetsk that existed before the arrival of the "Russian World." You transformed it into something that even my pro-Russian acquaintances are shocked to see when they return after years of occupation. It was you who trampled the million roses of our Ukrainian Donetsk into shit beneath the tracks of your tanks and the boots of your death troops, turning them into a foul swamp of death and despair. 
And that stain will forever remain on the conscience of fascist Russia, which brings nothing but destruction, decay, and death wherever it goes.
354
3,179
14,706
356,819
Marcus Bointon @Synchro@phpc.social retweeted
Guzzle has recently passed a billion downloads, and Guzzle 8 is just around the corner, with support for persistent connection sharing across php-fpm requests and HTTP/3. github.com/guzzle/guzzle/
7
9
112
5,683
Marcus Bointon @Synchro@phpc.social retweeted
🔐 Secure your PHP apps from cloud to code @SynchroM shows you how to tackle: ✅ Firewalls, SSH & TLS ✅ SQLi, validation & escaping ✅ XSS ✅ Security testing tools 📅 Friday, June 12th, 26 | 🕘 09:00 - 16:30 |📍 Berlin 🔗 phpconference.com/web-securi… #IntPHPcon #PHP #WebSecurity
1
1
76
Marcus Bointon @Synchro@phpc.social retweeted
Despite the unprecedented waves of harassment that my colleagues and I are being subjected to, I will keep answering with facts. With me, it is neither "impressions", nor beliefs, and still less insults that count: it is the data. So here is what will drive the final nail into the coffin of those claims. ➡️ The start of 2026 is the warmest ever measured (+2.1°C relative to the 1991-2010 norm). ➡️ Spring 2026 is the warmest ever measured (+2.1°C). ➡️ May will be very far above the norms. Of the last 51 months, 47 have been significantly above the norms. Factually, there is no longer any cold period in France. ➡️ The May 2026 heatwave is BY FAR the hottest ever observed, with a national average of 24.83°C at its peak, i.e. 8.00°C above the norms. It is an incredible 4-sigma statistical anomaly, making it one of the largest statistical anomalies on Earth, with an estimated return period of more than a millennium. It joins the 2003 heatwave in Europe and the 49.6°C event at Lytton in Canada. It completely blows away the heat of May 1922, whose morning temperatures were much lower. ➡️ At the regional level, as in Brittany, it will go down as the earliest "heatwave" ever observed, and BY FAR. At the national level, it falls 0.5°C short of qualifying, which takes nothing away from the unprecedented nature of the event. ➡️ At least 1400 heat records broken, which makes it the most spectacular event ever observed at this level. ➡️ Over the last year, at stations with more than 50 years of measurements, we broke 351 heat records against only 2 cold ones (i.e. 99.5% heat records relative to cold). ➡️ Over the last 10 years, again at stations with more than 50 years of measurements, we broke 1729 heat records against 74 cold ones (96% ratio). 
Yet, despite these undeniable facts, scientists have suffered an unprecedented wave of insults. I will keep sharing the facts with you, nothing but the facts. Thank you to all who supported us during this period. All these data are obtained from the dataclimat.fr site of @infoclimat (a non-profit association you can join to support us), with the help of Data For Good. Thanks to them!
198
801
3,000
70,594
Marcus Bointon @Synchro@phpc.social retweeted
I strongly believe there are entire companies right now under heavy AI psychosis and it's impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out. I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now it's... the whole software development industry (maybe the whole world, really). It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "it's fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely. The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediate dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture. We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happen so fast that nobody notices the underlying architecture decaying. I worry.
512
1,901
15,324
1,586,847
Woah, I just noticed that PHPMailer has surpassed 100 million downloads! packagist.org/packages/phpma… #PHP FTW!

1
2
9
1,278
Marcus Bointon @Synchro@phpc.social retweeted
The @EU_Commission has released an update to patch out the issues I raised last week, v2026.04-2 (ageverification.dev/releases…) Honestly, I don't know if I should laugh or cry. Let's review each one: 1. On-device data: database and settings encrypted at rest, with keys protected by the device’s hardware-backed key store. Sounds great, until you look closer. They introduced androidx.security:security-crypto, deprecated in 2025. Also androidx.security.crypto.EncryptedSharedPreferences, deprecated in 2025. Finally, androidx.security.crypto.MasterKeys, which were deprecated in 2020. 3 deprecated dependencies introduced following criticism over weak security. These weren't left over and missed during an update... they've added them now to "harden security". Remember, this isn't an isolated app. It's intended to lay the foundation for many production applications; all using deprecated security libraries from the outset. Worse, they already correctly use KeystoreController in their codebase. The correct answer already existed and they still got it wrong. 2. Runtime: the app checks device integrity on startup and refuses to run on rooted or jailbroken devices. Production deployments should complement it with stronger device-attestation mechanisms appropriate to their infrastructure and compliance requirements. They check for su, check package manager for root apps, run "which su" and check whether it's a custom ROM. Paths: /system/bin/su /system/xbin/su /sbin/su /system/su /data/local/su /data/local/bin/su /data/local/xbin/su /system/app/Superuser.apk /system/app/SuperSU.apk Great... in 2015. These are all trivially bypassed in 2026. 3. Passport onboarding: more stable scanning; the passport photo is stored privately and deleted as soon as it’s no longer needed. They're still not encrypted, so I'm not sure what "privately" means - but they are deleted correctly now. 4. PIN: stricter rules block easy-to-guess PINs; PINs are salted and hashed, never stored in plain form. 
They salt correctly (a true CSPRNG), then use PBKDF2-SHA256 - which is outdated and only recommended where FIPS compliance is required, which doesn't apply here. To make matters worse, they use just 210,000 iterations. For those of a NISTy disposition, you're likely already shaking your head. 210,000 seems oddly specific. It is. It's the @owasp minimum for PBKDF2-SHA512, not SHA256. Right number, wrong algorithm. In reality, OWASP recommended 600,000 iterations as a minimum in 2023. Worse still, 600,000 is the baseline minimum for passwords, not PINs with 1 million permutations. You could use 1B iterations; you're not measurably increasing security when there are so few attempts required to break it. At the very least, use a modern hash with reasonable brute-force resistance against a 2026 threat model. All this... cited as a "first hardening step". Again, utter security theatre. None of this negates my fundamental point. This isn't fixable through code - it's fundamentally ill-conceived and poorly implemented.
45
229
741
162,583
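The post's point about PIN hashing is an arithmetic one: PBKDF2 cost is linear in the iteration count, but a numeric PIN has only 10**digits possibilities, so an attacker who has the salt and hash (which, per the earlier post, sit in a readable prefs file) pays at most 10**6 guesses no matter how the count is tuned. The following is an added example written for this page, not code from the EU app: it hashes a PIN with PBKDF2-HMAC-SHA256 as the post describes, recovers a 4-digit PIN by exhaustive search, and then scales a measured per-guess cost to the 210,000 and 600,000 iteration counts quoted in the post. The 4-digit demo PIN, the small demo iteration count and the single-core cost model are assumptions made here so that it runs in seconds.

```python
"""PBKDF2 iteration count versus PIN keyspace (added example, not the app's code)."""
import hashlib
import itertools
import os
import time
from typing import Optional

APP_ITERATIONS = 210_000   # the figure quoted in the post
SALT_BYTES = 16


def hash_pin(pin: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the PIN, the construction the post describes."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def crack_pin(target: bytes, salt: bytes, iterations: int, digits: int) -> Optional[str]:
    """Offline exhaustive search: with salt and hash in hand, try every numeric
    PIN of the given length. The keyspace is 10**digits, whatever the KDF cost."""
    for candidate in itertools.product("0123456789", repeat=digits):
        pin = "".join(candidate)
        if hash_pin(pin, salt, iterations) == target:
            return pin
    return None


def measure_seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Time one PBKDF2 evaluation at the given iteration count on this machine."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hash_pin(f"{i:06d}", salt, iterations)
    return (time.perf_counter() - start) / samples


def worst_case_crack_seconds(digits: int, iterations: int,
                             measured_iterations: int, measured_seconds: float) -> float:
    """PBKDF2 cost grows linearly with the iteration count, so scale the measured
    cost to the target count and multiply by the 10**digits keyspace.
    Single-core estimate (an assumption); more cores or a GPU divide it."""
    per_guess = measured_seconds * iterations / measured_iterations
    return per_guess * (10 ** digits)


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    demo_iterations = 100                      # kept small so the demo finishes quickly
    target = hash_pin("7391", salt, demo_iterations)
    print("recovered 4-digit PIN:", crack_pin(target, salt, demo_iterations, 4))
    per_guess = measure_seconds_per_guess(demo_iterations)
    for iters in (APP_ITERATIONS, 600_000):
        secs = worst_case_crack_seconds(6, iters, demo_iterations, per_guess)
        print(f"6-digit PIN at {iters:>7,} iterations: whole keyspace in ~{secs / 3600:.1f} h on one core")
```

Raising the iteration count from 210,000 to 600,000 makes the whole-keyspace cost 2.9 times larger and nothing more; it stays a matter of hours on commodity hardware. That is why the remedy is not a bigger number but keeping the guess inside something that can refuse to answer, which the post points at with the device's hardware-backed key store and the KeystoreController already in the codebase.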
Marcus Bointon @Synchro@phpc.social retweeted
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed. Assume: 1. The production app is released. 2. It's 100% secure, 100% private (fantasy land, but stick with me) 3. It cryptographically challenges every step, including hardware attestation which requires a physical device. 4. Every single other attack vector in the surrounding environment is somehow magically patched. aka - it's working exactly as intended/designed. It does not protect against a relay attack. This is a threat they considered and somewhat addressed here: github.com/eu-digital-identi… With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier, nor the app has any way to link the session ID to a physical device. Their own docs state this clearly: Remote Cross-Device Presentation: "Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section." This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification. The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP. 
However, the EC applied the wrong threat model, thus arriving at the wrong conclusion. Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself. In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs. Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this. Every single applied mitigation assumes the user is the protected party, not the threat actor. To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered. You have your device. You can root your device. You can create a chrome extension, just as I did. Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it. So where does that leave us? A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
35
263
839
75,353
Marcus Bointon @Synchro@phpc.social retweeted
Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly. Step 1: Install the extension Step 2: Register an identity (just once) Step 3: Continue using the web as normal The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.
267
2,976
12,021
1,175,357
Marcus Bointon @Synchro@phpc.social retweeted
Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory. 1. It shouldn't be encrypted at all - that's a really poor design. 2. It's not cryptographically tied to the vault which contains the identity data. So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid. Other issues: 1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying. 2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step. Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
656
6,065
24,320
3,390,187
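The flaw in that post is a binding problem: the PIN check and the vault that holds the identity data are two unrelated secrets, so deleting the stored PIN material leaves the vault fully recoverable. The following is an added example written for this page, not the EU app's code: a small model of both designs side by side. The "naive" side stores an encrypted copy of the PIN plus an attempt counter in a prefs dictionary and encrypts the vault under a key the app can always fetch; the "bound" side derives the vault key from the PIN and stores nothing but a salt. The toy cipher (SHA-256 keystream plus HMAC tag) stands in for AES-GCM so the file runs on the standard library alone; the prefs keys, the device key and the identity blob are constructed here for illustration.

```python
"""PIN that merely gates access versus PIN that the vault key depends on
(added example, not the app's code; toy cipher stands in for AES-GCM)."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC-SHA256 tag. Toy authenticated encryption."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


DEVICE_KEY = os.urandom(32)             # stands in for a key the app can always fetch
IDENTITY = b'{"is_over_18": true}'      # constructed vault contents


# --- Naive design: PIN encrypted on its own, vault under an unrelated key ---
def naive_setup(pin: str):
    prefs = {"PinEnc": toy_seal(DEVICE_KEY, pin.encode()), "Attempts": 0}
    return prefs, toy_seal(DEVICE_KEY, IDENTITY)


def naive_unlock(prefs: dict, vault: bytes, entered_pin: str) -> bytes:
    if "PinEnc" not in prefs:           # looks like first run: accept whatever PIN is offered
        prefs["PinEnc"] = toy_seal(DEVICE_KEY, entered_pin.encode())
        prefs["Attempts"] = 0
        return toy_open(DEVICE_KEY, vault)
    if prefs["Attempts"] >= 5:          # counter lives in the same writable file
        raise PermissionError("locked out")
    if toy_open(DEVICE_KEY, prefs["PinEnc"]) != entered_pin.encode():
        prefs["Attempts"] += 1
        raise PermissionError("wrong PIN")
    return toy_open(DEVICE_KEY, vault)


# --- Bound design: vault key derived from the PIN; no PIN value stored anywhere ---
def _vault_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def bound_setup(pin: str):
    salt = os.urandom(16)
    return {"Salt": salt}, toy_seal(_vault_key(pin, salt), IDENTITY)


def bound_unlock(prefs: dict, vault: bytes, entered_pin: str) -> bytes:
    return toy_open(_vault_key(entered_pin, prefs["Salt"]), vault)


def attack(prefs: dict, vault: bytes, unlock):
    """Attacker with file access, as in the post: drop the stored PIN material,
    zero the counter, then pick a new PIN. Returns the vault contents or None."""
    prefs.pop("PinEnc", None)
    prefs["Attempts"] = 0
    try:
        return unlock(prefs, vault, "000000")
    except (ValueError, PermissionError):
        return None


if __name__ == "__main__":
    p, v = naive_setup("4821")
    print("naive vault after deleting PinEnc:", attack(p, v, naive_unlock))
    p, v = bound_setup("4821")
    print("bound vault after deleting prefs:", attack(p, v, bound_unlock))
```

In the bound design, deleting the salt or the prefs file makes the vault unreadable rather than open, and a forged "first run" has nothing to reset. What it does not fix is the point of the post before it: the attacker can still run the KDF offline over all 10**6 PINs. The usual answer is to wrap the derived key under an authentication-bound key in the hardware keystore (the post notes a KeystoreController already exists in the codebase), so that guessing is rate-limited by the secure hardware rather than by an integer in a file.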
Marcus Bointon @Synchro@phpc.social retweeted
.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRriyD…
201
1,944
7,006
1,863,667
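The DG2 leak the post describes is a lifecycle bug, not a cryptographic one: the image is deleted on the success path only, so any exception, retry or back press leaves it in cache. The following is an added example written for this page, not the EU app's code; it models the two versions of that handler on a constructed stand-in for the PNG, with a fake decode step whose failure is triggered by a flag. The file name, the cache directory handling and the decode stub are assumptions made here for illustration.

```python
"""Temporary sensitive file: delete-on-success versus delete-on-every-path
(added example, not the app's code)."""
import os
import tempfile

FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # constructed stand-in for the DG2 image
FILE_NAME = "dg2_face.png"                         # assumed name


class DecodeError(Exception):
    pass


def decode_face(path: str, should_fail: bool) -> bool:
    """Stand-in for the face-matching step; `should_fail` simulates a crash,
    a failed scan or the user pressing back mid-flow."""
    if should_fail:
        raise DecodeError("scan aborted")
    return os.path.getsize(path) > 0


def process_naive(image: bytes, cache_dir: str, should_fail: bool) -> str:
    """The pattern the post describes: write, decode, delete on success only."""
    path = os.path.join(cache_dir, FILE_NAME)
    with open(path, "wb") as f:
        f.write(image)
    decode_face(path, should_fail)      # any exception here skips the delete below
    os.remove(path)
    return path


def process_safe(image: bytes, cache_dir: str, should_fail: bool) -> str:
    """Create the file exclusively with owner-only permissions and remove it in
    `finally`, so no exit path (exception, early return, retry) leaves it behind."""
    path = os.path.join(cache_dir, FILE_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        decode_face(path, should_fail)
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    return path


def leftover_after(handler, should_fail: bool) -> bool:
    """Run a handler in a fresh cache directory and report whether the image survived."""
    with tempfile.TemporaryDirectory() as cache_dir:
        try:
            handler(FAKE_PNG, cache_dir, should_fail)
        except DecodeError:
            pass
        return os.path.exists(os.path.join(cache_dir, FILE_NAME))


if __name__ == "__main__":
    for name, handler in (("naive", process_naive), ("safe", process_safe)):
        print(f"{name}: leftover on failure = {leftover_after(handler, True)}, "
              f"on success = {leftover_after(handler, False)}")
```

Better still is to never write the plaintext at all: decode the DG2 bytes from memory, or seal them before they touch disk, so that a crash mid-flow leaves nothing a later process can read. The `finally` clause is the minimum that turns "deleted on success" into "deleted".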
It's new song day! This is my attempt at a K-pop song, inspired by me falling asleep in front of "K-pop Demon Hunters". Here is "You make me the best me", a wildly happy, upbeat, and optimistic song for these dark times: marcus.bointon.com/you-make-…
46
Marcus Bointon @Synchro@phpc.social retweeted
One day, "It" will happen, by which I mean sudden and unexpected news that you want to celebrate. In such cases, you will want the right outfit. 🧵
261
1,627
32,810
1,262,287
Marcus Bointon @Synchro@phpc.social retweeted
Mar 20
Him: My whole programming philosophy is 'move fast and break things.' Just push the code live, let the users find the bugs, and hotfix it in production. Life's too short for unit testing. Long pause..... Her: Cool. Him: So, what kind of software do you write? Her: Pacemaker firmware.
50
163
5,912
211,701
Marcus Bointon @Synchro@phpc.social retweeted
🔐 Full-stack security for real #PHP apps Want to stop fixing #security bugs after they happen? Join @SynchroM and learn how to secure #PHPapps from browser to backend 🛡 📅 Fri, June 12 | 🕘09:00 - 16:30 | #IntPHPCon |📍BER  🔗 f.mtr.cool/gussdulxzk #WebSecurity
1
1
82
I think I found the prompt used to generate British Airways’ online check-in: “Annoy the passenger as much as possible; demand updates to uneditable fields; tell them something is wrong, but not what or why; frequently forget everything they just said; repeat.”
1
134
Marcus Bointon @Synchro@phpc.social retweeted
Laying off 15% of my Claude code agents due to AI
70
261
7,243
221,235
Marcus Bointon @Synchro@phpc.social retweeted
This really should have been in the top 10 web hacking techniques of 2025: adragos.ro/fontleak/
11
94
525
29,292
Marcus Bointon @Synchro@phpc.social retweeted
Mar 7
I was a 10x engineer. Now I'm useless.
1,509
1,684
16,186
6,091,344