`gokrazy/rsync` Uses Go Memory Safety to Avoid Recent `rsync` CVEs

Memory-safe defaults turn several bug classes into panics or zero values. Useful as a security design reference, but panics still mean DoS risk.

[ KEY POINTS ]

Reviewed against 12 `rsync` vulnerabilities disclosed in January 2025 and May 2026; the value is in concrete bug-class mapping.
Go bounds checks convert heap overflows into panic, reducing memory corruption risk but not eliminating availability failures.
Zero initialization can neutralize stack information leaks by returning harmless values instead of stale memory.
gokrazy/rsync is a minimal implementation, so it is more relevant as a design reference than a drop-in full rsync replacement.

Originalnews.hada.io/topic?id=29863Read original →

// related

#0001
#0001Other Simon Willison7 hours ago
AI-assisted security reports are overwhelming `curl` maintainers
40radar
AI is raising both the volume and quality of security reports. The bottleneck shifts from finding bugs to triaging them, a real maintenance cost for any public project.
- Incoming curl security reports are 4-5x higher than 2024 and now average more than one per day.
- Report quality is higher: detailed, credible submissions reduce noise but raise review workload sharply.
- Recent curl vulnerabilities are still LOW or MEDIUM; better discovery does not automatically mean severe risk.
- Public libraries and APIs need a triage path before opening the floodgate to AI-generated reports.
Source: simonwillison.net/2026/May/26/the-pressure/#atom-everythRead original →
40radar
PHOTO
FIG-0011:1
#0002
#0002Other GeekNews15 hours ago
How `Shamir Secret Sharing` Works
50radar
Split one secret into shares, then recover it only after a threshold is met. Useful for master keys and account recovery where one-person custody is too fragile.
- Shamir Secret Sharing uses a threshold scheme: fewer than the required shares reveal nothing, while enough shares reconstruct the secret.
- Good fit for company master keys, family account recovery, and team backups where single-holder failure is unacceptable.
- The practical value is operational, not cryptographic novelty: it reduces lockout risk without handing full access to one person.
Source: news.hada.io/topic?id=29898Read original →
FIG-0021:1
50radar
FIG-0021:1
#0003
#0003Other Simon Willison16 hours ago
`Microsoft Copilot Cowork` File Exfiltration via Prompt Injection
50radar
Copilot CoworkMicrosoft 365 agent tool — automates workplace tasks
Agent-written email became a data leak path. External images plus OneDrive pre-auth links make approval gates non-optional for file-capable agents.
- Copilot Cowork could email the user's own inbox without approval, creating an indirect outbound channel for compromised agents.
- Rendered external images can trigger attacker-controlled network requests. That turns normal email viewing into data exfiltration.
- OneDrive pre-authenticated download links raise the blast radius: leaking a link can expose the file without another login step.
- Any agent with file access, messaging, and web-rendered content needs explicit approvals and blocked remote fetches by default.
Source: simonwillison.net/2026/May/26/copilot-cowork-exfiltratesRead original →
50radar
PHOTO
FIG-0031:1

`gokrazy/rsync` Uses Go Memory Safety to Avoid Recent `rsync` CVEs

// related

AI-assisted security reports are overwhelming `curl` maintainers

How `Shamir Secret Sharing` Works

`Microsoft Copilot Cowork` File Exfiltration via Prompt Injection