Pop quiz, hotshot: what can an adversary who can do some IP spoofing but is not otherwise in a privileged position do? A week ago you'd say something like 'ddos or something' but nothing scarier because TCP streams aren't vulnerable to muckracking unless you can listen in. Well, thanks to an improvement in security, Improving TCP's Robustness to Blind In-Window Attacks, the answer is now "learn the sequence number, window size, RST the connection and inject arbitrary DATA packets into the stream". This is being somewhat soft-sold as a javascript injection attack but of course it's actually quite a bit more severe. Fortunately, the fix is pretty straightforward as it relies on the nuances of a specific implementation in the Linux kernel. The lesson is clear: don't even try. Wait no, the lesson is "global state is the enemy". Many thanks to cp for bringing the full scope of this to my attention.
Government agency gets hacked, yawn right? Well, this time it's the NSA (a.k.a. Equation Group (pdf)). Snowden -- who isn't dead -- provides some context. More coverage here and here with a (dead) link to the files and some indications that at least one of the exploits (against Cisco ASA) is functional.
nom, a rust parsing framework. NB, this is very reminiscent of well-built regexes: r'(?P<areacode>\d{3})[ -]+(?P<exchange>\d{3})[ -]+(?P<extension>\d{4})'