The "Have I been pwned" site has helped reduce the value of breach dumps (and thus may be disincentivizing them). Troy Hunt asks for your help.

Want to be horrified when your phone vibrates? This app sends "a push notification every time the police kill someone in the United States."

Economic concerns trigger survival instincts and will often override our ethics and conceptions of morality. When this happens, we can find ourselves making decisions we do not rationally agree with. Here's a cautionary tale.

One might assume that governments who become aware of security vulnerabilities in products would want to help get those vulnerabilities fixed, at least if those products are made by companies headquartered in their country, or if their citizens frequently rely on those products. After all, the core argument for a government is to protect its citizens.

"But if you're not doing anything wrong, then you have nothing to worry about" is a common refrain when we discuss abuses by governments. Here's "A brief history of governments hacking human rights organizations" from Amnesty International.

"The whole page is static content, yet they literally hit the Rails stack, then hit the Node stack to render the React to a string and then send it back through the Rails stack." via The Sad State of Web Development

There are some instances of Cross-Site Scripting (XSS) attacks that don't show up when performing a dynamic or manual application security test. These same issues are often seen as "unlikely" or "non-exploitable" when found in static analysis security testing or code review. A great example of these is XSS of admins through log injection: the injected input is stored in a log and only executes later, when an administrator views that log in a browser-based viewer. PortSwigger is calling these "blind XSS" and has released an update to Burp Suite to dynamically/manually test for them.
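To make the log-injection case concrete, here is an added example (not code from PortSwigger or from the original post): a minimal admin log viewer in its vulnerable form beside its hardened form, plus a check a defender can run over log entries to flag markup in user-controlled fields. The log entries, field names and functions are all constructed for this illustration.

```python
import html
import re

# Constructed sample access-log entries. The second one carries markup in a
# header the application logs verbatim; nothing happens at request time, the
# payload only matters when an admin later opens the log in a web UI.
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "path": "/login",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "198.51.100.7", "path": "/search",
     "user_agent": "<script>alert(1)</script>"},
]

FIELDS = ("ip", "path", "user_agent")


def render_log_vulnerable(entries):
    """Admin log viewer that interpolates logged fields straight into HTML.
    A dynamic scan of /search never sees the reflection, so this is 'blind'."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{e[k]}</td>" for k in FIELDS) + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Same viewer, but every logged value is HTML-escaped at output time,
    so stored markup is displayed as text instead of being executed."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(str(e[k]), quote=True)}</td>" for k in FIELDS)
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


# Crude detector for markup-like content in fields the client controls;
# intended for alerting and review, not as a substitute for output encoding.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_suspicious_entries(entries):
    """Return the indices of entries whose user-controlled fields look like markup."""
    return [
        i for i, e in enumerate(entries)
        if any(MARKUP_RE.search(str(e[k])) for k in ("path", "user_agent"))
    ]
```

The hardened renderer and the detector are complementary: encoding at output is the actual fix, while flagging markup in logs gives the operations team a signal that someone is probing for this class of issue.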