Kanatoko

🦔In South Korea, "dopamine sites" have spread among Gen Z. Fake food delivery apps where you browse menus, fill a cart, and simulate an order you never place. Fake shopping sites where you track a courier that doesn't exist. Virtual smoke break rooms where you sit with strangers and watch a timer count down. Young Koreans spend up to 30% of their income on rent. The youth employment rate has dropped to 43.6%. Nearly half a million young Koreans have stopped looking for work entirely. My Take I don't know whether to call this sad or rational. Probably both. If you can't afford the delivery, faking the order and taking the dopamine without the bill is a better financial decision than going into debt for the food. That's a sentence I never expected to write, but the logic holds. This is what the end of the consumer pipeline looks like. Companies spent decades fine-tuning every app and every checkout to trigger the purchase impulse. They got exactly what they built. A generation wired to consume. And then the economy priced that generation out. The dopamine sites are the honest version of what every shopping app already does. The only difference is they took the transaction out. Every other shopping app is a dopamine site that also charges you. Hedgie🤗

HTTP/2を利用する主要Webサーバーに、わずかな通信で数十GBのメモリを消費させる新たなDoS攻撃「HTTP/2 Bomb」が公開された。PoCコードも既に公開されており、ApacheやEnvoyなどでは1台のクライアントからサーバー全体を停止状態へ追い込める可能性がある。 この攻撃は、HTTP/2のヘッダー圧縮機構であるHPACKとSlowloris型攻撃を組み合わせたものだ。通常の圧縮爆弾とは異なり、大量データを送るのではなく、極めて小さなヘッダーからサーバー側で大量のメモリ確保を発生させる。さらにゼロバイトのフロー制御ウィンドウを悪用し、確保したメモリを長時間解放させない。 研究者によると、Apache httpdやEnvoyでは単一の攻撃クライアントが約20秒で32GBのメモリを消費させることが可能という。サーバーはクラッシュせずスワップ状態へ陥るため、正規ユーザーのアクセスが極端に遅くなる。 影響は広範囲に及び、nginxは既に対策を実装済みで、ApacheもCVE-2026-49975として修正を公開した。一方でMicrosoft IISやEnvoy、Cloudflare Pingoraなどは記事時点で修正が提供されていないとされる。 対策として研究者は、可能であればHTTP/1.1への切り替えやヘッダー数の制限、コンテナ単位でのメモリ制限設定を推奨している。 https://t.co/FB6DxWNsWt

We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet). The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments? We asked Claude to download and analyze more than 4,000 nginx config files from GitHub. The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published. So don't worry about your nginx yet. Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!