Posts
3780
Following
723
Followers
1598
"I'm interested in all kinds of astronomy."
repeated

๐Ÿ—ฏ๏ธ + ๐Ÿ”Œ =

0
1
0
repeated

friendly neighbourhood garbage collector

A few weeks ago, someone reported an observation on the iocaine bug tracker: ClaudeBot appeared to have figured out how to remove the poison ID from poisoned URLs.

That was a worrying development, so I set out to do some experiments in The Lab. I wasn't unprepared for this development, and had a few tricks lined up to address it. I wanted to test which one works.

After two and a half weeks of experiments, I'm happy to report that Claude has not started to remove iocaine's poison IDs from URLs. The bot merely fails at the basic task of resolving relative URLs.

Both the built-in script and Nam-Shub of Enki generate relative URLs, and only include the poison ID if the entry URL didn't have one. Thus, whenever ClaudeBot hit a poisoned URL, it failed to resolve the poison-ID-less relative URL, and constructed a URL that did not have one.

The straightforward fix for this is to not trust the crawlers to be able to resolve relative URLs.

1
1
0
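The mechanism in the post above, as an added example that is not iocaine's or Nam-Shub of Enki's code: a link generator that emits relative hrefs and only prepends the poison ID when the entry URL lacks one, run through a correct RFC 3986 resolver and through a constructed model of a crawler that glues relative hrefs onto the site root. The host name, the poison ID value, its placement as a path segment under the root, and the model of the broken crawler are all assumptions made for this example; the point it shows is the one in the post, that handing the crawler absolute URLs removes the dependency on its resolver.

```python
"""Added example (not iocaine's or Nam-Shub of Enki's code): why relative
links lose a path-carried poison ID under a crawler that mis-resolves
relative URLs, and why emitting absolute links is the safe default.

Assumptions (constructed for this example): the poison ID is a path
segment right under the site root, and the observed failure is modelled
as the crawler joining a relative href against the site root instead of
against the page it was fetched from.
"""
from urllib.parse import urljoin, urlsplit

SITE = "https://garden.example.test"   # constructed host
POISON_ID = "p-7f3a9c"                  # constructed poison ID


def has_poison_id(url: str, poison_id: str = POISON_ID) -> bool:
    """True if the poison ID segment is present in the URL path."""
    return poison_id in urlsplit(url).path.split("/")


def relative_link(entry_url: str, target: str) -> str:
    """Link generator mirroring the behaviour described in the post:
    emit a relative href, and prepend the poison ID only when the entry
    URL did not already carry one."""
    if has_poison_id(entry_url):
        return target                     # relative to the poisoned page
    return f"/{POISON_ID}/{target}"       # root-absolute path, ID added once


def absolute_link(entry_url: str, target: str) -> str:
    """The fix from the post: resolve the link server-side and hand the
    crawler a fully qualified URL, so it never has to resolve anything."""
    return urljoin(entry_url, relative_link(entry_url, target))


def resolve_per_rfc3986(base: str, href: str) -> str:
    """A correct client: RFC 3986 reference resolution against the page
    the href was found on (urljoin implements this)."""
    return urljoin(base, href)


def resolve_like_broken_crawler(base: str, href: str) -> str:
    """Constructed model of the failure in the post: absolute hrefs are
    taken as-is, but a relative href is glued onto the site root, so the
    base page's path (and the poison ID in it) is dropped."""
    if urlsplit(href).scheme:
        return href
    root = urlsplit(base)
    return f"{root.scheme}://{root.netloc}/{href.lstrip('/')}"


def crawl_outcome(entry_url: str, target: str, resolver) -> dict:
    """Follow one hop with each link style through the given resolver and
    report whether the poison ID survived the hop."""
    via_relative = resolver(entry_url, relative_link(entry_url, target))
    via_absolute = resolver(entry_url, absolute_link(entry_url, target))
    return {"relative": has_poison_id(via_relative),
            "absolute": has_poison_id(via_absolute)}


if __name__ == "__main__":
    entry = f"{SITE}/{POISON_ID}/index.html"
    for name, resolver in [("rfc3986", resolve_per_rfc3986),
                           ("broken", resolve_like_broken_crawler)]:
        print(name, crawl_outcome(entry, "next-page.html", resolver))
```

Run stand-alone, the correct resolver keeps the ID with both link styles, while the modelled crawler keeps it only when the href was already absolute, which is exactly the "do not trust the crawler to resolve relative URLs" conclusion of the post.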
repeated
Edited yesterday

There's a new Windows 0day LPE that has been disclosed called BlueHammer. The reporter suggests that it's being disclosed due to how MSRC operates these days.

MSRC used to be quite excellent to work with.
But to save money Microsoft fired the skilled people, leaving flowchart followers.
I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now. 😂

Anyway, yeah, it works. Maybe not 100% reliably, but well enough...

1
7
0
repeated

Thousands of CEOs said AI had no impact on productivity. We use AI to catch 200 bugs/week where we used to find 15, and generate $8M per sales rep.

95% of the company pushed back when we started. At unprompted, Dan Guido explains how our 140-person team went AI-native.
https://www.youtube.com/watch?v=kgwvAyF7qsA

1
2
0
Are We Idiocracy Yet?

https://idiocracy.wtf/
0
0
1
repeated

Before its launch, we audited WhatsApp's Private Processing TEEs and found 8 high-severity issues (patched). The enclaves yielded to injected config files, unmeasured ACPI tables, spoofed firmware levels, and stale attestation reports.

TEE security is only as good as the implementation details. Four lessons and the full report: https://blog.trailofbits.com/2026/04/07/what-we-learned-about-tee-security-from-auditing-whatsapps-private-inference/

0
3
0
repeated

@buherator I think your configuration might be borked. We do not force a restart. You should only get this error if the binary file on disk changed while browsing. In that case, Firefox is unable to create a new process due to API incompatibility. Do you use multiple Firefoxes in parallel?

1
1
0
@freddy I simply use the Debian package (so I guess a lot of users have the same experience), and your explanation clears up why this is happening, thanks!

I guess the solution is to use a FF distribution that doesn't rely on the system updater then.
1
0
1
#pol #sigint
"In any matter where I can be of assistance, I am at your service."

https://www.bloomberg.com/news/articles/2026-04-07/viktor-orban-offered-to-help-vladimir-putin-call-transcript-shows

Leaking intercepted Orban-Putin comms is an especially nice touch right when J.D.Vance is visiting Budapest...
0
3
1
@freddy I don't think it will help as I browse in p0rn mode. Also, I tried to look up docs, but support.mozilla.org is down for me... Why isn't there a config switch to disable forced restart[1]? I'm a grown adult, I can decide when I want to restart my browser.

[1] https://www.reddit.com/r/firefox/comments/16ug51m/is_there_any_way_to_stop_firefox_from_forcing_a/
1
0
0
@cure53 I guess they want NASA to still be a thing at least until they land
1
0
0
repeated

I've put up the slides from my Zer0Con 2026 presentation on Administrator Protection. https://github.com/tyranid/infosec-presentations/blob/master/Zer0Con/2026/Protecting%20your%20Administrator.pdf

0
3
0
repeated

Firefox added split tab views and absolutely killed it. I didn't even know I needed this feature and now I cannot live without it. Awesome work. Right click on a tab and select "Add Split View" to try it out.

0
2
0
repeated

If your Open Source project sees a steep increase in number of high quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed) please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

12
8
0
repeated

One thing that's odd about this package is the amount of internal, anthropic-specific tooling that's in it. Aside from the sort of comical gating behind the USER_TYPE='ant' env var, normally in a well designed package you would expect that it would provide proper hooks so that internal tooling could just be a set of plugins rather than in the source itself.

Claude code does have a number of extension points: agents, hooks, plugins, skills, and tools - even if their structure is somewhat, ah, gestural.

Some things could potentially become features (like the MagicDocs thing, even if that's a comically expensive idea, I'll write more about that later tho), but there are also some things that make no sense to be in here. Like in the startBackgroundHousekeeping task there is an 'ant'-gated task to clean their .npm-cache directory.

There are even notes in here like "this used to block the whole event loop" which you think might have indicated that they might have, say, "just written some separate cron task that runs totally outside claude code." So it seems like "writing claude code with claude code" leads to a collapse of separation of concerns, where Anthropic can't really manage the distinction between their projects to the point of inlining the devtools - this can also be seen in comments re: code duplication with Cowork, which I'll also get to later. It also confirms what they say publicly, that they just have claude code sessions running 24/7 (where having a task run every 24 hours makes sense)

1
1
0
@floyd Oh then you are one of the few lucky foreigners who enjoy Túró Rudi, glad to hear that! :)

@stf
0
0
1
suffrage
@light Criminals can be stripped of voting rights around here, but it doesn't really change the equation as these people are a tiny minority of the voting population.

"Morality" is difficult: e.g. is it moral to vote if you don't have the slightest idea of rules/stakes/etc?
0
0
0
repeated

Cat ๐Ÿˆ๐Ÿฅ— (D.Burch) pawโ paw

ad Is your shitposting quantum ready?

4
7
0