I'm like 99% sure that strings is the best reverse engineering tool.

My kinda hot take on the Mythos stuff is really that there is so little money in offensive research that it's still not really that hard to find bugs. These AI companies are operating with budgets that make the entire offensive research of all big tech combined look like a joke

I remembered Joseph Kong today. His books basically guided me through the kernel and practically launched my career as a security researcher.

I started with FreeBSD around 2008–2010 while working as a sysadmin at a local ISP. Around that time, I began writing a FreeBSD rootkit just to understand how everything worked. In 2012, I wrote two kernel exploits for it. My first real kernel exploit targeted the sysret bug on Intel CPUs (the vulnerability discovered by Rafal Wojtczuk). After that, I wrote another exploit for a vulnerability in FreeBSD’s Linux compatibility layer.

I know FreeBSD gets a lot of criticism these days, but it’s still a great operating system. I believe in its philosophy and have a lot of respect for the competence of the people involved in the project.

"Days of arguing about exploitability can save minutes of fixing the bug."

-- Socrates, on vulnerability disclosure

An updated version of "Exploits of a Mom" by XKCD:

Hyperbridge exploited two weeks after April Fools' hack joke

April 13, 2026
https://www.web3isgoinggreat.com/?id=hyperbridge-exploit

The peril of laziness lost

https://bcantrill.dtrace.org/2026/04/12/the-peril-of-laziness-lost/

Getting e-mail to work shouldn't be rocket science...

@two just hope that nothing you do here causes a Wikipedia article to get written.

Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510) https://blog.0patch.com/2026/04/micropatches-released-for-windows-shell.html

@jonny These so called "guardrails" are a bad joke in general, I'm amazed that you have the willpower to wade through this shitspaghetti

the next item on my todo list is look at all the places where there is a retry loop that is not logged in any user discoverable way - there are a lot of uh strategic nondisclosures of failure states in here. in my use, i have found that it is very difficult to get claude to tell you what it's doing at any given time, and it is increasingly clear why.

@jonny System reminders are sort of genius money printers too - you can find a bunch of issues like this in Claude's bug tracker:

https://github.com/anthropics/claude-code/issues/21214

System reminders also include things like commit history, multiplying the price of every prompt for large repos.

Anthropic also seems kind of reluctant to give users control over system reminders, I wonder why...

@TarkabarkaHolgy I'm actually glad I was reading to kiddo when Orbán announced defeat: politics didn't infect our lives *that* much.

@tihmstar I think your friend should talk to the customs office of the airport(s)

We chose a vulnerability in glibc (CVE-2025-4802) to teach students registered in our binary exploitation training the importance of the libc, loader, dynamic linker, and the kernel in making the execution of a modern Linux binary possible.

Furthermore, it demonstrates how a small oversight in the static glibc code allowed arbitrary libraries to be loaded into privileged code. Do you know the crucial role of the auxiliary vector? Or the main differences between dynamically and statically compiled binaries?

Check out the blog post for a brief analysis of CVE-2025-4802.

https://allelesecurity.com/libc-vuln-analysis/

When times were simpler:

"text generator"

LLMs now do the busywork of finding amazing vulnerabilities for everyone willing to spend the tokens.

But hacking still isn't dead:

1. We haven't at all solved the underlying problems which come with writing and shipping code.

2. You still need to understand what you're looking at and what you are operating.

3. The LLM platforms themselves are a exquisite target for hacking^Wcreative use of the technology.

Now when everyone can pull a CVE or two out of thin silicon and a few kWh of electricity the art of hacking might need adopt and maybe reshape a little but at its core the mind- and skillset will stay as relevant as it always was.

In that sense: keep hacking, keep exploring, break some stuff.

Stealthy RCE on Hardened Linux: noexec + Userland Execution PoC https://hardenedlinux.org/blog/2026-04-13-stealthy-rce-on-hardened-linux-noexec--userland-execution-poc/

Blessed are the cheese makers

https://www.youtube.com/watch?v=NFPIGNua5WM