"I'm interested in all kinds of astronomy."

Big companies have an expensive new addiction to AI, and their smack is getting more expensive. Who could have seen this coming? From the WSJ:

"Use of artificial intelligence by big companies is exploding—and the soaring cost has some of them pumping the brakes in a way that could complicate AI’s triumphal march across the economy.
Executives across industries this year have urged employees to integrate AI tools into their work, spending freely to encourage experimentation and seeking to send a message to Wall Street that their companies won’t be left behind in a coming wave of disruption."

"All that enthusiasm has resulted in skyrocketing costs for so-called tokens, the basic unit of measurement for AI computing, as AI model providers seek to balance supply and demand and manage their own costs. Some enterprises have hit their annual budget in just three months or reported seeing their AI spending bills double or triple."
 
"Now corporate leaders are scrambling to bring down expenses by finding ways to ration AI use in their organizations, steer workers toward cheaper, homegrown tools and help them hone their skills to improve returns." 

https://www.wsj.com/tech/ai/corporate-america-is-starting-to-ration-ai-as-cost-skyrockets-1eb99d7a (paywall)

https://archive.ph/v2dwg


This person has been a prolific bug finder for quite some time. Here's their public HackerOne profile: https://hackerone.com/halove23/hacktivity?type=user

Reading their Xitter timeline over the years is pretty interesting. They went from working w/ a lot of these bug bounty programs and giving MS time to fix stuff beyond the usual 90-day window to increasing frustration in dealing w/ vendors. I wish that were less of a common experience than it still is today, but some dynamics in this industry never seem to change.

Also just noticed something interesting. Back in 2019, MS was including hyperlinks to researchers in their advisories. In this advisory, they actually link to the researcher's shitposting Facebook profile, which has posts up until this month.

https://www.facebook.com/com.android.vending

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-1385


It's worth catching one of the Pwn2Own OGs (Aaron Portnoy) on the latest Three Buddy Problem

Aaron with the timeless advice "level up.. get better"

(Also with props for Deception in Defense 💪💚)

https://pca.st/episode/5da764af-2a7e-4c03-9026-760e339b9d22


Offensivecon's talks are now available on our YouTube channel!

🔗 https://youtube.com/playlist?list=PLYvhPWR_XYJkIP2X-uGDsAMIKnhdSauaM

@pojntfx I liked it too until it started to seriously mess with my code, you better be careful...

Submissions are still open!

If you've been sitting on a bug, technique, war story, weird research rabbit hole, or beautifully cursed idea: now is the time.

Write something worth archiving.

Phrack CFP closes June 30.

More details on how to submit at https://phrack.org/news


The openSUSE peeps have figured out some crazy compression, it seems. 107.0 B for everything!

Daily #Rust:

You can write this and the compiler will just figure out all the generics for you:

`let baz = Foo::new(Bar::new());`

But if you want to write:

`return Foo::new(Bar::new());`

... it seems you have to make your function generic, even though the compiler knows exactly what will be returned.

My flight got delayed: the departure time is struck through and the new expected departure is written underneath. The arrival time is...just struck through o.O

📅 Next Web Talks at Mozilla Berlin Meetup is happening Thu, June 11, 18:00 🦊

Two talks:
• Sunil Mayya on "Keep Off My LAN": Firefox's implementation of Local Network Access
• @freddy on "The Devil is in the Defaults": defending against XSS with Trusted Types and the Sanitizer API

https://www.meetup.com/de-DE/berlin-mozilla-meetup/events/314623241/

@andrija That lecture sounds like exactly what I need, thanks! Linking here FTR:

https://www.youtube.com/watch?v=3IyKC5EtNkM

RE: https://infosec.exchange/@x41sec/116651028731076045

Important! Using a reverse proxy might not fully protect you from BadHost / CVE-2026-48710 **also this does not only affect AI related infrastructure because FastAPI is also affected and used for various applications!**


Pasting a huge AI-generated explanation to a problem in an issue or pull-request is nothing but RUDE. Don't do it. You look stupid and the receivers of that feel insulted.

We are humans. We communicate like humans. Fine, use the tools you like, but don't insult us.

@joern I couldn't create this without @airwhale! I just pushed the source files in case anyone wants to print their own:

https://github.com/v-p-b/von-neumann

[RSS] Security Bulletin: IBM i Access Client Solutions (ACS) is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator (CVE-2026-7770)

https://www.ibm.com/support/pages/node/7274214?myns=swgother&mynp=OCSSRQKY&mynp=OCSWG60&mync=A&cm_sp=swgother-_-OCSSRQKY-OCSWG60-_-A

@andrija how did you figure it out? My problem is that I don't see a way to get this knowledge from docs (although the required information is definitely there).

https://www.youtube.com/watch?v=xyup-362r1w

Respect, at that age such a great song and then such current lyrics!

Well done, guys!

Honestly, there is absolutely no way I could solve this without massive help from #LLM:

I wanted to define an interface with associated types to abstract away specific implementations of a component and used trait bounds (from a 3rd party lib) to provide guarantees about the associated types.

The problem was:

- 3rd party Traits forced generics on me that I didn't even use
- These generics had other bounds I needed to fulfill, which also want more bounds, etc.
- As a bonus, these two factors produce about a gazillion missing implementation errors for the first naive implementation, so you either need a really sharp debugger eye or will end up implementing one wrong solution after the other (as I did)

The solution for now is to drop the trait bound entirely (this is legal?!) and let the compiler intervene at the call site if someone doesn't implement the right trait - I complained exactly about this behavior the other day, because implementers can't figure out the bound just by looking at my trait, but at least now the code compiles and I left comments :P

#Rust

RE: https://infosec.place/objects/2c4cdbac-06e5-43bb-b070-044be09209b3