Full research, benchmark methodology, scoring breakdown, and the obfuscation techniques that worked: https://go.es.io/3QSJGnI

Hey fellow hackers and CTF players and cybersecurity enthusiasts, wanna participate in a small experiment?

I created a small CTF task designed to be solved with AI and I need to collect as much feedback as possible to determine if the core principles I used to create it are relevant.

For now, a few people I know already solved it but I definitely need more people to test it so I made it public:

https://virtualabs.fr/ctfai/

Try it, solve it, and send feedback! 😁

RE: https://mastodon.world/@paninid/116445313743159155

This _seems_ bananas, but you have to appreciate Microsoft's central role in computing as a _consumer of excess capacity_ that only incidentally _produces_ useful outputs. That is to say, the classic cycle of the computing _economy_ has been chipmakers, mostly Intel, builds faster machines, and then Windows and Office grow to soak up that excess capacity, driving demand for yet faster hardware. But... there's a plausible need in that cycle for Windows, Word, etc.

https://cosocial.ca/@paninid@mastodon.world/116445313952711313

Whatever Anthropic provided to Google, didn’t include the 0-days in Chrome that I am reporting right now. Zero dupes so far
https://bird.makeup/users/alisaesage/statuses/2046886808689270796

A new Git version just dropped and it comes with a new experimental `history` command!

`reword` can be used to change commit messages and `split` can untangle a single commit into multiple ones.

No more interactive rebase. 🎉

https://github.blog/open-source/git/highlights-from-git-2-54/

I checked and it's been 2 years since my last blog post??? So anyway, here's a quick blog post about KDP pool - the latest KDP feature that will replace the secure pool in future Windows versions: https://windows-internals.com/goodbye-secure-pool-hello-kdp-pool/

Interesting links of the week:

Strategy:

* https://cert.pl/en/posts/2026/04/annual-report-2025/ - .pl CERT gives us their annual update
* https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations - more on that Guardian story from a couple of weeks back about Russian hostmasters working for free
* https://arxiv.org/abs/2603.29545 - exploring how cyber crime's vibe will change
* https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report - how .mx got popped
* https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a - .ir are planning a silent disco and all of US are invited

Standards:

* https://github.com/OWASP/APTS - @owasp has a crack at defining autonomous testing standards

Threats:

* https://socket.dev/blog/bitwarden-cli-compromised - careful warden, I see you're managing a password
* https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/ - .de doxes head of REvil
* https://www.ic3.gov/PSA/2026/PSA260407 - .ru completes sticker collection of logos from every major law enforcement agency
* https://www.lumen.com/blog/en-us/frostarmada-forest-blizzard-dns-hijacking - .ru... in your modem, stealing your DNS requests
* https://dti.domaintools.com/research/dprk-malware-modularity-diversity-and-functional-specialization - .kp IT skills continue to develop
* https://pushsecurity.com/blog/device-code-phishing - phishermen continue to catch phish, news at 10

Bugs:

* https://www.jamf.com/blog/darksword-ios-exploit-kit-three-lessons-mobile-security/ - breaking out on Safari
* https://blog.calif.io/p/we-asked-claude-to-audit-sagredos - Claude vs qmail but FFS, it shouldn't have taken that much effort to spot that one
* https://heyitsas.im/posts/cups/ - printing a new 0day

Exploitation:

* https://vulnbench.ghostsecurity.com/ - testing LLM efficacy on the work bench
* https://agentic-threat-modeling.github.io/MAESTRO/ - how to make friends with agents and influence them

Hard hacks:

* https://gpubreach.ca/ - another hammer, another pixel dead...

Hardening:

* https://lore.kernel.org/lkml/20260404133746.80914-1-zybo1000@gmail.com/ - an interesting new kernel driver for Linux

Cryptography:

* https://www.openssh.org/pq.html - #OpenBSD takes a stance on PQC

#security, #research

Effective security measures are easier to implement and maintain than to bypass #showerthoughts

a new zero-trust security appliance just dropped

Hister v0.13.0 is out with quite a few new features. Update your instances.

https://github.com/asciimoo/hister/releases/tag/v0.13.0

Hister is a general purpose web search engine providing automatic full-text indexing for visited websites.

#selfhosted #search #freesoftware

CVE-2026-33824: Remote Code Execution in Windows IKEv2 - the folks from TrendAI Research break down this wormable bug that was patched last week. The show root cause & offer detection guidance. Read the details as https://www.zerodayinitiative.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2

A 4-star admiral told Congress the U.S. military runs a Bitcoin node to “secure networks” and endorsed Bitcoin as a “power projection” capability. The cryptographic primitives he cited like proof or work aren’t exactly earth shuttering in 2026. https://gooden.house.gov/2026/4/gooden-reveals-historic-u-s-military-use-of-bitcoin-node

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)
https://blog.0patch.com/2026/04/micropatches-released-for-windows.html

The Dungeon of Dark Patterns

Sources and bonus timelapse: https://www.peppercarrot.com/en/miniFantasyTheater/049.html

#webcomic #krita #miniFantasyTheater