AIs have been finding bugs and vulnerabilities in #curl for some time.

Is it work to fix those? Yes.

Has someone paid for this? Partially (wolfSSL and @sovtechfund)

Are the AIs annoying? Yes, very.

Could humans find the same bugs? Yes, if they‘d somehow avoid being bored to death through it.

Was there something „heartbleed“ like? No.

Were there lots of C mistakes? No, logic bugs mostly.

Do AIs run out of steam? Yes. After a while a model stops finding things. Findings differ per model.

It’s International Haiku Day apparently and so for today’s poetry offering, here are a few assorted haiku.

[RSS] Virtual Memory Area Management From Red Black Trees To Maple Trees

https://jinjucat.github.io/Virtual-Memory-Area-Management-from-Red-Black-Trees-to-Maple-Trees/

I've been uploading #hacking magazines from #China, some of which have been removed for reasons I don't understand, to Internet Archive. This is a decent scan of an issue of Hacker Defence (or Hacker Defence Line?) from I think the early to mid 00s.
#hacker #history
https://archive.org/details/hacker_defence_unknown

Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)
https://blog.0patch.com/2026/04/micropatches-released-for-windows-error.html

@lcamtuf @diyelectromusic No Starch complained multiple times about Amazon selling counterfeits, I had good experience with blackwells.co.uk when ordering overseas tech books from EU.

The cat's out of the bag! My latest book, "The Secret Life of Circuits", is available in early access:

https://lcamtuf.coredump.cx/blog/secret/

It's the reference I wish I had when I was starting out. Electrons to embedded systems, 290+ color illustrations and 420+ pages of well-explained theory.

New Post: Debugging - WinDBG(X) Automation & Scripting - Part 1 https://www.corelan.be/index.php/2026/04/17/debugging-windbgx-automation-scripting-part-1/

RE: https://infosec.exchange/@attackanddefense/116418875523198922

Q1 2026 was a very strong quarter for Firefox Security & Privacy.

some highlights:
- We expanded AI-assisted vulnerability discovery through our collaboration with Anthropic, helping identify and fix a high number of real security issues.
- We shipped the Sanitizer API in Firefox 148, making Firefox the first browser to support this stronger defense against XSS.

More in the newsletter linked below :)

Current stats:

* Bugs found in target: 1
* Bugs found in bug discovery tools: 4

RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749

Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.

@dsp @badkeys That's a limitation of DNS, and management UI's can make configuring larger strings quite frustrating. My favorite is when parts of the base64 gibberish are mixed up in the DNS response so you can see that there is something that *looks like* your public key, yet it won't verify your messages.

I had pretty good experiences with Zed so far, but this is lunacy:

https://github.com/zed-industries/zed/discussions/29395

From the same author as BlueHammer we now have RedSun.

This works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled. Any system that has cldapi.dll should be affected.

Join us tomorrow, April 17th @ 4pm ET, for some live pwn! We'll be using Binary Ninja's shell coding compiler, patching binaries to make them easier to debug, analyzing data moving from globals to the stack to the heap, and finishing by popping shells live with pwntools: https://youtube.com/live/VcK4SoeYZiU

RE: https://hachyderm.io/@Mara/115373191721487331

Half a year later, I'm *very* excited to report that we got initial funding and have hired our first Rust maintainers!

RustNL's Rust Maintainers Team now has two full time maintainers, one intern, and five part-time maintainers, now stably employed to continue their invaluable maintenance work that is crucial for Rust’s long-term sustainability.

https://rustnl.org/maintainers/

Apparently we reached the state of #Thoughtcrime punishment, it's called #precrime and on virustotal. Microsoft and Sophos just "blocked" (aka content filter says it's porn... whuat?) a friend's website because the #AI was suspicious of his AI website probably because on #Virustotal PreCrime is flagging it as will-be-malicious-in-the-future.

I want my Internet back.

@david_chisnall @itgrrl @scottymace User story: I explicitly looked for and manually enabled the history on Android bc there were notifs that contained important info but I sometimes removed them from the screen by accident and I couldn't find them in the corresponding app (can't tell the exact app/feature).

Windows: You can execute stuff by double-clicking

Also Windows: PowerShell is the way to script me!

Still Windows: If you double-click a PS script, it'll open a text editor