here's a technical write-up i wrote on one of the kernel bugs we've found :)
https://bird.makeup/users/bynar_io/statuses/2052720419157782809
When we said that we found and fixed hundreds of bugs in Firefox using AI, people were skeptical and said: Where are the bugs?
Well, here they are. We are unhiding 12 security bugs that are representative of the issues we have found.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/.
Remember when we used to dial into the internet, and the machines would scream at us?
That was a warning, right?
I'm a little concerned about the general tech attitude towards the Mozilla bug findings. Yes, I'm an AI hater, so add that to the biases, but that's not really the point here.
People seem excited about the fact that Mythos was used to find a bunch of security bugs in Firefox, which is cool:
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
However, the general attitude seems to be that devs can keep pushing for more new things because some AI system will catch the bugs for them. But to me, there should be more concern about how there were so many previously unknown unfixed bugs in Firefox to begin with. These findings should be a cause for concern and give pause to evaluate how so many security bugs make it to prod. And I'm not just talking about Firefox, everyone should be learning from each other in this space.
If nothing else, people celebrating the LLM-fueled bug findings should be recognizing just how much harm the whole Move Fast and Break Shit approach really creates rather than allowing the LLMs to be the excuse to move faster and break more shit.
Secret Panel HERE 🍔 https://tinyview.com/mrlovenstein/2026/05/07/off-menu
🔐 Releasing LUKSbox: encrypted vaults that survive the next decade.
Drop sensitive files on any cloud or USB. The provider gets one random-looking blob they can't read, even under subpoena.
✅ FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello)
✅ TPM 2.0 keyslots
✅ Post-quantum hybrid (ML-KEM-768/1024 - FIPS 203)
✅ Detached header → zero metadata on the container
✅ Linux / macOS / Windows
✅ Rust, Apache-2.0, 30M+ fuzz iterations
v0.1.0 is out. External audit next.
👉 https://github.com/PentHertz/LUKSbox
#infosec #encryption #postquantum #FIDO2 #rust #opensource #cryptography #penthertz
This gem is now 55 years old! A wonderful history is described in this vid.
Naturally I also looked in Wikipedia and Encyclopedia Britannica to find goodies of the time this wonderful timer was built. Since no patent was filed you can find a billion versions of it, which is a nice variant on the patent theme.
Wikipedia states
The timer IC was designed in 1971 by Hans Camenzind under contract to Signetics.[3] In 1968, he was hired by Signetics to develop a phase-locked loop (PLL) IC. He designed an oscillator for PLLs such that the frequency did not depend on the power supply voltage or temperature. Signetics subsequently laid off half of its employees due to the 1970 recession, and development on the PLL was thus frozen.[6] Camenzind proposed the development of a universal circuit based on the oscillator for PLLs and asked that he develop it alone, borrowing equipment from Signetics instead of having his pay cut in half. Camenzind's idea was originally rejected, since other engineers argued the product could be built from existing parts sold by the company
We are sure glad marketing was on good instincts then
The first design for the 555 was reviewed in the summer of 1971.[8] After this design was tested and found to be without errors, Camenzind got the idea of using a direct resistance instead of a constant current source, finding that it worked satisfactorily.[8] The design change decreased the required 9 external pins to 8, so the IC could be fit in an 8-pin package instead of a 14-pin package.[8] This revised version passed a second design review, and the prototypes were completed in October 1971 as the NE555V (plastic DIP) and SE555T (metal TO-5).[9] The 9-pin version had already been released by another company founded by an engineer who had attended the first review and had retired from Signetics; that firm withdrew its version soon after the 555 was released. The 555 timer was manufactured by 12 companies in 1972, and it became a best-selling product.[6]
Quite neat this was for us electronic tinkerers and engineers
The 555 found many applications beyond timers. Camenzind noted in 1997 that "nine out of 10 of its applications were in areas and ways I had never contemplated. For months I was inundated by phone calls from engineers who had new ideas for using the device."[8]
sources
https://en.wikipedia.org/wiki/555_timer_IC
https://www.youtube.com/watch?v=6JhK8iCQuqI
#electronics #timer #timer555 #555timer #IC #engineering #mathematics #physics #no #TV
Trenchant exec, Peter Williams, who stole zero-day exploits from his employer and sold them to a Russian buyer (known for selling exploits to the Russian government) has been ordered to pay $10 million in restitution to his former employer. My story about it is here:
DistrictCon Year 1 Talks are officially live on our YouTube Channel! Check it out: https://youtube.com/watch?v=RDqXQ4nCOIE&list=PLILSGbVWGGPwuqdZhFrsf2sjEMPjIlceH
A HUGE shoutout to our incredible speaker lineup that came out through the snow to share their amazing content with us.
The 3 recent Linux LPEs are sort of interesting in that each one took a different path from discovery to disclosure.
linux-distros mailing list. But the embargo was broken, so it was disclosed unexpectedly ahead of time.
Each path had basically exactly the same outcome (No fixes at publication time). 😂
A hands-on look at Microsoft’s Independent Guest Virtual Machine (IGVM) format inside OpenHCL’s `openhcl.bin`.
We unpack the fixed header, variable headers, data layout, and how IGVM measurement supports Confidential Computing with SEV-SNP and TDX.
Paramiko is a pure-Python implementation of SSHv2. Recently, we worked with the Paramiko team on a security audit sponsored by @ostifofficial 🙏
Read a summary of our findings and find the full report here:
https://blog.quarkslab.com/paramiko-security-audit.html