@kaaswe @troed Looking at the news I can't wait for our robot overlords to arrive!

We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.

https://uattest.net/

did you know that SSH has a little-known secret menu?

i wrote a post about this on cohost a while back, but since that site shut down i'm posting it here too

Sign in with ANY password into Rocket.Chat EE (CVE-2026-28514) and other vulnerabilities we’ve found with our open source AI framework https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/

It's a bit hard to find in the announcement publications, but this is the technical analysis of one of the #Firefox bugs Anthropic's #LLM agents found (CVE-2026-2796):

https://red.anthropic.com/2026/exploit/

@kaaswe @troed LLMs and concious AI are very different topics IMO. The former definitely won't become the latter, but that doesn't mean the latter can't exist.

There's a lot of discourse on Twitter about people using LLMs to solve CTF challenges. I used to write CTF challenges in a past life, so I threw a couple of my hardest ones at it.

We're screwed.

At least with text-file style challenges ("source code provided" etc), Claude Opus solves them quickly. For the "simpler" of the two, it just very quickly ran through the steps to solve it. For the more "ridiculous" challenge, it took a long while, and in fact as I type this it's still burning tokens "verifying" the flag even though it very obviously found the flag and it knows it (it's leetspeak and it identified that and that it's plausible). LLMs are, indeed, still completely unintelligent, because no human would waste time verifying a flag and second-guessing itself when it very obviously is correct. (Also you could just run it...)

But that doesn't matter, because it found it.

The thing is, CTF challenges aren't about inventing the next great invention or having a rare spark of genius. CTF challenges are about learning things by doing. You're supposed to enjoy the process. The whole point of a well-designed CTF challenge is that anyone, given enough time and effort and self-improvement and learning, can solve it. The goal isn't actually to get the flag, otherwise you'd just ask another team for the flag (which is against the rules of course). The goal is to get the flag by yourself. If you ask an LLM to get the flag for you, you aren't doing that.

(Continued)

Our #CTF continues its world tour: we're heading to @ph0wn 🚩

Come time travel debug our challenge for a chance to win cool prizes 😉

TIL Leif Svalgaard passed away last year:

https://solarnews.aas.org/2025/obituary-leif-svalgaard-1942-2025/

A true #AS400 (lately #IBMi ) hacker legend:

https://svalgaard.leif.org/as400/

https://www.itjungle.com/2004/08/16/fast400-founder-sues-big-blue/

R.I.P.

We've invented service accounts all over again. MCP servers are quietly becoming the same overprivileged, under-monitored access brokers that have haunted enterprise security for years. Except this time, we're stacking them on top of the old ones.

https://go.aembit.io/s/mcp-servers-and-the-return-of-the-service-account-problem-25746

RE: https://techhub.social/@Techmeme/116177695971771546

Can't wait for Xbox to start giving people long form racism in Call of Duty.

[RSS] Challenges in Decompilation and Reverse Engineering of CUDA-based Kernels

https://nicolo.dev/files/pdf/reverse26-cuda-kernels.pdf

[RSS] AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks

https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf

Tired of guessing inputs? Let the computer do the work! Learn about symbolic execution from @barbie in "Reverse Engineering 3201" https://ost2.fyi/RE3201 and use SMT solvers to find the exact inputs to reach vulnerable code. Stop guessing, start solving! 

I already knew that we use nonsense measurement systems here in the US. But only recently did I realize that a US gallon is different than a UK gallon.

RE: https://infosec.exchange/@mr_phrazer/116166155203519881

I also published my Ghidra Headless MCP that follows similar design principles: https://github.com/mrphrazer/ghidra-headless-mcp

@pleia2 Except there is at least one fundamental difference between the X->Prompt abstraction and everything else he brings up (based on the slides):

https://blog.trailofbits.com/2025/12/19/can-chatbots-craft-correct-code/

New blog post: Perfect types with `setHTML()` - https://frederikbraun.de/perfect-types-with-sethtml.html - TLDR: Use require-trusted-types-for 'script'; trusted-types 'none'; in your CSP and nothing besides setHTML() works, essentially removing all DOM-XSS risks....

Composing Sanitizer configurations (https://frederikbraun.de/composable-sanitizers.html): The HTML Sanitizer API allows multiple ways to customize the default allow list and this blog post aims to describe a few variations and tricks we came up with while writing the specification.

Building a Super-Compact Cistercian Numerals Clock

https://hackaday.com/2026/03/08/building-a-super-compact-cistercian-numerals-clock/