"Intel admits what we all knew: no one is buying AI PCs"
People would rather buy older processors that aren't that much less powerful but way cheaper. The "AI" benefits obviously aren't worth paying for.
https://www.xda-developers.com/intel-admits-what-we-all-knew-no-one-is-buying-ai-pcs/
Today we broke 12k stars on #GitHub remaining #1 on Reverse Engineering there and #1 for “Reverse Engineering Tutorial” on Google. Thanks again for all of your continued support to help get new folks free training on #ReverseEngineering for everyone! https://github.com/mytechnotalent/Reverse-Engineering
🌪️ Something new is coming to TyphoonPWN 2025!
This year, we’re expanding our scope with LG webOS! If you’ve been researching webOS, this is your moment to earn up to $20,000 for discovering an Unauthenticated Remote Code Execution vulnerability.💰
TyphoonPWN is less than a month away — don’t miss your chance to showcase your skills and get the recognition (and rewards) you deserve. 🏆
Remote participation is fully supported. Register now and secure your spot:
👉 https://typhooncon.com/typhoonpwn-2025/
"How many calories in one gram of Uranium?" from CalorieHealthy.com
In fact the answer varies from Uranium 235 fissile isotope at 34 billion calories/gram all the way down to Natural Uranium in a light water reactor at a diet friendly 100,000,000 calories/gram
If you're dieting, try to switch out the Uranium for Plutonium 238, or Hafnium 178m2 isomer
And definitely no bread!
I need to be very clear that the push towards "vibe coding" - that is, deliberately deskilling people - is because AI code assistants are an (increasingly expensive) subscription service.
If you know how to code, you can just write Python, C, Java, R, PHP, whatever for free and make things. You may not own the tools of production, but at least you're not renting them.
If you have been deskilled so you only know how to vibe code, you will be paying for that privilege forever.
This also goes, by the way, for researchers who are starting to be convinced they don't need to learn how to be scientists anymore, because "the AI" can just do the science for them. Nope.
We are excited to announce that the 1st Workshop on Software Understanding and Reverse Engineering (SURE) will be co-located at ACM CCS 2025 in Taiwan! We invite the community to submit their awesome research https://sure-workshop.org/.
So, what is SURE? More in the 🧵
The biggest thing that I wish people knew before starting their 1st tech job (probably most jobs) is that asking someone more experienced for the “answer” is what you should do as soon as you get stuck. It’s drilled into students that this is “cheating”, so this is a big change for new hires. The faster a new hire can unlearn that you’re not expected to do your own work without getting advice from others, the happier and more productive they will be in a team environment.
Microsoft Outlook is pants at usability and running a fat GUI isn’t great for security. About a year ago I went on a mission to make mutt (the CLI mail client) work in a sandbox so I could read my work Microsoft365 mail nicely and more securely. Here’s how https://github.com/singe/muttpack
Update: I just added some further hardening ideas to this. My favourite is to run the containers under esoteric architectures with QEMU.
When IT tells you they invested in a new security product.
Ok, all y'all that did all the research into Recall, you can tell me how to detect and disable, right? Cause it is in violation of every NDA I have ever signed.
The EU is introducing an energy label for phones, together with mandatory requirements for phones sold in the EU:
- 5 years of software updates (AFTER they stop selling the device in the EU)
- providing important hardware parts (during sale and for 7 years after), including free software (if needed), to every repair shop, within 5-10 business days
- batteries have to make 800 charging cycles and still be above 80% original capacity
And on top of that, phones and tablets need this energy label (which also includes a fall damage durability and repairability score), and abide by the above requirements, from 20 June 2025.
(https://energy-efficient-products.ec.europa.eu/product-list/smartphones-and-tablets_en)
[Project] I built a tool that tracks AWS documentation changes and analyzes security implications https://awssecuritychanges.com/
Threads is starting to roll out ads, another feature that we will never have in here
I am so tired of all of the long blog posts of the form ‘I like the idea of magical AI things and I don’t understand why {some product with an integrated bullshit generator} doesn’t just do {thing that is either impossible without using something totally different to any current GenAI approaches or is possible but would be laughably easy to attack and would be worse than useless} and then it would be so much more useful!’
These machines are not magic. They are not thinking, they are not reasoning. They will generate token streams that have high probability based on their training data of following the input (prompts plus any other tokens you stream them). That’s it. This can be useful. They can quite quickly produce not-totally-wrong translations, for example, because their training sets include a load of things in two languages. They can produce code that solves minor variations on problems that have been solved hundreds of times before. There are probably other useful things (ethics of large-scale copyright infringement during training and ludicrous energy use aside).
The thing that really annoys me is that there are a load of more useful things that both rule-based and machine-learning systems could do and don’t. I’d love to have something that would suggest Sieve rules based on how I’ve manually filed email, for example. This is simple statistical correlation. It’s not even that hard. I haven’t seen a system that has done it. Yet people keep trying to use LLMs for live filtering instead (which is a terrible idea because avoiding prompt injection is almost impossible).
as is tradition, I just published my commentary on this year's Verizon Data Breach Investigations Report (aka #DBIR): https://kellyshortridge.com/blog/posts/shortridge-makes-sense-of-verizon-dbir-2025/
In the post, I include the following sections covering what I felt were the most notable insights and facets in the report:
🌍 So, what?
💃 Espionage: fast fashion or couture?
👻 APTs go BWAA-haha >:3
💸 How do the money crimes generate money?
🤖 Attackers are still not really using GenAI
👩‍🍳 If you can’t make your own 0day, store-bought creds are fine
🔓 #Security was the real supply chain threat all along
🍄 Things Rot Apart
🕵 Scooby Doo's Spooky Kooky Corporate IT Caper
🌈 At least some things are improving somewhere
Go forth and enjoy my commentary, and then make sure to find me at #RSAC to tell me what you loved or hated Tuesday 14:30 at the @fastlydevs booth (where you'll also get a free copy of my book ✨)
thanks @alexcpsec for the early copy <3