The full TyphoonCon 2026 conference agenda is now live:
https://typhooncon.com/full-2026-agenda-sessions

Join us May 28-29 in Seoul for a highly curated program focused on advanced offensive security. From vulnerability research to real-world exploitation.

🎟️ Tickets are going fast - secure your spot now

OTD 1989: #SunMicrosystems announces the SPARCstation 1, aka Sun 4/60, aka "Campus".
Also first use of SBus.

https://theretroweb.com/motherboards/s/sun-sparcstation-1

The AI slop security reporting is basically extinct. It almost does not happen anymore. At all.

"I am submitting this via direct email as I am currently unable to use the HackerOne platform due to account restrictions for new reporters."

In case someone was wondering what happens when we try to make it harder for new accounts to submit new reports.

🤔Ever wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine.

Many tools have been built around it, yet its internals remained undocumented. Until now 👇
https://blog.quarkslab.com/bsim-explained-once-and-for-all.html

I'm like 99% sure that strings is the best reverse engineering tool.

My kinda hot take on the Mythos stuff is really that there is so little money in offensive research that it's still not really that hard to find bugs. These AI companies are operating with budgets that make the entire offensive research of all big tech combined look like a joke

I remembered Joseph Kong today. His books basically guided me through the kernel and practically launched my career as a security researcher.

I started with FreeBSD around 2008–2010 while working as a sysadmin at a local ISP. Around that time, I began writing a FreeBSD rootkit just to understand how everything worked. In 2012, I wrote two kernel exploits for it. My first real kernel exploit targeted the sysret bug on Intel CPUs (the vulnerability discovered by Rafal Wojtczuk). After that, I wrote another exploit for a vulnerability in FreeBSD’s Linux compatibility layer.

I know FreeBSD gets a lot of criticism these days, but it’s still a great operating system. I believe in its philosophy and have a lot of respect for the competence of the people involved in the project.

"Days of arguing about exploitability can save minutes of fixing the bug."

-- Socrates, on vulnerability disclosure

An updated version of "Exploits of a Mom" by XKCD:

Hyperbridge exploited two weeks after April Fools' hack joke

April 13, 2026
https://www.web3isgoinggreat.com/?id=hyperbridge-exploit

The peril of laziness lost

https://bcantrill.dtrace.org/2026/04/12/the-peril-of-laziness-lost/

Getting e-mail to work shouldn't be rocket science...

Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510) https://blog.0patch.com/2026/04/micropatches-released-for-windows-shell.html

We chose a vulnerability in glibc (CVE-2025-4802) to teach students registered in our binary exploitation training the importance of the libc, loader, dynamic linker, and the kernel in making the execution of a modern Linux binary possible.

Furthermore, it demonstrates how a small oversight in the static glibc code allowed arbitrary libraries to be loaded into privileged code. Do you know the crucial role of the auxiliary vector? Or the main differences between dynamically and statically compiled binaries?

Check out the blog post for a brief analysis of CVE-2025-4802.

https://allelesecurity.com/libc-vuln-analysis/

When times were simpler:

"text generator"

LLMs now do the busywork of finding amazing vulnerabilities for everyone willing to spend the tokens.

But hacking still isn't dead:

1. We haven't at all solved the underlying problems which come with writing and shipping code.

2. You still need to understand what you're looking at and what you are operating.

3. The LLM platforms themselves are a exquisite target for hacking^Wcreative use of the technology.

Now when everyone can pull a CVE or two out of thin silicon and a few kWh of electricity the art of hacking might need adopt and maybe reshape a little but at its core the mind- and skillset will stay as relevant as it always was.

In that sense: keep hacking, keep exploring, break some stuff.

Stealthy RCE on Hardened Linux: noexec + Userland Execution PoC https://hardenedlinux.org/blog/2026-04-13-stealthy-rce-on-hardened-linux-noexec--userland-execution-poc/

Blessed are the cheese makers

https://www.youtube.com/watch?v=NFPIGNua5WM

2 years ago I did a PoC to run #rust 🦀 in the #pixel modem

Today it shipped in millions of devices!

They grow up to fast! 🥲

https://security.googleblog.com/2026/04/bringing-rust-to-pixel-baseband.html

#rust #security #smartphone #baseband