The WhatsApp complaint vs NSO contains some fun technical exhibits. The user manual and Ghana contract reveal quite a bit on NSOs system design and thinking.

So, we need to figure out what is going on with CVE-2026-41089, the Netlogon vulnerability that Microsoft patched in May and that the Center Cybersecurity Belgium said on 05/29 is being exploited in the wild. If the latter is true that's a *huge* deal. But no public confirmation?

Maybe hyping LLMs has downsides.

1/ You publicly fight with your government because you don't trust them to use your models with no guardrails. 2/ You train a capable cyber model with no internal guardrails. 3/ Super-hype it as being too dangerous for the world to have. 4/ Only give a few select companies access to it. 5/ Release it to the whole world with only a small model guarding access. 6/ The small model gets jailbroken in 48 hours. 7/ The government steps in and says you need to take it down as it's too dangerous for the world to have. 8/ You complain?? 🤔

This is a funny and high quality copy of the WSL workflow

לא לא. האתוס הכי גרוע שהתפתח בצה"ל הוא שמפתחים פיקוד מהשורות. ולא רק שזה אתוס גרוע, הוא גם לא נכון. לפני 30 שנה צה"ל היה ממיין מעט ואז שולח לפיקוד את הטובים שנשארו מהשורות. ההכשרה הייתה קצרה, אבל האיכות והניסיון איכשהו קיזזו את זה (לא באמת. אבל נגיד. עזר לנו שהאויב היה חלש). היום צה"ל ממיין מראש את מי שרק אפשר, מוציא את כל הטובים לתפקידים בכל מיני מיוחדים ושו שו ואז מוציא את מי שנשאר להכשרות סופר קצרות לתפקידי פיקוד - לא פעם מיד אחרי המסלול ובלי שום ניסיון. ואז הוא טופח לעצמו על השכם על איכות הקצונה. וזה, גבירותי ורבותי, הפוך מאיך שעושים דברים בעולם. בעולם ממיינים מתוך השורות למערכים מיוחדים (כי צריך להבין מה ערכו של אדם בשדה לפני ששולחים אותו לעורף האויב) וממיינים מהבקו"מ לקצונה (כי זה מעמד נפרד, שמצריך גם דיסטאנס וגם הכשרה ארוכה מאוד) ובד בבד יש פיקוד זוטר מנוסה מאוד שגדל מתוך השורות. כי, בהינתן שכל השאר שווה, המבדיל העיקרי בין כוח טוב לכוח לא טוב הוא המפקד. אפשר לקחת חבורת חמורים ולהפוך אותם לאריות ואפשר לקחת אריות ולהפוך אותם לחמורים. הכל תלוי במפקד שמוביל (ומאמן ומכווין ומספק השראה) אותם. ולכן - תפקידי פיקוד נחשבים מאוד ובצדק גמור. הבעיה היא שבפועל, צה"ל פועל שנים בניגוד לאתוס שלו, כיוון שפשוט לא מפסיקים להקים מערכים מיוחדים (גם כי זה סקסי וגם כי האמל"ח הופך יותר ויותר מורכב) והצבא הגדול כל הזמן מפסיד בדראפט - ליותר ויותר גורמים. כשממיינים לשלוש יחידות מיוחדות, טיס וחובלים\צוללות זה ניחא. כשממיינים לכמעט 20 מערכים לפני שהחייל אפילו נתן ביס בשניצל של הבקו"מ (מערכים שרובם המכריע מוציא אפס קצינים לצבא הגדול), פשוט מרוקנים את האגם שהוא הצבא הגדול מדגים במעלה הזרם. צה"ל אלוף העולם במיצוי כוח אדם מלש"ב. אנחנו נכנסנו לאזורי ה over fitting של המודל. #פידצבא

These things still surprise me

What's better than writing a book about GC? Writing a GC! I am excited to share that I've joined Microsoft as Principal Software Engineer, to work on the evolution of the .NET Garbage Collector and in general the future of the .NET runtime. Stay tuned for much more! After my two-year detour into agentic AI, and my deep .NET background, I find it a perfect match for today's evolution of .NET and serving heavy AI workloads. The intersection of AI with low-level programming and hardware-aware algorithms is a great place to be. Not to mention AI-assisted work and engineering is already deep in my heart. #dotnet 💜

wild to me that people vibe-generate slides for conference talks they are ugly (for now). they are low info densiry (thanks rlhf) but worse, they don't represent your thoughts, so your presentation of them will be terrible, unless you put in a ton of work (so just write them!)

Le immagini del ministro israeliano Ben Gvir sono inaccettabili. È inammissibile che questi manifestanti, fra cui molti cittadini italiani, vengano sottoposti a questo trattamento lesivo della dignità della persona. Il Governo italiano sta immediatamente compiendo, ai più alti livelli istituzionali, tutti i passi necessari per ottenere la liberazione immediata dei cittadini italiani coinvolti. L’Italia pretende inoltre le scuse per il trattamento riservato a questi manifestanti e per il totale disprezzo dimostrato nei confronti delle esplicite richieste del Governo italiano. Per questi motivi, il Ministero degli Affari Esteri e della Cooperazione Internazionale convocherà immediatamente l’ambasciatore israeliano per chiedere chiarimenti formali su quanto accaduto.

Private evals or GTFO

security research now has this weird incentive where finding the bug is only half the game. the other half is packaging the story as "claude/codex found it" because that’s where all the attention is right now. model providers, with their big accounts and distribution, will push the story for you. it looks win-win. weirdly, the human taste, target selection, hand holding, all get compressed into "the model found it". frontier model companies happily push that narrative, while the researcher slowly gets devalued.

The magical news you’ve all been waiting for: registration for the new BlueHat IL 2026 date is officially open! Spots are limited - go grab yours! Register here: aka.ms/BlueHatILRegistration Full Agenda: microsoftrnd.co.il/bluehatil…

Inference isn't everything, but it does require a new stack -- not Kubernetes, not SLURM. At @modal, we dove deep to build that stack. In this blog post we explain how, from compute management & cloud-native cacheing to CRIU & GPU checkpointing. modal.com/blog/truly-serverl…

Done something cool with AI? Great! Now, have some respect for your own work, and the people reading it, and don't have AI do the write-up. Good writing is a skill. Conveying complex technical ideas is hard. But AI is not good at it, and the write-ups it generates are dogshit.

I am genuinely impressed by The Walt Disney Company’s accomplishment of making me not care about Star Wars any more

The Unprompted.au CFP is officially OPEN! If you are doing cool stuff with AI in offense, defense, or working on core AI tech (from frontier models to open source LLMs), we'd love to hear from you! Submit here: unprompted.au/

Things that have failed to bring the regime to negotiate in "good faith" (think tank slang for making concessions that aren't in its interests): - Sanctioning Iran's Central Bank - Kicking Iran off SWIFT - Sanctioning Iran's oil - Making Iran's currency collapse - Assassinating everyone from Khamenei to Soleimani to Larijani - Carpet bombing Tehran twice in 9 months - Hitting every enrichment site - Bombing the heart of Iran's industry - Wiping out most of Iran's conventional navy None of that worked. They haven't even agreed to the basic stuff like diluting the 60% enrichment stockpile which are the easier parts, let alone the trickier concessions. Oh no but you don't understand the geniuses at the Brookings Institution have it figured out. The blockade will do what all those failed in. Yea ok. The fruit flies infesting my home are more intelligent than these people ...

Poll check for an upcoming report I intend to publish In a controlled lab with modern EDR/XDR/whatever and a flat network, how far does an autonomous AI agent get starting from a basic SharePoint exploit?

I'm going to plant a flag here: 2026 is going to go down in computer security history as the year of a million CVEs. (Maybe literally, but definitely figuratively.) LLMs are producing lots of slop, but they're also finding a heck of a lot of real vulnerabilities.

I'm not surprised that grsec wasn't impacted