Joined July 2017
If you're doing cold outreach automation. Make Claude/Codex generate diverse profiles of your ICP and situations. Then respond to each profile with an opener. Save, analyze and recycle these in the actual cold outreach automation. Keeps things humane and aligns w your persona
Though I still prefer manual reach but this works well too
some fire research! also the exp has been same for me for all sorts of pentests code/api. when dealing with a huge attack surface build logic islands of the attack surface. segregation helps (depending on your harness) the system not dilute attention across multiple heads
Jun 11
Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-googl…
Cvewhen? retweeted
i look forward to our chinese brothers liberating the knowledge from within fable-5 and selling it to me at 5% the cost & 2x the speed
Fable, Opus, GPT all models have one disease
skim repo -> make claims -> edit rando file -> lgtm -> miss the actual prod path -> "you're absolutely right!" -> hexagon -> pentagon -> tokensgon
slopflow is just my attempt to beat that out of the agent.
sys instructions skills that force the model to:
- trace code before claiming behavior
- separate facts from guesses
- expose assumptions
- review diffs for consequences
- stop pretending validation happened
- think about correctness/security instead of vibes
Fable is better by default at coding than Opus but good luck raising seed round to seed the API bills after June 22🙃
slopflow works across open and frontier models.
and the part i care about most - secure design before codegen. the prompts push the model to reason about security before a single line of code hits the file.
github.com/1ikeadragon/slopf…
Used Fable for a serious task so far...
- Seems really fast on /high (default) mode
- Seems very good at multi-tasking
- Weirdly uses less tokens for the same task I had assigned to Opus 4.8
- Will need to raise a seed round to use API after June 22
Daniel (fable) vs the cooler daniel (Mythos) ahh
Introducing Claude Fable 5: a Mythos-class model that we’ve made safe for general use. Its capabilities exceed those of any model we’ve ever made generally available.
Munching on my dinner, came across this vid from @eostudi0 featuring prof @ProfTomYeh
He talked about how people wished downfall of Chegg because students cheated using it. Chegg got cooked but then AI became free for all 🫠
They tried detecting cheating but reality was that Chegg was never the problem! it was just an interface. at that time an easy one for students to use. It was a symptom of a deeper rooted problem in society of there being an incentive to cheat.
If you think about it the detection war against cheating isn't too far from home from infosec. imo orgs are chasing the wrong tail with just doing AI SAST/DAST in the pipeline.
SAST, DAST, PR review, AI-powered scanners, better triage, lower false positives, etc is important but still it's detection of vulns which is an after-effect of writing insecure code. A good SAST/DAST solution should be treated as a strong backstop and not the core strategy.
Code is being written with volume and speed like never before. Teams are plugging their security gates at PRs like before but now with AI sprinkled on top.
but why at PR? By the time a PR is opened, significant engg effort is already spent. A serious finding at that gate can mean lots of effort duplication, frustration for everyone involved and delayed delivery.
shift left was advocated before but it wasn't as realistic to achieve. The most you could do were still scans after code is already written because tools needed that as a base to reason about. And the way to write secure code was training your devs and hoping they remember to set verify_signature=True lol
Now, it's AI that produces a large chunk of the code. And the best part about it is AI can be shaped at the source. With the right harness your features can be secure BEFORE the code gen even starts.
Just like PM role get merged with engg, security needs enmeshment with dev. Security at design stage IS the future and it's staring at us in the face.
just what i think.
Mythos or gpt 5.6 writing hardened and secure code by default >>> detecting all vulns pic related
One of the best side effects of coding agents is reverse engineering becoming free for all. Love seeing the projects on my tl lately reversing Smart Watch paid APIs, hardware and what not.
I didn't even realize but i was in discord when jonas was showing the SecureBoot semi-bypass vuln. was too locked-in my own work, the stream became white noise 😭

TIL there's a special agency that does psychoanalysis of the effect of every alphabet on audience when building your brand identity also they made Codeium sound less like a Temu rip-off of Vscode and more based @windsurf
doing gcloud auth login shaves a few meninges of sanity from me every day
Cvewhen? retweeted
For years, Rust binaries made reversing a nightmare. Modern decompilers only support C, lacking meaningful types, constructs, and language-specific functions. Led by @34r7hm4n, we're releasing our S&P work Oxidizer, the first deep Rust decompiler, built on angr! Interested? 🧵👇
Lately doin 10hr days n most of it has just been evals and staring at logs for random provider, or infra failures
LLM work has this magical property where model call is fast but everything around it eats your whole day.
Hate this part but when shit works it feels worth it
Cvewhen? retweeted
May 14
Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. Full story: open.substack.com/pub/calif/…
Cvewhen? retweeted
Claude helped me with this bug too but in a different way... Tried to gaslight me saying it wasn’t ~exploitable in practice~ and I got obsessed with proving it wrong 😩
Confirmed! @chompie1337 of IBM X-Force Offensive Research (XOR) used a race condition to escalate privileges on Red Hat Enterprise Linux for Workstations, earning $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OBerlin
ik way too many talents burned by microslop in diff ways to be able to figure out who this is and that's a sad thing.
writing dedicated RCA skills is the best effort investment i've done this last week. saves so much time! one does deployment log analysis and other does code analysis and correlation
Much needed upgrade 🐎
sbx builds finishing so fkin fast without any fan noise or heat i love this