A short video about the new BCyber program.

This is very great.

Hacking Google with A.I. for $500,000 brutecat.com/r/hacking-googl…

After 25 years of brave & brilliant work by hundreds of scientists in my lab to understand then safely reverse aging for the first time, it was moving to witness the first human dose being delivered 🥹 nature.com/articles/d41586-0…

Here is the complete information about the CBSE RCE incident from 29 May 2026. I found it and fully owned the server in just 3-4 hours. I’ll break down exactly what happened, in plain language anyone can follow. The same issues were present on the MRVV OnMark portal too. The CBSE OSM portal, where evaluators check answer sheets and upload marks, had a serious flaw on the login page. It accepted the username and password in JSON format but pasted the password straight into a dynamic SQL query with no safe handling or parameterization. I sent a simple timing test that made the database pause for 10 seconds, proving stacked queries were possible. Within minutes I had full database access on the backend Microsoft SQL Server 2019 running on Windows/IIS, with dbo privileges and visibility across hundreds of tables. Directory listing was enabled on the /bin/ folder, so I could download the compiled .NET DLLs. Decompiling them revealed hardcoded SA database credentials that were reused across CBSE production servers, other Onmark portals, and the MRVV OnMark portal. This reuse across shared components made it a supply chain attack - one weak framework affected multiple education boards, made worse by database replication. With SA-level database access I used native SQL Server tools to write a custom webshell straight into the webroot. That gave me immediate arbitrary OS command execution and full file system operations under the IIS application pool identity. From there, the overly permissive app pool account let me escalate in one move to NT AUTHORITY\SYSTEM (full Windows server control) by creating and running an elevated scheduled task. Complete server ownership in a few hours: I could read, write, or execute anything. Millions of records were exposed, including student marks, answer scripts, and evaluator personal and banking details. I took or kept no data, reported everything to CERT-In and removed access by May 29. Root causes were straightforward: direct SQL concatenation, hardcoded credentials in assemblies, directory browsing left on, over-privileged IIS pool, and no real auditing of shared codebases. It wasnt a hard job to get into other OnMark portals because all of them were sharing the exact same vulnerabilities. This is exactly why this became one of the biggest supply chain attacks in recent education tech one weak shared framework compromised multiple boards at once, with database replication making the impact even larger. Fixes are basic but essential: use parameterized queries everywhere, store secrets properly in vaults without hardcoding or reuse, turn off directory listing and risky SQL features, apply least privilege, and run regular security reviews on shared platforms. This shows how quickly a short chain of basic mistakes can lead to full compromise in critical education systems, putting data of lakhs of students at risk. #CBSE #OSM #RCE #ONMARK

Just DM me otherwise. Will do it for free.

Give this actress an Oscar please. She played this role so good.

This is what our journalists should be doing btw.

Don't end up in jail my guy

Found a cool bug at Meta. From misconfigured Grafana instance to R/W access on 507 private Meta repositories. Wrote up the full chain here: sectricity.com/blog/misconfi… $157k bounty awarded by @metabugbounty

The Delhi High Court just ruled against Google in a trademark case that every Indian founder needs to know about!! Hindware sued because searches for "Hindware" returned competitor ads - Cera, Grohe, above their own listing. Customers looking specifically for Hindware were being intercepted at the moment of highest intent. The court ruled it trademark infringement. Competitor keyword bidding on your brand name is now legally actionable in India. Search your brand name on Google right now. If a competitor's ad appears before yours, you have a case, and your competitor has a problem. This reshapes performance marketing in India. Keyword bidding on competitor names is standard practice across every category - beauty, fintech, edtech, D2C. The brands doing it most aggressively are also the ones most exposed to this ruling. Let's see how this pans out.

Surrounding yourself with optimistic people in your life is an underrated life hack.

If @SunRisers win from this it will be the most epic comeback. Rooting for SRH. ✌🏼

I once criticized CERT-In on LinkedIn and got calls from terrified employers (past & then present) asking me to remove it. I said no and proceeded to change all my employment history to ‘Confidential’ to ease their worries. The reason they panic is because they don’t want to lose their “CERT-In Empanelment”. CERT-In Empanelment is one of the biggest scams in the Indian cyber security industry. CERT-In makes you go through several stages of tests (all worthless btw) and then “certifies” you as an empaneled auditing firm. This status then allows you to bid on government contracts for cyber security projects along with enabling you to serve compliance customers under regulatory bodies. If, for whatever reason, CERT-In decides to revoke this empanelment, the firm would lose majority of its business. That’s how CERT-In keeps all the major cyber security firms in India under their thumb.

POV: you are downloading npm packages in 2026

Wondered why we don’t hear about heart cancer? Contraction-sensing Nesprin-2 protein is discovered to prevent heart cancer By causing cells to pulse (or adding in Nespirin) we might be able to treat cancer in other organs 👏 @ScienceMagazine

Time Dilation kind of makes the whole “datacenters in space” idea more fun. Technically…something like a GPS Block III CPU runs an extra ~7,000 clock cycles per day compared to the same machine on earth. Extend this to the extreme, and you get the whole subfield of CS physics called relativistic hypercompuation. There’s some (fun?) papers that allow you to solve the halting problem by placing yourself dangerously close to a black hole…while your computer safely computes for ~infinite-ish amounts of time. One of the better papers on this field appears to be: "Relativistic computers and the Turing barrier" (Németi & Dávid 2006) (sadly, the maximum speedup just escaping earths gravity well is something like 1 x 10 ^ (-10), so yeah the blackhole thing is kinda necessary)

@nvidia CEO Jensen Huang says that he doesn't know what else is better than wishing upon aspiring people to suffer in life so that they would learn the RIGHT lesson He is soooo wrong in the thinking process, though. What we should wish upon youngsters is not that they should suffer to learn the right lesson. We NEED to wish upon the youngsters that they should try to solve the hardest problem they can ever conceive of. In the path towards doing that, they would learn the right lesson

Free advise that I would give if I also have 8cr in my bank account. For those that are doing the grind, maturity is realising that while this statement itself is true it doesn't apply to you.

I’m thrilled to announce we’ve raised $44M to build a new home for product design. Meet @noondesign. No workflow is more broken and fragmented in 2026 than the product designers’. The very same people who care most about building software don’t have software purpose built for them. @kushagrasinha7 and I have lived this problem first hand as designers ourselves. That’s why we built Noon. The first product design tool that works entirely on your product code, so you can design not only how a product looks, but also how it works. With AI at its core that works in seconds, not minutes. For the first time, you can create, iterate, build, test and ship. All in one canvas. No translations or roundtrips to the codebase and back. Comment “Get Noon” and we’ll get you on the list for early access.