Joined August 2007
Pinned Tweet
Earlier this week I gave a talk to our internal hacking teams about the difference between good hackers and great ones that have been able to impact our field. I included three extended quotes - two from writers and one from Hamming that influenced my approach early on. Maybe some of it is useful for you.
I audibly eyeroll when most cyber people talk about post-quantum crypto, and it's even worse when they're talking big consulting engagement to do what? - update some openssl packages or make a TLS key exchange explicit? Now you can give them pqc4free github.com/singe/pqc4free
Dominic White 👾 retweeted
this is my personal singularity moment

this post may sound like a paid ad. I only wish. I'm concerned, more so than happy. the world is changing, and, among the scenarios where AI goes terribly wrong, inequality is the most realistic, yet, the one Anthropic seems to be the least concerned about. I'm glad OpenAI is taking the opposite stance: *personal AGI for everyone*. I think this is a commendable position in the times we live. but who am I in the queue of the bread?

anyway, Fable is here, so I'll just report my first-hour experience

first of all, all my pet prompts are solved.

→ λ-calculus puzzles
→ bug questions
→ one-shot apps

all are trivial to it. I don't have anything harder other than my ongoing work

so, in the last several days, I've been toying with HVM5, a new interaction net evaluator with a faster loop. after writing the first version, I left 32 GPT-5 agents working for ~20 hours each. this resulted in up to 2x speedups, but the file size increased by 2-fold and quality decreased significantly.

I then simplified the whole thing into an even simpler core, and left Opus 4.8 and GPT 5.5 optimizing it for 8 hours. Opus got a legit 6% - 34% speedup in most benches. GPT got better results, but, sadly, an unusable file.

I then asked Fable to optimize it. 2 hours later, it landed a 1770% speedup in one case, 100% in other 4, and 22% in average.

yes, in 2 hours it outperformed me, opus 4.8 and a swarm of gpt 5.5 agents, by one order of magnitude.

that could not possibly be legit. "it must be hardcoding the benchmarks" (GPT trauma). so I read its explanation and what it did was, indeed, the most high impact optimization one could try first. seems like HVM5 was wasting a lot of time garbage-collecting unused branches of pattern-match nodes. I had optimized that for static mats, but not for dynamic mats. skill issue. Fable figured how to do it for these, resulting in a massive speedup in some benches

but wait, is that *correct*? I'm not sure yet, it is credible, but this is the kind of thing that is very easy to get wrong on interaction nets. the problem is, when I was ready to start auditing Fable's solution so I could tell whether it was buggy or legit, it interrupted me to tell me it had found a massive bug on the code *I* had written.

... wait, what?

so... for garbage collection purposes, I stored a bit on lambda term pointers that meant "the variable bound by this lambda has been freed, so, its lambda must free whatever argument it is applied to". that's fine. yet, on duplicator nodes, I also used the same bit to mean "one of the duplicated variables was freed, so, treat this dup as a passthrough no-op". so, if a lambda entered a duplicator, it would mistake the lambda's collection bit for its own, resulting in corrupted interaction!

that's a mouthful, why I'm writing this? just so you can appreciate the sheer absurdity of what just happened. I didn't ask it to find bugs. I asked it for an optimization. and even if I did ask it to find bugs, this bug is so astonishingly subtle and specific, identifying it takes mastering the domain to an extent that is beyond even me. I'd easily need hours or days to fix it, *if* I ever came across it. chances are it would just go unnoticed. and Fable found it and fixed it like it was nothing, while it was busy adding a 17x speedup to a file that neither I, nor Opus 4.8, nor a fleet of GPT 5.5 managed to barely make 2x faster.

oh and there is also another tab where it is also ripping through Bend's codebase and finishing everything I had to do

I don't know what to say anymore

this isn't about Anthropic or OpenAI, this is about our collective future as a species. the world is changing, and we need to be aware of it, and discuss how to handle this change.

receipt below . . .
iOS 27’s “Describe an Extension” works surprisingly well. It built me a page editor, form POST interceptor, hidden input revealer and view source extension either in a single shot or on the second or third time. It was faster asking it to make a new one than editing one.
Dominic White 👾 retweeted
I don't know why any of you haters are surprised I'm the one actually engaging here. You're the ones who've obsessively pored over the 10,000 photos, the 30,000 text messages, and the 128,000 emails from my hacked iCloud and stolen devices. If I am anything, I am prolific. You know what you won't find? Any of the most heinous, hateful things you keep posting about me. What you'll find from me here is the same thing you found there. Total transparency. Finally on my terms. Not yours.
Dominic White 👾 retweeted
Good news in South Africa: the murder rate has sharply declined. Key factors: better high-visibility policing, and the end of daily electricity cuts, according to crime experts in the analysis below. It's important for us to acknowledge good news when it happens.
Why is our murder rate declining so quickly? dailymaverick.co.za/article/…
Dominic White 👾 retweeted
A reference implementation for autonomous vulnerability discovery and remediation with Claude, based on our learnings from partnering with security teams at several organizations since launching Claude Mythos Preview. github.com/anthropics/defend…
Dominic White 👾 retweeted
A pentest tells you what was exploitable. A vuln scanner tells you what might be. Neither tells you what's exposed right now. ActiveWatch does—continuous, attacker-style monitoring of your internet-facing assets. Only confirmed vulnerabilities. More here: ow.ly/Xe9S50Z0VHU
Those aren’t version numbers, they’re multipliers to token cost.
Dominic White 👾 retweeted
Hackers are no longer just going after the obvious targets. Retail. Healthcare. Finance. If you hold people's data and cannot afford to go offline, you are interesting to them now. Find out more in our Security Navigator: ow.ly/qpI950Z0VAN
Dominic White 👾 retweeted
Technical Tuesday: We came to investigate one compromised website and walked away with two new CVEs in CraftCMS 4.12.8, uncovered during live incident response. Classic scope creep, except this kind helps everyone. Find out more here: ow.ly/S6kp50Z0VEA
I checked the AGSA report from 2013/2014, South African .gov has barely managed to improve 10 points in over 10 years - in case you're wondering why TAs are blowing through them.
The Auditor-General assessed 70 government entities in 2024/25. Forty-five had cybersecurity weaknesses. Only 36% had good controls. Unresolved recommendations are not a compliance footnote. We help organisations understand their exposure before someone else does. Get in touch.
Dominic White 👾 retweeted
#TechnicalTuesday: Leon Jacobs tested pre-installed software from six brands and found vulnerabilities in all six. This is not a careless brand story, but a "nobody tests this layer" story that runs elevated on everything you own. Read more: ow.ly/NNIi50Z0VwP
Dominic White 👾 retweeted
Technical Tuesdays: In 2025, SensePost researcher Leon Jacobs explored how attackers exploit Windows named pipes, building pipetap. It routes connections via injected processes, bypassing identity checks to view and modify processes. Read more: ow.ly/YiXu50YNls8
Dominic White 👾 retweeted
#TechnicalTuesday: A "no-touch" door sensor is built to let people in or out without touch. In testing, Michael Rodger triggered one from metres away using infrared light. It opened. Convenience and access control? Not the same thing. More here: ow.ly/Qjip50YUQ5A
Dominic White 👾 retweeted
Technical Tuesday: Isak Van Der Walt found a way to change what an app trusts without reversing the whole system. If trust can be edited at runtime, it stops being a safety net. When last did someone test whether yours could be? Read more here: ow.ly/l7tu50YYb8i
Dominic White 👾 retweeted
Technical Tuesdays: Your flat internal network could be handing your domain to attackers. A non-hierarchical setup lets them hijack sessions via shadow RDP, steal tokens, and impersonate users undetected. Aurelien Chalot explains how tiering helps: ow.ly/ua7Y50YNl1u
Deep-Live-Cam needs you to pay to get the higher quality HyperSwap model support, so codex vibe'd it in for me based on FaceFusion's implementation. You can grab it below. You'll probably never believe me that this isn't actually the president of South Africa O_o
Rami and the Boyz! cc @leonjza @mbr_za