Freedom focused cognitive dissonance creator.

Joined March 2022
Student Of Things retweeted
Fable isn't the first. In 1999 the Department of Defense blocked exports of the PowerMac G4 for crossing the 1 gigaflop threshold. Steve Jobs turned it into an ad.
Student Of Things retweeted
NEW: malware developers added nuclear & biological weapons text to their spyware. Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner. Cleanest practical example I can think of for why over-indexing on first-order safety alignment is risky. When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blind spots that attackers will discover... and exploit. We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users' systems that need to handle complex cybersecurity issues demand that models be less safety-blunted. In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation. H/T to colleagues that shared this with me socket.dev/blog/mini-shai-hu…
Student Of Things retweeted
🇺🇸 TODAY: The US National Security Agency is using Anthropic's Mythos AI for offensive cyber operations, with Anthropic engineers embedded inside the agency. This comes despite Anthropic's ongoing legal battle with the Pentagon over how its AI is used in warfighting.
Student Of Things retweeted
An easy way to avoid this hassle is to just never submit anything to MSRC.
Good lord 🤮
Student Of Things retweeted
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Student Of Things retweeted
We know what probably happened. From what we see publicly, NightmareEclipse doesn't communicate well, is emotionally immature, and appears to want to extort Microsoft. Almost certainly, this played a part in the conflict between them and Microsoft -- it's probably as much NightmareEclipse's fault as Microsoft's. With that said, everything Florian says is correct. It doesn't excuse Microsoft's failures. They are supposed to be the responsible one. When there is miscommunication or dispute, it's always allowable to drop 0day, regardless of whose fault it is. It's Microsoft's job to avoid that, even when they really aren't at fault for the miscommunication. But Microsoft has convinced themselves of the opposite, that "responsible" disclosure means only the responsibilities of the vuln finder. Vuln finders have no responsibility. Dropping 0day is responsible. Responsible companies don't have so many bugs. We let industry subvert the disclosure process. Instead of working to secure their code, vendors have tricked people into believing in the myth of "responsible disclosure", that vendors should be given time to fix and patch their bugs so they are never to blame for the bugs to begin with. That's why you have customers still buying Fortinet appliances even though their bugs continue to be major sources of customers getting hacked. Customers shrug their shoulders: as long as Fortinet has a vulnerability disclosure program and releases patches, they aren't responsible for when hackers keep breaking into their boxes. This is garbage. Vendors are still responsible for preventing bugs in the first place, a responsibility that doesn't go away just because they patch. Regardless of what happened, Microsoft's threats are a gross violation of ethics in the industry.
I don’t know what happened between Microsoft and #NightmareEclipse behind closed doors. Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation. When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room. Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher. What surprised me most is how quickly people started sharing their own MSRC stories afterwards.
- Months without responses
- “Working as intended”
- Bounty disputes
- Reports that went nowhere
People don’t suddenly start telling those stories for no reason. I think Microsoft broke a lot of porcelain here. And for what exactly? I don’t see much upside.
Student Of Things retweeted
🚨APPLE ADVERTISES $2 MILLION FOR FINDING SECURITY BUGS.. THEN CALLS YOUR DISCOVERY A "DUPLICATE".. PATCHES IT SILENTLY.. GIVES YOU NOTHING.. AND BANS YOUR APPLE ID IF YOU COMPLAIN.. Two researchers found a critical macOS vulnerability that let attackers steal passwords, encrypted chats, and Safari data through Archive Utility.. Submitted it October 2025.. Apple took 5 months.. Patched it with zero credit.. Zero CVE.. Zero bounty.. Their reason.. "You were not the first person to report this issue".. That's the duplicate loophole.. Apple claims an internal engineer found it first.. But researchers can't verify that.. Apple controls the tracking system.. No audit.. No appeals.. The researcher said it felt like "doing charity work for a $3 trillion company".. Another researcher found apps could access your entire photo library even after you turned off access in settings.. Apple's own page lists that at $50,000.. They reported it.. Apple went silent.. Patched it quietly.. Said it was a duplicate.. $0.. When the researcher blogged about it.. Apple permanently banned their 12-year-old Apple ID.. Apple's brand new Passwords app in iOS 18 was sending data over unencrypted HTTP.. A credential manager transmitting password reset links in plaintext.. Any attacker on the same WiFi could intercept them.. Researchers reported it.. Apple let it sit 3 months.. Patched it quietly.. Said it "didn't meet the impact criteria".. Then there's the FaceTime disaster.. A 14-year-old discovered you could eavesdrop on anyone's iPhone.. Start a FaceTime call.. Add your own number before they answer.. Their microphone turns on.. If they hit the volume button.. Their camera activates too.. His mother spent a week trying to tell Apple.. Emails.. Faxes.. Social media.. Support told her to pay $99 for a developer account to file a bug report.. Apple did nothing until the exploit went viral and millions started eavesdropping on each other.. Then they panicked.. Took FaceTime offline globally.. 
Congress sent formal letters to Tim Cook demanding answers.. Then there's the researcher who got so fed up being ignored that they hacked Apple's own internal daily security call.. They'd reported a zero-click iMessage vulnerability.. Apple stonewalled them.. So they found another flaw.. Used it to infiltrate the internal FaceTime call where Apple engineers discuss bugs.. And dropped a screenshot proving the exploit live.. The team securing 2.35 billion devices couldn't secure their own meeting.. Apple's response.. A threatening legal letter.. Not a bounty.. A legal threat.. This is why the exploit black market thrives.. A zero-click iPhone exploit sells for $1.5 to $2.5 million on the gray market.. Guaranteed payment.. No bureaucracy.. No "duplicate" risk.. Submitting to Apple means NDAs.. 6-12 months of waiting.. Risk of $0.. Risk of your Apple ID being banned if you speak up.. Those gray market exploits end up with mercenary spyware vendors like NSO Group.. Deployed against journalists and human rights lawyers worldwide.. Apple pushes researchers toward the black market.. Then spends billions defending against the exploits those researchers could have sold them for a fraction of the price.. 2.35 billion devices.. And the company would rather send lawyers than pay what they owe.
Fun fact. Apple did this to me in 2019 over a Messages 0-click bug. So I did some magic and got myself added to their daily bug bounty standup call, which was just a FaceTime group call. I submitted another vuln with a screenshot of their call and got a threatening letter.
I built an entire Windows security platform on the basis that Microsoft Windows is not secure.
Student Of Things retweeted
And this is why we need people like Nightmare-Eclipse. It is fundamental that we take control of responsible disclosure out of companies' hands. They shouldn't be the ones who decide everything. This is not responsible disclosure; this is fundamentally damaging the overall security of a product.
My last submission to MSRC was for a Device Guard bypass. I learned my lesson from prior drawn-out submissions, so I included a 90 day window this time. MSRC responded saying that it met their bar and they would fix it, but asked me to withhold disclosure well past 90 days because they needed a few extra months to fix it. I agreed on the condition that they issue a CVE, to which they agreed. After the agreed-upon Patch Tuesday a few months later, I couldn’t find any mention in the CVE list, so I reached out to MSRC to inquire. It turns out they changed their minds, deciding it did not meet their bar for servicing, yet they patched it anyway. Since it didn’t meet the bar, they didn’t issue a CVE. MSRC strung me along for a few extra months to keep me quiet, then broke their word. They could have at least bought me dinner first. The interaction left such a bad taste in my mouth that I don’t really feel like interacting with them again. That’s why I didn’t publish any exploits/tools last year. #MeTooMSRC
Student Of Things retweeted
The free phone software that wiped itself during a French police raid, got branded a drug-trafficking weapon by prosecutors, and was threatened with arrests and server seizures just landed a deal with a major phone manufacturer. GrapheneOS is the most hardened phone operating system in the world. Android with Google cut out of it by the root, built since 2014 by a nonprofit and a handful of contributors, funded by donations, given away for free. No Google account. No tracking services. A phone that slams itself back into a locked, encrypted state the moment it sits untouched. A duress PIN that burns the whole device the instant someone forces you to open it. In November, French police seized a suspect's Google Pixel and could not crack it. It wiped itself mid-search, exactly as built to, and the evidence died sealed. So the state did what the state always does when it loses. Prosecutors threatened the developers with prison and seized servers unless they cut a hole in it. The project refused to break the locks of millions and tore every server out of the country in a week, ran them to Canada and Germany, and kept shipping without missing a day. Then it gained ground. For its entire life GrapheneOS ran on Google's Pixels and nothing else, and the cartel's whole sneer rested on that, impressive but caged on a single phone, a toy for paranoids. This year Motorola killed the sneer, signing a long-term deal to build GrapheneOS protections into its own hardware and drag the phone out of the forums and onto the shelf. They never come for your privacy by admitting it guards you too well. They come for it wearing the face of the worst man they can find, because a public that will hand over a stranger's phone will hand over its own next. Every phone you have ever owned was sold to you twice. Once at the counter, for money. Then every day after, as a quiet feed of where you went, what you read, and who you spoke to. 
The second sale is why the supercomputer in your pocket costs less than a mattress. GrapheneOS kills the second sale cold. That is what France was really guarding in that courtroom. The second sale, on every phone, forever. The fence around what a man is allowed to keep private has always been guarded by men who wanted a copy of his key.
Student Of Things retweeted
South Carolina just passed a law requiring platforms to estimate your age every 100 hours of use, or any time they run their algorithms on you. 80% confidence minimum, $10k fine per wrong guess. The incentive is to collect more data about everyone, including kids. reclaimthenet.org/south-caro…
Hermes is 5x better than Openclaw. The responsiveness and general ability to interrupt thinking is huge.
Student Of Things retweeted
The movement kicked off with the purchase of Massie’s seat by Israel isn’t about the 55,000 boomers who got fooled into voting for paper puppet Gallerien. It’s about the MILLIONS across all of the US who see more clearly the problems with foreign influence and the deep state.
Student Of Things retweeted
‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub — Gizmodo apple.news/ADGjeAu4QSLKDE8zF…
Student Of Things retweeted
Here's the PoC for Nginx CVE-2026-42945 which works against vanilla Ubuntu (and any other distro?) Nginx with ASLR enabled. I have included all iterations of the PoC the LLM was kicked to improve. TL;DR: We can use an LFI/file-read primitive to leak enough details from /proc/<nginx-worker>/mem to bypass ASLR and achieve reliable RCE, in most cases at first shot. There are still other ways to make it work, with even less subtle primitives. If you ask Geppetto nicely, he will help you ;) github.com/Hamid-K/nginx-rif…
Student Of Things retweeted
Holy shit! There’s like nobody at Pete Hegseth’s event for Ed Gallrein here in Kentucky. Lmaoooo
As we wait for Pete Hegseth to show up in Kentucky to campaign for Ed Gallrein, Fortunate Son by Creedence Clearwater Revival is playing in this hotel ballroom
Student Of Things retweeted
One of John McAfee's last messages to the world: "Some of you may be living an existence of dissatisfaction... of emptiness... of longing." "This sense of longing... is really your loss of freedom. And it is freedom for which you yearn." "And you have none in this government. A government... which started out with the people being free and the government being our servants. It has become the government is free... and it's the people that are the servants." "You have woken up to your reality. That is what you are feeling." "Wake up a bit more and do something about it."
Student Of Things retweeted
I will say it has been wild seeing the defensive community panic about ai when it's really the offensive community that should be lighting their hair on fire...
May 15
RIP for all 6 entries. The last-minute patch turned out quite solid. So I decided to give my exploit a proper goodbye. Enjoy! github.com/kiddo-pwn/ffffire…