
Posts by sshell

checking in to let everyone know that i am still using a computer

1 month ago 6 0 1 0
ALT: a group of cartoon characters are dancing together in a park.

The Sixth Annual Binary Golf Grand Prix #BGGP6 will start Friday 10/17!!!

@binary.golf Fall/Winter 2025

6 months ago 17 11 1 0
QR Codes You Shouldn't Scan
Number 3 may surprise you! I’m kidding of course, blatant web-based phishing attacks are boring. This blog isn’t about those. Most of these examples will probably surprise you in some way. This blog i...

Every year there’s some discourse around how safe/unsafe it is to scan QR codes at BlackHat and DefCon.
Last year, I set out to enumerate the scope, and did!
And then promptly forgot for a year.

QR codes you shouldn’t have scanned last year; this year.

remyhax.xyz/posts/no-sca...

8 months ago 24 8 0 1

i am very excited to see all of my friends in las vegas, nevada

8 months ago 4 0 0 0

hahaha, never thought about it but post should have come with a warning for anyone with service indicator-related ptsd.

also, being at nationals back-to-back years is impressive!

8 months ago 2 0 0 0
Red Teaming at National CCDC 2025
There's nothing quite like the feeling of playing Doom on someone's hypervisor and watching as they frantically try to figure out how to eject you from the system.

New blog post about all the fun I had red teaming at @NationalCCDC this year!

Covers some of the fun we had this year specifically relating to the web side of things, as well as some tips and resources for competitors & those interested in participating

www.sshell.co/red-teaming-...

8 months ago 4 1 1 0

As of this morning I am unemployed. I am looking for work! I have a range of experience that can be valuable to the right team. A short list of relevant skills that I'd call out: reverse engineering & vuln research, DFIR, project management, infrastructure architecting, system administration.

9 months ago 61 30 2 5
screenshot of an app saving a bookmark, but being stuck at 50%


what do you mean “stuck at 50% done saving a bookmark?”

you completed one half of one api call?
i hate it here.

10 months ago 4 0 2 0
Flyer for the Phrack 40th anniversary edition CFP. It contains the text of the CFP at phrack.org, with additional text "CFP EXTEND!! Papers due June 15 2025" and "Phrack Since 1985"


We heard you needed some more time, so we wanted to let you cook.

We decided to push the Phrack 72 CFP deadline back until June 15th.

Stay tuned for upcoming Phrack events.

Print this flyer out and give it to someone IRL!!

1 year ago 111 52 1 4

Report government waste to DOGE:

- Every Electron app wastes hundreds of MB of disk space (and RAM) by bundling its own Chrome browser. Make native UI great again!

- Every Go binary is too large. What are they hiding in there?

- Windows installs 500+ language packs. In the US we only use en-US!

1 year ago 2 0 0 0

i wish there was a very serious medical drama where everything was normal EXCEPT every patient was played by the same actor, and it was never brought up or addressed in any way.

1 year ago 3 0 0 0

Got an MRI recently and @sshell.co immediately turned it into a banger

1 year ago 52 5 0 0

i tried openai operator and got jumpscared because i forgot how terrible it was to rawdog the internet without an ad-blocker.

1 year ago 4 0 0 0

Many YouTube videos lately are clickbait and stretch out a Wikipedia page into 30 minutes. Many videos are just questions with simple answers.

So I built tldw.tube: put in the URL and save your time!

(No hate on Veritasium, it just happened to work well for the screenshot)

1 year ago 60 18 9 1

i am attendee at the local shmoo conference today. i can’t wait to talk about the latest developments in shmoo technology.

1 year ago 4 0 2 0

Yup, same result set across all tests! A lot of it was deduplicating requests, removing feature bloat, smart tuning based on internet speeds, and being much more efficient with memory.

1 year ago 3 0 1 0

Note: this is as much an indictment of default settings on tools as it is of feature bloat. Even painstaking optimization of the original tool didn't approach these numbers.

1 year ago 0 0 1 0
run times starting at 12 seconds, decreasing down to 2.2 seconds over 5 runs


Took an existing open-source tool that took 105 seconds to run on default settings out of the box.

Had Cursor rewrite it in a more performant language with only functionality I needed, and tuned for performance on my specific setup. Kept prompting it to further optimize and...

1 year ago 4 0 1 0
screenshot of the CFP on phrack.org


We updated our CFP for Phrack 72! The deadline is now April 1st 2025. Check the site for specifics on how to contribute, as well as some inspiration! We also posted a link to purchase physical copies of Phrack 71, and a donation link too. Enjoy!

phrack.org

1 year ago 116 58 4 4
ALT: a man talking on a phone with the words put that cookie down on the bottom

the best part about december is watching “jingle all the way” at least 7 times

1 year ago 1 0 0 0

Yo, new big thing: Shift.
AI seamlessly integrated into your HTTP proxy.

Use cases:
"Take this JS and build the JSON request body"
"Fill in these IDs from my notes - UserA"
"Create a match and replace rule to turn on this feature flag"
"Generate a wordlist with all HTTP Verbs"

1 year ago 11 5 1 1

Me reverse engineering: Haha fuck yeah!!! Yes!!

Me engineering: Well this fucking sucks. What the fuck.

1 year ago 479 97 4 4

truly believe pompeii/herculaneum graffiti should be required reading in school to really emphasize this point

1 year ago 0 0 0 0
Tool Use | Scale Leaderboards
Explore ToolComp, Scale AI's SEAL leaderboard evaluating large language model agents on their ability to plan, reason, and orchestrate complex, dependent tool calls. Discover the latest results and in...

yeah, even the best models in general are pretty fragile with wording when it comes to tool use.

scale.com/leaderboard/...

1 year ago 0 0 1 0

who are some of your favorite hackers and companies working with AI for offensive security right now?

1 year ago 1 0 2 0

many such cases

1 year ago 1 0 0 0

any agent framework can by just writing a function (or series of functions) for it to use as a tool.
it's really easy to do with a private custom GPT if the API is on the open internet too

1 year ago 0 0 1 0

i’ve been playing around with common crawl URLs and the Internet Archive URLTeam project. definitely need to find a good way to categorize URLs as trash or useful at scale, LOTS and lots of noise

tracker.archiveteam.org:1338/status

1 year ago 2 0 1 0

I've released 'brainstorm': an alternative way to do web fuzzing combining my fav fuzzing tool 'ffuf' (from @joohoi.bsky.social) with local LLMs (via Ollama API) to generate smarter filename tests. It usually finds more endpoints with fewer requests. Added IIS shortname support @irsdl.bsky.social

1 year ago 39 9 5 0