Two conclusions from this - it's an incremental improvement, not a sea change. And $1k per attack won't easily scale. We are probably not about to experience "THE VULNPOCALYPSE" but continued incremental improvements in vulnerability hunting.
Posts by Nicolò Fornari
This morning we got one of our pending #curl security flaws reported a **4th** time.
Everyone is using (the same) AI tools now.
What if Mythos is being overhyped so that Anthropic can develop a higher margin enterprise model instead of the high volume low margin one they’ve pursued until now? This is not to say we can disregard the claim - but let’s wait and see where the truth lies.
Totally worth reading.
LOL
🇨🇭 In Ticino, the open Swiss model Apertus powers in-house AI translation for the Cantonal Administration — boosting multilingual services with local, transparent control. A great example of sovereign AI in action bit.ly/4rzU0Og @epfl-ai-center.bsky.social @eth-ai-center.bsky.social
EntraFalcon update 🚀 The new Security Findings Report turns Entra ID enumeration into actionable findings with 60+ checks and colorful charts. Read Chrigi's @zh54321.bsky.social blog and try the tool now on your tenant!
blog.compass-security.com/2026/03/from...
#EntraID #CloudSecurity #EntraFalcon
The sheer strategic stupidity of bailing Russia out of its economic hole by launching a war that entirely foreseeably spikes the oil price - and then having no minesweepers in place to deal with the foreseeable fallout. Rank incompetence.
This is a very good approach.
(And I say approach, rather than outcome, because the headline goes a bit far. But still: well done Ukraine!!)
#drone
www.nytimes.com/2026/03/11/w...
PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:
Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item […]
Paged Out zine #8
pagedout.institute
You can grab the latest copy of our quarterly security research roundup at thinkst.com/ts ¹
For this issue, we selected work from over 1,370 talks & 1,200 blog posts.
Available as PDF, ePUB (or audio highlights)
__
¹ As always, completely free
What is happening in the United States is horrible. Half of the Americans are on the right side, and it is the side that can restore and make the country sane again. Act now (without getting killed), do what you can to fix this mess. Get back your country.
We have exciting news to share. Compass folks made the Alpine car infotainment system run arbitrary code and earned 10'000 USD. 🎉🎉🎉
Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
[RSS] wtf is NS_ERROR_INVALID_CONTENT_ENCODING? investigating shared dictionaries and ChatGPT breakage in Firefox
joshua.hu
Joint statement by 4 former officials in Democratic and Republican Administrations—including four NATO Ambassadors, 3 Assistant Secretaries of State for Europe, and 3 NSC Senior Directors.
Excellent opening in particular.
If Seatbelt Guidance Worked Like Cybersecurity Guidance
scribe.rip
Bloomberg's X account has more than 800k followers. Their most recent post was shared five times.
It would basically come at close to zero cost for outlets like Bloomberg to delete their X accounts, and "We don't want to use a non-consensual deepfake abuse app as a comms platform" is a fine excuse
I hope the Danes and the other European forces are training in guerrilla warfare as that always works against the USA, especially on hostile territory (cf. Greenland).
So, what did we achieve for 🇪🇺's cloud situation in 2025? It is now crystal clear our governments can't continue to run on 🇺🇸 clouds. Yet even now, neither buyers nor sellers of cloud tech in 🇪🇺 sense the urgency. Below I elaborate & discuss an unorthodox way out of this mess: berthub.eu/articles/pos...
In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.
Watch here: youtu.be/L5Tin7m5sbE?...
#security #fuzzing #AFLplusplus #appsec
Super interesting and highly recommended.
There's so much to unpack that I bookmarked it for a second read.
NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.
blog.compass-security.com/2025/11/ntlm...
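The post above states that NTLM relay works against HTTPS when channel binding is missing. The following is an added example, not code from the post or from the Compass Security blog, that models why: the client hashes the TLS certificate it actually connected to into a channel binding token (tls-server-end-point from RFC 5929, wrapped in a gss_channel_bindings_struct and MD5-hashed into the MsvAvChannelBindings AV_PAIR, as NTLMv2 does), and the real server compares that token against its own certificate under the three Extended Protection modes (off, accept, require). The certificate bytes, the `simulate` helper and the dictionary standing in for the AV_PAIR list are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded X.509 certificates (not real certificates).
LEGIT_SERVER_CERT = b"constructed-der-bytes-for-the-legitimate-https-server"
RELAY_SERVER_CERT = b"constructed-der-bytes-for-the-relay-endpoint"

# AV_PAIR id carrying the channel binding hash in an NTLMv2 response (MsvAvChannelBindings).
MSV_AV_CHANNEL_BINDINGS = 0x000A


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server certificate using the hash
    function of its signature algorithm; MD5 and SHA-1 are upgraded to SHA-256."""
    if sig_hash in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """MsvAvChannelBindings value: MD5 over a gss_channel_bindings_struct whose only
    populated field is application_data = 'tls-server-end-point:' + cert hash."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    cb_struct = (
        struct.pack("<II", 0, 0)      # initiator_addrtype, initiator_address length (empty)
        + struct.pack("<II", 0, 0)    # acceptor_addrtype, acceptor_address length (empty)
        + struct.pack("<I", len(app_data)) + app_data
    )
    return hashlib.md5(cb_struct).digest()


def client_av_pairs(cert_seen_by_client: Optional[bytes]) -> Dict[int, bytes]:
    """Stand-in for the AV_PAIR list the client embeds in its NTLMv2 response.
    None means the client sends no channel binding (e.g. an older or misconfigured client).
    In real NTLMv2 these pairs are covered by the HMAC keyed with the user's secret, which
    is why a relay cannot swap in a token for the target server's certificate."""
    pairs: Dict[int, bytes] = {}
    if cert_seen_by_client is not None:
        pairs[MSV_AV_CHANNEL_BINDINGS] = channel_binding_token(cert_seen_by_client)
    return pairs


def server_accepts(av_pairs: Dict[int, bytes], server_cert_der: bytes, epa_mode: str) -> bool:
    """Decision of the HTTPS server for Extended Protection mode 'off', 'accept' or 'require'."""
    presented = av_pairs.get(MSV_AV_CHANNEL_BINDINGS)
    if epa_mode == "off":
        return True                                   # channel binding never checked
    if presented is None:
        return epa_mode == "accept"                   # 'accept' tolerates absent tokens
    expected = channel_binding_token(server_cert_der)
    return hmac.compare_digest(presented, expected)   # present tokens must match our cert


def simulate(cert_seen_by_client: Optional[bytes], server_cert_der: bytes, epa_mode: str) -> bool:
    """True when the target server accepts the authentication that reaches it."""
    return server_accepts(client_av_pairs(cert_seen_by_client), server_cert_der, epa_mode)


if __name__ == "__main__":
    # Direct connection: client saw the real certificate, token matches.
    print("direct, require:", simulate(LEGIT_SERVER_CERT, LEGIT_SERVER_CERT, "require"))
    # Relay: client saw the relay's certificate, server compares against its own, mismatch.
    print("relayed, require:", simulate(RELAY_SERVER_CERT, LEGIT_SERVER_CERT, "require"))
    # Relay against a server with Extended Protection off: nothing detects the mismatch.
    print("relayed, off:", simulate(RELAY_SERVER_CERT, LEGIT_SERVER_CERT, "off"))
    # Client that sends no token against 'accept' versus 'require'.
    print("no token, accept:", simulate(None, LEGIT_SERVER_CERT, "accept"))
    print("no token, require:", simulate(None, LEGIT_SERVER_CERT, "require"))
```

The mismatch case is the whole point of channel binding: the relayed client computed its token over the certificate of the endpoint it talked to, and the legitimate server only accepts a token computed over its own certificate. The `accept` mode shows the residual gap a defender should keep in mind: clients that send no token at all are still let through, so only `require` closes the relay path for every client.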
We still need to get from a situation where Russia pretends to negotiate to a situation where they need to negotiate.
Extract from my press remarks following today’s informal Foreign Affairs Council ↓