I’m reminded of the disconnect between typical vuln scan/pentest XSS findings and real-world exploitation by this write-up of Russian exploitation of webmail apps ctrlaltintel.com/threat researc…
How do you demonstrate XSS impact beyond the classic alert dialog or cookie stealer?
Posts by Dominic White
Periodic reminder - there’s no easy way to clear tracking cookies and other cruft from iOS apps. But you can do it across all of them with one easy shortcut! It won’t log you out of the app just get rid of the cruft from the in-app browser.
prefs:root=SAFARI&path=CLEAR_HISTORY_AND_DATA
Two conclusions from this - it's an incremental improvement, not a sea change. And $1k per attack won't easily scale. We're probably not about to experience "THE VULNPOCALYPSE" but continued incremental improvements in vulnerability hunting.
UK gov’s review of Mythos shows it completing challenge of approx 20hrs human expert time & 32 steps 3/10 times using 100M tokens. www.aisi.gov.uk/blog/our-evalu…
Opus 4.6 did 28/32 steps max & 100M tokens is approx $900. More for Mythos when/if released.
BloodHound isn’t just AD anymore. With OpenGraph, it extends into GitHub, Jamf, and more.
But most training hasn’t caught up.
If you maintain coursework, @mrmurky.bsky.social shares what you should update: ghst.ly/4dzYnFL
Orgs aiming to implement a Mythos-ready security program when they have a flat network with default creds everywhere and ransomware actors casually logged in.
🧵 Thread of European leaders reacting to Péter Magyar's victory and Viktor Orbán's defeat.
Ursula von der Leyen: "Hungary has chosen Europe. Europe has always chosen Hungary. A country reclaims its European path. The Union grows stronger."
Companies should be required by law to completely open devices when they end support for them
www.theguardian.com/technology/2...
This thread is :chefs kiss:
Can attest, they’re super nice about it if you ask.
Yeah Project Glasswing seems cool and all but when you're screaming from the rooftops about "OUR AI IS SO POWERFUL WE CANT RELEASE IT BECAUSE THE RISKS ARE TOO GREAT" then what you're really doing is product marketing.
EDITED* to change the word “truth” in the last sentence to “realistic outcome” to sound less conspiratorial. I don’t believe Anthropic is lying about its capability, but cost is usually the inhibitor.
*BlueSky needs an edit button.
100% this. I also don't think they can afford to release it to subscribers on Max plans without tiny limits which would upset the user base. They also want to avoid distillation by the Chinese AI labs.
What if Mythos is being overhyped so that Anthropic can develop a higher margin enterprise model instead of the high volume low margin one they’ve pursued until now? This is not to say we can disregard the claim - but let’s wait and see where the truth lies.
There is no easy 'just do' in response to the surfacing of latent vulnerability in technology.
Vendors must make the investment to address, test and then release.
Customers then need to patch.
There is no magic - just a sequence of events which now need to take place.
FBI IC3 report is out for 2025. Reports from ZA went up by 42% (1075-1532). Small compared to the 1m they received in total. Reported losses since 2022 have doubled from $10 to $20 billion. $1.6b of that is from outside the US (complaints from over 200 countries)
www.ic3.gov/AnnualReport/R…
Monthly reminder: Many people have a book in them, but it takes a special kind of freak to leave the Land of Laziness, cross the Plains of Procrastination and Insecurity Mountain, find the Blade of No One Made You Do This, and use it to cut your chest open and yank that book out.
If you’d like to play some more github.com/singe/seldon will also let you speak to it and play with its tool calling ability. By default it ships with web search and a calculator.
I watched LLMs write full exploit chains years ago. The amazement fades once you hit context limits and have to steer the model through every hard corner. The industry is full of people who just got here and are still in the amazement phase. That's the gap worth watching.
Walking diagonally between two points is faster than walking in straight lines and right angles.
Florence Welch and Adele are my go tos for that. Not quite as big and operatic but KT Tunstall and Tracy Chapman. Regina Spektor may be a wild card too?
Totally worth reading.
No really, I am not kidding when I say that the data broker industry must be destroyed: www.npr.org/2026/03/25/n...
Thanks James!
Haha!
I’ve been fighting a losing battle in my home and the time has come to admit defeat. We’ll be getting a dog. Most likely an Alsatian - I know nothing about dog ownership. Internet - I’m looking for all the advice you care to give!
This whole concept in LOTR is one of my favourite parts of the whole book. “Evil fucks up because evil people fundamentally cannot imagine that others are not motivated by the same things as them” is another theme that feels relevant right now
LinkedIn is how I keep track of you too! I’ll have occasion to be in London more often this year - hopefully an in person meetup with Lord Jen.
@infosecjen.bsky.social Jen! 👀
Security for AI is creating an expertise paradox - blog.451alliance.com/security-for...