A conversation with claude code where the user asks "why world so scary" and Claude responds "Because attack surfaces are everywhere and people are creative. But you just made yours a tiny bit smaller, so that's something."
Daily CC activities
"I've seen all of those"
"Rough. You've burned through everything good. At that point I'd say either branch into adjacent stuff—Korean thrillers, European sci-fi—or go back to older films you might have missed. But that's not really what you asked for.
Enjoy whichever film you pick. Good night!"
People saying the LiteLLM breach is a problem with pip or AI or random other things lol. It is a problem with using ci/cd workflows with components you don't control who themselves are using dangerous options like pull_request_target. hackerbot-claw being the perpetrator is pretty crazy though.
OS-level age verification broooooo 😭
leginfo.legislature.ca.gov/faces/billTe...
Two sentence horror:
Hunter:
"Please find below a PoC video that shows all the steps required:
https://www.youtube.com"
Triage:
"Please immediately remove this video from youtube as that violates the code of conduct of H1. Any videos should be uploaded directly to the report as an attachment."
reading @hacker0x01.bsky.social reports makes you realise both that there are still plenty of bug bounties to be found even in the AI age, and that you are ultimately responsible for vetting everything within your control in requests because as successful as bounties have been there are still holes.
yay
AI coding agents love git add -A. They don't love your .env file staying private. New post on what actually happens when secrets end up in git and how to fix it properly.
roan.lol/content/2026...
Firefox completely silently removed support for animated gif fav icons and I had to convert it to svg and css, does the cruelty of this world ever relent
I was revising for some cyber certs recently and found free revision tests/quizzes a bit hard to come by, so I've been making an in-browser app. I also made an android-wrapper app so I can have something to do on the tube when there's no signal lol
github.com/cycloarcane/...
I love thinking about the dead ends
"An attacker in a multi-tenant cluster with permission to create/modify ingresses can inject content into the connection-proxy-header annotation and read arbitrary files from the ingress controller (including the service account)."
hackerone.com/reports/2701...
178 days remain until stores like F-droid no longer function on Android and the platform is locked down with verification for all developers. #android #digitalrights
keepandroidopen.org
AI-generated duplicate reports on HackerOne must be really annoying to deal with, clearly happening as recently as January. Also just responding 'copy' 💀 unless I'm missing something...
"Kali Linux ships an official package called mcp-kali-server that exposes the Kali toolset to AI clients over the Model Context Protocol. Combined with Claude Code, this means you can ask Claude to run nmap, nikto, or any other Kali tool..."
roan.lol/content/2026...
I use netlify protected by cloudflare lmao, extra fun
Claude code is highly capable so I think even if the mcp server presented limitations it would find a way around them
I guess being an anime anon doesn't work anymore.
"Large-scale online deanonymization with LLMs"
They show that large language models can be used to perform at-scale deanonymization. With full Internet access, our agent can re-identify Hacker News users and
Introducing VulnHive, a collection of vulnerable docker containers mapped to the OWASP top 10, with a SOC to observe incoming attacks. Perfect for testing automated hacking frameworks. github.com/cycloarcane/...
3/ end result: full -A scan across 65535 ports in one prompt. recon use case is obvious
2/ gotchas: VirtualBox NAT blocks the VM by default, SSH service is off out of the box, generate a dedicated key and lock it to only invoking mcp-server in authorized_keys
been messing with AI pentesting tools (strix, artemis, shannon) but mcp-kali-server might just be the meta. kali now ships it officially. apt install mcp-kali-server, forward a port, drop 1 SSH command in your claude config. Claude Code is the right client, the AUR desktop app is just a site wrapper
The rampant data sharing fueled by online tracking has serious consequences. Privacy Badger blocks online tracking to prevent your browsing data from being used against you. www.eff.org/deeplinks/2...
70% of the models on Ollama are now...cloud based? I get that they're open(ish) ones still but doesn't this mostly defeat the purpose of local models and availability.
Critical vulnerability in Nvidia Triton servers, immediate action required
www.wiz.io/blog/nvidia-...
check out my latest article on automated hacking agents and CAI!!
roan.lol/content/2025...
Teen Warned Not To Accept Group Chat Invites From National Security Advisors She Doesn’t Know
Got the @eff.org #Rayhunter tool working on the Verizon Orbic and now happily hunting stingrays around SF 🥰