Moritz Sanft

I‘m at @1ns0mn1h4ck today and tomorrow. Feel free to drop me a DM if anyone wants to meet :)

@thorstenball I curl -s a lot

It's always like: how much do you squat? Never: how much do you curl? "wow you have strong legs" buddy, my bis are up here

@mycoliza Yeah, could just be a {}

hey, it just says it was “impacted by objects”…it could be any kind of objects!

@cramforce Ah, thanks! I guess this mostly holds for cut-off JSON objects then. I think that /{"[a-zA-Z].*/ should pretty much always(?) map to "eyJ...". Some also map to "eyI", though, e.g. /{"\d+.*/

@stdoutput Don't think so. This is {". Of course, there are other possible beginnings for JSON

Nobody? Beginning of a JSON payload encoded as base64

This stunt feels irresponsible to me. If we don't want regular people developing toxic relationships with their chatbots it really doesn't help for leading labs to start giving them "retirement interviews" and encouraging them to blog their "musings and reflections"

@pilvar222 🥱http://č.㎺/

also whoops now everyone can see my cool 5 chars domain 👀

My team and I have been working on this for quite a while. I'm proud to announce it's finally released (and with a killer video!) 😁 Teams ship daily, but pentests are annual. It's time to fix this :)

@zeeg Generally, academic research on this part of applied AI / agents doesn't make a lot of sense imo, even when well-done. The current AI frontier is just moving way faster than the publishing cycles of traditional academia.

Alright internet lets be clear on two things: Auto generating skills does not mean worse performance for a harness. Nor does having AGENTS files. The papers don’t even support this. Never did I ever think mainstream internet would be reference half baked papers.

Video is live! youtube.com/watch?v=YQEq5s…

@kerckhove_ts @abdimoalim_ may i introduce you to isatty(3) sir

@abdimoalim_ Pls no spinners. ANSI clear codes are a nightmare for accessibility or piping logs

If you're gonna design a CLI tool, please add loading text/spinners for items queued for download. I don't want to stare at the screen for 15 mins only to get a crash report.

#Insomnihack speaker, @pspaul95, reveals how abandoned workflows and weak controls become entry points for attackers. Get to know more: ow.ly/yRKr50Y9XCz #Cybersecurity #INSO26 #InfoSec

This was very fun and instructive to exploit. We'll be trying to give a talk on it some time this year.

I think all of this would come at the expense of having an environment agents aren't very familiar with, with certain papercuts that might hurt them. Although I need to re-evaluate the newest models, my impressions on agents with Nix were very mixed so far.

Hey @mitsuhiko! In the Gondolin README, you write "In particular using nixOS is very appealing for agentic use" - what makes you think this? Letting the agent configure the VM image? Or just being able to have certain roolback capabilities?

@mitsuhiko Maybe the fuzzer should be TS in that case though. Perhaps it could integrate Node's coverage API that way. I know that chrome / v8 has one, but I'm not sure how it's exposed in Node.

@mitsuhiko Wow! Since you control much of the environment on Gondolin, you could maybe even implement coverage-guided fuzzing. Might be too hard for the clanker to get right without a detailed plan though.

I hope nobody claims that you don't need memory safety because clankers exist.

@steventseeley bash?

Wondering how many researchers have missed multiple pre-auth RCE due to arithmetic evaluation? I can confirm at least 3 researchers have, myself included.

@sirdarckcat @ky1ebot @bl4sty If you guys are interested to discuss this in a larger group, see x.com/stdoutput/stat…

@ky1ebot @stdoutput @bl4sty I wouldn't necessarily make it anti-AI, just fun even if AI is used

I'm kind of glad I (competitively) got out of the ctf scene quite a while ago; seeing pwnables get solved by ralph wiggum loops would've been massively demotivating back then :)

I've created a Discord server to discuss security research and CTFs in the context of AI and vice versa. I'll slowly try to reach out to people who I think might be interested. In the meantime, if you are, feel free to join: discord.gg/DrASfE58

@domenkozar Congrats!

Today is birthday 🎂 🎊 It's such an exciting time to be alive and create, I wish a good day to all builders 🔥