Evan Sultanik

After 6 months and over 5k new lines of 6502 assembly, the Kaizo-style platforming section of the NES game in my résumé is finally done! Yes, among other things, the PDF of my résumé is also an NES ROM. You can download it here for your emulating pleasure: sultanik.com/files/ESultani…

@JSyversen @aarondotrb I'm a proponent of AI development, but I think the analogy with compilers is flawed: blog.trailofbits.com/2025/12/19/can…

It's funny to me how many people are worrying or flat out pushing back against AI development. I had a conversation with @aarondotrb about this today where I compared LLM development to compilers (which emerged in an era when people wrote code in assembly). He agreed and said he researched to see if there was similar hand wringing back then and sure enough, there was. Nothing new under the sun. None of the strongest developers I know are hand writing code any more. But plenty of people are "worrying" or flat out fighting back and saying manual is better. It isn't, for 90%+ of cases, any more than hand writing assembly is better (outside of some cool shellcode examples, training, or cramming into an NES ROM!)

@me_jango Confirmed!

@ESultanik hey, cross referencing I’m talking to the right person in other channels.

@robertgraham I chose to leave the terminal, go upstairs to departures, and do security at a normal checkpoint. There was no wait. My connecting flight was sold out but took off 70% full.

@robertgraham I transited at MIA this morning. The TSA checkpoint they feed all of the international arrivals through for domestic connections had a 1+ hour wait. The people doing crowd control (who looked like contractors) insisted the wait was just as long everywhere.

Just went through Atlanta airport security. No lines. These ICE agents have replaced TSA agents. Remember: the press goes to the airport at peak times and point their cameras at the longest lines. This gives you a distorted view of what's really going on.

Memory Analysis for #Linux has always been a bit hit-or-miss. @trailofbits has released a tool called #mquire that doesn't require debug symbols for the originating Kernel. #MemoryForensics #IncidentResponse #DFIR #DigitalForensics

@DominicJPino New York already has the largest citywide heating system in the world: en.wikipedia.org/wiki/New_York_…

A hilariously bad metaphor, if you know how collectivist heating worked in the USSR. In Soviet Moscow, they had a centralized heating system for the whole city. Heat was centrally generated and then distributed through a network of pipes to houses and other buildings. The service was very, very cheap to the end users. Hooray! Workers of the world, unite! But people got what they paid for. A thermostat in your house would be too individualist, so they didn't exist. The level of heat was set collectively by government administrators. They had to base their decisions on weather forecasts because it would take about 12 hours for a temperature change to work its way through the system. So when the forecasts were wrong (which was often), the heat level was wrong too. On top of that, every building is different. So no matter what heat level the government chose, some people would be too cold and others would be too warm (except for the times when the heat ran out due to shortages, then everyone was cold). People in buildings that were too hot would open the windows, even in the middle of winter, wasting heat that could have been used by others. And because there were no price signals, they hardly faced any costs when they did so. The heating system didn't even have meters for individuals to measure their usage. Officials in post-Soviet Moscow estimated that the whole system used about as much natural gas per year as all of France. The collectively owned underground pipes that carried the heat suffered from the classic problem: If everyone owns them, then nobody does. The pipes fell into disrepair and would be replaced by above-ground temporary pipes (which could go anywhere since nobody owned the land either). And they would stay that way for years. That is, if you were one of the lucky ones who got temporary pipes in the first place. Others were just left out in the cold. So yeah, if I was trying to promote collectivism, I probably wouldn't use a heat metaphor in winter. There are a lot of people who lived in collectivist countries who would dispute its association with warmth.

@pitdesi In other words: If you live anywhere in the East besides DC or Northern NJ, you'd only ever fly United if you're going to a United hub or one of their codeshares' hubs, like Tokyo.

@pitdesi In 2024, CUN had ~8.5x more US travelers than TYO. The only East Coast airports with direct flights to CUN operated by UA are EWR and IAD, both of which also have direct flights to TYO. If you are traveling from a DL/AA hub like PHL/JFK/MIA/BOS/ATL to CUN, you'd never fly UA.

United airlines top international destinations by state & overall. I would have expected Tokyo to be lower than it is.

This made me mirken until I realized the "i" and "e" were swapped.

#BSidesBerlin Speaker Showcase @kiki_morozova explores Weaponizing Image Scaling Against Production AI Systems. @SecurityBSides #AI #Infosec

Solving the Traveling Salesman Problem for NYC's 474-station subway network, obviously! @ESultanik used Christofides algorithm to find a 20h 42min route through all 474 stations, which would beat the world record by 45 minutes. blog.trailofbits.com/2025/08/25/spe…

New post and tool! Attackers can break production AI systems by using image scaling to hide multi-modal prompt injections from users. 🧵for more info on what broke, how this works, and our new tool to try this out yourself

@fluffypony @VikParuchuri PS is a fully fledged programming language, which makes it even harder than PDF. You can have functions that programmatically render text; you’d have to emulate them. Fonts are often also either rasterized or vectorized, sometimes losing the original strings.

@VikParuchuri This might be a naive thought, this is not my wheelhouse, but is there any value in printing to postscript and extracting the text there?

Parsing PDFs has slowly driven me insane over the last year. Here are 8 weird edge cases to show you why PDF parsing isn't an easy problem. 🧵

@dvyukov @pr0cf51 @TeamAtlanta24 If you ignore unit tests and competition-specific deployment scripts, the code for Trail of Bits' CRS is 22 KLOC using sloccount.

@pr0cf51 @TeamAtlanta24 Thanks for sharing! This is awesome! Can you give estimation of lines of code that the team wrote? I've got ~41 KLOC Python for Trail of bits, 21 KLOC for Theori using sloccount utility. But for yours I have trouble with all third-party code pulled in.

Here’s the source code of our #AIxCC winning team @TeamAtlanta24, enjoy! github.com/Team-Atlanta/a… More things TBA

@dvyukov @theori_io @trailofbits FWIW, Trail of Bits spent the last month divorcing our system from the competition framework so you can run it on your laptop against real codebases. github.com/trailofbits/bu…

@ESultanik @theori_io @trailofbits This would be awesome! I am especially interested in engineering/productionalization aspects. To clarify: my interest is how industry should approach [re]using the results.

With #AIxCC results in, thinking how much it's "this is the best approach to the problem" vs "this is all just hard work, development, engineering, tuning, etc"?... 1st: 392.76 score, 42 ppl team 2nd: 291.35, 10 3rd: 210.68, 8 4th: 153.70, 8 Also: 2nd: 41KLOC Python 3rd: 21KLOC

@dvyukov @theori_io @trailofbits @trailofbits will be analyzing the detailed results as they are released by DARPA over the coming weeks and posting a series of blog posts on our conclusions.

@dvyukov @theori_io @trailofbits The scores roughly correlated with teams’ computation costs. Team Atlanta stated that they used their people power to develop three different systems, ran them in parallel, and then effectively merged the results.

A wild Buttercup appears! Our @DARPA AI Cyber Challenge CRS is in the @BSidesLV Silent Auction. Bid on this encrypted limited edition!

@0xbool @trailofbits Thanks for the kind words! A quick clarification for anyone curious about the implementation: Deptective actually uses syscall tracing (not installation logs) to discover dependencies, and it was built without any LLMs. 100% deterministic. Immaculate implementation, not vibes 😂

Nice use of installation log and llms @trailofbits

Our new whitepaper covers secure-by-design steps that CEXes can take to keep users' accounts (and funds) safe from account takeover (ATO) in 2025. (Read more 👇)