Quentin Kaiser

Upstream's covering up of security information they're aware of at time of commit is directly related to why your distros have no fixes for the copy.fail vuln. Completely irresponsible.

If you’re looking for an offensivecon ticket, DM within the next 48 hours.

@moyix it’s a thin line, but usually conditional checks on country are good “code smell”. Netgear had this 3rd party “gaming speed improvement service” only enabled in China. onekey.com/resource/secur…

@qkaiser It's amazing you can go so far into compliance that you loop back around into looking like malware

Can anyone think of a non-sketchy reason my wifi router would accept an unauthed UDP packet on port 20002 with a port-knock mechanism and add a firewall rule allowing Dropbear ssh on TCP 20001 — but ONLY if the country is set to Singapore?

And thanks to our intern we also support UFS so you can find bugs in those shiny firewall firmware running FreeBSD 😁

We also have an F2FS extractor that we did not communicate about. Started seeing Android firmware with F2FS around June 2025. This format is *cursed*, almost lost it working on it.

Back in Sept ’25, I projected format support requests would decrease based on trend. Then automotive showed up and boy was I wrong. Anyway, we can handle QNX SAFEFS, QNX IFS embedded in ELF, QNX deflate, UCL compression, and some more obscure format with unblob now.

"Overall I think we're going to see a much higher quality of software, ironically around the same level than before 2000 when the net became usable by everyone to download fixes." yes yes MEG RYAN YES lwn.net/Articles/10656…

' Tearing Down eCos RTOS Embedded System ' ' juhye0p.kr/2026/03/30/Tea… '

@juhye0p @kiddo_pwn Cool stuff ! I’ll share it on ecos.wtf :) if you’re doing bootloader/firmware reversing this may be of interest: github.com/ecos-wtf (mostly Broadcom so your mileage may vary on Realtek targets)

And if you rely on renovate to manage your dependencies, use miminumReleaseAge docs.renovatebot.com/key-concepts/m…

Release is already on PyPi and at github.com/onekey-sec/unb… Nixpkg update is on the way too.

unblob v26.3.24 is out ! Added support for more formats, improved extraction logic, speed/memory optimisations, and tightened up the release pipeline. Detailed blog post about this release below 👇

lock your dependencies

Corelan is back ✌️

@watchtowrcyber @SinSinology tragic

speak next week friends

We got our first AI slop report ^^ github.com/onekey-sec/unb…

Spent the evening digging through the code. The engineering behind this is 🤌 deeply complex, yet full of elegant, high-leverage tricks to keep it fast. If you work on similar problems, there’s a lot here to learn from.

I want to share a quick thought for people in cyber security. This will be my longest tweet ever. I’ve spoken to many lately who are having an existential crisis from the constant posts about “the end of cybersecurity jobs.” Yes, things are changing quickly. This is a significant moment for the tech industry. Change can be uncomfortable. But we’ve seen cycles like this before. • When GitHub and open source took off, people said software engineers would disappear because code was free. • When AWS and cloud computing emerged, people said infrastructure jobs would vanish. • When fuzzing and SAST tools improved, people said vulnerability research would disappear. • Virtualization would eliminate infrastructure jobs. • Mobile computing was going to end desktop dev. • Exploit mitigations would end exploitability. It didn't. Each time automation improved, the amount of software grew faster than the automation. It does feel "different" this time as it's explosive. Some roles will shrink: • repetitive pentesting • basic vulnerability scanning • tier-1 SOC monitoring But other areas are expanding rapidly: • AI system security • supply chain security • identity architecture • autonomous agent security • critical infrastructure protection Historically, every time we eliminate one class of bugs, new classes emerge. Right now people are vibe-coding entire systems, giving AI access to their machines, crossing trust boundaries, and deploying autonomous agents with excessive permissions. The legal and regulatory world is nowhere close to ready. There will absolutely be new failure modes. Humans are amazing and always adapt, finding new ways to do things. The worst thing you can do right now is fall into a doom loop. ...and I’ll be honest, I too have felt the "psychological paralysis" a few times thinking, “Is this time different?” It's especially impactful when it comes from someone I respect in the community. There are certainly unknowns, in an industry where we've become accustomed to predictability. But... the majority of those reactions are usually driven by social media, not reality. Platforms like X reward engagement, and sensational doom posts spread faster than measured thinking. If you see something like: “Holy #$%^! Opus 66.6 just found every bug in Chrome and replaced 50 startups!” …mute it and move on. Instead: Stay curious. Learn the new technology. Adapt your skillsets. Build things. We’ll get through this transition the same way we always have. If I'm wrong then Sam Altman better be right about UBI! :) I'm sure that if this tweet gets any engagement that I'll get some heat for it, but a good friend of mine reminds me often to focus on what you have control over. I'll revisit this tweet at DEF CON 40!