Stefano Di Paola

New Blog post and tool on testing the security of Modbus services! blog.mindedsecurity.com/2024/03/testin… github.com/mindedsecurity…

this guy has 29 models on huggingface at page 2 ranking. no lab behind him. no sponsorship. $2,000 from his own pocket on GPU rentals. he compressed GLM-4.7 to run on a MacBook and quantized Nemotron Super the week it dropped. all public. all free. nvidia is a trillion dollar company with hundreds of teams but they are not the ones quantizing models middle of the night and pushing them out before sunrise. if nvidia stopped tomorrow their employees stop working. people like @0xSero would not. that is the difference between a paycheck and a mission. @NVIDIAAI you talk about making AI accessible. the people actually doing it are right here. 29 models deep burning their own compute with no ask except more hardware to keep going. you do not need to build another program. just look at who is already building for you. one GPU to this man would produce more public value than a hundred internal sprints. i am not asking for charity. i am asking you to invest in someone who already proved it.

Send help. plz

A friend had Claude spend all night trying to hack into an e-ink display, and gave Claude camera access so it could verify whether an attempt worked. He told Claude to show him a message if it won. My friend woke up to this victory lap, which Claude didn't realize was backwards

Now available: The @trailofbits Curated Skills Marketplace. We're reviewing, cleaning, and improving 3rd party skills into a trusted marketplace. github.com/trailofbits/sk…

BREAKING: US Olympian Chloe Kim, who has immigrant parents, speaks out: “In moments like these it’s really important for us to unite. We are allowed to voice our opinions on what’s going on. I think we need to lead with love and compassion.” I’m so happy that so many Olympians are not hesitant to speak out for what they believe in even when they know the president could try to bully them.

People: "Let me give this AI agent access to my files, browser, terminal, and credentials, then install community skills from a registry with zero vetting." Attackers: "Thank you." The top @openclaw skill was an infostealer. Shocking absolutely nobody. 1password.com/blog/from-magi…

Diagrams are becoming my primary way of reasoning about code with Agents. And I didn't find anything there that I'm happy to look at all day long. Mermaid as a format is amazing - so we built something beautiful on top of it. It's called Beautiful Mermaid agents.craft.do/mermaid

Beautiful, well deserved!

Skynet Starter Kit: From Embodied AI Jailbreak to Remote Takeover of Humanoid Robots by @DarkNavyOrg #t=26" target="_blank" rel="nofollow noopener">media.ccc.de/v/39c3-skynet-…

"With the permission of Adobe, the Computer History Museum is pleased to make available the source code to the 1990 version 1.0.1 of Photoshop. All the code is available with the exception of the MacApp applications library that was licensed from Apple." computerhistory.org/blog/adobe-pho…

Cyber security these days..🙄

Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell. I don't have a bug bounty program. I never asked for a security assessment. I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty." Bounty? I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes." They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup) They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes. My customers' data was on that server. I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me." Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout. They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI. Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing." A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization. Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground. I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first" I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account. There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor. But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.

Stealth died 😢 A member of Team-Teso, Phrack staff, and many other groups. A true hacker—perhaps as true as a hacker can ever be. WE MISS YOU. 🩷 More: thc.org/404 <stealth> we had joy we had fun we had a rootshell on a sun.

Let me introduce you to my most novel and oldest technique to verify if sites behind CDN are hosted in Inside Iran or not. Works most of the time. I call it the BOOBS CHECK. curl -i https://domain/boobs.jpg If your response is a 403 with 10.10.34.x IP in body, you're landing inside IR. Result of basic censorship filtering applied on traffic.

@lukOlejnik Afaik, critical controls require an odd number of processors to perform majority cross-checking. I find it strange that there were only two. Are you aware of any justifiable reason to be just 2? Am I missing smt?

Airbus is rolling out a critical software update. Around 6,000 A320 aircraft have been grounded. The reason: solar radiation can cause failures in the onboard computer. Recently, an A320 experienced an uncontrolled down “pull” while the autopilot was engaged. The cause turned out to be a problematic software update that led to a failure in the flight control computer (ELAC). In the worst-case scenario, this could push the aircraft beyond its structural limits. The ELAC system is designed with redundancy. Two onboard computers cross-check each other to avoid errors. When one provides incorrect data, the other should detect it and take over. In software version L104, this logic was faulty, it failed to detect corrupted data caused by cosmic radiation. When radiation “flipped” bits in memory (e.g. from 0 to 1 or from 1 to 0, which does happen), the system did not recognize the error and executed an incorrect command. The solution is to revert to an older software version

Lynx started at the University of Kansas in 1992 and it's the oldest web browser still being maintained.

@s4tan Congrats Antonio! 👏👏

my first PhD paper :) this work is the result of a great collaboration between University of Milan and EURECOM

🧞Your wish has been granted - the latest @pagedout_zine edition is out! In it, our @tell1c0 takes a quick look at #vibecoding, walking through the creation of an AI agent🤖. Check it out today! #doyensec #appsec #ai #Security pagedout.institute