Ace Pace

The WhatsApp complaint vs NSO contains some fun technical exhibits. The user manual and Ghana contract reveal quite a bit on NSOs system design and thinking.

security research now has this weird incentive where finding the bug is only half the game. the other half is packaging the story as "claude/codex found it" because that’s where all the attention is right now. model providers, with their big accounts and distribution, will push the story for you. it looks win-win. weirdly, the human taste, target selection, hand holding, all get compressed into "the model found it". frontier model companies happily push that narrative, while the researcher slowly gets devalued.

The magical news you’ve all been waiting for: registration for the new BlueHat IL 2026 date is officially open! Spots are limited - go grab yours! Register here: aka.ms/BlueHatILRegis… Full Agenda: microsoftrnd.co.il/bluehatil/conf…

Inference isn't everything, but it does require a new stack -- not Kubernetes, not SLURM. At @modal, we dove deep to build that stack. In this blog post we explain how, from compute management & cloud-native cacheing to CRIU & GPU checkpointing. modal.com/blog/truly-ser…

Done something cool with AI? Great! Now, have some respect for your own work, and the people reading it, and don't have AI do the write-up. Good writing is a skill. Conveying complex technical ideas is hard. But AI is not good at it, and the write-ups it generates are dogshit.

@chompie1337 @NedWilliamson Depends on your opsec threshold!

@NedWilliamson “We estimate that SockPuppet has an inherent exploit success rate limit of around 92%, meaning that even the best possible exploit that selects which exploit strategy to use based on the viable reallocation types would fail about 8% of the time.” hey that’s still pretty good 🤣

apple.com/newsroom/2019/… youtu.be/My_13FXODdU?t=… security.apple.com/blog/what-if-w… One last thing! I'm getting married soon so I'll be too busy to keep up. The AI boom is intense, but no matter how great the tension, cooperation and repair is always possible. Let's keep moving forward.

I am genuinely impressed by The Walt Disney Company’s accomplishment of making me not care about Star Wars any more

The Unprompted.au CFP is officially OPEN! If you are doing cool stuff with AI in offense, defense, or working on core AI tech (from frontier models to open source LLMs), we'd love to hear from you! Submit here: unprompted.au

Things that have failed to bring the regime to negotiate in "good faith" (think tank slang for making concessions that aren't in its interests): - Sanctioning Iran's Central Bank - Kicking Iran off SWIFT - Sanctioning Iran's oil - Making Iran's currency collapse - Assassinating everyone from Khamenei to Soleimani to Larijani - Carpet bombing Tehran twice in 9 months - Hitting every enrichment site - Bombing the heart of Iran's industry - Wiping out most of Iran's conventional navy None of that worked. They haven't even agreed to the basic stuff like diluting the 60% enrichment stockpile which are the easier parts, let alone the trickier concessions. Oh no but you don't understand the geniuses at the Brookings Institution have it figured out. The blockade will do what all those failed in. Yea ok. The fruit flies infesting my home are more intelligent than these people ...

Poll check for an upcoming report I intend to publish In a controlled lab with modern EDR/XDR/whatever and a flat network, how far does an autonomous AI agent get starting from a basic SharePoint exploit?

@_arkon Did you come when he gave a keynote? :)

@ace__pace Always loved them

I'm not surprised that grsec wasn't impacted

@spendergrsec How so? I have guesses but I want to hear yours

@ace__pace Are still, but MODHARDEN should limit the impact in many common cases. Everyone involved handled this extremely poorly, it was most certainly not just a "you need fix X" issue, and the reporting company must know that, just like they should know...

I'm going to plant a flag here: 2026 is going to go down in computer security history as the year of a million CVEs. (Maybe literally, but definitely figuratively.) LLMs are producing lots of slop, but they're also finding a heck of a lot of real vulnerabilities.

@BarkolAmir מקלדת, משטח לשולחן, נעליים, ג'קט אמריקאי, משקפי שמש, מגבת חוף, סלסלת קניות שוק, מזוודה.

הייטקיסטים.ות, איזה סוואג מטופש אתם אוהבים לקבל מלבד גרביים? הרהיבו אותי ברעיונות מטומטמים.

@lorgandon Never mind. The post also does the cardinal sin of asking the AI to explain its own decision, which is a recipe for making shit up

@lorgandon I don't understand what's new or surprising here. Most PaaS vendors such (Sturgons laws) and this entire post was written by an AI as rage bait where the author self-proclaims they were doing nothing according to best practice.

A mandatory read for anyone building with AI today

@daveaitel Yep using it. CSV export that suffers from inserting unescaped \n and breaks most parsers.

@ace__pace We're working on it. Stay posted. In the meantime, don't forget there's a comma separated value file download button.

Anyone know if Codex security has an API I can pull findings from?

@ryanaraine @craiu Again thank you for providing high-quality transcripts for free. This is really not trivial even with today's technology

@ace__pace @craiu Transcript is here docs.google.com/document/d/1G2…

NEW! On the Three Buddy Problem we talked to Mark Dowd on the state of offensive research, the economics of the exploit market, the AI hype machine, daily stresses of running an offensive shop, and state of zero-day market: youtu.be/NEDlOKHG8nY?si…