chen (@chen9918b)

749 posts

redteam & code audit & bugbounty & Chinese history and culture enthusiasts & market analysis; security research & bounty vulnerability hunting & Chinese history and culture enthusiast

Joined August 2021
668 Following, 1.7K Followers
Pinned Tweet
chen (@chen9918b)
I got CVE-2026-20841 in the latest Microsoft patch. I'm glad Microsoft fixed his new challenge and continued to attack the latest targets. Enjoy the hunting process. Happy hackers 😁📷 msrc.microsoft.com/update-guide/v… @msftsecresponse
chen (@chen9918b)
Don't trust or rely on AI too much. It can be used as a means of information gathering.
Chaofan Shou (@Fried_rice)
vibe coded a fuzzing ai agent last month and let it run for a week using my $200 claude max. it then found 21 high/critical vulnerabilities in Chrome.
Kaijieguigui (@kaijieguigui)
Bad news... :/ Burned an all-nighter and $100 on Claude to find exactly zero bugs
Good news... :D Found a fresh 0day the old-fashioned way
Bad news... -_- It might be dead on Win11
Good news... :P It completely melts every Win10 build in existence
chen (@chen9918b)
@mtrainier2020 Lots of false positives; most of them need to be verified manually.
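Rainier (@mtrainier2020)
Since AI came into use, bug-hunting efficiency has gone off the charts. In its latest update package, open-source Chrome had dozens of High CVEs dug out all at once. And then one guy, using Claude for a week, also dug out 21... And this is Chrome, which has already been battle-tested for years....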
Rainier@mtrainier2020

FYI nb

chen (@chen9918b)
@richengfeng03 In fact, any hacker with even modest skill has an overwhelming advantage in web3; the law is what restrains them.
chen (@chen9918b)
I hear people have already started charging 399 to uninstall the lobster. That's too crazy.
chen (@chen9918b)
Using AI for vulnerability hunting is even more tiring than hunting bugs by hand.
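chen (@chen9918b)
@0xyilu For systematic work, without good prompts and a strong base LLM to support it, it is simply uncontrollable, and that is fatal. So openclaw still has a long way to go. The good results probably all come out of labs. Engineering it is still far off.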
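Luis_0xyi (@0xyilu)
What can OpenClaw be used for? So far I haven't seen a good answer to this question. OpenClaw is really just Claude Code for non-programmers, but Claude Code is a productivity (money-making) tool for programmers, whereas for most people OpenClaw is not yet a real productivity tool. Are there scenarios that truly need OpenClaw? If this question can't be answered well, OpenClaw will also face a receding tide and skepticism.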
Stephen Sims (@Steph3nSims)
I want to share a quick thought for people in cyber security. This will be my longest tweet ever.

I’ve spoken to many lately who are having an existential crisis from the constant posts about “the end of cybersecurity jobs.”

Yes, things are changing quickly. This is a significant moment for the tech industry. Change can be uncomfortable. But we’ve seen cycles like this before.

• When GitHub and open source took off, people said software engineers would disappear because code was free.
• When AWS and cloud computing emerged, people said infrastructure jobs would vanish.
• When fuzzing and SAST tools improved, people said vulnerability research would disappear.
• Virtualization would eliminate infrastructure jobs.
• Mobile computing was going to end desktop dev.
• Exploit mitigations would end exploitability.

It didn't. Each time automation improved, the amount of software grew faster than the automation. It does feel "different" this time as it's explosive.

Some roles will shrink:
• repetitive pentesting
• basic vulnerability scanning
• tier-1 SOC monitoring

But other areas are expanding rapidly:
• AI system security
• supply chain security
• identity architecture
• autonomous agent security
• critical infrastructure protection

Historically, every time we eliminate one class of bugs, new classes emerge. Right now people are vibe-coding entire systems, giving AI access to their machines, crossing trust boundaries, and deploying autonomous agents with excessive permissions. The legal and regulatory world is nowhere close to ready. There will absolutely be new failure modes.

Humans are amazing and always adapt, finding new ways to do things. The worst thing you can do right now is fall into a doom loop.

...and I’ll be honest, I too have felt the "psychological paralysis" a few times thinking, “Is this time different?” It's especially impactful when it comes from someone I respect in the community. There are certainly unknowns, in an industry where we've become accustomed to predictability.

But... the majority of those reactions are usually driven by social media, not reality. Platforms like X reward engagement, and sensational doom posts spread faster than measured thinking. If you see something like: “Holy #$%^! Opus 66.6 just found every bug in Chrome and replaced 50 startups!” …mute it and move on.

Instead: Stay curious. Learn the new technology. Adapt your skillsets. Build things. We’ll get through this transition the same way we always have. If I'm wrong then Sam Altman better be right about UBI! :)

I'm sure that if this tweet gets any engagement that I'll get some heat for it, but a good friend of mine reminds me often to focus on what you have control over. I'll revisit this tweet at DEF CON 40!
chen (@chen9918b)
Embracing AI, never tiring of it, utterly exhausted 😂
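chen (@chen9918b)
After testing openclaw, I use it extremely rarely. Never mind using it for penetration testing; in practice it makes a complete mess of many routine tasks. openclaw is just a tool; how well a goal gets completed depends on the prompts and the quality of the base LLM. The ideas behind openclaw were already embodied in early MCP and in manus, which was acquired by meta a while ago. Multi agent is nothing new either. openclaw merely packages this up for people to use. Tasteless to eat, yet a pity to throw away.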
chen@chen9918b

Tasteless to eat, yet a pity to throw away

chen (@chen9918b)
@imwsl90 It can be installed without a VPN too.
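卫斯理 (@imwsl90)
Charging a few hundred yuan to install openclaw for someone is really not too much. You start with a blank computer: no VPN, no environment, nothing at all, and then you have to install openclaw…🥲🥲🥲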
chen (@chen9918b)
Tasteless to eat, yet a pity to throw away
chen (@chen9918b)
@evilcos Brute force works miracles; an elegant aesthetic of brute force.
Cos(余弦)😶‍🌫️
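Judging from my experience of running more than ten OpenClaw instances to death, I actually don't trust OpenClaw's stability or resilience, but I'm quite comfortable with Claude Code. That is, after all, one of the core goals of software engineering… On attention to security, both take security very seriously; the vulnerabilities I submitted under an alias received very timely feedback. As an aside: some OpenClaw forks or reference versions are far less proactive about security; I suspect their authors are just playing around. On security scenarios, OpenClaw does have a Sandbox mechanism and also tries to design finer-grained tool permissions, but as its name "OpenClaw" suggests, Open is its greatest appeal, and an OpenClaw with its hands tied is no longer OpenClaw. Wanting it to be free and also wanting it to be controllable is what everyone is torn over. But in a real production environment, an overly free OpenClaw easily gets out of control… In OpenClaw I see an aesthetic of brute force: there is the delight of brute force working miracles, and also the worry that it will wreck everything… Just some impressions, for everyone's reference.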
Cos(余弦)😶‍🌫️@evilcos

@xqliu Claude Code = iPhone, OpenClaw = Android. That's the feeling I get.

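李德胜DavidTheRealtor (@david88lee)
Getting ready to price in a "power vacuum". If within the next 48 hours, before Monday's open, no strong figure steps forward to stabilize the situation, I think global capital will start pricing in a "Middle East in long-term turmoil". So the next 48 hours are critical. It's not that I don't want to write an article, and random passers-by won't affect me; it's just that I really haven't figured out how to respond to Trump's moves or where to draw the lines…😅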
Micropedia@MicropediaRJ

@david88lee Bitcoin has surged, and Wall Street hasn't budged over the weekend 🤭
