Matt Coley

1.4K posts

@invokecoley

Java zealot // Reverse-Engineering enthusiast
All opinions are my own. Are yours?

USA · Joined December 2017
423 Following · 336 Followers
Matt Coley retweeted
vx-underground @vxunderground
It's rare I see someone defend online identification. I'm unable to tell if they're a troll, engagement baiting, or being sincere. Let's discuss it.

Pardon my condescension, but if this is a sincere rebuttal, this person is the LeBron James of logical fallacies.

1. False analogy.
You cannot compare online identification to in person identification. Giving your ID to someone in person is a physical transaction in a controlled environment (bar, tattoo parlor). The Internet is global and interconnected. Additionally, when providing your ID in person you're doing it for an exchange of a physical good or experience (bar, tattoo parlor). Identifying yourself online is tied to SPEECH (e.g. social media). Identifying at a bar is not the same as identifying yourself online.

2. False equivalency
Again, tying back to argument one, providing your identification for something like going to a bar is not the same as providing identification online. Social media, as an example, is a communication platform.
Examples provided: bars, alcohol, cigarettes, tattoos, guns, lottery tickets, ... This is not the same as needing identification for access to a social media site.

3. Loaded questioning
Rhetorical questions are trying to push the reader to assuming a logical conclusion that online identification is perfect.

4. Over simplification
Identifying everyone online is not a practical solution. This ignores local laws, federal laws, different governments having different laws, free speech laws, data privacy laws, THE COST of performing all of this. Do people in the United States visiting a Brazilian website need to provide their ID to the Brazilian government? Do they have any jurisdiction? These are real questions.

5. Appeal to ridicule
Concluding your statement with "grow up" tries to shame me, or the reader, for disagreement.

These laws being suggested are far from perfect and serve no one. It will not protect children. The lack of clarity in laws makes people infer nefarious intent.
I like pictures of cats.
Matt Coley retweeted
Dean W. Ball @deanwball
Think about the power Hegseth is asserting here. He is claiming that the DoD can force all contractors to stop doing business of any kind with arbitrary other companies. In other words, every operating system vendor, every manufacturer of hardware, every hyperscaler, every type of firm the DoD contracts with—all their services and products can be denied to any economic actor at will by the Secretary of War. This is obviously a psychotic power grab. It is almost surely illegal, but the message it sends is that the United States Government is a completely unreliable partner for any kind of business. The damage done to our business environment is profound. No amount of deregulatory vibes sent by this administration matters compared to this arson.
@

This week, Anthropic delivered a master class in arrogance and betrayal as well as a textbook case of how not to do business with the United States Government or the Pentagon. Our position has never wavered and will never waver: the Department of War must have full, unrestricted

Matt Coley retweeted
mattparlmer 🪐 🌷 @mattparlmer
Anybody inside the American military establishment who thinks that wiring up an LLM via API to manage an air defense system is a remotely defensible engineering approach should be immediately fired because they are going to get people killed
Under Secretary of War Emil Michael @USWREMichael

Anthropic is lying. The @DeptofWar doesn’t do mass surveillance as that is already illegal. What we are talking about is allowing our warfighters to use AI without having to call @DarioAmodei for permission to shoot down an enemy drone swarms that would kill Americans. #CallDario

Matt Coley retweeted
TheIntelFrog @TheIntelFrog
Anthropic had 2 red lines for the use of Claude: 1. No autonomous killings 2. No mass surveillance of Americans. Kind of strange for the DoD to frame those as having a "god complex" and that they want to "personally control the US military".
Under Secretary of War Emil Michael @USWREMichael

It’s a shame that @DarioAmodei is a liar and has a God-complex. He wants nothing more than to try to personally control the US Military and is ok putting our nation’s safety at risk. The @DeptofWar will ALWAYS adhere to the law but not bend to whims of any one for-profit tech

Matt Coley retweeted
vx-underground @vxunderground
US Government: MAKE THE FUCKING KILLER ROBOT THING
Anthropic: We think that's unethical. We won't do that. All customers have the same Terms of Service for Claude
US Government: YOU'RE A FUCKING COMMUNIST AND YOU HATE FREEDOM
celeste @vmfunc
rick, i want to keep this on the record the same way everything else has been. you published our private correspondence before i could publish part 2 with my analysis alongside it. that's your right. but let's be clear about what just happened: you took control of the release timeline. the emails are out now on your terms, in your framing, before my analysis could accompany them. that's not transparency but positioning.

i'll be honest about what this looks like from the outside. you released a signed public statement. before i could publish my analysis. you dumped our private emails. before i could contextualize them. you're now framing the conversation on twitter. before part 2 is out. every move has been timed to get your version of events in front of the public before mine can sit alongside it. that's not the behavior of someone pursuing transparency. that's crisis communications. and i say this without malice!!!!! i understand why you're doing it. you're a CEO protecting your company. but let's not dress it up as something it isn't....

let's walk through this.

you say good research doesn't start with a conclusion. i agree. mine started with 53 megabytes of typescript source maps served from a government endpoint. that's not a conclusion. but that's reasonable suspicion.

you invoke responsible disclosure. responsible disclosure is a framework for vulnerabilities in software. this isn't a CVE. this isn't a bug report. this is investigative research into a platform that processes biometric data for federal agencies, files suspicious activity reports with FinCEN, and runs facial recognition against every politically exposed person on earth with a similarity score. the public has a right to know how that infrastructure works. the public's right to know isn't gated behind your PR timeline. that's not a disclosure process. that's journalism.

you say you were never reached out to before publication. you're right, and i've been transparent about that. i also didn't need to contact you. your source maps were publicly accessible on the open internet. i didn't break into anything. i read what you served. 53 megabytes of source maps on a government endpoint isn't a secret i stole. it's a file you published. the files were there, all we did was look.

you cite "we can only assume they don't have access to all of that data. but if you want my two cents, they probably do" as evidence of bias. that line is clearly marked as editorial commentary, not a finding. the findings are the certificate transparency logs, the infrastructure topology, the source code. those are verifiable. anyone can check crt(dot)sh right now, today, independent of anything i've published.

you say you've tried to give credibility to the public's perspective and divulged sensitive non-public information in the spirit of transparency. i acknowledge that and i said so in my emails. i also said publicly that you've been responsive and engaged in good faith. i meant it.

but rick. rick, i'd like to continue this where we started, over email, in writing, on the record. twitter is not the venue for this. threads get quote-tweeted out of context, replies get buried, and the conversation fragments into a hundred sidebar arguments that serve neither of us. i offered you a written exchange that would be published in full so both sides could be read completely and in context. that offer still stands. let's do this properly. the public can read both sides and decide for themselves. that's the transparency we both claim to want.

part 2 is coming. it will contain our full correspondence, your signed statement, and my analysis. you've now published the raw emails, which means readers can compare your framing to mine. i welcome that. sunlight is the best disinfectant and all that

you said you admire my work. i appreciate that genuinely. i admire that you responded at all!!!! most CEOs wouldn't. but admiration is not a rebuttal and disappointment is not a counterargument

i'm still here. and i'm still listening. and i can assure you i am acting out of good faith.
Matt Coley retweeted
Jeff Geerling @geerlingguy
AI is destroying open source, and it's not even good yet
Matt Coley @invokecoley
When I say it was "too good" I'm 100% serious. SSVM emulated the JVM so accurately that it discovered a hotspot implementation bug with methodhandles. bugs.openjdk.org/browse/JDK-828… x.com/invokecoley/st…
Matt Coley @invokecoley

@cl4es Sorry for the random ping, but noticed this while working on a project. Is there a reason why getting the static Unsafe field uses 'REF_getField' instead of 'REF_getStatic'? Change is from: github.com/openjdk/jdk/co… Running on Java 11 we get: hst.sh/timijuturo.bash

Matt Coley @invokecoley
It's been a long time since we stopped maintaining SSVM, and I'm just finally getting back to emulating basic methods for deobfuscation transformers in Recaf. It's a much more simple/naive implementation, but that's kinda the point. SSVM was unironically too good.
Matt Coley @invokecoley
@cyb3rops SecurityAffairs covered this and states: "Because traffic to notepad-plus-plus[.]org is rare, ISP-level redirection is feasible for well-resourced actors." So no direct NPP infra got compromised then? securityaffairs.com/185622/hacking…
Matt Coley retweeted
𝖓𝖎𝖓𝖊 🕯 @atlanticesque
Genuinely once I started using this I went a little insane. Searching for files on windows is SO BAD by default that I thought we had run up against some law of physics. But no, searching for files can just be instantaneous. Microsoft is just evil and stupid.
@

voidtools Everything is such an excellent piece of software. It's one of the things you use and wonder "why doesn't my computer already work like this"

Matt Coley retweeted
notch @notch
@Grummz It's not about AI becoming better, it's about AI being shoved down our throats by people we don't trust.
Matt Coley retweeted
JFJ🇺🇸 @jifferey
Monopoly implies there's literally 0 alternatives whatsoever and valve has taken direct action to hurt competition
Epic is the only one that offers devs money for their sole commitment to their launcher. Steam has its flaws, but i wouldn't use the word monopoly when Tim Sweeney literally stole games off steam.
@

72% of devs believe Steam has a monopoly on PC games: The independent study, conducted by Atomik Research, surveyed 306 industry executives across the UK and USA between May 18 and 22, 2025. >75% of respondents were senior managers or C-suite level, with 77% from studios with

Matt Coley retweeted
FFmpeg @FFmpeg
Not everything revolves around business and "value". Our mission is to play every multimedia file in the world. We are proud to accept hobby contributors for obscure 1990s codecs. If trillion dollar corporations want things from volunteers, they have to pay for it.
@

I love how @FFmpeg is conducting themselves online. It's a project that's created billions of dollars in actual value and has captured practically none of it. Their stance seems to be simple: fund substantial development or STFU with the requests. Pretty easy to understand. If

Matt Coley retweeted
FFmpeg @FFmpeg
It's interesting how the security "research" community is happy to write the most ruthless things when they find security flaws. But get upset when called out about sending patches to volunteer projects like FFmpeg (or libxml2)