Nick G

173 posts

@kallsyms

@Xbow. Formerly @google, @capsule8. Professional thing breaker. 👻

San Francisco, CA · Joined May 2012
748 Following · 746 Followers

Nick G (@kallsyms):
@techAU Nope, just normal 5.5. Don't need a special model for a 25 year old OS :P

Nick G (@kallsyms):
🚨 0-day alert! GPT 5.5 has found and exploited a network accessible RCE in Mac OS 9.2.1 🚨

Nick G (@kallsyms):
@moyix Network code for AFP :) Does mean file sharing needs to be enabled, but I've got it continuing to hunt for something better in the core networking stack

Nick G (@kallsyms):
At least it's honest.
[tweet media]

Nick G retweeted
Ian Butler (@kinglycrow):
Another feature from our dev agent. It has full runtime environments spun up on demand to work in with full project context and access to shell tools!

Nick G retweeted
Ian Butler (@kinglycrow):
Mentioned last week we're working towards open sourcing something big. Today I want to share a sneak peek into what's coming. Not sure what we're calling it yet but it's basically an open source version of the dev agent we've worked on for the last year and change.

Nick G retweeted
Ian Butler (@kinglycrow):
Next.js had a serious vulnerability in their middleware system which allowed bypassing auth, and while bugs happen, the way it was communicated to their community was handled pretty terribly. Normally I'm not posting on the weekend but this is some pretty spicy 🌶️ stuff.

In business if you have bad news you're supposed to communicate it quickly and directly, it's a trust exercise for people who put their faith or money in you. This is also true in tech. We've spent years cultivating a blameless culture because we recognize that with system complexity and how fast everyone is always moving there's bound to be issues that make it through checks.

If the Twitter sphere is to be believed, Vercel:
- Knew about this bug for over 3 WEEKS and quietly pushed changes to their new SDKs.
- Did not tag their PRs for fixes as a security issue
- Waited until the last minute to work with their Open Source community to announce the issue and a path to resolution for those affected

Part of responsibly disclosing issues like this is patch first and then move to communicate immediately to all impacted parties. You do not sit on your hands. Because of this multiple platforms went offline today to deal with the bug as a fire drill exercise instead of having proper time to deal with the issue.

This is a serious trust issue for what is currently a widely used framework and service. You yourself might be impacted right now.

As a steward of such widely used technology you have a responsibility to your users to protect them even if it's uncomfortable from a business perspective.

Nick G (@kallsyms):
Man my eclipse photos look weird
[tweet media]

Phil Eaton (@eatonphil):
@kallsyms Does it expand the options if it's allowed to do dynamic analysis? I run a test case and it lets me query the entire call graph?

Phil Eaton (@eatonphil):
Are there static analysis tools that will tell you all the call trees a function might be called from? Particularly for C projects.

Nick G (@kallsyms):
Re the xz backdoor
[GIF]

Ian Butler (@kinglycrow):
My co-founder made me give up my long running feature branch. @kallsyms
[tweet media]

Nick G (@kallsyms):
[tweet media]

Nick G retweeted
Pete Markowsky (@PeteMarkowsky):
Here goes nothing. Ship it!
[tweet media]

Nick G (@kallsyms):
The idea is to use userfaultfd to track memory modified during a program execution and restore it between runs instead of re-forking. It's still a proof of concept, but results are encouraging yielding a ~1.8x increase in execs/sec compared to AFL's persistent mode on libjpeg.

Nick G (@kallsyms):
Finally finished up and wrote about an exploratory side project from a year ago: accelerating fuzzing throughput by using userfaultfd to do dirty page tracking and restoring entirely in userland. nickgregory.me/post/2022/12/0…

Brendan Dolan-Gavitt (@moyix):
Is there any service that has archived snapshots of GitHub repos? Trying to reconstruct MS's PyPIBugs dataset right now but a handful of the repos it refers to are gone now, like this one: github.com/alx-k/flask-je…