David Barroso

20.1K posts

@lostinsecurity

I'm Winston Wolfe. I solve problems. Yersinia author. Founder, CounterCraft https://t.co/2RLFjoit1C @countercraftsec

San Sebastián · Joined January 2009
3.6K Following · 6.5K Followers
Pinned Tweet
David Barroso @lostinsecurity
Thank you very much, it is an honour to receive this Award. The cybersecurity community in Spain is fantastic and cutting-edge, and there is no doubt that @CCNCERT has been one of its main contributors. What a lovely surprise!
CCN-CERT @CCNCERT

@dsn The Award for Professional Career in Favour of Cybersecurity has finally been presented to David Barroso @lostinsecurity, CEO of @countercraftsec #XVIIJornadasCCNCERT #VJornadasESPDEFCERT Congratulations!

David Barroso retweeted
Dave W Plummer @davepl1968
I'm pleased to announce that, when combined with my phone, my PDP-11 has achieved a storage capacity of 128.01GB!
David Barroso retweeted
gabe @allgarbled
I made a /seppuku skill for my Claudes for when they make an unforgivable mistake, and now they use it spontaneously without me asking.
David Barroso retweeted
𐌁𐌉Ᏽ 𐌕𐌉𐌌𐌉
I came across a theory that AI is starting to make more mistakes because the internet is increasingly polluted with AI slop. The idea of AI cannibalising itself into obscurity is one of my favourite things ever. I hope it is true and I hope it becomes impossible to fix.
David Barroso retweeted
Polymarket @Polymarket
JUST IN: Iran declares it will not charge tolls in the Strait of Hormuz, will instead charge “environmental protection fees”
David Barroso retweeted
Tea with Tolkien @TeawithTolkien
Thank you to Pope Leo XIV for giving us an absolute banger of a Tolkien trivia question: “Which character from The Lord of the Rings is quoted in a papal encyclical?”
David Barroso retweeted
(Stephanie) Slade @sladesr
Congratulations, Twitter is good again.
David Barroso retweeted
JNS @_devJNS
one of the greatest programming jokes of all time
David Barroso @lostinsecurity
@JaimeObregon @Recuenco I have followed a similar evolution; the only difference is that I switched to ghostty a while ago (when they added search) and spent some time with OpenCode. I like OpenCode more than Claude CLI.
Jaime Gómez-Obregón @JaimeObregon
I'm learning. Like everyone, I suppose 🙃; so don't take me as a reference for anything:
- I now use Codex (GPT 5.5). I come from Claude (Opus 4.7), but I'm not married to anyone: I switch without mercy and adapt to whatever works best for me at any given moment. Everything changes fast.
- I work on a laptop (13" MBP). It was always enough for me, but now I need to see agents, code and terminal at the same time. So I got myself a 40" ultrawide screen and I'm delighted.
- As a consequence of the above, AI has made me program less in cafés and more at home. Also because I now often dictate the prompts. And talking to myself in a café... I don't see it. 😂
- When I work with Claude, I dictate the prompts to ChatGPT. I find OpenAI's Spanish transcription much better than Anthropic's. So I dictate to ChatGPT from my phone and, without sending it, copy and paste it into Claude on the desktop.
- The terminal is as important as the AI tool. I've been using iTerm2 for years. I'm delighted with it, but lately I fantasize about switching to Ghostty. But I think it's still a bit green. Today I read about cmux (a terminal for AI agents). There aren't enough hours in the day... 😂
- I'm never the first to arrive at the party. When a new tool or model comes out, I watch it, but I don't adopt it. There's so much hype that I prefer to play it safe. Lots of things come out that are a flash in the pan. I adapt to change, but I economize my adaptability. The enemy is FOMO. I already have grey hair; I prioritize throughput over hype.
- I don't usually have more than one agent running, two at most, and I don't know how those of you with many at once do it (like @steipete), even across several projects at the same time. There aren't enough hours in the day 😅. The bottleneck is no longer my ability to write code, but my ability to understand it.
- This week I controlled an agent from my phone while devouring a chocolate palmera bigger than Brazil, sunbathing on a bench on the Gran Vía. Very cool as a concept, but still a bit green. It will be functional before you know it, though.
- I've started trying Claude Design. It looks fantastic, but I'm still forming an opinion. Let's see what OpenAI brings out (if it hasn't already...)
- Like most people, I no longer write code, although I still know how to do it and, above all, how to understand it. I don't incorporate AI-generated code if I don't understand it. Not because it's wrong (it's usually fine) but because AI often tends toward overcomplexity. So I point out where there is redundancy or baroque, and it corrects it.
- A lot of people are obsessed with skills for agents. I don't see the appeal that much, but that's probably just me.
- Minimalism in everything. With AI it's easier than ever to complicate your life: overengineering, artificial complexity, feature bloat, dependency hell... The machine gives me solutions, but I'm continually pointing out simplifications to it. If I let it, in a few weeks the project is unmaintainable. You have to drive with your high beams on.
- Part of the time AI saves me I try to spend thinking, reading, learning, walking and doing sport.
- Adaptability. I've been writing code for more than 30 years and now I've stopped writing it. Resistance is futile. I try to embrace change. And have fun. 🥳
Passing the word to @Gsnchez, who is a master of all this. 😊
Marc Morente @ethnerom

@JaimeObregon It would be interesting to know how you use Codex and Claude Code (skills, AGENTS/CLAUDE.md, etc.).

David Barroso retweeted
Justin Elze @HackingLZ
👀
David Barroso retweeted
thaidn @XorNinja
We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet). The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments? We asked Claude to download and analyze more than 4,000 nginx config files from GitHub. The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published. So don't worry about your nginx yet. Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!
David Barroso retweeted
Hedgie @HedgieMarkets
🦔Microsoft canceled its internal Claude Code licenses this week after token-based billing made the cost untenable, even for a company with effectively infinite cloud resources. Uber's CTO sent an internal memo warning the company burned through its entire 2026 AI budget in just four months. American AI software prices have jumped 20% to 37%, and GitHub (owned by Microsoft) is dropping flat-rate plans for usage-based billing across its products.

My Take

The AI subsidy era is ending in real time. The same company that put $13 billion into OpenAI and built the Azure infrastructure powering most of Anthropic's compute just looked at the bill from a competitor's coding tool and decided it was not worth paying. That is not a productivity failure on Anthropic's end. Token-based pricing is forcing every enterprise customer to confront the actual cost of running these models at scale, and the number turns out to be far higher than the flat-rate experiments suggested.

This ties directly to my Gemini Flash post yesterday. Anthropic, OpenAI, and Google all raised effective prices in the last six months. Enterprises that built workflows assuming AI costs would keep falling are now watching annual budgets evaporate in months.

Two outcomes look likely from here. Either enterprises scale back AI usage to fit budgets, which slows the revenue ramp the labs need to justify their valuations ahead of IPOs, or the labs cut prices and absorb the losses, which makes the unit economics worse at exactly the wrong moment. Both paths land in the same place, the numbers stop working, and somebody has to take the writedown.

Hedgie🤗
David Barroso retweeted
Nathan Clark @nathanclark_
it’s in gemini, just create it in ai studio. oh, that’s for your personal google one account. for workspace you need gemini business. no, not gemini advanced, that’s ai pro now. unless you need ai ultra. oh agents? you do that in spark actually. no, not gemini api managed agents, that’s different. for coding use jules. unless you mean the agentic ide, that’s antigravity. no, that’s the old antigravity, download the new one. actually gemini cli is being deprecated, use antigravity cli. no the flash model is smarter than the pro model. unless you need pro. if it’s video, use flow. no, flow uses veo. no, nano banana is images. actually that’s in gemini now. unless you’re in search, then it’s ai mode. no, research is notebooklm. anyway it’s all very simple.
David Barroso retweeted
Chris Wysopal @WeldPond
I just learned the sad news that Peter Neumann has passed away. Peter Neumann shaped how a generation of security people learned to think about risk. As editor of RISKS Digest, he gave many of us coming up in the 1990s and early 2000s a steady education in the real-world consequences of computer failures. His work made the field more serious, more thoughtful, and more honest. He will be missed. I first met Peter when we both testified at the 1998 Senate Governmental Affairs Committee meeting on Government Security where the L0pht testified. The combination of Peter and the L0pht made the hearing more powerful even if us hackers stole the spotlight. Neumann and the L0pht made the same argument from two different directions. Neumann gave the institutional, systems-engineering view: the country was becoming dependent on brittle, interconnected systems that were never designed for security, reliability, or survivability. The L0pht gave the field evidence: here are the actual flaws, here is how attackers think, here is how cheaply and quickly these systems can fail in practice. Neumann supplied the credibility of a long-time researcher warning that this was not just “hackers breaking into things,” but a structural failure of technology markets, procurement, engineering discipline, and risk management. The L0pht supplied the proof that the warnings were not theoretical. Together, we made the hearing unusually powerful: the academic risk community and the hacker community were telling the Senate the same thing, in different languages, before the rest of the world had fully caught up.