gIA Bui

Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends. Full story: open.substack.com/pub/calif/p/fi…

We got credited three times in Apple’s latest security drop. Anthropic got named twice, and AISLE once. Does this mean we’re worth more than Anthropic and AISLE combined? Asking for a boss. support.apple.com/en-us/127115

In 2012, six hackers published the iOS Hacker's Handbook. Two of them are joining Calif: Dion Blazakis @justdionysus and Stefan Esser @i0n1c. @i0n1c does not really need an introduction. I'll say a few words about Dion for the uninformed. When @brucedang told me that a hacker named Dion may be joining us, my first reaction was, wait, is that the same Dion who won a Pwnie Award in 2010 for Most Innovative Research? It turns out, it was him. Dion Blazakis is a legendary hacker who has been breaking into just about everything, from basebands and firmware to kernels and browsers. He was one of the earliest people hacking the iPhone and is still at it. In 2011, he and Charlie Miller won Pwn2Own by pwning an iPhone 4. Our next MAD Bugs drops are welcome gifts for Dion and Stefan. Stay tuned!

MAD Bugs: RCE in Ladybird Blog: open.substack.com/pub/calif/p/ma… PoC: github.com/califio/public… youtube.com/watch?v=NQxvMR…

@AzakaSekai_ blog.calif.io/p/mad-bugs-all…

IDA 9.3sp2 has been released. This update addresses... *reads notes* > idaclang: fixed an argument injection in CLANG_ARGV that could lead to arbitrary code execution when opening a malicious database oh

MAD Bugs: All Your Reverse Engineering Tools Are Belong to US Ghidra, radare2, IDA Pro, and Binary Ninja Sidekick. If your tool doesn't show up here, it's not cool enough. Contact us for a free RCE. open.substack.com/pub/calif/p/ma…

Woke up to a stack of good news. 1. OpenAI named @calif_io an official vulnerability research partner, alongside Trail of Bits. 2. We hit the Hacker News front page again, third time in a single week. Hacker News comments are terrible though! Most readers don't really know what they were talking about, but very confident. 3. Microsoft acknowledged our work with Anthropic. A few years from now, when we look back at Calif's history, I suspect that HTTP.sys kernel bug will have a very special place. There's a moment before that bug and after that bug. The entire company has gone all in. We haven't slept much since then. And, honestly, for a bunch of clueless hackers like us, seeing our name next to Anthropic, OpenAI, and Microsoft is something really strange and somewhat uncomfortable 😅

MAD Bugs: Discovering a 0-Day in Zero Day Here’s how I used Claude to find and patch a radare2 0-day on my first day at @calif_io. open.substack.com/pub/calif/p/ma…

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747) To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI. blog.calif.io/p/mad-bugs-cla…

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747) To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI. blog.calif.io/p/mad-bugs-cla…

We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too. Full story: blog.calif.io/p/mad-bugs-vim…

Reverse engineering Apple’s silent security fixes, by @blacktop__ We grabbed the latest iOS update, and diffed it with ipsw. The diff reveals at least two security-relevant changes that were shipped quietly. open.substack.com/pub/calif/p/re…

Taking Apart iOS Apps: Anti-Debugging and Anti-Tampering in the Wild By @Little_34306 and @brucedang open.substack.com/pub/calif/p/ta…

We have some exciting news to share: @blacktop__ is joining Calif to work on a range of R&D projects focused on Apple and AI security. If you work in the Apple security ecosystem, he’s already a household name. He’s the creator of: * ipsw – the ubiquitous Apple firmware analysis tool: github.com/blacktop/ipsw * darwin-xnu-build – reproducible XNU kernel builds: github.com/blacktop/darwi… * ipsw-diffs – automated diffing of Apple releases: github.com/blacktop/ipsw-… * The only public deep-dive on Apple’s Lockdown Mode: github.com/blacktop/prese… His tooling is so good that even Apple engineers use it. If you do reverse engineering, chances are you’ve touched his Rust headless IDA MCP server: github.com/blacktop/ida-m…. People have literally collected CVEs and bug bounties just by digging through the diffs produced by his tools. With @brucedang, @Little_34306 and now @blacktop__, we're building a serious Apple security force at Calif. We’ll have more announcements in this space soon! If you're interested in Apple security, AI, automated bug discovery, reverse engineering, or hacking, we’re hiring: calif.io/jobs.

A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets. A step-by-step guide to exploiting a 20-year-old bug in the Linux kernel to achieve full privilege escalation and container escape, plus a cool bug-hunting heuristic. open.substack.com/pub/calif/p/a-…

I woke up at 6:00am to get ready for a long trip to meet a lead outside the city. Two team members joined me, and the three of us spent 90 minutes driving to the meeting location. I already had doubts. This lead was a livestock firm, which didn't exactly fit our typical client profile. We'd already met online, but they hadn't shared much about what they wanted. Still, their boss insisted on an offline meeting at their office. Something felt odd, but my job is to follow leads, so we eventually agreed to the meeting. I figured maybe they just wanted to show us some hospitality. Not the first time a client has wanted to serve us a fancy meal to show off their success. Maybe I could even score some free eggs. I was so wrong. One minute into the meeting, the lead's boss got straight to the point. He'd heard we were good at hacking and wanted us to hack a foreign entity and steal its secret pig breeding formula (công thức phối giống heo nái). I swear to God this dialogue ensued: * Me (laughing nervously): But isn't that illegal? * Pig boss: Well, there's no law. Trump could even arrest that Venezuelan president. * Me (internally): Oh. He's serious. And prepared for this line of argument. * Me: But Trump has rockets. * Pig boss: Don't worry. I have a lot of chickens. (I might be misremembering the last sentence, but the absurdity level is about right.) At that moment, we absolutely could have stood up, and left. But that felt rude. So we stayed. For the next stretch of time, we learned far more than we ever wanted to know about pig reproduction. Genetics. Breeding cycles. Trade secrets of the pork industry. Did you know that a boar isn't allowed to f*** more than 70 times over its lifetime? Eventually, we found a way to politely excuse ourselves. No free eggs, though. This business has brought a lot of weird characters to our door, but I didn't expect that one day someone would look me in the eye and ask me to commit cybercrime against… pigs.

Today we welcome the legendary @brucedang to Team @calif_io! I first heard of Bruce around 2010, after his talk on Stuxnet. We became fast friends almost immediately, and never really stopped talking about security. Every time I met Bruce, I'd come home having completely lost my voice. Bruce was a co-founder of Veramine, the only EDR that caught us during a red team engagement (four years ago, and yes, we're still salty). Most recently, he was at Apple, working on iOS security and Private Cloud Compute. Bruce now has a big plan for us at Calif!

FYI: Tavis is gonna work on FFmpeg security

Hah, I've been talked into working on research projects with @xorninja at @calif_io! Less drama, safer software! 😆

I’ve lost count of how many systems I’ve breached just using leaked passwords. Now I’m fixing that problem at the source — introducing a Keycloak provider with Google Password Defense, blocking compromised creds before hackers use them github.com/califio/keyclo… #keycloak #hacking