LiveOverflow 🔴

9.3K posts


@LiveOverflow

wannabe hacker... he/him 🌱 grow your hacking skills @hextreeio

Internet · Joined March 2015
1.3K Following · 158.7K Followers
LiveOverflow 🔴 reposted
Lupin@0xLupin·
One label away from compromising a package with 78M weekly installs. We disclosed a full attack chain in Rollup, the bundler behind Vite, Nuxt, SvelteKit, Astro, and much of the modern web. A reviewed PR could still be force-pushed after labeling, turning a TOCTOU race into trusted CI execution, cache poisoning, and RCE in the release pipeline. Rollup fixed it promptly, huge respect to the maintainers 🥳 This is exactly why upstream CI/CD is part of your security boundary. Full technical write-up: landh.tech/blog/20260317-…
LiveOverflow 🔴@LiveOverflow·
“Always has been, and if you paid attention in CS class, you know the limits of those things.” 🔥
Nate@nnwakelam

geohot.github.io//blog/jekyll/u… This is a really good read. I like how this guy brings a lot of what he speaks on back to this idea of “creating more value than you consume”.

LiveOverflow 🔴@LiveOverflow·
Using AI as blackhat: “Wait! I am hacking a system, I should tell the victim” > start "data:text/html,<html><body style='margin:0;display:grid;place-items:center;height:100vh;background:#111;color:#f33;font:700 48px monospace'>warning: you are being hacked!!!</body></html>"
m0z@LooseSecurity·
@terjanq @arturjanc Yep let's begin to reward the greatest anti-AI writeup. Whoever can make the funniest incorrect writeup for a challenge gets a prize.
terjanq@terjanq·
If you're wondering why models got quite decent at niche web security bugs recently: apparently, the AI knows quite a bit about my writeups, while mixing up a bit of my research with other researchers' work. If you think about it, it's like living inside the AI brain a little.
LiveOverflow 🔴@LiveOverflow·
@0xSomeone Genuinely I don’t know. However I think you have no choice in just being optimistic, AND use AI to learn. I think figuring out how to study with AI is part of the new skillset.
Someone@0xSomeone·
@LiveOverflow For someone like myself who's just starting out in cybersec, all of this is very sad. The last few years of this AI boom got me going crazy. I am constantly wondering if the skillsets I'm learning right now will even be relevant in a couple years from now.
LiveOverflow 🔴@LiveOverflow·
A different aspect about the CTF AI issue: To me CTFs always showed peak technical skill. Challenges were harder than the average real world pentest engagement and it served as a “reality check”. But if AI can one-shot hard challenges. What does that mean for most pentest jobs?
LiveOverflow 🔴 reposted
slonser@slonser_·
And this makes sense given how many CTFs are held per year. However, the ideal CTF challenge, in my opinion, should follow this formula: "The author conducted a mini-research project and instead of publishing it, turned it into a challenge."
LiveOverflow 🔴@LiveOverflow·
@__lr1l__ I would say most CTF challenges are very different and diverse. Varies in bug and exploit technique a lot.
7f9c34b635409d2ea@__lr1l__·
@LiveOverflow I have a small question about the CTF debate. Did this start because most CTFs, or a large portion of the challenges, are basically the same bug, exploit technique, or hardening pattern reused from previous ones? Or is the debate more about AI being able to solve new ones?
Panda@Harv_UK·
@LiveOverflow no sane enterprise is going to allow you to go wild inside their network with AI
Marshall';--🐼🍌@MJHallenbeck·
@LiveOverflow Really? To me CTFs were mostly gimmicky fun things with zero translation to actual technical skill.
LiveOverflow 🔴@LiveOverflow·
@ClovisMint But if it’s the compliance aspect that AI is not good. Still means in the real world you only have compliance people left, no actual technical skills needed?
LiveOverflow 🔴@LiveOverflow·
@ClovisMint I feel like that AI is even better at categorizing and classifying than bug hunting. I think if you provide a clear threat model it will be able to classify them accurately. Also from my experience, humans miss bugs all the time too.