Claudio Criscione (@paradoxengine)

5.1K posts

Security Robot Overlord @ Google. Vulnerability Management @paradoxengine.criscio.net @[email protected]

Italy. Joined April 2008
376 Following, 2.6K Followers
Claudio Criscione retweeted
Marcel van Oost @oost_marcel
🚨𝘽𝙍𝙀𝘼𝙆𝙄𝙉𝙂: European Commission President Ursula von der Leyen unveiled EU–INC, a new framework that lets you launch a company in 48 hours for under €100 Starting a company across the EU today = 27 legal systems, 60+ company structures 🤯 That might be about to change… The European Commission just introduced 𝗘𝗨 𝗜𝗻𝗰., a new optional corporate framework designed to make Europe actually function like one market. Here’s what stands out: → Set up a company in 48 hours → Cost: < €100 → Fully online, no minimum capital → One single framework across all EU countries → Easier share transfers & fundraising → EU-wide employee stock options (huge for talent) Especially the EU-wide stock option plans, taxed only when employees actually sell (instead of when granted) is huge. This makes it far easier for startups to attract and retain top talent, finally putting Europe closer to the US playbook. Source/More info: ec.europa.eu/commission/pre… In short: This is Europe trying to compete with the simplicity of a Delaware C-Corp 🇺🇸 And honestly… it’s long overdue. For years, European founders had 2 choices: 1. Stay local and deal with fragmentation 2. Move to the US to scale 𝗘𝗨 𝗜𝗻𝗰. is trying to remove that trade-off. If executed well, this could be one of the most important structural changes for European startups in decades. What do you think?
Claudio Criscione retweeted
Scott Piper @0xdabbad00
The CFP for fwd:cloudsec closes on March 20, so you still have a few more days! Reasons why you should present at fwd:cloudsec: - Tickets are sold out but speakers get tickets, so if you didn't get a ticket, this is your best option. 🧵 1/5
Claudio Criscione retweeted
Eduardo Vela @sirdarckcat
We are hiring in Singapore! For a manager for Google's Product Security Team. Please contact me by DM!
Claudio Criscione @paradoxengine
@tqbf Building the app is part of it, depending on what you want to test. If the goal is to test a scanner (LLM or otherwise) you have a bunch more requirements, a test harness and more (e.g. elicit and capture false positives). But, yes :)
Thomas H. Ptacek @tqbf
It has never in human history been easier to build a "firing range" web application with vulnerabilities and now that anyone with a Claude sub can do it in 5 minutes we should have better things than WebGoat.
Claudio Criscione @paradoxengine
@HackingLZ I'm not sure it really does hold water. Of course you are right - at least, it sounds intuitively right - that mass exploitation weaponization happens on the most exposed surfaces. And we'd not track "one off" weaponization. But I think you might underestimate costs
Justin Elze @HackingLZ
Weaponizable is part of the situation, but you're also largely controlled by what enterprise companies have exposed on the internet today. You have internet facing things (file transfer software, Citrix, Fortinet) which have been getting beaten to death the last few years, forcing companies to move into tech like Zscaler, MS App Proxy, and O365 leaving less exposed. Let's assume you successfully got into an environment via phishing, so you have RCE on an endpoint past some EDR product. Now you have to target other software which may or may not be configured correctly or have a vulnerable code path exposed. I'm not arguing that LLMs don't make it way easier to find exploits or turn CVEs into working exploits. The underlying reason that ratio is what it is is largely the exposure of attack surface.
Justin Elze @HackingLZ
Something like 0.5% of CVEs end up in CISA KEV. So when people panic about LLMs finding more bugs, remember vulnerability volume ≠ operational exploitation. Evaluate your attack surface accordingly. 🤷‍♂️
Claudio Criscione retweeted
Julien Vanegue @jvanegue
Remembering memories with my friend Felix ‘FX’ Lindner @41414141, hacker extraordinaire with a huge heart, who passed away last week. Whether in Berlin, San Francisco, or Sao Paulo, hanging out with FX was never dull. FX was profiled in @phrack #68 phrack.org/issues/68/2
Claudio Criscione retweeted
The Hacker's Choice (@thc@infosec.exchange)
😍RELEASE: The TEAM-TESO cvs: thc.org/team-teso/ All exploits, advisories, teso-informationals (never released), burneye, bscan, ... plus some rare pictures. Enjoy & Keep hacking. Yours Sincerely, Team-Teso (via THC's twitter account).
Claudio Criscione retweeted
Halvar Flake @halvarflake
The most expensive luxury item you can own is a spine.
Claudio Criscione retweeted
Richard Farr @farrmacro
Concur with @michaeljburry . Our BTC price target is 0.0. That's not just for shock factor. It's where the math takes us. It's not worked as a dollar hedge, rather it's just a speculative instrument correlated to the Nasdaq. It's not gaining any traction as medium of exchange. No serious central bank will ever own something where Michael Saylor controls the float. The miners (who are the network) are bleeding cash. It's horribly inefficient as a transaction processor and wastes tremendous amounts of energy. Nothing "green" about this "coin". We think it's a zero. ibtimes.co.uk/michael-burry-…
Claudio Criscione @paradoxengine
@lcamtuf I suspect this is somewhat modelable, no? An article that looks at where the security break-even is given the likelihood of users being compromised via some lame vuln in their software vs. via a dev compromise? Makes for a nice game theory paper too if you add attacker incentives.
Claudio Criscione retweeted
MonitorX @MonitorX99800
🇮🇷🇮🇱⚡- Unusually busy traffic at the Falafel shop nearest to the Supreme Leader's office in Tehran
Claudio Criscione retweeted
Sean Heelan @seanhn
Blog post: On the Coming Industrialisation of Exploit Generation with LLMs sean.heelan.io/2026/01/18/on-… TL;DR: I ran an experiment with GPT-5.2 and Opus 4.5 based agents to generate exploits for a zeroday QuickJS bug. They're pretty good at it. Code: github.com/SeanHeelan/ana…
Claudio Criscione @paradoxengine
@halvarflake Was he a similar size as you and thus was the dragging bodily executed, and was there kicking and screaming?
Halvar Flake @halvarflake
This week I learnt that my grandmother's uncle was responsible for dragging Kaiser Wilhelm away from modernity and thus creating the militarism of the Wilhelmian era. For someone of the centre-left, I sure have some hardcore monarchist ancestors.
Claudio Criscione retweeted
IT Unprofessional @it_unprofession
The CEO just asked me if we're "doing anything with blockchain." I said we're "monitoring the technology landscape" but haven't identified a strong use case for our business yet. Translation: No, and we're never going to. But I can't just say "blockchain is useless for what we do" because then I look like I'm not thinking innovatively. So I position it as "we're being strategic and waiting for the right opportunity." He nodded. Said that made sense. Then he asked about quantum computing. I gave him the same answer. Here's the reality: every few months, executives read an article about some technology trend and want to know if we're "leveraging" it. They don't actually care about the technology. They care about looking informed when they talk to other executives. My job isn't to implement every buzzword. It's to make them feel like we're on top of it without committing to anything. "Monitoring the landscape" is perfect because it sounds proactive but requires zero actual work. Next month it'll be something else. Maybe AR. Maybe autonomous systems. Doesn't matter. The answer is always the same: we're watching it closely, being strategic, and waiting for the right fit.
Claudio Criscione retweeted
Marlow @marlowxbt
I built a C++ terminal to scan Polymarket for automated wallets. The first one it flagged was making $152K per week. Account88888. 99% win rate. Over 11,000 trades. The script surfaced it in minutes. I spent three weeks writing a scanner that monitors wallet behavior across Polymarket. Entry patterns. Position sizing. Timing intervals. → Wallet: polymarket.com/@Account88888?… The goal was simple: find accounts that trade too consistently to be human. The first hit came back with stats that looked like a database error. 99% green. Thousands of executions. Profit curve pointing straight up without a single meaningful dip. I almost dismissed it as bad data. Then I opened the positions manually. The bot buys UP and DOWN on the same BTC window. Every time. Not alternating. Simultaneously. Sounds like guaranteed loss until you look at the pricing. During high volatility, Polymarket misprices both sides. UP costs 48 cents. DOWN costs 46 cents. Together that is 94 cents for two outcomes where one must pay a dollar. The bot buys both. Waits fifteen minutes. Collects $1. Keeps 6 cents. Repeats. It does not care about direction. Does not read charts. Does not react to news. It farms the spread between panic pricing and mathematical certainty. The wallet used to be named JaneStreetIndia before switching to something generic. Smart money stays quiet. My scanner keeps finding more of these. Different strategies but same signature: execution patterns too clean and too fast for human hands. I built this tool expecting to learn how the best traders think. Instead I learned they do not think at all. They calculate.
Claudio Criscione retweeted
Y4tacker @Y4tacker
#CVE-2025-67303 ComfyUI-Manager Remote Code Execution. Suddenly remembered I still have a Twitter account. I had my Agent analyze this in 10 minutes last night; the RCE that follows is just a revival of the CVE-2024-21574 exploitation.
Claudio Criscione retweeted
pyn3rd @pyn3rd
#CVE-2025-67303 ComfyUI-Manager Remote Code Execution