19 of 33 WebRTC media servers fail DTLS-SRTP authentication. AI agents are finding hundreds of zero-days in C codebases. Enable Security launches DVRTC for VoIP security training. Plus a WebRTC payment skimmer, PJSIP advisories, FreePBX CVEs, and more.
AI agents are autonomously finding zero-day vulnerabilities in large C codebases. Here's what that means for the RTC projects we work with every day.
Arcane curation from the IndieWeb, Fediverse and Cybersecurity realms
Talking fast and swearing more since 2004.
CVE-2026-34980 + CVE-2026-34990: two CUPS vulnerabilities, discovered by an autonomous LLM pipeline, chainable from unauth'd remote print job to root file (over)write.
After 283 episodes, this will be the final episode of the DAY[0] podcast. We started the podcast on a hopeful note in the days following Ghidra's release. Now, to end it off we've got another discussion about how we see the future of vulnerability research and exploit development going. We recorded this episode before all the hype around "Mythos" and Project Glasswing so it doesn't play into our commentary here. Thank you all for the support over the last seven years. Good luck and happy hacking!
I was a guest on Lenny Rachitsky’s podcast, in a new episode titled An AI state of the union: We’ve passed the inflection point, dark factories are coming, and automation …
No one needs another AI think piece. I’m writing this for myself. I wish I’d started writing about AI in 2023. This is a cataclysmic shift in the world and I wish I’d preserved my thought process so I could look back on it and see how it changed over time. With that in mind this is written to my future self, and includes what’s going on now and some predictions about what’s coming in the future.
A slightly delayed episode of the weakly link. This time, we have a bit of a special outlook on the future in security to do with Quantum and AI. There were a couple of links that really caught my eye and could make a compelling case for usage of the phrase “everchanging landscape…” - stop it Gerald - this is not AI generated! Let’s start with the big announcement: Anthropic announced how their latest Mythos model was so good at vulnerability research that they decided to keep it from the unwashed masses and just give access to select organisations and call it Project Glasswing.
@michael Curious what model/harness you're using? I tried to use Claude Code and Opus 4.6 with the prompt in https://sockpuppet.org/blog/2026/03/30/vulnerability-research-is-cooked/ to audit some s...
In this issue: Defense in Depth, Medieval Style; Human Trust of AI Agents; Mythos and Cybersecurity; Is "Satoshi Nakamoto" Really Adam Back?; Mexican Surveillance Company; ICE Uses Graphite Spyware; FBI Extracts Deleted Signal Messages from iPhone Notification Database; Hiding Bluetooth Trackers in Mail; Medieval Encrypted Letter Decoded; What Anthropic’s Mythos Means for the Future of Cybersecurity; Claude Mythos Has Found 271 Zero-Days in Firefox; Fast16 Malware; A Ransomware Negotiator Was Working for a Ransomware Gang; Hacking Polymarket; DarkSword Malware; Rowhammer Attack Against NVIDIA Chips; Smart Glasses for the Authorities; Insider Betting on Polymarket; LLMs and Text-in-Text Steganography; Copy.Fail Linux Vulnerability; OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities; How Dangerous Is Anthropic’s Mythos AI?; Upcoming Speaking Engagements
76 posts tagged ‘careers’.
17 posts tagged ‘ai-security-research’. Using AI tools to help find security vulnerabilities.
602 posts tagged ‘security’.
301 posts tagged ‘ai-ethics’. Ethical concerns related to building and using AI systems.
LLMs now find kernel zero-days at scale. Here's why container isolation fails and why hardware-enforced workload isolation must become the default.
Two weeks ago, Anthropic announced that its new model, Claude Mythos Preview, can autonomously find and weaponize software vulnerabilities, turning them into working exploits without expert guidance. These were vulnerabilities in key software like operating systems and internet infrastructure that thousands of software developers working on those systems failed to find. This capability will have major security implications, compromising the devices and services we use every day. As a result, Anthropic is not releasing the model to the general public, but instead to a ...
Your career is not obsolete, no matter how many vendors/influencers say so lately. Let’s set up a small homelab and a few open source tools to start using AI tools in your work, outlining all the places we still need cybersecurity expertise for these new problems that accompany this new technology along the way.
The new reality rewards systems that can be tested and patched continuously