Olivia
Online
Colby
@ColbyRing
🌊🐝 BD @trailofbits
Joined December 2009
4.1K Following
469 Followers
1.5K Posts
another great example of a project programming security researchers' scanners to do the hard triage work for them: https://t.co/aaiw9tXPfy
Around $3 Trillion dollars were laundered through banks in 2025 and they want you to believe that a bill in Congress that clearly applies AML/BSA obligations to crypto exchanges is somehow the problem. Literally nonsense.
If you work in the software industry and have time to read only one long-form post today, read this one.
If you have time to read two, read this one twice.
Highly #recommend
tl;dr: Stay off the yellow brick road that the frontier model companies are racing down. There is plenty of opportunity to solve hard problems elsewhere. Focus on areas where you can build the system of work (workflows), capture compounding, non-public data and deliver deterministic outcomes that customers need.
PSA: If your project gets a ton of low quality vulnerability reports, you can filter those reports out with very little effort.
All you need to do is update your project’s claude/agents.md file to set your preferred quality threshold and criteria. Use the researcher’s own tokens to verify their work.
- clearly state your project’s threat model
- give examples of a high/medium sev vulnerability.
- instruct the model to spawn adversarial subagents to critique its work.
- PoC or GTFO
just because there is a mountain of security researchers out there who don’t know how to prompt/verify their work, doesn’t mean your project has to suffer in triage overhead
Who to follow
A CI/CD compromise like Trivy → LiteLLM can multiply across the software supply chain. We hardened zizmor, the static analyzer for GitHub Actions, so it reliably catches more workflow misconfigs. 🧵
.@obsdmd asked us to audit their Sync protocol. Our engineers delivered eleven findings.
Five went above and beyond the original scope and found system-level issues that weren't specific to Sync itself.
We see this pattern often with our clients. We respect scope as a delivery contract, but we have a professional obligation to surface what our engineers see.
Anything they catch is flagged, and the client decides what to do. When a finding warrants it, the report includes an Exploit Scenario, the path from observation to working exploit. We take an attacker's mindset, and exploit scenarios show our clients what a bug costs them.
With security-first teams like Obsidian, that meant five system-level findings that were either patched or explicitly acknowledged:
1. Math.random used for password and salt generation (High severity, medium difficulty)
2. Variable-time comparison of password-reset tokens and MFA recovery codes (High severity, high difficulty)
3. TOTP codes replayable within the validity window (High severity, high difficulty)
4. Plaintext storage of MFA secrets and recovery codes (High severity, medium difficulty)
5. Password reset without MFA (Medium severity, medium difficulty)
Dan Guido, the CEO and cofounder of security firm Trail of Bits and a strategic adviser to mobile security firm iVerify, says a stolen phone may only be worth $50 to $200 when it is locked. “But if you unlock it, it’s worth $500, or it’s worth $1,000.”
https://t.co/7Qxw5TRZlc
Senator Warren is wrong to call Tornado Cash a "service." It was immutable software that could never have been effectively sanctioned without full bans on publishing the blockchain. That's why it wasn't sanctionable and the Fifth Circuit agreed. 1/
Two new security audits of Obsidian Sync by @cure53berlin and @trailofbits are now available on our Security page.
All findings have been addressed via remediations and disclosures validated by the respective auditors. Read more:
https://t.co/7fC8f0w29S
A lot of people have been wondering about Mythos, Glasswing, and the vulns we / our partners are fixing. Today, I’m excited for us to start sharing more. (For context, I lead Glasswing @AnthropicAI.)
Two independent evaluations this week—from XBOW and the UK AISI—confirm what we've been seeing internally: Claude Mythos Preview is a step change in autonomous cybersecurity capabilities. We need to start preparing fast for a world of models with this level of capabilities.
The UK AI Security Institute tested the model we shipped at the launch of Project Glasswing and found Mythos Preview is the first model to solve both of their end-to-end cyber ranges, including one (Cooling Tower) which no model had ever cleared. But attackers (and defenders) have sophistication & cost constraints – Mythos is also the only model that clears every one of their tasks estimated over 8 hours under their deliberately low 2.5M-token cap.
XBOW tested it on their offensive security benchmarks, finding "token-for-token, unprecedented precision." It's the only model to succeed at subtle V8 sandbox work.
Other Glasswing partners shared similar stories. In a few weeks of testing, Mythos Preview has helped them find many thousands of (estimated) high + critical severity vulnerabilities, sometimes double what they'd normally find in a year.
I don't share this to boost Mythos. In fact, this is not about Mythos. It’s about preparing for the coming world of models being better, faster, cheaper, and more creative than some of the best human experts at dual use capabilities. Clearly, we need them supporting defenders as widely as can be done safely – and especially the least resourced ones.
Within a year, Mythos will probably look quite dumb (relative to other new models). And others may release openly available or unguardrailed models of Mythos-level capabilities.
We started Project Glasswing because capabilities like Mythos Preview's won't stay rare, or stay in careful hands. We are bringing it to defenders as fast as we responsibly can, while working to figure out, for example, the right safeguards and patching & disclosure processes.
Also, to be clear, compute has never been a limiter in our rollout.
Expect a fuller update on our Glasswing work in the coming days.
XBOW report: https://t.co/Mumtbf3kE3
UK AISI report: https://t.co/vBgqz0AeKJ
code is law in crypto, and as a consequence there was >$700m of exploits in the last couple of months. much of these stemmed from under (or un)audited smart contract code - particularly in relation to off-chain systems (1/3)
We're sponsoring @Offensive_Con in Berlin and sending a crew. If you're there for the AI bughunting training or the main conference, come say hi. https://t.co/JUpgtMEb0r
mewt 3.1.0 adds Sui Move support for mutation testing. @SuiDevelopers can now mutate source code and rerun tests. If your tests still pass, you have a coverage gap. https://t.co/fdVNKPDePW
🎙 For ep 400, @AnnaRRose brings back @danboneh — Stanford professor & one of the sharpest minds in crypto. They cover Google's quantum algorithm announcement, why rushing PQ transitions might be riskier than quantum itself, algebraic vs hash-based signatures, hybrid sig schemes, new ZK advances, and the Ethereum Foundation's $ 1M Proximity Prize. A milestone episode.
https://t.co/crVhKloGbn
30 readers took our C/C++ challenge. Some solved the Linux warmup, but nobody cracked the Windows driver bug. https://t.co/KqfmFXzb4I
VLC has 6B+ downloads. We spent five weeks reviewing libVLC, the C library at its core. 🧵
In our 12 years, Coin Center has never wavered.
We are here for the cypherpunk ethos of the 1990s internet.
For the pioneers, like Satoshi, who brought that ethos to money.
For your constitutional right to be left alone to develop and use crypto with dignity, freedom, and privacy.
We do not defend fake decentralization.
We do not defend the financialization or fiatization of Bitcoin.
We do not lobby the government to support, buy, or use the tech.
We are not here to pump your bags.
We keep it focused:
Research the law.
Educate policymakers.
Fight for safe harbors in Congress.
Demand clear rules from regulators.
Sue agencies when they overreach.
Good takes on the current state of software security inside 💪
https://t.co/7Cq3hsyvqy
Trailmark supports 17 languages. We're also releasing 8 Claude skills built on its API. On Ed448, one classified 73% of surviving mutants as equivalent. Flat lists can't see that. https://t.co/OCyOrpwP22
Vibe coding is changing how software gets built. But as AI agents write more of our code, the question security teams are asking has shifted from "Can AI build this?" to "Can I trust what AI builds?".
At Replit, we believe the answer has to be yes, not through blind faith, but through architecture. Every layer of the Replit infrastructure where customer code runs, from the development sandbox to the production deployment, is designed with defense in depth. The Replit platform itself, our control plane, is also implemented with these principles in mind. No single control is the last line of defense. Every layer assumes the one above it might fail.
This thread is a detailed walkthrough of how we think about security across the stack, written for the people who need to evaluate it: CISOs, security engineers, and teams considering Replit for production workloads. 🧵
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers