I’ve had a number of conversations with folks inside and outside government about the current situation with Anthropic, and here is what I believe to be true:
— As we know, Anthropic publicly released its Mythos class models earlier this week under the commercial name Fable.
— Fable is Mythos with guardrails. But if those guardrails fail, then you’ve exposed Mythos and its advanced cyber capabilities to people who shouldn’t have them. (Keep in mind that Anthropic itself widely promoted the idea that Mythos was a cyberweapon and needed to be regulated as such. They asked for government regulation of Mythos and championed the guardrails on Fable. If there is a vulnerability — big or small — it is Anthropic’s responsibility to patch.)
— A highly credible trusted partner of both Anthropic and the USG who was testing Fable came forward with a jailbreak of those guardrails. The Admin asked Dario to fix the jailbreak or de-deploy the model. Dario refused.
— In their blog post, Anthropic defended its decision by saying the jailbreak isn’t serious. That is not what the trusted partner and the USG believe; nor is that kind of minimizing language consistent with Anthropic’s brand as the AI safety company. It’s difficult to fathom how they could claim a jailbreak allowing operability of a cyber weapon could be defined as not “serious.”
— In the past, Anthropic has always said that safety must be top priority and taken super seriously. In this case, Anthropic prioritized the continued offering of the consumer model over safety.
— In reaction, the Admin issued the export control. The Admin did this reluctantly. It’s been very surprised that Anthropic hasn’t wanted to cooperate with a reasonable safety request (i.e., fixing the jailbreak issue). Anthropic’s reaction is very much at odds with their branding and ethos as a safe AI research community.
— The Admin’s hope now is that Anthropic remediates the safety issue, the export control is lifted, and Fable goes back into general release. The Admin wants all of this to happen as soon as possible. It is frankly bewildered that Anthropic hasn’t wanted to comply with safety requests that it previously said were its highest priority.
— Those trying to misdirect and tie this action to the prior DoW/Anthropic issues are wrong. The Admin values Anthropic’s technical capabilities and feels that this issue, while serious, should be easily resolved. The ball is in Anthropic’s court.
🎉 #HackDef CTF turns 10! We've put together a photo gallery spanning 2017–2025: https://t.co/TbYW9UySUJ
Here is a short video recapping the whole journey: https://t.co/wwqFq3HZGo
#CTF #Mexico #Community #Cybersecurity
Cyber Security 101 (SEC1) certification is live! 🚀 A hands-on certification built to show you actually understand the fundamentals. So stop saying you know the cyber fundamentals and start proving it.
And to launch it properly…🎁 We are giving away 500 FREE SEC1 certification attempts!
🔁 Share this post
📝 Fill in the form: https://t.co/uNaxplMD71
🏆 Get Certified
🖇️ Learn more about SEC1 here: https://t.co/hJYUyI4V9a
I just completed Introduction to Cryptography room on TryHackMe. Learn about encryption algorithms such as AES, Diffie-Hellman key exchange, hashing, PKI, and TLS. https://t.co/g98u02bksY #tryhackme via @tryhackme
🔓 Google/Mandiant released Net-NTLMv1 rainbow tables that enable cracking password hashes in under 12 hours using consumer hardware.
🔗 Learn more here → https://t.co/YNLx41xxJX
We are kicking off 2026 with a new schedule of webinars, completely free and delivered by the team at @KnowBe4, a leading global company in cybersecurity awareness and training. 🚀
🇲🇽 We present the first one: "Decoding Mexico's National Cybersecurity Plan: From Compliance to Excellence", given by Rafael Peruch - CISO Advisor and LATAM Sales Architect at KnowBe4, and Elena Fraga - Account Executive at KnowBe4.
🤓 For the first time, Mexico will have a National Cybersecurity Strategy and an upcoming General Cybersecurity Law, creating a unified framework to standardize responses to cyber threats at all levels of government. This regulation requires not only documented cybersecurity plans but also the implementation of awareness programs that demonstrate measurable effectiveness.
In this exclusive webinar, we will discover how to turn regulatory challenges into opportunities to truly strengthen your security posture. We will analyze the critical points of the new law and why security awareness training has evolved from "nice to have" to a mandatory compliance requirement. ✅
🎯 We will learn how to demonstrate training effectiveness to auditors: detailed reports and metrics, intelligent automation for continuous compliance, and proven ROI in similar organizations, with real cases from Latin American companies.
💻 Via Zoom
📆 Monday, January 19
🕔 19:00 ARG | 16:00 MEX
📌 It will be held live only, and a certificate of attendance will be given to attendees.
Register for free! 🔥 >> https://t.co/kyPqGKgJJh
I just completed Systems as Attack Vectors room on TryHackMe. Learn how attackers exploit vulnerable and misconfigured systems, and how you can protect them. https://t.co/tGuYj18LBN #tryhackme via @tryhackme
I just completed Humans as Attack Vectors room on TryHackMe. Understand why and how people are targeted in cyber attacks and how the SOC helps defend them. https://t.co/bA6k5RllH7 #tryhackme via @tryhackme
Sorry, @Telcel, but I will not be quiet until you report with full transparency. Your site puts millions of people at risk and you must think of them, not your public image. 👇
I just completed SOC Role in Blue Team room on TryHackMe. Discover security roles and learn how to advance your SOC career, starting from the L1 analyst. https://t.co/ljTHPRvZaQ #tryhackme via @tryhackme
📵 | Another vulnerability found in @Telcel's registration platform: unlimited spam can be sent
The developer and cybersecurity specialist @tylerwolfx detected (and documented with evidence) a serious flaw in the design of @Telcel's platform.
🔎 The problem allows abuse of its own infrastructure to run SMS bombing campaigns, that is, to flood phone lines en masse without the system triggering alerts or blocks.
In simple terms: if a platform allows sending up to one million SMS messages without throttling the user, it is not only badly designed, it is leaving the door open to systematic abuse of resources, with real costs in money, infrastructure and possible impact on third parties.
All of this is still being documented, since we know the company will insist it is false...
🚨 CVE-2026-21858 (NI8MARE): Critical unauthenticated RCE in n8n (CVSS 10.0)
Attackers can execute system commands without authentication. PoC is public.
📊 Censys observes 26,512 exposed n8n hosts.
✅ Patch: upgrade to 1.121.0+
🔒 Restrict or take offline if internet-facing
🔗 Track exposures → https://t.co/afJt2qcqrl
#infosec #CVE #n8n #RCE
🚨 Another CVSS 10.0 n8n vulnerability disclosed.
Researchers found another critical flaw (CVE-2026-21858) in n8n that lets remote attackers take full control with no authentication required.
The bug abuses Content-Type handling in form webhooks to read local files, steal secrets, forge admin sessions, and achieve RCE.
🔗 Details here → https://t.co/eSeZax7Knl
I just completed AWS Security - S3cret Santa room on TryHackMe. Learn the basics of AWS enumeration. https://t.co/f4seruoIu7 #tryhackme via @tryhackme