In 2021 I put together this slide deck on Detection Engineering and Detection & Response roles
I re-read it today and honestly, it still holds up pretty well. I haven’t checked yet if it needs small updates, but the core ideas are still relevant.
What changed since then: Detection Engineering is much more widely understood as an actual role now (finally). And I think most teams also learned that proprietary, opaque detection content won’t get you very far.
Open and transparent rules win. #YARA #Sigma
Elastic has been pushing this in a very good way, and Splunk has also moved a lot in the right direction with more transparency and open standards around detections.
Slides (PDF):
https://t.co/LKp7r33Aip
Related post on turning detection ideas into rules:
https://t.co/tjtf1iJ1VU
Hello,
I added more malware and more malware papers to the website most of you don't even realize this Xitter page is about (I collect malware source code, samples, and papers).
Big updates:
https://t.co/HDTpR7UxxK
> be nerds
> look into persona (used by discord)
> kyc (know your customer) service
> used for age verification
> search on internet (shodan)
> find weird server
> image 1
> openai-watchlistdb.withpersona
> openai-watchlistdb-testing.withpersona
> lolwtf
> look inside
> supposed to be behind cloudflare to hide ip
> openai messed up
> not behind cloudflare
> real ip shown
> using google cloud
> lookup cert history
> 2023-11-16 created
> 2024-02-28 gets cert
> 2024-03-04 prod goes live
> google stuff
> openai and persona partners
> partner around timeline of certs
> back to searching stuff
> find withpersona-gov
> look inside
> okta (image 2)
> lolwtf
> look inside
> website accidentally leaking stuff
> fedramp-private-backend-api
> look inside
> api .js accidentally exposed
> look inside
> wtf "SARInstructionsCard"
> wtf "app.onyx.withpersona-gov"
> wtf "FINTRAC"
> wtf "PrivatePartnershipProjectNameCodes"
> image 3
> wtf "AsyncSelfie"
> look inside
> openai, persona, send data to us gov
> feds map face to financial records
> map face using AI
> map face to ICE stuff
> api stores data for lots of stuff
> image 4
tl;dr persona kyc and openai are frens, using your selfie for verification and sending to ICE (or USGOV in general), using AI to tie to your financial records. see subsequent post for full write-up. it's long and not mobile friendly
nerds were goofing around on the internet and accidentally found mass surveillance technology owned by openai, persona-id, and working with the us gov
guess i gotta do a tl;dr on this mfer
We are looking for GPUs, notably GeForce GTX 800/900, AMD R300/R400 and Intel GPUs.
We are looking for computers & laptops running Vista/7.
Of course modern GPUs are welcome too :D
By the way, if you're on a job search, were laid off, or cannot afford an iximiuz Labs subscription for any other reason, but need it to study or prepare for interviews, do reach out. I'm always happy to provide free temporary access for folks in need. Only expect honesty in return.
Was surfing the internet and found some kid who is sharing his malware proof-of-concepts online. His work is primarily recycling and recreating existing techniques for him to study or to demonstrate the ideas to others.
Is his code good? No, God no. It is littered with errors, poor naming conventions, and extremely dangerous control flow. I love him for this, unironically.
This kid having bad code shows he isn't using AI to work. He is legit. He is putting himself out there, demonstrating what he can do (or can't do), and showing he isn't afraid to get criticized.
I love seeing people grind and put in the work. It's the pain that makes you good. Taking shortcuts doesn't achieve anything.
I don't know if he is on social media stuff, but you're doing good stuff, "CaptMag". Keep putting in work. You'll go far. I see you, gang.
When we made TorGuard in 2012 we had one mission: make a VPN company with the most confusing, misleading, and poorly advertisable name in history.
Our company name is short for TorrentGuard.
Guess what everyone thinks it stands for?
In 1944 the U.S. War Department made a training film explaining Frequency Modulation for battlefield communications.
Oscilloscopes. Hand-drawn diagrams. Pure first principles.
It teaches FM clearer than most modern EE courses.
The open source incentive model completely broke. And it wasn't because of AI.
Up until about 2021, hyperscalers like AWS, VMware, Red Hat, Microsoft, Google, etc. had been pouring massive engineering resources into open source and supporting their internal open source program offices.
It made sense! You wanted a Kubernetes cloud offering? You needed to be a presence in the open source k8s ecosystem and contribute back. You wanted a stable and secure Linux kernel or libcurl? You had kernel engineers on staff whose only job was being on Linux mailing lists and contributing upstream. You use NumPy and PyTorch in your product's models? You had upstream Python contributors pushing features and improving the ecosystem.
For companies, you sort of had no other choice: your competition was doing it and it was the most proactive way to be informed on upcoming CVEs, move features you needed forward, and help drive the direction of your products that deeply integrated with upstream projects.
For individuals, if you had a few solid contributions into a big project, this basically guaranteed a great job. In interviews, all you really had to say was "I maintain xyz in this really big project", show off those PRs, and they'd hand you a job.
For projects, this meant they could sustain themselves, actually track big features from the community, and scale. I know of very few large projects that were able to grow without help from an engineering org.
It was all win-win-win.
Until hyperscalers decided it was too expensive and closed their open source program offices and laid everyone off: they broke the delicate balance in open source.
Surprise surprise, this wasn't because of AI, it was because interest rates in 2021 went up, money became expensive again, and hyperscalers felt they couldn't afford engineers not working directly on the bottom line. The punch line here is that those deeply ingrained projects in your products might not BE the bottom line, but they sure as heck AFFECT the bottom line.
Now, we're in a world where slop AI PRs are everywhere as people cling to the old incentives, there's a 9.8 CVE every other week, people aren't getting hired, projects are shutting down or closing themselves off from outside contributions, and companies don't give back, they only consume.
Just look at Kubernetes nginx ingress: an ingress that for years and years was the de facto way to stand up ingress on a cluster. It's being retired because Cisco doesn't want to give back anymore and there's no one else stepping up to maintain it. The alternative is Kubernetes ingress gateway, an abstraction that's much more tightly knit to a cluster provider's ingress gateway product and much more difficult to adopt. I can only imagine the thousands and thousands of clusters and companies now left holding the nginx bag scrambling to figure this out.
Big projects also figured out the contributor pipeline years ago before AI coding agents emerged: spam and garbage in open source is nothing new - this is the internet after all - I still remember the first time someone told me to go f myself on GitHub and submitted a PR that deleted all my contributions! Very fun!
We didn't need "vouch" or "turn off PRs" because we had process: you wanted to contribute? Join the Slack, sign the CLA, show up to the SIG meeting, cut an RFC, review other contributions, comment on issues, make a PR, actually be an informed member of the community.
In my personal opinion, I see this as a massive failure on the side of the tech industry:
1) hyperscalers lack of vision: free and open source is not just the core backbone of basically everything in tech, it's the lifeblood of every single tech company. Just try to name a company where they went and built everything in house from the ground up: you can't.
The 2010s were a very weird and magical period where instead of competing in a closed off market, large tech companies entered into "coop-etition" where they worked together on huge projects that benefited everyone! The beauty of it was that there was no other way to build projects at such scale: we would not have Docker, Kubernetes, OpenTelemetry, PyTorch, vLLM, or React without coop-etition!
Instead, today, companies are worried about what their stock ticker will look like next quarter, not how their product will work next year.
2) hyperscalers lack of morals: free and open source software is first and foremost about "freedom": the freedom to do with it what you want, the freedom to fork it, the freedom to inspect and study it, and the freedom to use it.
Software, by its very nature, is infinite: there is absolutely zero economic cost to copy a piece of software from one computer to the next. But instead of leaning into these principles and building more sustainable businesses around real economic value in software, big companies are closing up shop at the grand OSS bazaar: they feel that they can compete in a closed off market while still consuming open source.
3) hyperscalers risky bet on the future: maybe the biggest failure of all, big companies are placing their bets on AI systems continuing to get better and better.
As projects see their contributor and maintainer pipelines dry up, CVEs abound, and important projects get abandoned or close themselves off, hyperscalers hope that they can eventually spin up a team of bots to maintain the bits they need internally.
Hilariously, this is something that big tech has been trying for years and years: I still remember looking at the internal VMware mirror of Kubernetes and seeing the graveyard of rejected internal patches in an attempt to automate various bug and security fixes. Soft forks like this almost never work.
But still, maintaining software at scale isn't really about the code: it's actually a very human effort. It's about collaboration, communicating and sharing ideas, giving back to the greater good, and sharing in an ideal. Hyperscalers only see the bottom line this quarter. And I do believe eventually the buck will drop and they'll have no other choice but to re-open their open source program offices and re-engage in the grand OSS bazaar.
I found a vulnerability in Oracle VirtualBox (CVE-2026-21957) back in September 2025. It can be turned into AAR/AAW, and then escaping the VM is pretty easy.
I originally planned to find a vulnerability for Pwn2Own, but since I found the vuln in September, sitting on a practical vuln for that long didn’t feel very ethical, so I eventually reported it to ZDI. But I still finished the exploitation + demo video as practice.
I've updated my personal website https://t.co/WexX8ukeXy.
I've added new ways to do the following:
- CaplockString
- CopyMemory
- StringCompare
- StringConcat
- StringLength
- ZeroMemory
You're probably thinking, "why do i give a fuck about this? this all standard crt stuff". The answer is: "idk lol". I like exploring different ways to do things. It is interesting to me.
I'm currently working on a way to download files from a remote host using NdrClientCall3 (RPCs with IBackgroundCopyJob) and ended up falling down a weird rabbit hole.
Maybe you'll find it mildly interesting, maybe you're rolling your eyes because it is kind of goofy to find seven different ways to zero fill a buffer.
But is it goofy I have 18 different ways to hash a string? Yes, it is still goofy, but I admire it for some reason.
Cheers,
This is really cool. I like this code, proof-of-concept, and paper A LOT.
Basically he is modifying the raw bytes of .LNK files (Windows shortcuts) to make them perform malicious actions while also operating correctly as a .LNK file. When examined by the user they will appear completely legitimate, but they are not.
This is really, really, really cool. This is a great malware technique. I can't recall the last time I read anything on .LNK files being abused in this manner. Historically they're "hijacked", not modified at the byte level.
My only criticism is he wrote this proof-of-concept in Python (not C or C++, like a gangster).
Excellent work.
Folks, iximiuz Labs needs your help. I heard it - no one likes subscriptions. So the lifetime option is back. And the cheaper playground-only and content-only plans are also available. But the only way for me to continue working on the platform is the ongoing community support.
Yeah, so pretty much that whole Windows 11 Notepad RCE thing was ridiculously stupid. Like, it was so dumb it kind of hurts.
Windows 11 Notepad, with the fancy Copilot AI slop, now possesses the ability to handle mark up, or markdown, ... It's mark something, the stuff used in ReadMes. Whatever.
Anyway, a security researcher realized that if you used markup in Notepad and instead of a hyperlink to a website with https:// you put file:// (the protocol on Windows for files, like in file explorer), it will arbitrarily execute it. It won't prompt you.
Furthermore, he realized you could specify a remote host to execute it from using a different Microsoft specific protocol used for app installation. In other words, if a user clicked the hyperlink in Notepad it would download and run a program from any website ... without alerting the user.
Normally, any sort of hyperlink that leads to a different domain, or tries to execute a file, is supposed to prompt you with an alert message, ... or something. However, Microsoft software engineers seemingly forgot to implement this notification window.
With this attack vector which has been present for AT LEAST 9 months, a malicious actor could send a .txt file and if the user clicked the link inside the .txt file it would automatically execute and run anything specified in the hyperlink.
Even more silly, forensically under the hood, the logs on Windows, or to an anti malware service, it would look like Notepad was downloading something and then running a program. This is a very unique scenario which (to the best of my knowledge) no security product has encountered before. This could hypothetically result in files being downloaded and executed and being completely ignored by anti malware services because Notepad is a known and trusted program. Why would an anti malware service question Notepad?
Basically, the point I'm trying to get to here is that I don't understand why Microsoft has introduced so many new features into Notepad. New features mean a new attack landscape (more stuff to abuse).
Whatever man
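The forensic footprint the post describes (Notepad spawning a process, Notepad reaching out to the network) is exactly what a detection can key on. The following is an added example written for this page, not code from the post's author or from any security product: two heuristics over constructed Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) records. The WindowsApps package directory, the hostnames and the command lines in the sample log are made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the fields the rules read from a Sysmon-style record
// (Event ID 1 = process create, Event ID 3 = network connect).
type Event struct {
	EventID             int    `json:"EventID"`
	Image               string `json:"Image"`
	ParentImage         string `json:"ParentImage"`
	CommandLine         string `json:"CommandLine"`
	DestinationHostname string `json:"DestinationHostname"`
}

type Alert struct {
	Rule     string
	Severity string
	Event    Event
}

// lolbins are interpreters and loaders an attacker would chain behind a link click.
var lolbins = map[string]bool{
	"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true, "mshta.exe": true,
	"wscript.exe": true, "cscript.exe": true, "rundll32.exe": true, "regsvr32.exe": true,
	"msiexec.exe": true, "certutil.exe": true, "bitsadmin.exe": true,
}

// browsers are the expected children when a user clicks an ordinary https:// link.
var browsers = map[string]bool{"msedge.exe": true, "chrome.exe": true, "firefox.exe": true}

// baseName returns the lower-cased file name of a Windows path.
func baseName(p string) string {
	p = strings.ReplaceAll(p, "/", "\\")
	if i := strings.LastIndex(p, "\\"); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

func isNotepad(p string) bool { return baseName(p) == "notepad.exe" }

// Evaluate applies two heuristics and returns one alert per matching event:
//  1. notepad.exe as the parent of a new process: high if the child is a LOLBin,
//     low if it is a browser (a plain https link handed to the default handler).
//  2. notepad.exe opening an outbound connection. Windows 11 Notepad's Copilot
//     features do talk to Microsoft endpoints, so baseline those before deploying.
func Evaluate(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		switch {
		case e.EventID == 1 && isNotepad(e.ParentImage):
			sev := "medium"
			child := baseName(e.Image)
			if lolbins[child] {
				sev = "high"
			} else if browsers[child] {
				sev = "low"
			}
			alerts = append(alerts, Alert{Rule: "notepad_child_process", Severity: sev, Event: e})
		case e.EventID == 3 && isNotepad(e.Image):
			alerts = append(alerts, Alert{Rule: "notepad_network_egress", Severity: "medium", Event: e})
		}
	}
	return alerts
}

// ParseEvents decodes newline-delimited JSON records, skipping blank lines.
func ParseEvents(ndjson string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// SampleLog is constructed telemetry (paths and hosts are placeholders): a benign
// launch from Explorer, a link click that opens a browser, a download, and a LOLBin
// spawned by Notepad.
const SampleLog = `
{"EventID":1,"Image":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_x\\Notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"Notepad.exe readme.md"}
{"EventID":1,"Image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","ParentImage":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_x\\Notepad.exe","CommandLine":"msedge.exe https://example.com/"}
{"EventID":3,"Image":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_x\\Notepad.exe","DestinationHostname":"files.example.net"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_x\\Notepad.exe","CommandLine":"cmd.exe /c payload.cmd"}
`

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Evaluate(events) {
		fmt.Printf("[%s] %s: %s -> %s %s\n", a.Severity, a.Rule,
			baseName(a.Event.ParentImage), baseName(a.Event.Image), a.Event.DestinationHostname)
	}
}
```

The parent/child check is the robust half: Notepad has no reason to create processes, and the link click described in the post cannot avoid doing so. The network check needs tuning against Copilot traffic, which is why it carries only medium severity here.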
Just released a new tool that scans for Bluetooth devices including Bluetooth Low Energy (BLE) devices. It will scan for all, filtered by MAC, or if you have the Identity Resolving Keys (IRK), can be used to determine the Resolvable Private Address (RPA).
Works on macOS, Windows, and Linux.
https://t.co/4ws9eSaZvn
#TrustedSec #BinaryDefense
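Resolving an RPA against an IRK is a short computation, so here it is as an added example (written for this page, not the tool's own code). A resolvable private address is 24 bits of prand (top two bits 01) followed by 24 bits of hash, and the hash is ah(IRK, prand) from the Bluetooth Core Specification (Vol 3, Part H, section 2.2.2): AES-128 of the zero-padded prand under the IRK, keeping the low 24 bits. The IRK and first address below are the spec's own ah() test vector (prand 708194, hash 0dfbaa); the other two addresses and the device name are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ah is the random-address hash function: AES-128 encrypt the 24-bit prand,
// zero-padded on the left to 128 bits, with the IRK as key, and keep the
// least significant 24 bits of the ciphertext.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // a 16-byte key is always valid for AES-128
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // r' = padding(104 zero bits) || prand
	block.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:])
	return h
}

// parseAddr parses "70:81:94:0D:FB:AA", most significant octet first, which is
// how scanners print addresses: prand is octets 0..2, hash is octets 3..5.
func parseAddr(s string) ([6]byte, error) {
	var a [6]byte
	parts := strings.Split(s, ":")
	if len(parts) != 6 {
		return a, errors.New("address must have 6 octets")
	}
	for i, p := range parts {
		b, err := hex.DecodeString(p)
		if err != nil || len(b) != 1 {
			return a, fmt.Errorf("bad octet %q", p)
		}
		a[i] = b[0]
	}
	return a, nil
}

func parseIRK(s string) ([16]byte, error) {
	var k [16]byte
	b, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
	if err != nil || len(b) != 16 {
		return k, fmt.Errorf("IRK must be 16 hex bytes: %q", s)
	}
	copy(k[:], b)
	return k, nil
}

// isRPA reports whether the two most significant bits are 0b01, the marker for a
// resolvable private address (Core Spec Vol 6, Part B, section 1.3.2.2).
func isRPA(a [6]byte) bool { return a[0]&0xC0 == 0x40 }

// resolves recomputes ah(irk, prand) and compares it with the hash half of the address.
func resolves(irk [16]byte, a [6]byte) bool {
	if !isRPA(a) {
		return false
	}
	var prand [3]byte
	copy(prand[:], a[0:3])
	return ah(irk, prand) == [3]byte{a[3], a[4], a[5]}
}

// ResolveScan maps each scanned address to the identity whose IRK resolves it.
// Addresses that are not RPAs, or that no IRK resolves, are absent from the result.
func ResolveScan(irks map[string]string, addrs []string) (map[string]string, error) {
	out := map[string]string{}
	for _, s := range addrs {
		a, err := parseAddr(s)
		if err != nil {
			return nil, err
		}
		for name, k := range irks {
			irk, err := parseIRK(k)
			if err != nil {
				return nil, err
			}
			if resolves(irk, a) {
				out[s] = name
				break
			}
		}
	}
	return out, nil
}

func main() {
	// IRK from the spec test vector; device name is a placeholder.
	irks := map[string]string{"spec-vector-device": "ec0234a357c8ad05341010a60a397d9b"}
	scan := []string{
		"70:81:94:0D:FB:AA", // RPA generated from the IRK above
		"70:81:94:00:00:01", // RPA-shaped, but the hash does not match
		"C4:12:34:56:78:9A", // static random address (top bits 11), never resolvable
	}
	res, err := ResolveScan(irks, scan)
	if err != nil {
		panic(err)
	}
	for _, s := range scan {
		if name, ok := res[s]; ok {
			fmt.Printf("%s resolves to %s\n", s, name)
		} else {
			fmt.Printf("%s does not resolve\n", s)
		}
	}
}
```

The security point is the other direction of this function: without the IRK the hash is unlinkable across rotations, but anyone holding a device's IRK (a bonded peer, or an attacker who has extracted it from one) can recognise that device in every scan no matter how often it rotates its address.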