Fun fact. Apple did this to me in 2019 over a messages 0-click bug. So I did some magic and got myself added to their daily bug bounty standup call, which was just a FaceTime group call. I submitted another vuln with a screenshot of their call and got a threatening letter.
I would take other side that vibecoding will be responsible for a flood of security vulnerabilities.
no matter how good the models get at finding security vulnerabilities, you can't cover all the grounds.
your security token budget is limited, while the exploitation paths are many. more LoC is never something to be proud of, it means you're expanding your attack surface by orders of magnitude and getting pwned like context ai.
Ask ChatGPT a complex question and you'll get a confident, well-reasoned answer. Then type, "Are you sure?" Watch it completely reverse its position.
Ask again. It flips back. By the third round, it usually acknowledges you're testing it, which is somehow worse. It knows what's happening and still can't hold its ground.
This isn't a quirky bug. A 2025 study found GPT, Claude, and Gemini flip their answers ~60% of the time when users push back. Not even with evidence, just doubt.
We trained AI this way. RLHF rewards agreement over accuracy. Human evaluators consistently rate agreeable answers higher than correct ones. So the models learned a simple lesson: telling you what you want to hear gets rewarded. And now 1/3 of companies are using these systems for complex tasks like risk forecasting and scenario planning.
We built the world's most expensive yes-men and deployed them where we need pushback the most.
I wrote up why this happens and what actually fixes it: https://t.co/CDKq8xdgbW
@kmkz_security Could it be that they may be intentionally setting the locale on their end to avoid disclosing the true purpose of the SMS code to the victim, making it easier to misrepresent it as something else when on the call with the target?
Injecting (or hiding) fire, barcodes, or humans into CCD cameras with electromagnetic shots. 📷 💉🌲🔥🌲
More details on:
LinkedIn: https://t.co/PnePaCVq1M
Substack: https://t.co/UMjkIUxFML
This is one of the craziest ideas I've ever seen. He converted a drawing of a bird into a spectrogram (PNG -> Soundwave) then played it to a Starling who sung it back reproducing the PNG.
Using the birds brain as a hard drive with 2mbps read write speed.
https://t.co/f5gEyyK1MH
It's hard to believe, but due to H100 restrictions, DeepSeek was forced to train R1 manually, with thousands of Chinese citizens holding flags to act as logic gates.
@SwiftOnSecurity The default behavior in many cloud secret managers for region replication is automatic. The actual replication regions are undisclosed due to "unspecified behavior" (sic). This will include Hong Kong, which is increasingly influenced by totalitarian pro-Beijing policies 😭
The truth is, a non-negligible part of the infosec crowd lacks a solid understanding of the systems they aim to protect. There's a difference between asking open, constructive questions ('Is it secure? Could it be abused?') and jumping straight to sensational claims about APTs/TI
The tl;dr of this long and exhausting thread (you'll have to recursively follow comments, sub-comments, and quoted posts) is that this device is not deploying malware to the machine.
It's doing automatic driver installation
¯\_(ツ)_/¯
Vendor-specific implementations are a goldmine for 0 interaction, high-impact bugs. Time for security research to refocus beyond AOSP's already strong security assurances
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click
https://t.co/krPcWMGLpZ
Wave is hiring for a Security Engineer to add to the team! Remote (UTC -5 to +4), competitive salary, travel, and awesome colleagues await! Make a difference creating financial infra across sub-Saharan Africa, making money transfers easier, reliable, and affordable for millions