https://t.co/GCHBRqRqtQ just used a novel mitigation bypass technique to capture a Google kernelCTF flag autonomously.
We gave it the most hardened kernel mitigation target. It came back with root execution and a clean flag capture.
Blog post after the patch lands soon.
Does harness matter? It CAN matter, A LOT. For this you don't have to look any further than ARC-AGI 1 & 2 solutions. for example, in the attached example you can see how Poetiq used a custom harness to improve GPT-5.2x-high by almost 20%, which is a massive delta for ARC.
What many don't realize is that the underlying models people already use either already come inside strong task-specific inference scaffolds and aren't just "strong models", and/or were trained from data generated through harnessed pipelines: synthetic task generation, candidate solution generation, execution, filtering, verification, ranking, refinement, and then training on the surviving traces. This means the final model is not separable from the scaffolding that produced its data.
This doesn't mean a model, out of the box, on its first continuation of tokens, is as good as what it would've been if something like Claude Code didn't have a strong harness around it. A harness changes the effective computation: it controls decomposition, memory, tool access, search width, verifier feedback, retries, self-debugging, and how failures, etc get converted into new attempts. Strong models are often a result of good harnesses, and good harnesses are often the thing that produces the data that trains the next strong model. Harness discussions can mistakenly imply that harnesses don't matter, or that harnesses only make models worse by constraining them. Bad harnesses absolutely do. But the opposite is also true, a pipeline with high-quality search procedures, technical priors, verifier signals, introspection, tool access, and domainnspecific decomposition can materially change output quality. Recent Mozilla and Chrome stable updates are good examoles.
Not all harnesses are good. In fact most I've seen rly suck, especially on the opensource side of hacking. It's super sloppy. Just like there are tiers of hacking skill, there are tiers of workflows, search procedures, and taste in what to try next. The transferability of those process tiers into AI systems is not surprising. Harnesses IMO need to evolve as model capability goes up so they don't kneecap the model. They should be built around weaknesses: bad long-horizon planning, weak verification, poor state tracking, shallow search, lack of environment feedback, and top tier expertise etc. Strong harness + strong model = even better results.
Will this always be true? Likely, but it's hard to say. Especially if you're a researchy type of hacker or novelty researcher, harness can mean a lot of things and can dramatically improve searchspace outcomes. A good model is a learned prior over internet-scale traces, but the prior still has to be queried, structured, expanded, tested, and selected from. Not only how you query, but how you structure intermediate states, outputs, failures, retries, and verifier feedback will significantly influence the result, just like how one human's subconscious process leads to discovering HTTP Desync as a class while another's doesn't.
I think if you don't have a really good harness, and aren't extremely familiar with the technical skillsets or top tier, have unique thought processes, and reasoning patterns that positively affect output quality, then it often makes more sense to have zero harness than to add one for the sake of it, which actually will hinder it.
@albinowax@BlackHatEvents This is absolutely fantastic. We are thinking along the same lines!
Check our novel researcher announcement here:
https://t.co/M6rOYvRmqn
Very curious to see your finds! And the future is going to be VERY VERY exciting!
For people tweeting "cyber security is dead", are u ok? You think when everyone and everything is about to get hacked and the need for security goes through the roof, you think it's "dead" or "solved"? Bruh
what it highlights is that security has always been underresourced, not over. Sure your grandma became as good as a professional attacker by simply promoting an llm and that's, granted a scary base entry. What you might not realize is the real determined researcher type attackers just got 1000x more powerful than before. You no longer need to be 20 cracked researchers to zero click RCE an iPhone, you can be one of those guys who is great at one component to be able to build a full chain yourselves. What the mainstream realm seems to not realize is the people who were in the trenches finding the vulns we always knew where there driving these bots will find more mind boggling and complex vulns than your avg hacker. Always been true, will remain true. Look at Poetic, it used particular architrcute bn different LLMs with awesome scaffolding to get Gemini to be 3x better at ARCAGI2.
Hacking is not going anywhere. Hackers gonna hack. We gonna hack everything including the Mythos Preview, and other huge ais.
Another important thing to raise, esp for ppl who don't spend their time looking for complex bugs in hyper secure software is, different hackers have always found very very different vulnerabilities. In bug bounty, youd often have situations where after the most talented hackers hacked a program, and being open for years, some completely new guy no one has heard of will show up and RCE the program a million ways. And this happens daily. Sometimes it's because that person knows something the rest of the world doesn't, a quirk they figured how to exploit, perhaps a behavior or a zero day (which bounty programs don't often accept), but oftentimes it has nothing to do with that other than how different that person thinks and approaches problems. Their unique life experience.
People who have hacked for decade+ like me KNOW to the core of their heart vulnerabilities have ALWAYS been there in large numbers, and in large variety in every set of "secure" software known to man. We've always known it's a matter of time until we break any target, and picking from this buffet of targets to optimize for our time's ROI... Not bc we didn't think they aren't there, or that "15 year old code" would never be vulnerable. 15-20 year old code is exploited daily by hackers, just look at the Linux kernel or windows. It is not a metric of "impressive" - Bc what there always was is unique skills and minds, but not enough time to deploy said x thing into the world in mass, the illusion of being secure has existed. And tbh often pentests and red teams rarely needed new techniques or zero days.
These guys who were hacking with their own quirks, who can show up to mature programs and RCE it a new different way will use the same AI you use to find bugs but find radically different vulns than anything you will find. And there is nothing you can do about it other than cry to your bot. Remember there isn't a finite number of vulns to be found. The chances are there are infinite attack vectors, no I am not exaggerating or using hyperbolic words, it's what I truly believe after hacking for a while. So yes it isn't "solved" by any means, it means you will find ur simple "Claude find me vulns" bugs, and then someone will find something you couldn't even conceptualize, and after all that a bug bounty hunter (or their specialized agent) will show up and still hack you.
The need for cyber security innovation (not just bug finding) just went through the roof, not less. Time will show I am right that even after Mythos runs on ur code 20 times, you will be surprised you still got hacked. Someone who thinks hacking away or is just going through a list of checklist of known vulns has never met a hacker. And it shows!
🚨 ZERODAY: ImageMagick 🚨
Our autonomous pentester https://t.co/zHUcIkHqvr just dropped multiple zeroday chains in ImageMagick that achieve RCE and File Leak from a single .jpg or .pdf file, bypassing EVERY security policy (Default, Limited, AND Secure). 🤯
💥 Affects Ubuntu, Debian, WordPress & millions of servers globally. Happy Monday and Happy Hunting! 🥰
https://t.co/nNAvFAvPOx
This is insane! @Pwndotai has autonomously discovered an unauthenticated remote command execution vulnerability affecting over 70,000 servers. It found the entry point, developed the entire chain, created a proof of concept, iterated through the right issues and entirely on its own got a complex root RCE shell. Reporting to the affected vendors right now
Here is why foreign BTC miners in Ethiopia are a NET negative for BTC & the effects BTC would've had in the country without their presence.
1. All of them are not real bitcoiners. As glassnode clearly notes with onchain evidence, 90% of sellers that amplify the BTC bear market are BTC miners. If not for miners, BTC would never experiance bear markets. But when the cost of acquiring a single BTC is so low, not more than 20k$ - most of the BTC is profit for them. The particular miners in Ethiopia have managed to open the floodgates of low level & high level corruption in Gov offices, allowing them to acquire power at 0.02kWh. You are profitable in mining BTC if cost of power is <0.13kWh. They are spending ~20,000$ to acquire a single BTC - abt 80% of the ROI is often dumped in market.
2. While companies like RIOT & MARA are following the MSTR strategy by selling convertible bonds to acquire more BTC, BTC miners who are not real bitcoiners won't do that. Instead they acquire BTC to dump it on the market constantly. 2.5% of hashpower is a lot - & all of that dumped onto the market is even more fuel for amplifying a bear market.
3. Foreign BTC miners in Ethiopia are extremely corrupt. they were chased away from countries like Oman, China & Iran for overusing the grids & corruptly buying power from the grid that affected the population. Despite this, they didn't stop utilizing same strategy, & their constant mention of "stranded power" is a lie, a bunch of them have setup offices near big cities where the supposed power is taken from the population that suffers from power shortages daily.
4. When we started projectmano, 1USD was 25 ETB. Today? Its 139. We saw it coming a mile away. Our recommendation since 2019 (BTC was 15k) was: AS A GOV, monopolize & mine #BTC using stranded energy, Store as reserve, link to currency = easy. Strong ETB. Using this methodlogy Ethiopian gov could make 8-10bn$ in current BTC - more than enough money to close the trade deficent & reverse inflation on ETB. Our proposal is public on https://t.co/Rr20QHcPWO - it is by patriot Ethiopians who are tired of seeing the rise of ethnic fingerpointing & civil violence as resources are depleted out of the country.
5. Instead - by selling power to corrupt BTC miners, Ethoipia has only made 55m$ for over 600MW of power. That is more power than what it took to train GPT4 - the most advanced languge model to date. Its market value is more than 250m$ - if used to mine BTC, would've yileded enough to stop the agony of the Ethiopian people by generating billions of $. we are talking billions of $ OR 55m$ for 2.5% of the BTC network.
6. & Worst of all, beyond telling & convicing the GOV mining & holding BTC in reserve as a bad idea, they went as far as lobbying the GOV to not allow locals to mine BTC. to ONLY ALLOW FOREIGNERS to mine BTC. There is no basis to this rule other than extreme greed. Even greedy people have limits, where they take what they need & still allow others to prospher for peaceful cohabitation. we dont think its just greed - its EVIL. to work extra hours, lobbying gov officals to say "Ethiopians & Ethiopian gov should not mine BTC but allow us to... with less than optimal pricing - so we could dump it on the market". Stealing opportunity that could have been used by all Ethiopians to change their lives.
So as you can see, as @duczko said " nobody makes any money from exploiting the Ethiopian energy other than foreign BTC miners & corrupt Ethiopian politicians" - & its time the public knows this. its time the BTC community understands this before prasing mine videos they see out of Ethiopia. Its time we kick these miners out & use BTC for who its meant for: poor countries with energy grids to bypass the industrial phase. Our #1 enemy is not just corruption but corrupt foreign BTC miners. & we want them out. Please share to amplify pressure & save a generation from war & poverty & use BTC to actually change a country with a population of 100+M.
New blog alert! 🚨 Delve into an intriguing browser based web attack vector I stumbled upon that is widespread and can be used to perform ATO. I call it Cross Window Forgery. 🫧🌊🌪️🌀
https://t.co/0bXTyl2JVH
This CSP bypass technique utilizing SOME attack went under the radar but allowed for a novel way to defeat CSP with only A-z,. characters & windows. Another interesting fact of the specific issue is, WordPress remains vulnerable to this day and affects all WordPress sites (49% of the internet)
The technique was nominated for Top Web Hacks for 2022 by @PortSwigger.
You can read how it works on our blog: https://t.co/ApK22DJZ0H