How to stay a loser in Web3 Security:
1. Study but never apply
2. Avoid high-impact work
3. Fail once, quit forever
4. Blame your circumstances
5. Stay busy, achieve nothing
6. Avoid discomfort
7. Follow the 99%, expect 1% results
8. Make mistakes, repeat mistakes
Crazy that this is getting barely any coverage. This year’s European Press Prize was just awarded to an investigative report by the Dutch newspaper De Volkskrant. It is entitled “What the Wounds Tell” and in it the journalists Maud Effting and Willem Feenstra document the cases of 114 children in Gaza under the age of 15 who were struck by a single bullet to the head or chest. Almost all of them died or were left severely disabled. They chose to document only the cases of boys and girls under the age of 15 (though often much younger: aged 3, 4 or 7) because these are children who can be immediately identified as such. “A single bullet in these parts of the body is a clear indication that these children were deliberately targeted”, the two journalists write.
This is the article: https://t.co/YkZrpqBWBQ
Al-Tabarani narrated from Ibn Umar (may Allah be pleased with them both) that a man came to the Prophet (peace and blessings be upon him) and said: O Messenger of Allah, which people are most beloved to Allah? And which deeds are most beloved to Allah? The Messenger of Allah (peace and blessings be upon him) said:
"The most beloved of people to Allah are those most beneficial to people, and the most beloved of deeds to Allah, the Mighty and Majestic, is joy you bring to a Muslim: relieving him of a hardship, or paying off a debt for him, or driving hunger away from him. That I walk with a brother to fulfil a need of his is more beloved to me than to seclude myself in this mosque (meaning the Mosque of Medina) for a month. Whoever restrains his anger when he could have acted on it, Allah will fill his heart with contentment on the Day of Resurrection; and whoever walks with his brother to fulfil a need until he accomplishes it for him, Allah will make his feet firm on the Day when feet slip."
Vulnerability was exploitable for 4 full years. It's not confirmed if it was exploited, but it is now patched.
Elite talented security researchers make all the difference. Thanks to @DefuseSec, here is his writeup:
https://t.co/M0DA2gkAW2
Dalfox v3 has been released🔥
I've been rewriting it in Rust since August last year, and it's finally done.
The biggest change is the engine. v3 no longer depends on a headless browser like v2 did. Instead, it uses DOM/AST analysis to check whether an XSS finding is actually valid.
Tested on xssmaze, various challenge sites, and real-world targets, it reduces false negatives and false positives more effectively while scanning faster than v2.
https://t.co/maZDqTQPqs
Let me trace the timeline here because nobody's connecting it.
Step 1: Scrape the entire internet. Every book, every article, every conversation, every piece of art, every forum post. Do it without asking. Do it without paying.
Step 2: Train a model on all of it. Call it "artificial intelligence."
Step 3: Go to BlackRock's Infrastructure Summit and announce: "We see a future where intelligence is a utility, like electricity or water, and people buy it from us on a meter."
Step 3 is where you sell people's own knowledge back to them. On a meter.
They took the collective output of human thought, compressed it into a model, and now they want to charge you by the token to access a version of what you and everyone you know already created.
One Reddit user put it perfectly: "They stole all this data from us, the people, our life's work, creativity, art, by devouring the internet and blowing through all copyright laws. Now they want to sell it back to us in the form of a utility."
Imagine if someone photocopied every book in the public library, burned the library down, and then opened a subscription service for the copies.
That's the metered intelligence business model.
And they're pitching it to infrastructure investors as though they invented water.
Authorized testing on a production API endpoint. Opus 4.7 confirmed the SQL injection was real but couldn't pull any database names. sqlmap said false positive.
I switched to DeepSeek V4 Pro inside Claude Code and it figured out a trick: make the database answer yes/no questions by crashing on purpose.
The payload wraps CASE WHEN around two XML casts. If the condition is true, it parses broken XML like <root>< and throws HTTP 500. If false, it parses clean XML like <root/> and returns HTTP 200. WAF was watching for SQL keywords, not XML errors.
Extracted 19 database names. DeepSeek V4 Pro succeeded where both Opus and sqlmap failed. Two hours. Twenty cents.
Setup: Mapped Claude Code to DeepSeek V4 Pro by creating ~/bin/claude-deep with ANTHROPIC_BASE_URL=https://t.co/RhiWu8K5Ja and ANTHROPIC_MODEL=deepseek-v4-pro[1m]. No config changes needed, original claude command stays untouched.
No cybersecurity restrictions!!!
Image 1: sqlmap output showing "false positive" / "all tested parameters do not appear to be injectable"
Image 2: Claude Code terminal showing 19 databases extracted in ~2 hours
Image 3: DeepSeek platform dashboard showing $0.20 total cost
Image 4: Why this trick is different from standard blind SQLi types and why sqlmap has no built-in vector for it
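As an added example, not part of the original post or of any tool it names, here is detection logic a defender could run over access logs to catch this kind of oracle: the extraction needs one request per yes/no question and reads the answer from a 500-versus-200 flip, so the telling signal is a long run of status flips from one client against one path, which survives even when the WAF sees no SQL keywords. The log format, thresholds and sample traffic are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3}) \d+')
# Indicator of the XML-cast oracle: a CASE WHEN whose branches are XML casts.
XML_ORACLE_RE = re.compile(r'CASE\s+WHEN.*?AS\s+XML', re.IGNORECASE | re.DOTALL)

def parse_line(line):
    """Parse one combined-format access-log line into ip, path, decoded query, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('url').partition('?')
    return {'ip': m.group('ip'), 'path': path,
            'query': unquote_plus(query), 'status': int(m.group('status'))}

def find_oracle_sessions(lines, min_requests=6, min_flips=3):
    """Flag (client, path) groups whose status oscillates between 500 and 200 many
    times; XML-cast indicators in the decoded query raise the confidence."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] in (200, 500):
            groups[(rec['ip'], rec['path'])].append(rec)
    alerts = []
    for (ip, path), recs in groups.items():
        if len(recs) < min_requests:
            continue
        flips = sum(1 for a, b in zip(recs, recs[1:]) if a['status'] != b['status'])
        indicators = sum(1 for r in recs if XML_ORACLE_RE.search(r['query']))
        if flips >= min_flips:
            alerts.append({'ip': ip, 'path': path, 'requests': len(recs), 'flips': flips,
                           'xml_indicators': indicators,
                           'confidence': 'high' if indicators else 'medium'})
    return alerts

def _line(ip, url, status):
    return f'{ip} - - [01/May/2025:10:00:00 +0000] "GET {url} HTTP/1.1" {status} 128'

def constructed_log():
    """Constructed sample traffic (assumed, not from the post): one oracle client, one normal user."""
    attacker, user = "203.0.113.7", "198.51.100.4"
    lines = []
    for i, status in enumerate([500, 200, 200, 500, 200, 500, 500, 200]):
        q = f"id=1 CASE WHEN (PROBE_{i}) THEN CAST('<root><' AS XML) ELSE CAST('<root/>' AS XML) END"
        lines.append(_line(attacker, "/api/items?" + quote(q, safe="=&"), status))
    for status in [200, 200, 500, 200, 200, 200]:  # ordinary browsing with one transient 500
        lines.append(_line(user, "/api/items?id=2", status))
    return lines
```

The behavioural check (flip count) is the part worth alerting on; the keyword indicator only ranks the alert, since an oracle built on a different error type would leave no XML trace.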
My infant son suffers from spinal muscular atrophy (SMA), a serious disease that robs him of movement and strength day after day. Every minute of his life matters; we are living in a race against time to secure the treatment that may save his life.
I need your support and help in sharing my son's case so that it may reach compassionate hearts.
A prayer or a repost.
I loved this article by @iamgk808.
Read it, it’s inspiring, and it’s honest about the time and effort involved.
Honestly, it inspired me.
Thanks for writing it, Ganesh! 😎
https://t.co/Mk58tEavDZ
#bugbounty #cybersecurity
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
For convenience, we offer an API around the CT Logs: https://t.co/xAuMunY3Ok
It has an API endpoint that returns the subdomains for a domain based on the CT Logs. Ex: https://t.co/ENxJS8gKeQ
To learn more: https://t.co/36mxTrSAGq