We pulled in $117,000 in Chrome bug bounties with simple tricks; on Wednesday, Quang Luong will spill his secrets at the Stanford AI Security Conference:
https://t.co/Fhq0NH13jn
Fun fact: Quang is probably the only researcher in the known universe who still uses Gemini to find bugs.
Before the end of the year, Calif researchers will be presenting at Black Hat USA, DEF CON, and Hexacon. We're also hoping to make it to Unprompted AU, OffensiveCon, and Objective By The Sea.
At Black Hat USA, Dionysus Blazakis and the team will walk through the bugs and exploit chain used in the Apple MIE bypass discovered a few months ago.
https://t.co/dfeYJSzFVT
At DEF CON, we will tell the story of hacking software that helps run the Internet backbone.
At Hexacon in Paris, @brucedang and I will give the keynote. Apple announced MIE there last year, so it'll be a fun one. I suspect they only wanted Bruce, but keynotes require a certain amount of professional nonsense, and Bruce is far too honest for that, so I got invited too. My job is marketing, which is to lie without getting caught.
What's wild is that none of this existed at the beginning of the year.
We started with a simple realization: very few people have both deep security expertise and access to the best AI models.
So we went all in and never looked back.
Back in March, we called a company-wide all-hands on a Saturday. The title of the invite was: "AI Tsunami and Our Actions."
I don't want to romanticize overwork, but what we were seeing felt too urgent to wait until Monday.
Then everyone started cooking. The results have been spectacular.
Our research on defeating Apple MIE made it into The Wall Street Journal. We signed major contracts with Anthropic, OpenAI, Google DeepMind, and xAI. While others are celebrating access to the latest models, we've been using them to explore the frontiers of vulnerability research.
In the first half of 2026, we're already surpassing our entire 2025 bookings. Most importantly, we've assembled a top-tier team in record time.
I've read many strategy books, but this is the first time I've witnessed the power of the right strategy at the right time.
Focus is the name of the game. Strategy is deciding what to ignore. For one month and a half, we stopped starting new projects. I've personally shelved a lifelong passion in Vietnam, because it isn't a priority for the company. You can only move fast when you're light.
Several people were upset when we changed direction so abruptly. That's normal. If nobody complains, you probably didn't focus.
Of course, strategy isn't magic. You can make a focused bet and still be wrong. We were fortunate that this one worked out.
None of this would be possible without our partners and supporters across the frontier labs. Thank you.
Wow, someone (not from Calif) made a website for Squidbleed. It looks great, but we just want to note that it is not from our team.
If you made this, please reach out to us at [email protected].
Patch the Planet is our effort to help open source maintainers move from security findings to merged fixes.
We’re working with Trail of Bits, HackerOne, Calif, researchers, and maintainers to bring Codex Security and advanced models into the remediation process, with human review at the center.
https://t.co/64V8Yki23Z
Our researchers spent several weeks developing a full Chrome exploit chain and wondered about the current state-of-the-art in this area.
For the benefit of the community, we invited the GOAT of browser exploitation, @5aelo, to share his perspectives on modern browser security and exploitation.
This event will be live-streamed on YouTube and open to everyone.
Submit your questions: https://t.co/OfBzuTV72z
Add to Google Calendar: https://t.co/CX82X9MyO9
Add to Outlook Calendar: https://t.co/mvrKJ7I5HS
We sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug.
Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration.
Full story: https://t.co/xQLKqaSmTn
Arbitrary code execution in objdump -g
We have a thing for finding bugs in bug-finding tools. IDA Pro, Ghidra, Binja Sidekick, or radare2. You name it, we hacked it. Our friends were saying we should try objdump. So here we go.
Blog post: https://t.co/C8BgkW5KoE
AI-generated PoC and writeup: https://t.co/kWJnryHAtn
Big news: @lcamtuf has joined us.
Michal has been advising us since the earliest days of the company, helping us navigate everything from difficult strategic decisions to situations that were difficult primarily because we created them ourselves.
As the business has grown, so has the number of problems that can only be solved by asking, "What would Michal think of this?" We're delighted that he has now joined us officially and can no longer pretend not to see our messages.
We're also excited to share that Michal has granted us an exclusive world-wide license to commercialize his groundbreaking C/C++ remote dependency technology.
Existing customers are encouraged to begin planning their migration to our next-generation implementation, which has been carefully re-engineered with Claude in PHP to maximize nostalgia value for some of our hackers.
Welcome aboard, Michal!
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex.
Blog post: https://t.co/WO9MeExoun
PoCs: https://t.co/NpVgEHBHPl
Needle in a haystack: measuring the impact of two nginx RCEs
We had a lot of fun hacking nginx earlier this year. We know from experience that finding a real RCE in nginx is hard, especially one that triggers in a default or commonly-used configuration.
So when F5 disclosed CVE-2026-42945 (better known as nginx-rift) and CVE-2026-9256 (possibly nginx-poolslip), two critical heap buffer overflows in the nginx rewrite engine, the natural question was: how many real-world configurations are actually vulnerable?
To answer that, we built and open sourced ngxray, a static vulnerability scanner for nginx configs, and scanned nearly 36K configs we found on GitHub.
The scanner flagged configs across several dozen repositories. The majority turned out to be PoC reproductions, scanner test fixtures, and tutorial snippets.
Out of 35,633 configs, we found one vulnerable config, in an abandoned project.
https://t.co/2H9F53VB5n
Attacks always get better. Here's a new nginx RCE that bypasses ASLR, tested on the latest nginx 1.30 and 1.31.
This still requires a non-default config, but unlike some previous bugs, it does not depend on any additional vulnerabilities or external helpers to get to RCE.
We reported the bug on May 15. F5 has confirmed it, and hopefully a patch will land soon.
This is getting ridiculous 😅. We have enough nginx bugs to do an entire week of MAD Bugs on it. Who could have thought nginx is starting to feel like the new Linux kernel?
This is the funniest time in computer hacking. And yet the world is completely unprepared for this new reality.
Early this week, we had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends.
Full story: https://t.co/AmKMGUmWPt
We got credited three times in Apple’s latest security drop. Anthropic got named twice, and AISLE once.
Does this mean we’re worth more than Anthropic and AISLE combined? Asking for a boss.
https://t.co/6SC3igkFuK
In 2012, six hackers published the iOS Hacker's Handbook. Two of them are joining Calif: Dion Blazakis @justdionysus and Stefan Esser @i0n1c.
@i0n1c does not really need an introduction. I'll say a few words about Dion for the uninformed.
When @brucedang told me that a hacker named Dion may be joining us, my first reaction was, wait, is that the same Dion who won a Pwnie Award in 2010 for Most Innovative Research? It turns out, it was him.
Dion Blazakis is a legendary hacker who has been breaking into just about everything, from basebands and firmware to kernels and browsers. He was one of the earliest people hacking the iPhone and is still at it. In 2011, he and Charlie Miller won Pwn2Own by pwning an iPhone 4.
Our next MAD Bugs drops are welcome gifts for Dion and Stefan. Stay tuned!
MAD Bugs: All Your Reverse Engineering Tools Are Belong to US
Ghidra, radare2, IDA Pro, and Binary Ninja Sidekick. If your tool doesn't show up here, it's not cool enough. Contact us for a free RCE.
https://t.co/PsCenNMKtI