NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures. blog.compass-security.com/2025/11/ntlm...

We still need to get from a situation where Russia pretends to negotiate to a situation where they need to negotiate. Extract from my press remarks following today’s informal Foreign Affairs Council ↓

#Finland will begin to #Russia - proof its rail network, integrate with EU train infrastructure. The Finnish government has announced the conversion of its rail network from Russian gauge (1,524 mm) to European standard (1,435 mm). www.trenvista.net/en/news/flas...

Burp now has a command palette (similar to the one in VS Code) 🥳 portswigger.net/cms/images/4...

Kyle Kingsbury is not a journalist. He is not an op-ed writer. He is a computer safety researcher. And he has written one of the most compelling, comprehensive accounts of the ongoing hell in Chicago that you could possibly imagine. In under 1600 words. aphyr.com/posts/397-i-...

It's important for Europeans, and others from visa-waiver countries, to understand they don't have freedom of speech rights when visiting the United States. The Trump regime is still deporting visitors for critical comments made online, because they can.

Starting Monday LinkedIn will begin using data from your profiles/posts to train AI. If you live in EU/EEA/Switzerland/Canada/Hong Kong your data is subject to being used this way, but you can opt out. Go to Settings/Privacy/Data for Generative AI Improvement and toggle the switch to off

Day to day: the user experience of getting a direct answer for simple things compared to scrolling a bloated blog post, with ads and cookie banners. It would be better to solve the state of the web but hey, it's a workaround.

If you know who did this, or if you know how to set it back, the hotel kindly asks you to do so, respecting the fun achievement unlocked :) https://infosec.exchange/@xme/115422139879568495

Great work guys!!

#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...

pagedout.institute ← we've just released Paged Out! zine Issue #7 pagedout.institute/download/Pag... ← direct link lulu.com/search?page=... ← prints for zine collectors pagedout.institute/download/Pag... ← issue wallpaper Enjoy! Please please please share to spread the news - thank you!

The @EUCommission would like to hear your views on the governance and sustainability of critical open source software. The survey closes October 5th. https://ec.europa.eu/eusurvey/runner/FOSSEPS_Governance_and_Sustainability_Survey #OpenSource #governance #sustainability

"Employees are using AI tools to create low-effort, passable looking work that ends up creating more work for their coworkers.[...] it shifts the burden of the work downstream, requiring the receiver to interpret, correct, or redo the work. In other words, it transfers the effort 1/2

It is representative of a *profound* failure of a country that this group of people are up there talking about medicine and science at all

Beyond the message of the talk, the insights on the parliamentary monitoring system are super interesting!

Europe stands with Estonia in the face of Russia’s latest violation of our airspace. We will respond to every provocation with determination while investing in a stronger Eastern flank.

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...

Deterministic LLMs are possible. thinkingmachines.ai/blog/defeati...

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF. Find out more here: blog.compass-security.com/2025/09/coll... #AppSec #BurpSuite #Pentesting

This is a fascinating move www.reuters.com/world/europe...

Wow "Flashlights from the bow swept over the water. Fearing that they had been spotted, the SEALs opened fire. Within seconds, everyone on the North Korean boat was dead."

EPFL, ETH Zurich, and CSCS released Apertus, Switzerland's first large-scale, multilingual language model (LLM). As a fully open LLM, it serves as a building block for developers and organizations to create their own applications: www.cscs.ch/science/comp... @ethz.ch #AI #Apertus #AIforGood

ChatGPT just shipped the exact memory feature I've always wanted - automatic memory that's scoped to a specific project simonwillison.net/2025/Aug/22/...

In a somewhat better world this ChatGPT suicide case should at minimum trigger resignations from OpenAI top brass. This won't happen of course, showing what kind of people we are dealing with there. And yes, this case is different from finding similar information via search 1/2

Still more evidence that the US under Trump is an enemy of Europe.

This is a magnificent read. "Every warning about AGI danger is also a pitch deck for more funding" "The future is already here. You just have to stop looking for it in the wrong place."

I never managed to do any meaningful work on the train, I need a comfortable setup for it. With chatpgt I can (let it) work on small side projects I never allocated time for.

UK is beta testing all the shittiest ideas, first brexit and now this. At least other countries will see the consequences before wanting to follow.

AppSec Ezine - 597th edition #AppSec #Security pathonproject.com/zb/?0f5e45f0...

To keep up to date on AI topics without being on twitter I recommend news.smol.ai (Newsletter & RSS feed)

One of my coworkers refers to Open Source as “the most incredible thing humanity has ever accomplished.” When he says that, he’s not making a socioeconomic or political statement, nor is he ignoring technical shortcomings. Rather, he is making an observation about how millions of people have […]

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

Many static site generator templates don't include meta tags for #RSS / #Atom feeds, but the data is generated by default. It's worth to check: /index.xml /feed.xml #syndication Original->

ETH Zurich and EPFL will release a large language model (LLM) developed on public infrastructure. Trained on the #Alps supercomputer at #CSCS, the new LLM marks a milestone in open-source AI and multilingual excellence: www.cscs.ch/science/comp...

LLM-based vuln hunting just leveled up with xvulnhuntr - a fork of vulnhuntr with support for: C#, Java, Go. Read @rationalpsyche.bsky.social's blog post and go grab the project on GitHub. blog.compass-security.com/2025/07/xvul...

We ditched CGI in the late 1990s because of the overhead of starting, executing and stopping a process for every incoming request... turns out modern servers (plus languages like Go or Rust with a fast startup time) mean CGI isn't such a bad idea any more! simonwillison.net/2025/Jul/5/c...

I wrote about how the Everglades experiment fits into the history of concentration camps in the US and abroad, and how it will connect a domestic network of camps to an international one. We’re watching the imposition of a global concentration camp network.

A new @OpenSecurityTraining2 course just dropped! #fuzzing 1001: Introductory white-box fuzzing with AFL++ https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Fuzz1001_Intro_AFL+2025_v1/about

Exploiting the @ubiquiti.bsky.social AI Bullet camera for #Pwn2Own made us sweat more than once. But persistence paid off. Our detailed blog post is now live: blog.compass-security.com/2025/06/pwn2... #penetrationtest #pentest #iot #embedded #cybersecurity www.compass-security.com/en/services/...

[RSS] RedirectionGuard: Mitigating unsafe junction traversal in Windows msrc.microsoft.com -> Original->

Thrilled for #TROOPERS25 Thursday! Emanuele & @yvesbieri.bsky.social share #Pwn2Own wins on #surveillance cams. Method, #exploit, lessons. Drop in, trade war-stories! Talk: troopers.de/troopers25/t... Compass pentest: www.compass-security.com/en/services/... #cybersecurity #iot #hw #fw #ot

When you watch people use AI, you see how absolutely confusing things are, not just the obvious (o3 is better than 4o?), but also how ill-explained features are. For most people, just realizing that you need to switch models to get more serious work done is a major revelation.

3) Summarizing search results. Gemini 2.5-pro has a "grounding" feature where it provides non-hallucinated search results on which the response is based. There are more. It is a very strangely shaped tool indeed, but the job of the artisan is to figure out what the tool can be used for...

My short impulse presentation from Cycon is online: youtu.be/qllU_B_Rmis?...

[IT] There's still hope: smartphones banned in italian high schools from next year.

Whatsapp introduces adds. Take this as an opportunity to install Signal play.google.com/store/apps/d...

The change in tenor from European clients before and after the ICC getting cut off from their MS services is palpable.