From the What Could Possibly Go Wrong? department:
"Notable Researchers Join $4 Billion Effort to Build Self-Improving A.I.":
"NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability":
We used the depthfirst system to analyze the NGINX source code, and it autonomously discovered 4 remote memory corruption issues, including a critical heap buffer overflow introduced in 2008. We further investigated the exploitability of the issues, and developed a working proof of concept demonstrating RCE with ASLR off. If you use rewrite and set directives in your NGINX configuration, you're at risk.
(depthfirst.com)
RE: https://infosec.exchange/@BleepingComputer/116571756458489946
Another day, another Linux privilege escalation vulnerability...
Cannot be unseen.
Libertarianism and deregulation for the win.
"How Argentina Cut Home Costs 70%":
New York’s Zohran Mamdani and fellow “Democratic Socialists” are racking up the wins on house prices, one of the most painful parts of the affordability crisis.
(www.profstonge.com)
Remember the hype about Mythos discovering a two-decades-old bug? Well...
"Mythos 'Discovered' a CVE Already in Its Training Data - and That’s Still Worrying":
Anthropic made headlines claiming Claude Mythos achieved the “first remote kernel exploit discovered and exploited by an AI.” We went looking for how - and found a 20-year-old bug hiding in plain sight.
(rival.security)
To the surprise of no one,
"Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information":
Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.
Cyber Security News (cybersecuritynews.com)
@malwaretech You should have waited till Friday. That's the Vulnerability Disclosure Day, isn't it?
@GossiTheDog In other news, using a calculator impairs your ability to compute in your head. Also, my constant use of keyboard has impacted negatively the legibility of my handwriting.
@nf3xn I'm dying. I don't fucking care any more. It's up to you youngsters to fix the broken world - or to learn how to live in it.
This. 
@atoponce A gigantic rant but no useful, actionable information. Just like the last time. I'm going to ignore this.
Who's gonna tell him that Microsoft installs silently Copilot on Windows PCs?
Man, ChatGPT is so useless for serious programming tasks... I normally use Claude for these and ChatGPT only for simple programming questions (basically, as a substitute for googling), but since this time it made an enticing offer, I decided to try it.
Right now, my RDP honeypot collects only the NTLM response blob from the attacker. I was wondering if these were crackable, e.g., with Hashcat, so I asked ChatGPT. Turns out, they aren't, because the server challenge isn't logged. "If you point me to the source of your honeypot," it said, "I can tell you exactly which lines to patch and how, so that the honeypot logs all the necessary info". Sounds good, so I pointed it at the repo. Its advice?
- Go to the directory rdpy/protocols/rdp/nla. (Doesn't exist; it's "protocol", not "protocols".)
- Edit the file ntlm.py (Okay.)
- Look for a function named "..." (Doesn't exist.)
- Find a line that says "..." (No such line in the entire file.)
- Change it to "..." (I gave up at this point.)
@lorenzofb Goddammit, couldn't they have popped the Windows updates instead?!
"OpenAI Really Wants Codex to Shut Up About Goblins":
https://www.wired.com/story/openai-really-wants-codex-to-shut-up-about-goblins/
“Never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures unless it is absolutely and unambiguously relevant,” reads OpenAI’s coding agent instructions.
JFC...
My mother got a Viber message on her tablet, ostensibly from her bank, that her new credit card is ready and she should come and get it. The message listed the first and the last 4 numbers of her card. Except that neither set of numbers matched any of her cards (or mine) and her card isn't set to expire until the next year. I was ready to dismiss it as some kind of elaborate scam, but Viber insisted that the message indeed came from the bank. This isn't e-mail with headers to check and I'm not familiar with Viber, so who knows... Maybe the bank sent the notification to the wrong person by mistake? Anyway, my mother insisted that we go and check.
"PhantomRPC: A new privilege escalation technique in Windows RPC":
https://securelist.com/phantomrpc-rpc-vulnerability/119428/
Unpatched.
@GossiTheDog Imagine if Russia had done something like this to an adversary... Oh, wait, Russia *did* do something like this to an adversary! Remember the outcry back then? Where's the outcry now? Maybe the Western media and the political commentariat are silent because in this case a Western company didn't suffer millions in losses as collateral damage?
OK, I gave Claude.ai a really complex task this time - and it really shat the bed. The result was not just buggy - it was unusable, unfixable, and had nothing to do with what I had requested. I guess Claude has a problem keeping its attention on a multitude of varying tasks. I guess I'll have to wait for a better model for this particular project.