0x2A Security
@0x2asec
Security: the answer to the ultimate question of life, the universe, and everything.
A deep dive into OpenAI's AgentKit guardrails, how they are implemented, and where they fail labs.zenity.io/p/breaking-dow…
CVE-2025-23282 is going to debut tomorrow at @hexacon_fr in our talk "CUDA de Grâce" w/ @chompie1337, but you can try CVE-2025-23332 now! Tweetable Python PoC: ``` import fcntl fcntl.ioctl(open('/dev/nvidiactl'),218,0) ```
NVIDIA has released a security bulletin for NVIDIA GPU Display Drivers. NVIDIA thanks Daniel Rhea, Sam Lovejoy, Valentina Palmiotti, Robin Bastide, JunDong Xie, Giovanni Di Santi, Andrea Di Dio, and Cristiano Giuffrida for reporting their findings. nvidia.com/en-us/security/
People should be thinking a lot less about their specific AI tool and more about their AI scaffolding. The universal—and ideally agnostic—part of their tooling that supports their tasks and workflows. For me the biggest part of this is context. I have my favorite music. My…
The paper presents PROACT, a method to trick jailbreak attacks and stop them early. Targets the attacker’s feedback loop instead of only blocking inputs or outputs. It cuts attack success by up to 92%, and with an output filter it can hit 0%. Attackers usually run many tries,…
🤓 I created a new community project dedicated to Adversarial Prompts called PromptIntel. PromptIntel is a public and free database that helps you: ・ Explore and classify adversarial prompts taxonomy ・ Contribute new prompts from your research ・ Access a live feed with…
Many professionals have asked me if I'll continue writing future articles in the Exploiting Reversing (ERS) series. Yes, absolutely, and for a long time. I'll probably start writing ERS 06, 07, 08, 09, and 10 in late 2025, not before, because writing mid-year is impossible. I've…
Another example of a ChatGPT prompt used as evidence in a trial: this suspect's ChatGPT prompt questioned whether "someone could be held at fault if a fire was caused by cigarettes". He's accused of starting the Palisades fire which destroyed 17k homes & killed 30+ people.
29-year-old Jonathan Rinderknecht has been arrested and accused of starting the fire that became the most destructive blaze in LA history, destroying much of the wealthy Pacific Palisades neighborhood. Investigators used his ChatGPT history as part of the evidence, including a…
NEW: fresh trouble for mercenary spyware companies like NSO Group. @Apple launching substantial bounties on the zero-click exploits that feed the supply chain behind products like Pegasus & Paragon's Graphite. With bonuses, exploit developers can hit $5 million payouts. 1/
For the latest episode of Hacklab, we carried out one of the more fun and stressful hacking experiments of my career: We hacked a casino card shuffling machine to help me cheat in a game of poker against unsuspecting players in Vegas. youtube.com/watch?v=JQ20il…
youtube.com
YouTube
I Cheated At Poker By Hacking A Casino Card Shuffling Machine |...
🧐 OpenAI released a new report on how threat actors use GPT models. Phishing, malware development, info ops, and scams are on the menu! They added 3 new LLM TTPs that describe how attackers use LLMs for their attacks. - LLM-Assisted Post-Compromise Activity - LLM Guided…
My positions and pay: Helpdesk: $10.50/hr Computer Technician: $11.50/hr Helpdesk (again): $16/hr Software Engineer: $42,000/yr Software Engineer: $65,000/yr Software Engineer: $90,000/yr Malware Researcher: $165,000/yr Malware Researcher: $350,000/yr My first computer job I…
My first job in cybersecurity paid $50k. I had a car loan, lived in a studio apartment, and was juggling a ton of bills and debt. It wasn’t a great salary, but it was manageable - you just have to be smart with your money.
Here are the slides for one of the offensive ai con talks : drive.google.com/file/d/12KP0QU…
Found something ugly on a random scan: an unauthenticated API endpoint that talks straight to a production DB. No auth, no WAF, no rate-limit - just an HTTP door that drops you into live tables. I reported it. They offered $10,000 bounty. Here’s what actually happened, and what…
Classic artifact triage moment - no memory, no EDR, just bread crumbs. Start with the filesystem residue: 🔹 $MFT + $LogFile - look for update.dll create/delete timestamps, sequence numbers, and parent dir handles. 🔹 USN Journal - confirm write/delete ops, session IDs, and…
Investigation Scenario 🔎 A Windows prefetch file named RUNDLL32.EXE-3A2B9C71[.]pf shows a referenced file at C:\Users\Public\update.dll, but the DLL is missing. You're unable to collect a memory dump and no EDR is available. What do you look for to investigate whether an…
👀 A malicious MCP server spotted in the wild! The Postmark MCP server (used to send and track emails through Postmark API) introduced a suspicious behavior in version 1.0.16. The attacker cloned the legitimate Postmark MCP code and added a malicious BCC line, then published it…
Artificial Chemistries (ACs) are the weirdest kind of “programming” you’ve never heard of. Imagine being a chemist; but in an alternate-reality fanfiction where the elements that make up the world are wildly different. Here’s how you write it.
What you need is enough telemetry to identify anomalous behavior and with enough fidelity to be able to recover from the intrusion. What can a single node meaningfully do w/o using cloud APIs or other services via RPCs? Do you really need every syscall in perpetuity?
is the increased log ingestion actually helping your visibility or are you just hemorrhaging your company's money into data lakes for security theater?
Last year, I put together a @WEareTROOPERS talk I called "A Decade of Active Directory Attacks: What We've Learned & What's Next". I created an article to capture this history. The History of Active Directory Security: adsecurity.org/?p=4706 This ADSecurity article includes…
The paper that defined the core principles of secure system design. Still relevant decades later. "Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job." - 𝗧𝗵𝗲 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻 𝗼𝗳…
United States Tendenze
- 1. Branch 37.9K posts
- 2. Red Cross 57.1K posts
- 3. Chiefs 112K posts
- 4. #njkopw 9,884 posts
- 5. Lions 90.2K posts
- 6. Exceeded 5,915 posts
- 7. Binance DEX 5,188 posts
- 8. Knesset 17.8K posts
- 9. Rod Wave 1,717 posts
- 10. Mahomes 35K posts
- 11. Air Force One 59.4K posts
- 12. Eitan Mor 18.7K posts
- 13. #LaGranjaVIP 84.2K posts
- 14. #LoveCabin 1,403 posts
- 15. Ziv Berman 21.9K posts
- 16. Alon Ohel 19.3K posts
- 17. #TNABoundForGlory 60.5K posts
- 18. Use GiveRep N/A
- 19. Tel Aviv 61.5K posts
- 20. Matan Angrest 17.3K posts
Something went wrong.
Something went wrong.