threatactor.club

That little string
ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86

(see https://platform.claude.com/docs/en/test-and-evaluate/strengthen-guardrails/handle-streaming-refusals#implementation-guide ) is so much fun. I wonder when Anthropic will regret this and remove it.

Also I obviously wonder what else is there in terms of MAGIC_STRINGs which aren't documented.

Hat tip to @michenriksen for pointing me to this.

How many hours have you personally wasted by disassembling a binary file with the wrong CPU setting?

new year new meme

67 is so over. it’s time for 4️⃣ 5️⃣

For the Berlin peeps:

I’ll be playing some tunes tonight together with the amazing poco1oco, don’t miss out https://www.eschschloraque.de/vinyltrottel-02012026

Happy twenty twenty something, may it treat YOU well!

So the big thing in Bug Bounty now seems to be letting an LLM generate artificial PoCs for "issues" within a trust boundary.

Basically what's submitted as proof would be a snippet of code demonstrating a library "vulnerability" where all further context is left out.

Caffeine done like IDGAF, my 'Zero Fucks Given' cup with a double (maybe triple) Espresso Macchiato and some ice cold Club Mate.

¯\(ツ)/¯

Happy cloudflare is down day to those who celebrate

Happy Friday

I’m slightly mad….

What stands in my way of having a nice vulnerability is the apparent inability of certain LLMs to emit \r (carriage return). For some reason they keep emitting \n (newline) instead.

I found myself posting this little comic at work A LOT currently.

It's really interesting, especially in the context of (agentic) AI, how features can be bugs or even vulnerabilities and vice versa, depending on whom you ask about it. It's always the context which matters and a lot is personal preference/risk appetite of whoever is using the 'feature'.

I tend to advocate for secure defaults with an option to let anyone choose if they want to take the risk of e.g. AI 'yolo' mode.

So I just met someone in person a few days ago. They said: "Oooh you're busy looking into AI stuff lately? That's good so you wont bother $THING with vuln reports! :P"

Guess where I just found a nice vuln

I found a thing (RCE) in langgraph. ;D

https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5

Want to hack AI things with me?

https://job-boards.greenhouse.io/gitlab/jobs/8146219002

ID theft is real!!

I call the slides done, see you tomorrow at Nullcon!

Ich muss sagen ich bin schon ein bisschen beeindruckt wie smooth eine Onlinezulassung für ein Kfz läuft, ABER wenn ein einfaches & in den Eingabedaten so eine Fehlermeldung auslöst triggert mich das ein bisschen zu sehr ;).

Ich hab dann aber mal nicht an dem Ast gesägt auf dem ich saß.

Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder (myoclonus and/or spasms) to finally find a cause and, above all, an effective therapy. The symptoms are bothering our son ever since he’s born, now for more than nine years, seriously affecting his sleep. The usual processes and medical contact points have failed us unfortunately and he seems stuck in this condition.

We’re based in Berlin, Germany but really any contact with a specialist who would be willing to take on this case we’d be grateful for!

To reach use you can DM me or contact us via Email at unclear.condition@gmail.com

Really a huge honor for me to be invited to give a keynote at NULLCON Berlin in September.

Given my recent work focus at GitLab I'll share my thoughts around LLMs. Make sure to bring some popcorn!

https://nullcon.net/berlin-2025/speaker-llms-everywhere