CyBeRsEcUrItY | Not afraid to put down with some THICC malware on disk | securing and breaking AI @PaloAltoNtwks | Ex @spacex

Joined December 2012
The demos and slides of my Defcon 31 talk are now publicly available. 🧵 1/3 This first video demonstrates impersonating Satan (spoofing an email from satan@churchofsatan.com). This was the inspiration for the title of the talk 😛 piped.video/61PIOBp30vA
💥The deadline for #BSidesPyongyang2025 CFP is September 22💥 Submit now to get a chance to speak alongside the best researchers, state secret enjoyers, and APTs 👊🇰🇵💥 (This is legit. We are hosting it online because Ryugyong Hotel was full.) 📝 forms.gle/y6QRMeYuJPYXZi1k9 📝
Marcello retweeted
a classic
Marcello retweeted
I've seen it all
Another Fortinet CVE, let’s see what the market thinks… oh, right,
My hot take on AI 🌶️. It's less about efficiency and more about scale. byt3bl33d3r.substack.com/p/a…
Having an Agent be number 1 on the H1 leaderboard is, to me, a watershed moment. The whole "you can't automate Red team/pentests" stance is now false.
Literally every single Red teaming consultancy should be pivoting *right now* to agentic workflows to some extent. You will get left in the dust if you don't start now.
Is there hype? yes. Is it painful to keep up with and cut through the noise? absolutely. If you value your career tho, you're going to have to do it.
I'm seeing a concerning trend in the Infosec/Red Teaming space of brushing off AI as a fad or taking an "old man yells at cloud" stance. I implore everyone: do not do this. Whether you like it or not, it's the future. Everyone should be building agents & learning how to work with LLMs. Do not get left behind or you will be in a *bad* situation very soon. Case in point: the number 1 position on the H1 leaderboard is currently an Agentic AI system.
Marcello retweeted
we're so back
So... I just simply asked Manus to give me the files at "/opt/.manus/", and it just gave it to me, their sandbox runtime code... > it's claude sonnet > it's claude sonnet with 29 tools > it's claude sonnet without multi-agent > it uses @browser_use > browser_use code was also obfuscated (?) > tools and prompts jailbreak
This might be one of the best reddit posts I've seen in a while no cap fr fr
Leaked image of the research tool OpenAI used to come up with their $500 billion number for Stargate
Replying to @byt3bl33d3r @simonw
There's a lot to be explored here. I personally think the pure vision approach to an LLM web browser controller is much more elegant than injecting JS to highlight interactable elements, etc. Would be interesting to hook up Omniparser to this 👀 github.com/microsoft/OmniPar…
Replying to @byt3bl33d3r @simonw
An interesting side effect of this approach is that with the right stack you can easily bypass non-captcha-based anti-bot shields like Turnstile, as demonstrated in the above video, just by simply asking Gemini to return bounding box coordinates for the checkbox next to "verify you are human" lol
One of the most unique things about Google Gemini is its ability to return bounding box coordinates for objects in images (great article about it by @simonw below). This got me thinking whether it could be used as a "cheap" way to do LLM browser control. Turns out it works surprisingly well for simple/medium complexity websites simonwillison.net/2024/Aug/2…
Automated web navigation and bypassing Cloudflare Turnstile using an LLM controlled browser and desktop using google gemini's vision capabilities piped.video/JO8jMHpOW90
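The posts above describe driving a browser by asking Gemini for the bounding box of an on-screen element (the "verify you are human" checkbox) and clicking its center. The glue step they leave implicit is turning the model's normalized box into a pixel click position. The block below is an added example written for this page, not byt3bl33d3r's code or part of any tool he mentions. It assumes Gemini's documented box convention (`box_2d` as `[ymin, xmin, ymax, xmax]` on a 0-1000 scale, independent of image size); the JSON reply and its labels are constructed sample data, and the 1280x720 screenshot size is a hypothetical value. It also handles two failure modes a practitioner hits immediately: the model wrapping its JSON in a markdown fence, and a hallucinated box outside the 0-1000 range or with inverted corners, which would otherwise become a click at an arbitrary screen position.

```python
"""Turn Gemini-style normalized bounding boxes into pixel click coordinates."""
import json
import re

# Constructed sample of the JSON a vision model can be asked to emit for a
# screenshot: one entry per element, each with a label and a bounding box.
# Assumption (Gemini's documented convention): box_2d is [ymin, xmin, ymax, xmax]
# on a 0-1000 scale, regardless of the real screenshot dimensions.
SAMPLE_RESPONSE = json.dumps([
    {"label": "checkbox next to 'verify you are human'", "box_2d": [412, 88, 448, 124]},
    {"label": "Cloudflare logo", "box_2d": [400, 700, 460, 900]},
])

# Models frequently wrap JSON in ```json ... ``` even when told not to.
_FENCE = re.compile(r"^```(?:json)?\s*|\s*```$", re.MULTILINE)


def parse_boxes(response_text):
    """Return a list of (label, [ymin, xmin, ymax, xmax]) from the model's reply.

    Strips markdown fences and rejects boxes that are malformed, out of the
    0-1000 range, or inverted, so a hallucinated box never becomes a click.
    """
    cleaned = _FENCE.sub("", response_text.strip())
    items = json.loads(cleaned)
    boxes = []
    for item in items:
        box = item.get("box_2d")
        if not (isinstance(box, list) and len(box) == 4):
            raise ValueError(f"malformed box_2d: {box!r}")
        ymin, xmin, ymax, xmax = box
        if not all(0 <= v <= 1000 for v in box) or ymin >= ymax or xmin >= xmax:
            raise ValueError(f"box_2d out of range or inverted: {box!r}")
        boxes.append((item.get("label", ""), box))
    return boxes


def normalized_to_pixels(box, width, height):
    """Map a 0-1000 [ymin, xmin, ymax, xmax] box to pixel (left, top, right, bottom)."""
    ymin, xmin, ymax, xmax = box
    return (
        round(xmin / 1000 * width),
        round(ymin / 1000 * height),
        round(xmax / 1000 * width),
        round(ymax / 1000 * height),
    )


def click_target(response_text, label_substring, width, height):
    """Return the pixel (x, y) center of the first element whose label contains
    label_substring, i.e. where a browser/desktop automation layer should click.
    width/height are the dimensions of the screenshot that was sent to the model."""
    for label, box in parse_boxes(response_text):
        if label_substring.lower() in label.lower():
            ymin, xmin, ymax, xmax = box
            cx = (xmin + xmax) / 2 / 1000 * width
            cy = (ymin + ymax) / 2 / 1000 * height
            return (round(cx), round(cy))
    raise LookupError(f"no element labelled like {label_substring!r}")


if __name__ == "__main__":
    # Hypothetical 1280x720 screenshot; prints the click point for the checkbox.
    print(click_target(SAMPLE_RESPONSE, "verify you are human", 1280, 720))
```

Because the box is normalized, the same model reply maps correctly onto any screenshot size; the only thing the caller must get right is to pass the dimensions of the image it actually sent (and, for HiDPI displays, to scale the result by the device pixel ratio before handing it to a desktop-level click).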