the grugq's newsletter

April 23, 2026

Why So Many Control Rooms Were Seafoam Green

The Color Theory Behind Industrial Seafoam Green


LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy.

So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it?

We benchmarked Claude Opus… pic.twitter.com/IHZVgl29TL

— Elastic Security Labs (@elasticseclabs) April 22, 2026


holy fuck, a hair dryer at a Paris airport broke Polymarket weather markets & made someone $34,000 richer

- polymarket was settling Paris temperature bets on a single Météo France sensor sitting near the Charles de Gaulle runway perimeter - basically unguarded

- the guy bought… pic.twitter.com/ona2hP3oZc

— @aaronjmars (@aaronjmars) April 22, 2026


New MAD Bugs drop: we had Claude reverse Apple's macOS 26.4 SMB patch end-to-end and build a kernel PoC from just the advisory. CVE-2026-28825, heap OOB in smbfs.kext, reachable by clicking on any smb:// link in Finder, Safari, or Messages.

Root cause is a missing bounds check…

— thaidn (@XorNinja) April 22, 2026

https://open.substack.com/pub/calif/p/mad-bugs-an-apple-kernel-bug-brought?r=26yra9&utm_campaign=post&utm_medium=web


https://t.co/0ZAWkLBpru — Fidelius Schmid (@FideliusSchmid) April 22, 2026

Julia Klöckner is a victim of the Signal hack - DER SPIEGEL

According to SPIEGEL's information, Bundestag President Julia Klöckner is among the victims of the current wave of attacks on Signal users. The Chancellor's mobile phone has also already been examined.


Breaking: Supposedly Russian Hackers compromise phone of Bundestag president Julia Klöckner via Signal, phone of German chancellor Merz vetted for malware as a consequence. Likely more top German politicians affected. Exclusive by @MarcelRosenbach @derspiegel free link below

— Fidelius Schmid (@FideliusSchmid) April 22, 2026


Locked Shields 2026 has kicked off!

The exercise brings together more than 4,000 cyber defenders from 41 nations to strengthen the protection of national systems and critical infrastructure against sophisticated cyber threats.

Over the course of the next two days, teams must… pic.twitter.com/U1CMERqmrZ

— NATO CCDCOE (@ccdcoe) April 22, 2026


Anthropic said Mythos was too dangerous to release. Then four random guys in a Discord gained access on day one by guessing the URL...

This is pretty insane:
→ Group in a private Discord guessed the endpoint from Anthropic's naming conventions
→ They figured out the… https://t.co/HUxd8pwqEH

— Josh Kale (@JoshKale) April 22, 2026


From an economic perspective, once we are back to equilibrium, bugs in critical software will be just as difficult to find as they were before AI agents (and before fuzzing).

More details: https://t.co/fo0WMzsDJ8 (Security as a function of incentive) https://t.co/sfcBKiFBHQ

— Marcel Böhme👨‍🔬 (@mboehme_) April 22, 2026

[2402.01944v5] Fundamental Challenges in Cybersecurity and a Philosophy of Vulnerability-Guided Hardening


Research in cybersecurity may seem reactive, specific, ephemeral, and indeed ineffective. Despite decades of innovation in defense, even the most critical software systems turn out to be vulnerable to attacks. Time and again. Offense and defense forever on repeat. Even provable security, meant to provide an indubitable guarantee of security, does not stop attackers from finding security flaws. As we reflect on our achievements, we are left wondering: Can security be solved once and for all? In this paper, we take a philosophical perspective and develop the first theory of cybersecurity that explains what precisely and fundamentally prevents us from making reliable statements about the security of a software system. We substantiate each argument by demonstrating how the corresponding challenge is routinely exploited to attack a system despite credible assurances about the absence of security flaws. To make meaningful progress in the presence of these challenges, we introduce a philosophy of cybersecurity.

PDF

source: Marcel Böhme👨‍🔬 (@mboehme_)


Despite 271 bugs massacred by Anthropic, our renderer RCE and SBX escape are alive and well, ready unless there is a sudden patch before p2o (which means we don't have enough time to prepare a new one) - wish us luck! https://t.co/3oTRESGt5r pic.twitter.com/b418byfM1Q

— Qrious Secure (@qriousec) April 22, 2026

The zero-days are numbered 

Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.


Highly recommend reading this if you're into windows kernel vuln research!
Juian found some cool vulns using this technique -which we can't publish :/ -
Something new is also coming out for pypykatz bc of this in the upcoming months https://t.co/cNvWnWZzrv

— SkelSec (@SkelSec) April 20, 2026


SIMULATING NAVY LIFE ASHORE
PART 4

Sleep on the shelf in your closet. Replace the door with a curtain.

Four hours after you go to sleep, have your wife whip open the curtain, shine a flashlight in your eyes, and mumble, "Sorry wrong rack".

Build a wall across the middle of…

— Matt Bracken (@Matt_Bracken48) April 20, 2026


MAD Bugs: All Your Reverse Engineering Tools Are Belong to US

Ghidra, radare2, IDA Pro, and Binary Ninja Sidekick. If your tool doesn't show up here, it's not cool enough. Contact us for a free RCE. https://t.co/PsCenNMKtI

— Calif (@calif_io) April 21, 2026

https://open.substack.com/pub/calif/p/mad-bugs-all-your-reverse-engineering?r=26yra9&utm_campaign=post&utm_medium=web


everyone thinks eBPF = fancy tcpdump. no. it's basically a safe little VM inside your kernel and people are abusing it in wild ways:

- sched_ext lets you write your linux CPU scheduler in userspace. yes. swap out CFS for your own logic. gaming, latency-critical trading, AI… pic.twitter.com/6F9HdQbhY5

— Immanuel (@immanuel_vibe) April 19, 2026

GitHub - qmonnet/awesome-ebpf: A curated list of awesome projects related to eBPF. · GitHub

A curated list of awesome projects related to eBPF. - qmonnet/awesome-ebpf


qmonnet/awesome-ebpf (5,039 stars) A curated list of awesome projects related to eBPF.

source: Immanuel (@immanuel_vibe)


"Replacing long-lived keys with ephemeral keys is, for my money, one of the best uses of security engineering effort." is the best sentence I've read pertaining to my field in a while. More at: https://t.co/HY8WhrYJjp

— Thomas H. Ptacek (@tqbf) April 20, 2026

You don't want long-lived keys

The security of keys and credentials is a function of time. You can, and should, avoid most long-lived keys and replace them with ephemeral credentials.

