Xavier «X» Santolaria  


👨‍👩‍👧‍👦 Husband. Proud Father. He/Him.


👁️ 🐝 Ⓜ️ IBM Inventor and Cloud Security Solution Architect | Open Innovation Community.

Member of the IBM Academy of Technology (AoT).

 ex-#OpenBSD (xsa@). Hacker. Open Source Advocate.


💬 My Own Views. Always.

#ibm #infosec #cloudsecurity #fedi22 #wehackhealth #crossfit #emtb #fieldhockey #porsche #nobot

📍 Location: 🇧🇪🇪🇸 @ 🇨🇭
🌍 Website: https://0x58.santolaria.net
GitHub: https://github.com/xsa
🔑 Keybase: https://xsa.keybase.pub/mastodon.html
📨 Newsletter: https://infosec-mashup.santolaria.net/?utm_source=mastodon&utm_medium=social
🗓️ {Cyber,Info}Sec Events: https://xsa.github.io/infosec-events/

Most teams still treat system prompts like internal docs for humans.

That breaks fast with coding agents.

If the prompt is weak, the agent does not fail politely. It invents files, skips discovery, and makes risky edits with too much confidence.

I wrote down a practical way to review these prompts before they hit production: grounding, continuity, safety, decomposition, and efficiency.

https://www.the-main-thread.com/p/bob-meta-scorecard-agent-system-prompts-production

#Java #AI #CodingAgents #PromptEngineering #IBMbob

🐛 Faster Bugs, Same Backlog — #Mythos Preview found thousands of zero-days across every major OS and browser in a matter of weeks. Anthropic was nervous enough about it to not release it publicly. That's notable. What's also notable is that "thousands of critical vulnerabilities" describes a perfectly ordinary patch Tuesday for most security teams — the backlog isn't new, the speed is.

The uncomfortable truth Project #Glasswing surfaces isn't that attackers are about to get a superpower (they are), it's that defenders have been relying on a fundamentally broken triage model for years. CVSS 10 gets the fire drill. The exploitable CVSS 6 sitting on an internet-facing legacy box gets the backlog. That gap is the actual attack surface. AI-accelerated discovery doesn't fix it — it just makes it more expensive to ignore.

→ Week #16/2026 also covers: AI vishing platforms hit the cybercrime market, NIST quietly caps CVE coverage, and Russia goes after a Swedish power grid.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-16-2026-faster-bugs-same-backlog

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


RE: https://fosstodon.org/@iscdotorg/116416426577631380

In case you’re wondering: while not as extreme as illustrated by ISC (we don’t offer a bug bounty program), NLnet Labs suffers from a similar situation, in particular for Unbound.

Handling vulnerability reports, both valid ones and false positives, has now become a full time job for the entire Unbound team.

You can argue that it ultimately makes our resolver more secure; it also means we cannot work on building and releasing new features, like:

https://github.com/NLnetLabs/unbound/pulls/wcawijngaards

#DNS #OpenSource #AI

"A large part of conquering daily fear is simply doing things that we don't know how to do—yet."

— Virginia H. Pearce

#quotes

The call for papers for BSides Saskatoon 2026 is open.

The CFP submission URL is https://buff.ly/nKcBjPo

We accept first-time as well as veteran speakers and encourage submissions from diverse perspectives—whether you're proposing a talk about AI, blue teaming, red teaming, or anything in between.

We look forward to your proposals.

CFP Closes July 31, 2026

#BSidesYXE #BSides #Saskatoon #CallForPapers #infosec #Conference

Laser-based hardware attacks are only for nation-state actors with million-dollar labs. Right?
Wrong.
At BSides312, Larry Trowell and Sam Beaumont (PANTH13R) from NetSPI built affordable laser tools using an open-source microscope and consumer-grade lasers to detect hardware malware and supply chain chip swaps.
Hackers go pew pew.
May 16th. Chicago.
🎟️ https://bsides312.org
#BSides312 #InfoSec #HardwareHacking #SupplyChainSecurity #CyberSecurity #Chicago #BSides #THOTCON

If you run any Tor Services, please upgrade to the latest version; it is an important security fix. #Tor

Fake Claude site installs malware that gives attackers access to your computer

We found a convincing fake site that installs a trojanized Claude app while quietly deploying PlugX malware.

Malwarebytes

We spent years teaching people not to paste secrets into Slack. Turns out we should've been watching the AI they're pasting them into instead.

https://api.cyfluencer.com/s/camoleak-how-github-copilot-became-an-exfiltration-channel-26630

CamoLeak: How GitHub Copilot Became An Exfiltration Channel

CamoLeak turned GitHub Copilot into a silent data exfiltration channel via prompt injection and GitHub's own image proxy. CVSS 9.6.

BlackFog

Dear friends in #Hungary that vote tomorrow: Send Orbán and his cronies to Moscow or Washington or even better to the court in The Hague with your vote. You have been gaslighted for too long. Do the right thing. Vote for your people. As part of the European family. We are ready to help. We want to help.