63 Followers
118 Following
1.2K Posts
Infosec Enthusiast.
Breaking things to find out how they break. #cybersec #blueteam
Languages: Deutsch, English
Family: Wife, 2 sons and a cat
Profession: Security Engineer
Hobbies: My homelab in a rack in the basement

NEW RESEARCH - I'm pretty proud we were able to pound out and ship a piece on this within 3 days. But its importance may get lost in the news cycle.

While we continue to struggle with things like keeping private keys secret, we're also busy introducing autonomous, nondeterministic agents into every place possible that are subject both to all the problems we still struggle with *AND* largely interminable new problems that can't be easily guardrailed-away.

Sure, this is a Chinese company so it's difficult for many folks to envision the same thing happening in the US, but we are 100% setting ourselves up for it, and companies and professionals not gleefully joining in the regressions are being continually punished.

This is a warning sign, and unfortunately, we will fail to heed it.

https://dti.domaintools.com/research/exposure-of-tls-private-key-for-myclaw-360-in-qihoo-360-security-claw-ai-platform

DomainTools Investigations | Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform

DTI analysis of a leaked TLS private key from Qihoo 360's AI security platform, covering cryptographic validation, threat scenarios, and incident response.

Your UEFI firmware can inject a PE binary into Windows on every boot via WPBT (Windows Platform Binary Table). smss.exe extracts it to disk and runs it as SYSTEM. OEMs use this to survive OS reinstalls. Attackers use it the same way.

One registry key tells Windows to ignore the table entirely:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v DisableWpbtExecution /d 1 /t REG_DWORD /f

Won't stop real firmware implants, but kills a whole class of cheap persistence for free.
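As an added example (not part of the post above), a small PowerShell audit script that checks whether the opt-out value from the post is set, looks for the on-disk artifact that smss.exe leaves behind, and applies the setting only when asked. The registry path and value name are those from the post; the artifact path `System32\wpbbin.exe` and the requirement to run elevated are assumptions.

```powershell
# Added example, not the post's own code: audit and optionally apply the
# WPBT opt-out. Assumptions: run from an elevated prompt; wpbbin.exe is
# where smss.exe extracts the firmware-supplied binary (not stated in the post).
[CmdletBinding()]
param(
    [switch]$Remediate   # only write the registry value when this is given
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'DisableWpbtExecution'
# Assumed location of the extracted WPBT binary
$artifact  = Join-Path $env:SystemRoot 'System32\wpbbin.exe'

function Get-WpbtState {
    # Read the opt-out value; a missing value means WPBT execution is enabled
    $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$valueName } else { $null }
    [pscustomobject]@{
        OptOutConfigured = ($value -eq 1)
        RegistryValue    = $value
        ArtifactPresent  = (Test-Path -Path $artifact -PathType Leaf)
        ArtifactPath     = $artifact
    }
}

$state = Get-WpbtState
$state | Format-List

if ($state.ArtifactPresent) {
    # A firmware-supplied binary has already been extracted on some boot;
    # record hash and signature status so it can be reviewed against OEM expectations.
    $hash = (Get-FileHash -Path $artifact -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $artifact
    Write-Warning ("WPBT artifact present: SHA256={0} Signature={1} Signer={2}" -f
        $hash, $sig.Status, $sig.SignerCertificate.Subject)
}

if ($Remediate -and -not $state.OptOutConfigured) {
    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "Set $valueName=1 under $keyPath; takes effect on the next boot."
}
```

Run it without arguments to audit (it prints the current state and warns if the artifact exists), and with `-Remediate` to set the value; as the post notes, this only stops the WPBT delivery path, not a firmware implant that uses another one.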

With the recent integration of CERT-VDE’s CSAF advisories, it becomes even clearer why diverse vulnerability data sources are essential.

CSAF delivers direct vendor remediation information, and when correlated with the CVE Program, it highlights how important federation and data correlation are for remediation efforts and vulnerability management as a whole. (See example below)

🔗 https://db.gcve.eu/vuln/vde-2025-066

#gcve #cve #vulnerabilitymanagement #cybersecurity #opensource

@circl
@gcve
@CVE_Program

I suspect most people outside of the UK won't have heard about the post office scandal, but it seems highly relevant to learn about now (given *waves* this):

For over 15 years, the software post offices in the UK had to use contained severe bugs, particularly in accounting, that everyone at Fujitsu/Horizon and the Post Office blissfully ignored. Over 900 (!!!) postmasters were sentenced for alleged theft and fraud, some went to jail, some committed suicide. All because the software was shit and everyone who could do something about it didn't care and swept it under the rug.

Everything, including how it was uncovered, about this seems bizarre and Kafkaesque, but we better prepare for it to happen more often.

https://en.wikipedia.org/wiki/British_Post_Office_scandal

https://types.pl/@pigworker/116211919028571818

British Post Office scandal - Wikipedia

systemd goes AI agent slopware https://github.com/systemd/systemd/blob/c1d4d5fd9ae56dc07377ef63417f461a0f4a4346/AGENTS.md

has slop documentation now too

Got an AI-written reply from a vendor we pay tens of millions of dollars a year to, and it doesn't feel good.

Three people spent enormous deliberative effort for a whole day in very expensive company time to make every word of that.

You put it in an answer shredder and spit it at me with some editing.

Feels bad.

"AI is giving attackers a huge advantage!"

"Yes, it is. It's amazing how quickly it has destroyed dev, sec, ops, management, company missions and priorities, regulations, information literacy, and civil society, making everyone more vulnerable."

‚If you run a company whose entire value proposition is the ability to see patterns, predict outcomes, and connect dots that others miss, you’d think someone in the building might have flagged that suing a small independent magazine over unflattering-but-accurate reporting would only guarantee that millions more people read it.…‘

Palantir Sues Swiss Magazine For Accurately Reporting That The Swiss Government Didn’t Want Palantir 🙃

https://www.techdirt.com/2026/02/27/palantir-sues-swiss-magazine-for-accurately-reporting-that-the-swiss-government-didnt-want-palantir/

Be careful with this information! Just don't spread it!

#Swiss #Palantir #Press #Tech #Technology #AI #Data #BigTech


at the end of the day I realize over and over

* knowing technology really well, knowing how "it" works is worth investing time
* you only need a handful of tools and a few languages to build practically everything you want
* good documentation is worth it - reading it and writing it
* testing, validating, measuring - whatever you want to call it is worth knowing really well

there's this article about Knuth and literate programming and word count with early Unix shell tools which echoes my sentiment very much, or the article "hello, here's my awk script and it's 135 times faster than your Hadoop cluster". and instead of really taking a deep look at "what do you REALLY need?", people are always "that never works in a PROFESSIONAL environment", and then you look at established companies and it's all dusty Perl (or equivalent) in a dark corner running the business