Observed Agent Sandbox Bypasses
https://voratiq.com/blog/yolo-in-the-sandbox/
#HackerNews #ObservedAgentSandbox #Bypasses #Security #Research #Cybersecurity #Threats #Exploit #Techniques
From somewhere at #39c3
When I was working for a large defense contractor, we tested rolling out AI tools for our developers.
The deployment numbers looked great: 52% increase for junior devs, 32% for mid-level, and 12% for senior engineers.
But we spent more than 80% of our time fixing bugs in deployed code (support burden). This has only gotten worse as people trust AI more, not less.
So when I see people like Rohit Agnihotri pitching charts saying we need fewer humans in the loop, or Chris Hughes peddling this narrative when he should know better, it tells me "expert" doesn't mean what it used to.
This is dangerous advice from people who shouldn't be positioning themselves as experts. Having a title doesn't mean you understand what happens in production where mistakes have real consequences.
If someone is telling you to reduce human oversight because AI is maturing, they don't understand the problem.
Do your own testing. Trust your own data. Be careful whose advice you're betting your systems on.
We've enabled SASL2 and XEP-0474: SASL SCRAM Downgrade Protection on http://XMPP.is via https://github.com/unredacted/xmpp.is/commit/ed656a71d112b3a8eb3b54427c164f483cce4b54
This solves one of the most important issues mentioned in our blog post https://unredacted.org/blog/2023/11/what-were-doing-in-response-to-the-jabber-ru-mitm-attack/
NYC Mayoral Inauguration bans Raspberry Pi and Flipper Zero alongside explosives
#HackerNews #NYC #Mayoral #Inauguration #Raspberry #Pi #Flipper #Zero #Security #News
Escaping containment: A security analysis of FreeBSD jails [video]
https://media.ccc.de/v/39c3-escaping-containment-a-security-analysis-of-freebsd-jails
A Vulnerability in Libsodium
https://00f.net/2025/12/30/libsodium-vulnerability/
#HackerNews #Libsodium #Vulnerability #Security #Cybersecurity #OpenSource #TechNews
If you want to comply with dependency reporting requirements (⇒ SBOM: Software Bill of Materials) for a program of any kind, this is now very easy with #Guix:
https://www.draketo.de/software/bsi-grundschutz#CON.8.A8-sbom-guix
TLDR: guix graph --backend=cyclonedx-json <package-name> gives you an SBOM.
To do that for your own packages, even if they are not in the distro, write a guix.scm (instructions and links in the article).
It works across languages and to arbitrary depth.
Great shout out to Kagi on the Security Weekly podcast, and why it's the gift of choice this holiday season:
https://youtu.be/Jm5t53rsfTs?si=MrXsg-9PnV1_t896&t=2262
(Note: not a paid or sponsored endorsement)
no strcpy either
https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/
#HackerNews #no-strcpy #programming #blog #post #security #coding #best-practices
MongoDB Server Security Update, December 2025
https://www.mongodb.com/company/blog/news/mongodb-server-security-update-december-2025
#HackerNews #MongoDB #Security #Update #December2025 #ServerUpdate #DatabaseSecurity
Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting
https://github.com/Sakura-sx/Aroma
#HackerNews #Aroma #TCP #Proxy #RTT #Fingerprinting #Network #Security #Cybersecurity