MonkeHacks #93
I’m writing this from Tokyo at the moment. I thoroughly enjoyed my flight over here with JAL. Fortunately, Manchester United were playing during the first two hours of the trip, so I was able to use the in-flight WiFi to tune in on the internet radio. We live in blessed times.
Speaking of blessed times, I really missed the food here. It’s great to be back. I wouldn’t live here, because I have cats and my life built up back in Scotland, but it’s very nice to spend a month or so in total here in Japan each year through LHEs and holidays. I nurture my Japanese language skills and so rather than deteriorating, my Japanese improves in its fluency year-on-year.
For now, the focus returns to the LHE. I’m not going to win or anything, but I want to do my best and give it a good shot.

Tokyo Skytree. Taken with the Fujifilm XE5 with a film simulation recipe.
Weekly Ideas / Notes
I read Siddhartha by Herman Hesse this week. I highly recommend this book as it offers some insight at whatever age you are. Some people view this book as a kind of blueprint or guide for living, but I disagree with those people; it’s a book about the life of a person, nothing more, nothing less. You can certainly derive insights from that person’s life, but you miss the entire point of the book if you use it like a guide.
I also read The Stranger (published as The Outsider outside of America) by Albert Camus. This was also a relatively short book, about a murder on a beach, and the price of being different (albeit told through a morbid lens). I recommend this book also.
I did a lot of hacking this week because the LHE kicked off. It’s been going reasonably well; I’m collaborating with Busfactor again, as well as two more friends from the CTF scene. We’re doing some good work, but it’s unlikely that I’ll be able to talk about this any further as the customer is quite secretive.
There was some drama this week in the community about whether or not platforms were training AI hackbots using researcher reports. HackerOne’s leadership provided clarification that they were not using researcher reports, and while I’d like to believe it, I struggle to see what data HackerOne would have that isn’t researcher data. Why would they compete in the space without any competitive edge? What data could there be that would make the product worthwhile at all? It just doesn’t add up. It’s not all bug bounty platforms, either. Just the ones that have crowdsourced pentest products that make up a significant portion of their revenue. The other platforms should be as transparent as Intigriti about what they’re using AI for, and how they’re training and tuning their models.
I watched the LHE kickoff call with my good friend Hakupiku (he’s also competing, and he lives in Japan now) in Hakupiku’s office. I’ve also been hanging out with Busfactor on most of the days since I arrived. It’s been a fun few days and it’s always nice to kill time with my close hacker friends in one of my favourite cities in the world.
Reading List
| Title | Pages | Author |
|---|---|---|
| The Night Circus | 130/512 | Erin Morgenstern |
| Solenoid | 130/600 | Mircea Cărtărescu |
| A Random Walk Down Wall Street | 150/300 | Burton Malkiel |
| How The World Made The West | 265/400 | Josephine Crawley Quinn |
| Founders At Work | 221/472 | Jessica Livingston |
Resources
PhoneLeak: Data Exfiltration in Gemini via Phone Call: I’m going to shout myself out here and link my own blog post. It’s worth reading, I promise.
Trailing Danger: exploring HTTP Trailer parsing discrepancies: Absolutely brilliant research on a new type of HTTP request smuggling and header smuggling using Trailer headers. A real contender for next year’s Portswigger Top Ten.
RCE in Google's AI code editor Antigravity: Hacktron AI’s recent research on Antigravity.
Using HMAC collisions to forge password reset tokens: Very clever delimiter confusion technique from lil_endian. Very elegant!
