s1r1us (@s1r1u5_)'s Twitter Profile
s1r1us

@s1r1u5_

I am forever a student; the world is my teacher. {~hacker~} {founder @ElectrovoltSec, @HacktronAI}

ID: 3355115866

Website: http://s1r1us.ninja

Joined: 02-07-2015 13:37:54

2.2K Tweets

9.9K Followers

1.1K Following

terjanq (@terjanq)

We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big part of what I've been up to in the last few years! Check out the blog and take a slice of my birthday cake 🎂! bughunters.google.com/blog/671552987…
s1r1us (@s1r1u5_)

You either make the model conscious, by that I mean jailbreak-proof, or every agentic app built on top of it will suffer from terrible UX.

Increasing the capabilities doesn't mean it's jailbreak-proof; rather, it can be used to do even more dangerous stuff.

securing agentic apps
s1r1us (@s1r1u5_)

This is still relevant for security: just accept that the model can be jailbroken and create the threat document accordingly.

s1r1us (@s1r1u5_)

There's a real information asymmetry between agent developers and attackers: if I can read the system prompt, I can map out almost every attack vector. Maybe I should write a blog post about that threat model, and build a small open source tool to automatically generate likely

s1r1us (@s1r1u5_)

Cool idea. Except it's exactly how social media algorithms already work, creating echo chambers. A private LLM trained only on someone's own material would be even more profitable.

RootSys (@rootsysat)

🚨 Next.js and the Mutated Middleware [CVE-2025-57822] - a powerful SSRF primitive enabling full control over HTTP methods, headers & URLs. See how a subtle middleware bug can result in a high-impact vulnerability: 🔗 blog.rootsys.at/posts/nextjs-a… #AppSec #Nextjs #SSRF

s1r1us (@s1r1u5_)

The challenge with designing AI agents for vulnerability identification or offsec is that you can't just drop them into a while(true) loop and expect bugs to surface the way coding assistants brute-force their way through tasks. Vulnerability discovery requires structured

s1r1us (@s1r1u5_)

What if you trained models to explicitly separate <instruction> tags from everything else, treating the tagged content as executable instructions and all other text as inert data? Then, whenever you ingest untrusted input, you just sanitize it by stripping out <instruction>

s1r1us (@s1r1u5_)

The difference between us and Pavlov's dog is that it never knew it was being conditioned; we know, but are powerless to resist.