Nicolò Fornari
@rationalpsyche.bsky.social
Penetration Tester. Art passionate. Friends call me "grandpa".
Reposted by Nicolò Fornari
Our story in the GUARDIAN!!!

😎 😎
🎇 🎇 🎇
🔥🔥🔥🔥

www.theguardian.com/technology/2...
MPs question UK Palantir contracts after investigation reveals security concerns
Journalists find Swiss government rejected company over fears US intelligence might gain access to sensitive data
www.theguardian.com
December 22, 2025 at 4:25 PM
Reposted by Nicolò Fornari
In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.

Watch here: youtu.be/L5Tin7m5sbE?...

#security #fuzzing #AFLplusplus #appsec
Fuzzing and AFL++
YouTube video by Compass Security
youtu.be
December 16, 2025 at 8:39 AM
Super interesting and highly recommended.
There's so much to unpack that I bookmarked it for a second read.
Recently I presented over at TU Delft on the Science of Security. Learn all about radar, stealth, penicillin, hydrogen bombs & my thoughts on how in Europe we have no good avenues for doing military tech research & how this could end up badly + some ideas how to do better:
berthub.eu/articles/pos...
TU Delft lecture: Security of Science - Bert Hubert
This is a mostly verbatim transcript of my lecture at the TU Delft VvTP Physics symposium “Security of Science” held on the 20th of November. Audio version (scroll along the page to see the associated...
berthub.eu
December 11, 2025 at 10:08 PM
December 9, 2025 at 8:37 PM
Reposted by Nicolò Fornari
NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.

blog.compass-security.com/2025/11/ntlm...
November 26, 2025 at 9:54 AM
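The reposted announcement states the condition (no channel binding) under which NTLM relay still works against an HTTPS endpoint. The following is an added example, written for this page and not code from the Compass Security post or blog: it models the MsvAvChannelBindings AV pair (MS-NLMP) that an EPA-capable client puts into its NTLMv2 response and the comparison the target server makes. The two "certificates" are constructed byte strings, not real X.509 DER, and the SHA-256 digest is assumed for them (RFC 5929 ties the digest to the certificate's signature algorithm); everything else follows the published encodings.

```python
"""Channel binding (EPA) in NTLM over TLS: why relay fails once it is present.

Added example, not code from the Compass Security post or blog. The certificates
below are constructed stand-ins, not real DER.
"""
import hashlib
import struct
from typing import Dict, Optional

MSV_AV_CHANNEL_BINDINGS = 0x000A   # AvId of the channel-bindings AV pair (MS-NLMP)

# Constructed stand-ins for DER certificates: the real target's and the relay's.
TARGET_CERT = b"constructed DER: CN=target.example, real server"
RELAY_CERT = b"constructed DER: CN=target.example, attacker's TLS endpoint"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point: a hash of the server certificate.
    The digest follows the certificate's signature algorithm (SHA-256 when that
    is MD5 or SHA-1); SHA-256 is assumed here for the constructed bytes."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_value(cert_der: bytes) -> bytes:
    """Value of MsvAvChannelBindings: MD5 over a gss_channel_bindings_struct
    (RFC 4121 section 4.1.1.2): initiator_addrtype, initiator_address length,
    acceptor_addrtype, acceptor_address length, application_data length as
    4-byte little-endian integers, then application_data. NTLM leaves the
    address fields empty, so only the certificate hash varies."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    cb_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(cb_struct).digest()


def client_av_pairs(seen_cert: Optional[bytes]) -> Dict[int, bytes]:
    """AV pairs the client puts in its NTLMv2 response. With EPA it binds to the
    certificate of the TLS server *it* connected to; without EPA there is no
    channel-bindings pair. The pairs sit inside the HMAC-protected part of the
    response, so a relay cannot strip or rewrite them."""
    av: Dict[int, bytes] = {}
    if seen_cert is not None:
        av[MSV_AV_CHANNEL_BINDINGS] = channel_binding_value(seen_cert)
    return av


def target_accepts(av_pairs: Dict[int, bytes], own_cert: bytes, epa_required: bool) -> bool:
    """Target side. A present pair must match the target's own certificate. A
    missing pair is accepted only when EPA is 'accept if provided', never when
    it is set to 'required'."""
    cbt = av_pairs.get(MSV_AV_CHANNEL_BINDINGS)
    if cbt is None:
        return not epa_required
    return cbt == channel_binding_value(own_cert)


def relay_succeeds(client_has_epa: bool, epa_required: bool) -> bool:
    """Victim talks TLS to the attacker's relay, which forwards the NTLM
    messages unchanged to the real target over its own TLS session."""
    av = client_av_pairs(RELAY_CERT if client_has_epa else None)
    return target_accepts(av, TARGET_CERT, epa_required)


def direct_login_succeeds(epa_required: bool) -> bool:
    """Control case: an EPA client talking straight to the target."""
    return target_accepts(client_av_pairs(TARGET_CERT), TARGET_CERT, epa_required)


if __name__ == "__main__":
    for client_epa in (False, True):
        for required in (False, True):
            print(f"client EPA={client_epa!s:5} server requires EPA={required!s:5} "
                  f"relay works={relay_succeeds(client_epa, required)}")
```

The only cell of the table where the relay still works is the one the post describes: a client that sends no channel-bindings pair against a server that does not require it. Setting EPA to "required" on the target closes that cell; a client with EPA enabled closes it on its own, because the value it computed for the relay's certificate never matches the target's.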
Reposted by Nicolò Fornari
We still need to get from a situation where Russia pretends to negotiate to a situation where they need to negotiate.

Extract from my press remarks following today’s informal Foreign Affairs Council ↓
November 26, 2025 at 2:54 PM
Reposted by Nicolò Fornari
#Finland will begin to #Russia-proof its rail network and integrate with EU train infrastructure.

The Finnish government has announced the conversion of its rail network from Russian gauge (1,524 mm) to European standard (1,435 mm).

www.trenvista.net/en/news/flas...
November 23, 2025 at 4:11 PM
Reposted by Nicolò Fornari
Burp now has a command palette (similar to the one in VS Code) 🥳

portswigger.net/cms/images/4...
November 14, 2025 at 1:07 PM
Reposted by Nicolò Fornari
Kyle Kingsbury is not a journalist. He is not an op-ed writer.

He is a computer safety researcher.

And he has written one of the most compelling, comprehensive accounts of the ongoing hell in Chicago that you could possibly imagine.

In under 1600 words.

aphyr.com/posts/397-i-...
November 9, 2025 at 8:49 PM
Reposted by Nicolò Fornari
It's important for Europeans, and others from visa-waiver countries, to understand they don't have freedom of speech rights when visiting the United States.

The Trump regime is still deporting visitors for critical comments made online, because they can.
How My Reporting on the Columbia Protests Led to My Deportation
As an Australian who wrote about the demonstrations while on campus, I gave my phone a superficial clean before flying to the U.S. I underestimated what I was up against.
www.newyorker.com
November 5, 2025 at 8:05 AM
Reposted by Nicolò Fornari
Starting Monday LinkedIn will begin using data from your profiles/posts to train AI. If you live in EU/EEA/Switzerland/Canada/Hong Kong your data is subject to being used this way, but you can opt out. Go to Settings/Privacy/Data for Generative AI Improvement and toggle the switch to off.
Update to our Terms and data use | LinkedIn Help
Update to our Terms and data use
www.linkedin.com
October 30, 2025 at 4:13 PM
Day to day: the user experience of getting a direct answer for simple things compared to scrolling a bloated blog post, with ads and cookie banners. It would be better to solve the state of the web but hey, it's a workaround.
Here’s my litmus test: is AI improving your day to day life? Is it actually helping you to create, connect, feel joy, chase ambition?

If not - what’s the point?
October 30, 2025 at 10:41 PM
Reposted by Nicolò Fornari
If you know who did this, or if you know how to set it back, the hotel kindly asks you to do so, respecting the fun achievement unlocked :)
https://infosec.exchange/@xme/115422139879568495
Xavier Mertens 🇧🇪 (@[email protected])
Attached: 1 image When you leave a coffee machine unprotected at a hacker conference… #hacklu2025
infosec.exchange
October 23, 2025 at 7:27 AM
Great work guys!!
🎉Success. Our #Pwn2own team combined #zeroday bugs to #exploit @home-assistant.io green which earned them $20'000 and 4 pts. Congratz to @bcyrill.bsky.social Emanuele, Lukasz @muukong.bsky.social and @yvesbieri.bsky.social.

Respect to @stephenfewer.bsky.social and the Summoning Team for the wins.
October 22, 2025 at 6:55 PM
Reposted by Nicolò Fornari
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
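The reposted announcement says why gRPC-Web is awkward to test: the body is binary and the .proto schema is usually not available. As an added example that is not the bRPC-Web extension's code, this is the core of what such tooling has to do: split the gRPC-Web body into its length-prefixed frames, walk the protobuf wire format using only the tag and wire-type rules, and re-encode an edited field list. The sample response bytes are constructed for the example; the nested-message/text/bytes guess for length-delimited fields is a heuristic, which is the ambiguity a tester faces without the schema.

```python
"""Added example, not the bRPC-Web extension's code: schema-less decode and
re-encode of gRPC-Web traffic. The sample bytes below are constructed."""
import base64
import struct

def read_varint(buf, pos):
    """Decode one base-128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]                      # IndexError on a truncated varint
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def write_varint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def decode_fields(msg):
    """Walk a protobuf message with no schema: [(field_number, wire_type, value)].
    Length-delimited values are guessed: embedded message, else UTF-8 text, else bytes."""
    fields, pos = [], 0
    while pos < len(msg):
        tag, pos = read_varint(msg, pos)
        number, wt = tag >> 3, tag & 7
        if wt == 0:                                    # varint
            value, pos = read_varint(msg, pos)
        elif wt == 1:                                  # fixed64
            value, pos = struct.unpack_from("<Q", msg, pos)[0], pos + 8
        elif wt == 5:                                  # fixed32
            value, pos = struct.unpack_from("<I", msg, pos)[0], pos + 4
        elif wt == 2:                                  # length-delimited
            length, pos = read_varint(msg, pos)
            if pos + length > len(msg):
                raise ValueError("length-delimited field runs past the message")
            value, pos = guess_bytes(msg[pos:pos + length]), pos + length
        else:                                          # groups (3/4) are deprecated
            raise ValueError(f"unsupported wire type {wt}")
        fields.append((number, wt, value))
    return fields

def guess_bytes(raw):
    if not raw:
        return b""
    try:
        return decode_fields(raw)                      # parses cleanly: embedded message
    except (ValueError, IndexError, struct.error):
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return raw

def encode_fields(fields):
    """Inverse of decode_fields, so an edited field list can be sent on."""
    out = bytearray()
    for number, wt, value in fields:
        out += write_varint((number << 3) | wt)
        if wt == 0:
            out += write_varint(value)
        elif wt in (1, 5):
            out += struct.pack("<Q" if wt == 1 else "<I", value)
        else:
            payload = (encode_fields(value) if isinstance(value, list)
                       else value.encode("utf-8") if isinstance(value, str) else value)
            out += write_varint(len(payload)) + payload
    return bytes(out)

def split_frames(body, text=False):
    """gRPC-Web framing: 1 flag byte (0x00 data, 0x80 trailers), 4-byte big-endian
    length, payload, repeated; application/grpc-web-text base64-encodes the same bytes."""
    if text:
        body = base64.b64decode(body)
    frames, pos = [], 0
    while pos < len(body):
        flags, length = struct.unpack_from(">BI", body, pos)
        payload, pos = body[pos + 5:pos + 5 + length], pos + 5 + length
        if len(payload) != length:
            raise ValueError("truncated frame")
        if flags & 0x80:
            frames.append({"flags": flags, "trailers": payload.decode("utf-8")})
        else:
            frames.append({"flags": flags, "fields": decode_fields(payload)})
    return frames

def join_frames(frames, text=False):
    body = bytearray()
    for f in frames:
        payload = f["trailers"].encode("utf-8") if f["flags"] & 0x80 else encode_fields(f["fields"])
        body += struct.pack(">BI", f["flags"], len(payload)) + payload
    return base64.b64encode(bytes(body)) if text else bytes(body)

# Constructed sample: data frame {1: 42, 2: "alice", 3: {1: 7, 2: "x"}}, then trailers.
SAMPLE_MESSAGE = bytes.fromhex("08 2a 12 05 61 6c 69 63 65 1a 05 08 07 12 01 78")
SAMPLE_BODY = (b"\x00" + struct.pack(">I", len(SAMPLE_MESSAGE)) + SAMPLE_MESSAGE
               + b"\x80" + struct.pack(">I", 15) + b"grpc-status:0\r\n")
```

Decoding SAMPLE_BODY yields the field list for the data frame and the text of the trailers frame; changing a value in that list and passing it back through join_frames gives a body the server will parse, which is the manipulation step. Field names, enum meanings and whether a varint is signed (zigzag) or unsigned remain unknown without the schema, so what the decoder shows is field numbers and wire types only.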
Reposted by Nicolò Fornari
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
October 4, 2025 at 10:39 AM
Reposted by Nicolò Fornari
The @EUCommission would like to hear your views on the governance and sustainability of critical open source software. The survey closes October 5th.

https://ec.europa.eu/eusurvey/runner/FOSSEPS_Governance_and_Sustainability_Survey

#OpenSource #governance #sustainability
Study of the European Commission: Survey on the Governance and Sustainability of Critical Open Source Software
ec.europa.eu
September 30, 2025 at 2:24 PM
Reposted by Nicolò Fornari
"Employees are using AI tools to create low-effort, passable looking work that ends up creating more work for their coworkers.[...] it shifts the burden of the work downstream, requiring the receiver to interpret, correct, or redo the work. In other words, it transfers the effort
1/2
September 23, 2025 at 11:10 AM
Reposted by Nicolò Fornari
It is representative of a *profound* failure of a country that this group of people are up there talking about medicine and science at all
September 22, 2025 at 9:13 PM
Beyond the message of the talk, the insights on the parliamentary monitoring system are super interesting!
September 22, 2025 at 5:24 PM
Reposted by Nicolò Fornari
Europe stands with Estonia in the face of Russia’s latest violation of our airspace.

We will respond to every provocation with determination while investing in a stronger Eastern flank.
September 19, 2025 at 3:19 PM
Reposted by Nicolò Fornari
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Nicolò Fornari
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM