Sunday, 28 June 2026
Anonymous actor mass-drops 30+ zero-days; Asian AI fills the Mythos vacuum; Meta's chilling campaign keeps backfiring
Today's Lead
EngineeringGitHub (bikini/exploitarium)
Anonymous GitHub Account Mass-Dropping Undisclosed Zero-Days
An anonymous GitHub account published Exploitarium, a repository of 30+ proof-of-concept exploits targeting Firefox, PHP, Docker, OpenVPN, and other widely-used software — framing it as educational while explicitly encouraging researchers to "claim CVE credit for unreported findings," confirming that many of these are previously undisclosed vulnerabilities. Rather than coordinating quietly with vendors, the author is using public transparency as a forcing function: once a working PoC is public, the clock on vendor timelines effectively resets to zero. The security community's response is split between condemning irresponsible disclosure and acknowledging that coordinated disclosure has long been structurally tilted toward vendors who can extend timelines indefinitely. The incident surfaces a persistent tension in the vulnerability ecosystem: the formal disclosure process is often a courtesy extended to vendors at the public's expense, and the actor here appears to have decided the asymmetry is no longer tolerable.
TechCrunch
Asian AI Startups Launch Mythos-Like Models as Anthropic's Export Ban Drags On
Following the Trump Administration's export ban on Anthropic's Mythos and Fable 5 models, Chinese cybersecurity firm 360 unveiled Tulongfeng (positioned as competitive with Mythos) and Tokyo-based Sakana AI launched Fugu (matching Fable 5 and Mythos Preview capabilities) — Sakana explicitly framing the launch as frontier AI "without the risk of export controls." 360's founder raised a structural asymmetry concern: when U.S. security tools are restricted while Chinese equivalents are not, attackers gain a one-way transparency advantage. The pattern raises a question that export-control policy has not yet answered: whether restrictions designed to slow adversary access to frontier models are instead accelerating the development of alternatives that are simply less constrained by Western safety and governance frameworks — achieving the opposite of their intended effect.
Read →lyra.horse
A Peek into Reddit's Anti-Spam Internals
Reddit's anti-spam stack evolved from CRM114 classifiers through Lua-based rule engines ("Spamurai") to the current Snooron architecture, which combines ML scoring via Perspective API, account-age and karma signals, posting-velocity heuristics, TLS-fingerprint-based browser identification, and URL inspection with full redirect chain following to identify coordinated abuse rings. The most structurally revealing detail: minor text modifications can still evade detection, meaning that despite enormous architectural complexity, determined adversaries retain a meaningful advantage. Anti-abuse at platform scale is fundamentally an asymmetric arms race — defenders must close every gap across the whole surface, attackers need only find one — and this tour of Reddit's internals makes that asymmetry vivid.
Read →blog.weineng.me
Data Access Patterns That Make Your CPU Really Angry
An 8-page stride access pattern can cause a 33% slowdown compared to fully random access — a counterintuitive result explained by cascading failures across every layer of the memory hierarchy simultaneously: L1 cache set associativity conflicts, hardware prefetcher disablement from page-boundary crossings, and degraded TLB/PTE cache locality all compound at once. The key insight is that hardware optimisations are calibrated for common-case access patterns, and specific unlucky strides fall through all caching abstractions at the same time — meaning some seemingly "orderly" patterns are worse than chaos. For systems programmers and anyone doing performance-sensitive data layout work, this is a concrete illustration of why micro-benchmarks can produce results that feel like they contradict basic memory hierarchy intuitions.
Read →blog.einval.com
It's Dead, Jim! The 2011 Microsoft UEFI CA Expired Today
The Microsoft UEFI Certification Authority issued in 2011 expired on June 27, 2026 — a certificate that has underpinned Secure Boot signing across the Linux ecosystem for over a decade, and whose unmanaged expiry could have caused widespread boot failures. The Linux community mitigated this through an accelerated shim-review process: Debian, Ubuntu, and others deployed dual-signed binaries compatible with both old and new CAs in the weeks before expiry, and the transition was smooth. The episode is a useful case study in PKI lifecycle management at ecosystem scale — coordinated, proactive, and largely invisible to end users — and a reminder to ask how many other critical certificates are silently approaching similar cliffs without the same level of organised attention.
Read →Pluralistic (Cory Doctorow)
Zuckerberg's War on Whistleblowers
Cory Doctorow argues that Meta's escalating legal campaign against whistleblower Sarah Wynn-Williams — demanding over $50,000 per criticism, with one arbitration ruling seeking $111 million for her merely appearing silent onstage — is not a rational suppression strategy but a terror mechanism aimed at current and former employees watching from the inside. Each escalation generates exactly the publicity that boosts Wynn-Williams's book sales (the Streisand Effect, compounded), yet Meta continues because the intended audience for the terror is not the public but internal: people who have seen what happens when you speak and are deciding whether to. Doctorow frames this as a structural feature of platform power rather than Zuckerberg's personal pathology: corporations use asymmetric access to legal systems as a mechanism of social control, and the goal is not to win individual cases but to price whistleblowing out of reach.
Read →Jay Acunzo
The Best Response to AI Slop and Online Noise Is from Robin Williams
Jay Acunzo invokes Robin Williams's monologue from Good Will Hunting — standing in the Sistine Chapel versus merely reading about it — to argue that the fundamental distinction between human creativity and AI-generated content is not information but lived experience. AI can synthesise everything published on the internet but cannot have been embarrassed at the worst possible moment, watched someone die, or read a room from a lifetime of social failures and recoveries; it has access to descriptions of experience but not to experience itself. For anyone building with or around generative AI, this frames what the real competitive advantage looks like: work rooted in irreducible personal experience and vulnerability carries a weight that technically competent but experientially empty output cannot replicate — and the market has not yet fully priced that distinction.
Read →