Friday, 03 July 2026

GPT-5.5-Cyber builds a zlib fuzzing lab in a single day; someone translated the entire Rust compiler to C; GitHub's nine-month march to zero secret-scanning alerts

Today's Lead

Engineering

Trail of Bits

GPT-5.5-Cyber Built a Zlib Fuzzing Lab in a Day — and Decided What Counted as a Bug

As part of Patch the Planet, its security research collaboration with OpenAI, Trail of Bits pointed GPT-5.5-Cyber at zlib — a compression library so thoroughly reviewed there's little left to find by reading the source — and told it to find a specific dangerous bug class via Codex's /goal command. Without being told how, the model judged static review a poor use of tokens and instead spent a day building a full fuzzing campaign from scratch: ASan/UBSan builds, harnesses across a dozen entry points (inflate, gzFile, MiniZip, puff, blast, and more), seed corpora derived from existing edge-case tests, and compile-time variant builds that reach code the default build hides. What impressed Trail of Bits most wasn't the tooling but the judgment: the model hit a real crash in inflateBack, correctly recognized the triggering state was unreachable in practice, logged it as such, and moved on to find several higher-impact issues instead of padding its report with noise. That reporting discipline — knowing which crashes are real threats versus which are unreachable curiosities — used to be the expensive, expert part of fuzzing; now it's bundled into the automation. The upshot cuts both ways at once: a skilled researcher can now audit far more code per week, but the tedious expertise-gated work of standing up a bespoke fuzzing campaign is no longer a barrier for less sophisticated attackers either, which is exactly why Trail of Bits frames finding these bugs first as a race against whoever else points a similar model at the same target.

Read →

Engineering

GitHub (FractalFir/crustc)

Someone Translated the Entire Rust Compiler to C

crustc transpiles rustc itself into roughly 46 million lines of C, buildable with plain GCC and make instead of LLVM — and it successfully compiles Rust's core, alloc, and std libraries. The engine behind it, cilly, is a custom Rust-to-C backend that probes a target C compiler's capabilities and generates code adapted to what it can actually handle, and even supports remote compilation over TCP. The practical motivation is bootstrapping: platforms like Plan 9 or obscure embedded targets that have a C compiler but no LLVM port have historically been locked out of Rust entirely, and a C-based rustc sidesteps that dependency completely. The project's creator is upfront that the output is rough and still has optimization gaps, and cilly itself isn't public yet — but as a proof that a 46-million-line compiler can be mechanically retargeted off LLVM's toolchain monopoly, it's a striking one-person feat that generated one of the day's largest Hacker News threads.

Read →

GitHub Blog

How GitHub Cleared 20,000 Secret-Scanning Alerts Down to Zero — in Nine Months

When GitHub Security first piloted its own secret-scanning tooling internally, it surfaced more than 20,000 alerts across 15,000+ repositories — a number that turned out to be almost entirely misleading. Five repositories accounted for roughly 18,000 of those alerts, every one an inactive test fixture or fake-but-valid-looking credential (GitHub builds secret scanning, so naturally its own test suites are full of decoy secrets). That left just over 2,000 alerts needing real triage, which GitHub worked through via a six-phase playbook: enforce scanning and push protection everywhere with no opt-outs, bulk-close proven noise, build validity checks to determine which credentials were still live, fix an underlying repository-ownership gap that made remediation impossible without knowing who to notify, hand-triage the long tail, and finally tie secret hygiene to its internal engineering-accountability program so it stayed fixed. The most transferable lesson isn't the tooling — GitHub has since productized the validity-checking and metadata work natively — it's the reframing: a scary alert count is almost never the real scope of the problem, and the actual bottleneck is organizational (who owns this credential, who can rotate it) rather than technical.

Read →

Geoffrey Litt

'Understand to Participate': The Cognitive-Debt Problem of Working With Coding Agents

Geoffrey Litt's framing, delivered as a talk at the AI Engineer World's Fair, cuts against the instinct to treat code comprehension as a verification chore AI lets you skip: understanding the code an agent produces is what lets you keep participating in shaping it. Skip that understanding to move faster in the short term, and you accumulate 'cognitive debt' — your mental model drifts from what the system actually does, until you can no longer meaningfully steer the next round of changes and are reduced to accepting or rejecting whatever the agent proposes. Litt's practical countermeasures are concrete: structured code explainers with built-in comprehension checks, AI-generated interactive micro-worlds for exploring unfamiliar code, and shared environments designed to keep a team's mental models of a system aligned with each other, not just with the agent. It's a sharper version of a worry surfacing across the industry as agents take on larger, more autonomous changes — echoed the same week at AIEWF by Anthropic's Mike Krieger, who described his own team as increasingly 'bottlenecked on reviews' and on 'human ability to fully conceptualize what we're doing.'

Read →

Matthew Garrett

Fifteen Years of Failed Attempts to Stop Token Theft

Matthew Garrett traces a fifteen-year graveyard of proposals to bind authentication tokens to the device or session that created them — Origin-Bound Certificates, Channel IDs, Token Binding (RFC 8471), and now Device-Bound Session Credentials — each technically capable of defeating the malware-exfiltration attacks that render multi-factor authentication moot once a token is stolen. None of them stuck. The common thread isn't technical failure but coordination failure: shipping a binding scheme requires broad browser buy-in and forces trade-offs no single vendor wants to own alone, so proven defenses keep getting proposed, prototyped, and quietly abandoned rather than deployed. It's a useful corrective to the assumption that security problems persist because no one's solved them — sometimes the solution has existed for over a decade, and the actual blocker is standardization politics.

Read →
Humanities

JSTOR Daily

How Each Generation Has Refought the Meaning of the Fourth of July

JSTOR Daily's holiday roundup collects essays that treat Independence Day's meaning as contested rather than fixed, anchored by Frederick Douglass's 1852 oration 'What to the Slave is the Fourth of July?' — delivered a day after the holiday at his own insistence, and still the sharpest available statement of the gap between the republic's founding rhetoric and who it actually included. That contest didn't end with emancipation: after the Civil War, white Southerners treated July Fourth as a bitter reminder of Confederate defeat, while Black Southern communities pointedly built it into a celebration of their own freedom and civic arrival, using the same date to assert a claim the holiday's original framing had denied them. A third essay traces how the US Constitution's separation-of-powers structure and protections for personal liberty drew on the political architecture of the Iroquois Confederacy and other Native governance systems — a debt the founding narrative rarely acknowledges. Together the pieces make a simple point that outlasts any single anniversary: a nation's founding symbols don't have one meaning handed down intact, they get fought over and re-appropriated by whoever the original telling left out.

Read →