OpenAI has a negative 122% operating margin and growth of usage has stopped. https://www.theinformation.com/articles/openai-held-1-billion-revenue-lead-anthropic-first-quarter
Kevin Beaumont
@GossiTheDog@cyberplace.social
Cybersecurity weather person and award winning shitposter. Shitposting is an anagram of Top Insights. You may be surprised to know I am not representing my employer here and these are not their opinions.
I have Direct Messages disabled - you can send them, but I will never receive them.
RE: https://techhub.social/@Techmeme/116596312742431654
This is the dumbest fucking thing I’ve read since the last AI thing.
I will likely be one of the first people banging the drum to patch and mitigate if any of the recent AI vulns results in serious harm. Otherwise, keep calm and carry on patching as usual.
Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.
The way the PoC exploit works is they spawn nginx like this:
> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf
setarch -R disables ASLR. I've had a look through GitHub and I can't find any other software which actually does this for nginx either.
So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.
There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.
A thread on a few of them.
CVE-2026-34486 - Tomcat
- Only exploitable if a certain feature is used, if its endpoint is reachable and if port 4000 is available. It's pretty niche.
CVE-2026-42945 - Nginx (otherwise branded Nginx Rift)
It relies on a specific Nginx config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to have been disabled on the box.
The PoC they've built specifically disables ASLR, deploys a specifically vulnerable config, and the exploit knows about the vulnerable config endpoint.
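The ASLR point in the nginx posts above (the PoC only gets RCE after `setarch -R` switches randomisation off) can be checked on a host directly. This is an added defender-side script, not code from the original posts; it assumes a Linux box with /proc mounted and that the process of interest is named nginx.

```sh
#!/bin/sh
# Added example (not from the original posts): report whether ASLR is actually
# in effect system-wide and for running processes such as nginx.
# Assumes Linux with /proc mounted; the process name "nginx" is an assumption.

# ADDR_NO_RANDOMIZE (0x0040000) from <linux/personality.h>; this is the
# personality bit that `setarch -R` sets for the process it spawns.
ADDR_NO_RANDOMIZE=262144

# Classify the system-wide sysctl value (kernel.randomize_va_space).
# Prints: disabled | partial | full | unknown
describe_randomize_va_space() {
    case "$1" in
        0) echo disabled ;;
        1) echo partial ;;   # stack/mmap/vdso randomised, brk is not
        2) echo full ;;      # the default on every mainstream distro
        *) echo unknown ;;
    esac
}

# Given the 8-hex-digit contents of /proc/<pid>/personality, return 0 (true)
# if per-process randomisation has been switched off, 1 otherwise.
personality_aslr_disabled() {
    [ $(( 0x$1 & ADDR_NO_RANDOMIZE )) -ne 0 ]
}

# Print one line per live process named exactly $1 (default: nginx).
report_processes() {
    name=${1:-nginx}
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        pers=$(cat "/proc/$pid/personality" 2>/dev/null) || continue
        if personality_aslr_disabled "$pers"; then
            echo "pid $pid ($name): ASLR DISABLED (personality $pers)"
        else
            echo "pid $pid ($name): ASLR in effect (personality $pers)"
        fi
    done
}

main() {
    sysval=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null) || sysval=""
    echo "kernel.randomize_va_space=${sysval:-?} ($(describe_randomize_va_space "$sysval"))"
    report_processes "${1:-nginx}"
}
main "$@"
```

A process spawned via `setarch -R` shows up as "ASLR DISABLED" even when the sysctl reports "full", which is the condition the PoC depends on.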
My toot from last week about the world going to shit around the time GameStop realised it could just pretend to be a functioning mega company, so have this video with the CEO trying to explain how they'll buy eBay instead.
I have a theory about when the business world went to shit.
At the beginning of 2021.
Reddit bros realised they could inflate the value of GameStop - a business selling physical video games which is as doomed as Blockbuster - by just... vibing and pretending.
And now everybody just vibes and pretends across business. Everybody knows everything is bullshit, e.g. GenAI's largely bullshit... but as long as we vibe along, who cares!
GameStop's worth $11bn (lol) and they swapped CEO to a bro.
Notepad++ have released a new version to fix the auto update process being hijacked https://notepad-plus-plus.org/news/v889-released/
I reported the vulnerability; it is being hijacked by threat actors in China. https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Not a joke btw, they missed a 1 off the end of the bit.ly link
When I did the promotion for the Firefly movie back in 2005, Universal gave the website and Browncoats stuff to me (unpaid) and instead spent the marketing money on merchandise to give out.
Unfortunately they got the website name wrong and printed a porn site name on everything, so it had to be destroyed.
Well done to the person in Philadelphia government who sent an emergency text to everybody in the area with a link to chubbyparade.com, a porn site, instead of a weather site