Brooks

@brooksmcmillin.com.bsky.social

Infrastructure / AI Security Engineer

25 Followers  |  56 Following  |  18 Posts  |  Joined: 28.07.2025

Latest posts by brooksmcmillin.com on Bluesky

Blink Shell is a professional, desktop grade terminal for iOS. With Mosh & SSH clients for iOS, local UNIX tools, lightning fast and fully customizable. The best terminal for iOS and iPadOS.

I use Blink on iPhone and it’s the best SSH client I’ve run into. $20/year, but well worth it if you want to be able to SSH into a box and do some quick edits.

That plus a bunch of linting and QoL extensions for Neovim make it bearable.

blink.sh

08.02.2026 04:19 — 👍 1    🔁 0    💬 0    📌 0

How about CLI based IDEs, like Neovim (en.wikipedia.org/wiki/Neovim).

Not sure if it’s the best of both worlds or the worst, but it makes it so I can have the same workflow no matter which box I’m SSHed to, and I can use it from my phone terminal when needed.

08.02.2026 03:02 — 👍 2    🔁 0    💬 1    📌 0
Breaking Model Context Protocol - CactusCon 2026

4/ Slides + all sample code (prompt injection test harness, MCP client, OAuth email server w/ Lakera Guard) are open source:

📎 slides.brooksmcmillin.com/cactus.html#1
📎 github.com/brooksmcmill...

07.02.2026 16:39 — 👍 0    🔁 0    💬 0    📌 0

3/ CVE-2025-6514 (CVSS 9.6): mcp-remote passed OAuth metadata straight to the system shell. One crafted authorization_endpoint = full RCE on Claude Desktop, Cursor, Windsurf, VS Code. 437K+ installs before patch.

07.02.2026 16:39 — 👍 0    🔁 0    💬 1    📌 0

2/ But the new threat model is real. Your OAuth client is now a reasoning engine that can be lied to.

I demoed a malicious MCP server that exfiltrates data from a legitimate task manager through the AI agent. No jailbreaking. Just a poisoned tool description.

07.02.2026 16:39 — 👍 1    🔁 0    💬 1    📌 0

1/ Most MCP vulns are classics in disguise:
• Missing PKCE on public clients
• Plaintext token storage
• Timing attacks on token comparison (found this 8 times)
• DNS rebinding against local servers
• Default secrets deployed to prod

07.02.2026 16:39 — 👍 0    🔁 0    💬 1    📌 0

MCP has 97M monthly SDK downloads. Only 8.5% of servers use OAuth. Authentication is optional in the spec.

I gave a talk at @CactusCon on breaking MCP security. Here's what I found 🧵

07.02.2026 16:39 — 👍 0    🔁 0    💬 1    📌 0
Defense in Depth for AI-Assisted Development: Pre-commit Hooks, Review Agents, and CI That Catch LLM Mistakes | Brooks McMillin - AI Security Researcher Practical strategies for safer AI-assisted development: automated review agents, layered security checks, and context management that prevents catastrophic mistakes.

LLMs will happily remove your auth middleware if it helps them complete the task faster.

I wrote up the defensive layers I actually use: pre-commit hooks, review agents, and CI that catches LLM mistakes before they ship.

~30 seconds per commit, but worth it.

brooksmcmillin.com/blog/coding-...

02.02.2026 17:35 — 👍 0    🔁 0    💬 0    📌 0
Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Microsoft is handing over Bitlocker keys to law enforcement. www.forbes.com/sites/thomas...

23.01.2026 13:59 — 👍 447    🔁 314    💬 16    📌 66

We run a tight ship to keep CactusCon accessible, and part of that commitment is ensuring students can access CactusCon for FREE.

STUDENTS!

Email info@cactuscon.com from a valid student email account to request a coupon code for Eventbrite. We are so excited to have you join us!

#cc14

07.01.2026 16:30 — 👍 0    🔁 2    💬 0    📌 0

Speaking at CactusCon 14 next month!

"Breaking Model Context Protocol: Back to Security Basics" — how MCP is repeating every OAuth mistake from the 2010s, and what to do about it.

Feb 6, 3:30 PM. See you there.

04.01.2026 17:35 — 👍 0    🔁 0    💬 0    📌 0
Search results for the terms “crowdstrike npm”. The first result is “CrowdStrike Falcon Prevents NPM Package Supply Chain Attacks”. The second result is “CrowdStrike npm Packages Hit by Supply Chain Attack”.

Well, that’s a bit awkward… #crowdstrike

16.09.2025 17:06 — 👍 40    🔁 8    💬 1    📌 0
Fight Chat Control (@chatcontrol@mastodon.social) Attached: 1 image Danish Minister of Justice and chief architect of the current Chat Control proposal, Peter Hummelgaard: "We must break with the totally erroneous perception that it is everyone's c...

Something is rotten in Denmark. mastodon.social/@chatcontrol...

15.09.2025 13:49 — 👍 43    🔁 13    💬 1    📌 2
The Call is Coming from Inside the House: When your Agentic Coder Writes Dangerous Code | Brooks McMillin - AI Security Researcher An introduction to the flaws in security testing for AI-generated code.

5/5 Full breakdown of the problem + what's coming next in AI security tooling: brooksmcmillin.com/blog/llm-gen...

#AISecurity #DevSecOps #LLMSecurity

14.09.2025 16:35 — 👍 0    🔁 0    💬 0    📌 0

4/5 Quick mitigations while better tooling catches up:
✅ Verify AI-suggested packages exist before installing
✅ Test auth flows with multiple accounts
✅ Manual reviews for dependency + auth logic

14.09.2025 16:35 — 👍 0    🔁 0    💬 1    📌 0

3/5 Traditional SAST/DAST tools miss these because they're designed around human coding patterns, not AI hallucinations and edge cases.

14.09.2025 16:35 — 👍 0    🔁 0    💬 1    📌 0

2/5 This isn't isolated. AI-generated code has unique security blind spots:

Context-blind configs (HTTP-only servers in prod)
Authentication that passes tests but fails reality
Dependencies from outdated/insecure training data

14.09.2025 16:35 — 👍 0    🔁 0    💬 1    📌 0

1/5 LLMs keep recommending a Python package called "huggingface-cli" that doesn't exist. A security researcher noticed this and actually created the package to demo the supply chain risk.

14.09.2025 16:35 — 👍 0    🔁 0    💬 1    📌 0

Vibe Coding Will Get You Hacked! - with @davidbombal.bsky.social
https://twp.ai/9PUaq3

12.09.2025 03:26 — 👍 4    🔁 1    💬 0    📌 0
Instagram photo of Caroline Ulbricht, Charlie Kirk and Ross Ulbricht, smiling, while staring at the camera.

Caption reads:

The horrific murder of Charlie Kirk has hit us hard. At first, we couldn't believe it and thought it was some kind of mistake, but then came the shock and the tears. We'll forever be grateful for Charlie's support of Ross while he was in prison and for helping bring him home. We're humbled to have known him during his short time on earth. R.I.P, Charlie 💔

From Ross on X:

"Like all of you, I am mourning Charlie Kirk. He stood up for his beliefs and died for them at 31, wearing a T‑shirt that read "Freedom."

At 31, my life was taken from me for standing up for what I believed in. And Charlie helped me get it back. He never took credit for it but he played a BIG role in my freedom in many ways. Last year alone, when President Trump won the election, he asked Charlie what was the #1 thing he could do for him and Charlie replied: "Free Ross." And in the days leading to my release, Charlie advocated for a full pardon. He did this and more without expectations of me.

I wish there was something I could do to help Charlie get his life back. But there isn't, and I'm heartbroken.

Charlie, I will always be grateful to you. Thank you for all you did for me and for our country. I pray for you and your beautiful family. Rest in peace."

Charlie Kirk was one of the main campaigners for Ross Ulbricht's freedom, and had pushed in Trump's first term for a pardon. Ulbricht's most recent speaking engagement was in July at a Turning Point USA event in Tampa, where he credited Kirk for helping him.

www.nytimes.com/2025/09/07/t...

11.09.2025 21:56 — 👍 136    🔁 30    💬 31    📌 6

With the picture of the timeline, at first I thought these were all the events and was trying to figure out how the firing of the FEMA IT directly led to Israel bugging Iranian phones. 😂😂

Great work, as always!

01.09.2025 16:10 — 👍 0    🔁 0    💬 0    📌 0
TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents The TAOTH campaign exploited abandoned software and spear-phishing to deploy multiple malware families, targeting dissidents and other high-value individuals across Eastern Asia.

If you once wrote software that continues to be used beyond its end-of-life, please don't let the domain expire. If you can't afford to keep using it, contact a local CERT or something.
Otherwise, this happens; victims included dissidents and journalists www.trendmicro.com/en_us/resear...

01.09.2025 10:51 — 👍 12    🔁 6    💬 0    📌 0
Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.

Google is apparently going to become an APT. Will be interesting to see how that works - cyberscoop.com/google-cyber...

30.08.2025 17:27 — 👍 1    🔁 0    💬 0    📌 0
OpenSSH: Post-Quantum Cryptography OpenSSH post quantum cryptography

openssh.com/pq.html

15.08.2025 12:49 — 👍 20    🔁 16    💬 0    📌 0
dontrecord.me We don't like having our conversations recorded either. Here's a simple app to use during voice chat to stop recording and transcribing

Creepers, cheaters, and privacy besiegers, you’re done! Don’t Record Me will be ready soon, we let you choose when AI transcribers can capture your conversation.
Big thanks to @sfstandard.com for the shoutout!
Sign-up link here: dontrecord.me

11.08.2025 23:48 — 👍 0    🔁 1    💬 0    📌 0
Always fun to find more legitimate use cases of Adversarial AI like dontrecord.me which breaks AI transcribers.

11.08.2025 00:25 — 👍 2    🔁 0    💬 0    📌 0