Nicolò Fornari
@rationalpsyche.bsky.social
Penetration Tester. Art passionate. Friends call me "grandpa".
Reposted by Nicolò Fornari
We have exciting news to share. Compass folks made the Alpine car infotainment system run arbitrary code and earned 10'000 USD. 🎉🎉🎉
Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
January 21, 2026 at 6:22 AM
Reposted by Nicolò Fornari
[RSS] wtf is NS_ERROR_INVALID_CONTENT_ENCODING? investigating shared dictionaries and ChatGPT breakage in Firefox
joshua.hu
January 16, 2026 at 6:44 PM
Reposted by Nicolò Fornari
Joint statement by 4 former officials in Democratic and Republican Administrations—including four NATO Ambassadors, 3 Assistant Secretaries of State for Europe, and 3 NSC Senior Directors.

Excellent opening in particular.
America’s Strategic Alliance with Denmark and NATO
A statement by 14 former officials in Democratic and Republican Administrations—including four NATO Ambassadors, 3 Assistant Secretaries of State for Europe, and 3 NSC Senior Directors
newsletter.ivodaalder.com
January 11, 2026 at 6:09 PM
Reposted by Nicolò Fornari
If Seatbelt Guidance Worked Like Cybersecurity Guidance
scribe.rip
January 11, 2026 at 9:55 AM
Reposted by Nicolò Fornari
Bloomberg's X account has more than 800k followers. Their most recent post was shared five times

It would basically come at close to zero cost for outlets like Bloomberg to delete their X accounts, and "We don't want to use a non-consensual deepfake abuse app as a comms platform" is a fine excuse
January 7, 2026 at 7:19 AM
Reposted by Nicolò Fornari
I hope the Danes and the other European forces are training in guerrilla warfare as that always works against the USA, especially on hostile territory (cf. Greenland).
January 6, 2026 at 10:05 AM
Reposted by Nicolò Fornari
So, what did we achieve for 🇪🇺's cloud situation in 2025? It is now crystal clear our governments can't continue to run on 🇺🇸 clouds. Yet even now, neither buyers nor sellers of cloud tech in 🇪🇺 sense the urgency. Below I elaborate & discuss an unorthodox way out of this mess: berthub.eu/articles/pos...
The European Cloud Situation at the end of 2025 - Bert Hubert
As the year draws to an end now is a good time to review where we are with Europe’s cloud situation, and what has been achieved. One thing is certain, a lot has happened, and also quite a lot has beco...
berthub.eu
December 23, 2025 at 10:39 AM
Reposted by Nicolò Fornari
Our story in the GUARDIAN!!!

😎 😎
🎇 🎇 🎇
🔥🔥🔥🔥

www.theguardian.com/technology/2...
MPs question UK Palantir contracts after investigation reveals security concerns
Journalists find Swiss government rejected company over fears US intelligence might gain access to sensitive data
www.theguardian.com
December 22, 2025 at 4:25 PM
Reposted by Nicolò Fornari
In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.

Watch here: youtu.be/L5Tin7m5sbE?...

#security #fuzzing #AFLplusplus #appsec
Fuzzing and AFL++
YouTube video by Compass Security
youtu.be
December 16, 2025 at 8:39 AM
Super interesting and highly recommended.
There's so much to unpack that I bookmarked it for a second read.
Recently I presented over at TU Delft on the Science of Security. Learn all about radar, stealth, penicillin, hydrogen bombs & my thoughts on how in Europe we have no good avenues for doing military tech research & how this could end up badly + some ideas how to do better:
berthub.eu/articles/pos...
TU Delft lecture: Security of Science - Bert Hubert
This is a mostly verbatim transcript of my lecture at the TU Delft VvTP Physics symposium “Security of Science” held on the 20th of November. Audio version (scroll along the page to see the associated...
berthub.eu
December 11, 2025 at 10:08 PM
December 9, 2025 at 8:37 PM
Reposted by Nicolò Fornari
NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.

blog.compass-security.com/2025/11/ntlm...
November 26, 2025 at 9:54 AM
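The post above states that NTLM relay succeeds against HTTPS when channel binding is absent. As an added example, not code from the linked Compass Security blog post or from any product, the Python below computes the tls-server-end-point channel binding token that an NTLM client places in the MsvChannelBindings AV_PAIR (RFC 5929 for the certificate hash, RFC 2744 for the gss_channel_bindings_struct, MS-NLMP for the MD5 and the AvId), then runs a toy acceptor-side check over four scenarios. The certificate byte strings are constructed placeholders rather than real DER, and `server_check` with its `require_cbt` flag is a hypothetical helper standing in for a server's policy.

```python
"""Channel binding token (CBT) for NTLM over TLS and a toy server-side check.
Added example; the certificate bytes below are constructed placeholders, not real DER."""
import hashlib
import hmac
import struct

MSV_AV_EOL = 0x0000               # AvId terminating an AV_PAIR list (MS-NLMP 2.2.2.1)
MSV_AV_CHANNEL_BINDINGS = 0x000A  # AvId carrying the 16-byte CBT


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash of the server certificate's DER bytes.
    The hash is the one from the certificate's signatureAlgorithm, except that
    MD5 and SHA-1 are replaced by SHA-256."""
    algo = "sha256" if sig_hash.lower() in ("md5", "sha1") else sig_hash.lower()
    return hashlib.new(algo, cert_der).digest()


def gss_channel_bindings(application_data: bytes) -> bytes:
    """Serialize gss_channel_bindings_struct (RFC 2744 3.11) the way NTLM hashes it:
    initiator_addrtype, initiator_address length, acceptor_addrtype,
    acceptor_address length and application_data length as 32-bit little-endian
    integers (all zero except the last for TLS bindings), then application_data."""
    return struct.pack("<IIIII", 0, 0, 0, 0, len(application_data)) + application_data


def ntlm_channel_binding_token(cert_der: bytes) -> bytes:
    """Value of the MsvChannelBindings AV_PAIR: MD5 over the serialized struct whose
    application_data is "tls-server-end-point:" + cert hash (MS-NLMP 3.1.5.1.2)."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    return hashlib.md5(gss_channel_bindings(app_data)).digest()


def build_av_pairs(pairs) -> bytes:
    """Encode [(AvId, value), ...] as AV_PAIRs terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(value)) + value for av_id, value in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    """Decode an AV_PAIR list into {AvId: value}."""
    result, off = {}, 0
    while True:
        if len(blob) - off < 4:
            raise ValueError("truncated AV_PAIR list")
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return result
        value = blob[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR value")
        off += av_len
        result[av_id] = value


def server_check(client_av_pairs: bytes, server_cert_der: bytes, require_cbt: bool) -> str:
    """Hypothetical acceptor-side decision (not any real server's code): compare the
    CBT the client bound to its own TLS session with the CBT of the certificate
    this server actually presents."""
    token = parse_av_pairs(client_av_pairs).get(MSV_AV_CHANNEL_BINDINGS)
    if token is None:
        return "rejected: no channel binding" if require_cbt else "accepted: unbound (relayable)"
    if hmac.compare_digest(token, ntlm_channel_binding_token(server_cert_der)):
        return "accepted: channel binding matches"
    return "rejected: channel binding mismatch"


# Constructed placeholders standing in for two different servers' DER certificates.
ATTACKER_CERT = b"constructed DER: certificate presented by the relaying attacker"
TARGET_CERT = b"constructed DER: certificate presented by the real HTTPS target"


def relay_scenarios() -> dict:
    """The client's AUTHENTICATE message, relayed unchanged to the target, is accepted
    only when it carries no binding and the target does not require one."""
    bound_to_attacker = build_av_pairs([(MSV_AV_CHANNEL_BINDINGS, ntlm_channel_binding_token(ATTACKER_CERT))])
    bound_to_target = build_av_pairs([(MSV_AV_CHANNEL_BINDINGS, ntlm_channel_binding_token(TARGET_CERT))])
    unbound = build_av_pairs([])
    return {
        "direct, bound": server_check(bound_to_target, TARGET_CERT, True),
        "relayed, bound": server_check(bound_to_attacker, TARGET_CERT, True),
        "relayed, unbound, target lenient": server_check(unbound, TARGET_CERT, False),
        "relayed, unbound, target strict": server_check(unbound, TARGET_CERT, True),
    }


if __name__ == "__main__":
    for case, outcome in relay_scenarios().items():
        print(f"{case:36s} -> {outcome}")
```

The AV_PAIRs live inside the NTLMv2 response that NTProofStr authenticates, so a relay cannot substitute the target's token for the one the client computed over the attacker's certificate without the client's NT hash; it can only forward a message bound to the wrong certificate, which a checking server rejects, or an unbound message, which a server that does not require channel binding accepts. The defensive measure is therefore on the server side: require the binding (Extended Protection for Authentication) rather than merely accepting it when present.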
Reposted by Nicolò Fornari
We still need to get from a situation where Russia pretends to negotiate to a situation where they need to negotiate.

Extract from my press remarks following today’s informal Foreign Affairs Council ↓
November 26, 2025 at 2:54 PM
Reposted by Nicolò Fornari
#Finland will begin to #Russia-proof its rail network, integrate with EU train infrastructure.

The Finnish government has announced the conversion of its rail network from Russian gauge (1,524 mm) to European standard (1,435 mm).

www.trenvista.net/en/news/flas...
November 23, 2025 at 4:11 PM
Reposted by Nicolò Fornari
Burp now has a command palette (similar to the one in VS Code) 🥳

portswigger.net/cms/images/4...
November 14, 2025 at 1:07 PM
Reposted by Nicolò Fornari
Kyle Kingsbury is not a journalist. He is not an op-ed writer.

He is a computer safety researcher.

And he has written one of the most compelling, comprehensive accounts of the ongoing hell in Chicago that you could possibly imagine.

In under 1600 words.

aphyr.com/posts/397-i-...
November 9, 2025 at 8:49 PM
Reposted by Nicolò Fornari
It's important for Europeans, and others from visa-waiver countries, to understand they don't have freedom of speech rights when visiting the United States.

The Trump regime is still deporting visitors for critical comments made online, because they can.
How My Reporting on the Columbia Protests Led to My Deportation
As an Australian who wrote about the demonstrations while on campus, I gave my phone a superficial clean before flying to the U.S. I underestimated what I was up against.
www.newyorker.com
November 5, 2025 at 8:05 AM
Reposted by Nicolò Fornari
Starting Monday LinkedIn will begin using data from your profiles/posts to train AI. If you live in EU/EEA/Switzerland/Canada/Hong Kong your data is subject to being used this way, but you can opt out. Go to Settings/Privacy/Data for Generative AI Improvement and toggle the switch to off
Update to our Terms and data use | LinkedIn Help
Update to our Terms and data use
www.linkedin.com
October 30, 2025 at 4:13 PM
Day to day: the user experience of getting a direct answer for simple things compared to scrolling a bloated blog post, with ads and cookie banners. It would be better to solve the state of the web but hey, it's a workaround.
Here’s my litmus test: is AI improving your day to day life? Is it actually helping you to create, connect, feel joy, chase ambition?

If not - what’s the point?
October 30, 2025 at 10:41 PM
Reposted by Nicolò Fornari
If you know who did this, or if you know how to set it back, the hotel kindly asks you to do so, respecting the fun achievement unlocked :)
https://infosec.exchange/@xme/115422139879568495
Xavier Mertens 🇧🇪 (@xme@infosec.exchange)
Attached: 1 image When you leave a coffee machine unprotected at a hacker conference… #hacklu2025
infosec.exchange
October 23, 2025 at 7:27 AM
Great work guys!!
🎉Success. Our #Pwn2own team combined #zeroday bugs to #exploit @home-assistant.io green which earned them $20'000 and 4 pts. Congratz to @bcyrill.bsky.social Emanuele, Lukasz @muukong.bsky.social and @yvesbieri.bsky.social.

Respect to @stephenfewer.bsky.social and the Summoning Team for the wins.
October 22, 2025 at 6:55 PM
Reposted by Nicolò Fornari
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
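The post above notes that the binary gRPC-Web format makes manual testing awkward, especially without protobuf schemas. As an added example, not code from bRPC-Web or Compass Security, the Python below implements the two layers a tester has to cross by hand: the gRPC-Web frame (one flag byte, a 4-byte big-endian length, the payload, base64-wrapped in application/grpc-web-text) and the protobuf wire format (varint keys carrying field number and wire type), plus the heuristic that schema-less decoding has to fall back on for length-delimited fields and a round trip that rewrites one field. The sample request, its field numbers and the `tamper_user_id` helper are constructed assumptions for illustration.

```python
"""Schema-less gRPC-Web frame and protobuf wire-format round trip.
Added example; the sample request below is constructed, not captured traffic."""
import base64
import struct

DATA_FRAME = 0x00     # gRPC-Web frame flag for a message
TRAILER_FRAME = 0x80  # gRPC-Web frame flag for trailers carried in the body


def take(buf: bytes, off: int, n: int):
    """Slice n bytes at off, refusing to run past the end."""
    if len(buf) - off < n:
        raise ValueError("truncated field")
    return buf[off:off + n], off + n


def split_frames(body: bytes):
    """gRPC-Web body -> [(flags, payload)]: 1 flag byte, 4-byte big-endian length, payload."""
    frames, off = [], 0
    while off < len(body):
        header, off = take(body, off, 5)
        flags, length = header[0], struct.unpack(">I", header[1:])[0]
        payload, off = take(body, off, length)
        frames.append((flags, payload))
    return frames


def build_frame(payload: bytes, flags: int = DATA_FRAME) -> bytes:
    return bytes([flags]) + struct.pack(">I", len(payload)) + payload


def read_varint(buf: bytes, off: int):
    """Decode a base-128 varint; returns (value, new_offset)."""
    value, shift = 0, 0
    while True:
        byte, off = take(buf, off, 1)
        value |= (byte[0] & 0x7F) << shift
        if not byte[0] & 0x80:
            return value, off
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def write_varint(value: int) -> bytes:
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_message(buf: bytes):
    """Protobuf wire format without a schema -> [(field, wire_type, raw_value)].
    Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32; groups are rejected."""
    fields, off = [], 0
    while off < len(buf):
        key, off = read_varint(buf, off)
        field, wtype = key >> 3, key & 7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:
            value, off = read_varint(buf, off)
        elif wtype == 1:
            raw, off = take(buf, off, 8)
            value = struct.unpack("<Q", raw)[0]
        elif wtype == 2:
            length, off = read_varint(buf, off)
            value, off = take(buf, off, length)
        elif wtype == 5:
            raw, off = take(buf, off, 4)
            value = struct.unpack("<I", raw)[0]
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((field, wtype, value))
    return fields


def encode_message(fields) -> bytes:
    """Inverse of decode_message."""
    out = bytearray()
    for field, wtype, value in fields:
        out += write_varint((field << 3) | wtype)
        if wtype == 0:
            out += write_varint(value)
        elif wtype == 1:
            out += struct.pack("<Q", value)
        elif wtype == 2:
            out += write_varint(len(value)) + value
        elif wtype == 5:
            out += struct.pack("<I", value)
        else:
            raise ValueError(f"unsupported wire type {wtype}")
    return bytes(out)


def guess(raw: bytes):
    """The wire format does not say whether a length-delimited value is a nested
    message, a string or bytes; try them in that order (short strings can misparse)."""
    if raw:
        try:
            return ("message", decode_message(raw))
        except ValueError:
            pass
    try:
        return ("string", raw.decode("utf-8"))
    except UnicodeDecodeError:
        return ("bytes", raw)


def decode_body(body_b64: str):
    """grpc-web-text body -> [(flags, decoded fields for data frames, raw bytes for trailers)]."""
    return [(flags, decode_message(p) if flags == DATA_FRAME else p)
            for flags, p in split_frames(base64.b64decode(body_b64))]


def tamper_user_id(body_b64: str, new_id: int) -> str:
    """Hypothetical tester action: rewrite varint field 2 in every data frame, re-frame, re-encode."""
    out = b""
    for flags, payload in split_frames(base64.b64decode(body_b64)):
        if flags == DATA_FRAME:
            fields = [(f, w, new_id if (f == 2 and w == 0) else v) for f, w, v in decode_message(payload)]
            payload = encode_message(fields)
        out += build_frame(payload, flags)
    return base64.b64encode(out).decode()


# Constructed sample: one data frame with field 1 = "alice" (length-delimited) and field 2 = 42 (varint).
SAMPLE_BODY_B64 = base64.b64encode(build_frame(encode_message([(1, 2, b"alice"), (2, 0, 42)]))).decode()

if __name__ == "__main__":
    print(decode_body(SAMPLE_BODY_B64))
    print(decode_body(tamper_user_id(SAMPLE_BODY_B64, 1337)))
```

Two things in this round trip are what a tester has to keep straight when editing such requests by hand: the frame length prefix must be recomputed after any change to the payload, and a length-delimited field can only be reinterpreted heuristically, since the same bytes may be a nested message, packed repeated values, a string or opaque bytes.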
Reposted by Nicolò Fornari
pagedout.institute ← we've just released Paged Out! zine Issue #7
pagedout.institute/download/Pag... ← direct link
lulu.com/search?page=... ← prints for zine collectors
pagedout.institute/download/Pag... ← issue wallpaper
Enjoy!

Please please please share to spread the news - thank you!
October 4, 2025 at 10:39 AM