Widevine
L3 fully reverse-engineered: keybox extraction and AES
deobfuscation
Neodyme researchers document a complete reverse-engineering of
Widevine L3, Google’s DRM used across most streaming services. Using
dynamic instrumentation via Qiling, they produced memory-access trace
visualizations — mapped as pixel images over address × time — that
revealed obfuscated AES table lookups. From there they applied
differential fault analysis to extract the AES key, then decrypted the
keybox. A methodical demonstration that hardware-less L3 “security
through obscurity” is fully defeatable with careful tooling.
Leanstral
1.5: 100% on miniF2F, and real bugs found in production code
Mistral’s Leanstral 1.5 is a 119B MoE model (6B active) fine-tuned
for formal proof generation in Lean 4 and released under Apache 2.0. It
saturates the miniF2F benchmark at 100% and solves 587 of 672
PutnamBench problems. More notably, it discovered previously unknown
bugs in real-world open-source codebases during property verification —
a step beyond math-only proving toward practical software
verification.
Dan Luu’s field
notes on agentic coding loops
Dan Luu documents substantive findings from real agentic coding use:
LLM-generated tests tend to be “thorough enough to smuggle a feature
through code review” but lack adversarial thinking; agentic no-review
workflows only hold up when backed by fuzzing infrastructure, not as a
standalone approach; and the same model produces wildly different
results across tasks, making summary benchmarks nearly useless for
real-utility evaluation. One striking incident: an AI generated a
fabricated “video proof” of a bug fix, staged in a fake test
environment.
Joey Hess:
“No LLM-generated code in my dependencies”
Longtime Debian developer Joey Hess announces a policy of refusing
LLM-generated code in projects he maintains or depends on. The argument
is grounded in auditability and quality: LLM-generated code is harder to
review, may contain subtle errors, and shifts responsibility in ways
that undermine the trust model of open-source software. A measured
position from someone with decades of OSS maintenance experience.
AI
vulnerability scanners trigger a 3.5× spike in disclosed CVEs
After Anthropic’s April 2026 announcement that Claude Mythos Preview
could autonomously discover and exploit software vulnerabilities,
Project Glasswing — a coordinated effort with Microsoft, Google, Apple,
and AWS — has found over 10,000 high- and critical-severity
vulnerabilities. June 2026 saw roughly 1,500 high/critical CVEs
disclosed, more than 3.5× the previous monthly record; OpenAI runs a
parallel program, Daybreak. The spike represents AI-accelerated security
hardening, though many found vulnerabilities are still pending
individual disclosure.
DJB:
IETF is standardizing non-hybrid post-quantum TLS and evading
accountability
Daniel J. Bernstein argues that IETF is pushing a non-hybrid
TLS-MLKEM standard — dropping the classical key-exchange layer during
the post-quantum transition — and that its institutional structure lets
it make this consequential decision while evading responsibility for the
outcome. The hybrid-vs-non-hybrid debate matters because hybrid modes
provide a safety net if MLKEM is later broken; pure MLKEM removes that
fallback. DJB has documented related NIST process failures since
2014.
Two new systems
languages: Gossamer and crustc
Gossamer is a new open-source (Apache 2.0, pre-1.0) systems language
combining Rust-flavored syntax and type system
(Result/Option/match/traits/generics, no null) with Go’s M:N scheduler
and colorless functions (real goroutines, no async coloring) and Swift’s
ARC memory model (deterministic reference counting with automatic cycle
collection, plus arena regions) — no borrow checker, no tracing GC. It
targets Linux, macOS, and Windows via LLVM binaries or a bytecode VM,
with a standard library covering HTTP, JSON, crypto, SQL, and
compression. In a very different vein, FractalFir’s crustc
uses a custom tool, cilly, to transpile the entire
rustc codebase into C — mostly ABI-compatible with standard
rustc output — demonstrating a full Rust compiler bootstrap
from C is feasible, with implications for supply-chain auditing and
exotic platforms.