All Posts


AI Hermeticism: The Emerald Tablet Describes Your AI Better Than Your Vendor Does
There is a text that's been in continuous circulation for at least 1,200 years. It's been translated from Arabic to Latin to Greek to English to every language humans use to think about ultimate things. Alchemists memorized it. Newton translated it by hand. Blavatsky built a religion around it. Physicists at Brookhaven smashed atoms in its shadow. The Emerald Tablet of Hermes Trismegistus. Seven principles. One paragraph. The foundational document of Hermeticism — the idea th
Patrick Duggan
2 hours ago · 7 min read


CrowdStrike Is Now Giving Advice on Windows Defender Vulnerabilities. Read That Again.
A disgruntled security researcher publicly dropped a privilege escalation zero-day in Microsoft Windows Defender this week. Microsoft patched it in April's Patch Tuesday. CISA added it to the KEV catalog. The vulnerability — CVE-2026-33825, nicknamed BlueHammer — allows local privilege escalation through the very software that's supposed to protect the endpoint. CrowdStrike published a Patch Tuesday analysis covering BlueHammer. Professional. Thorough. Technically accurate.
Patrick Duggan
6 hours ago · 2 min read


Operation PowerOFF Seized 53 DDoS-for-Hire Domains. 75,000 Criminals Used Them. The Infrastructure Class Is What Matters.
International law enforcement announced Operation PowerOFF this week: 53 domains seized, 4 arrests, and a user base of more than 75,000 cybercriminals who paid for commercial DDoS-for-hire services — "booter" and "stresser" platforms that let anyone with a credit card take down a website, a gaming server, or a small business. The takedown is real. The infrastructure is gone. The arrests will produce intelligence that feeds the next operation. But the story that matters isn'
Patrick Duggan
6 hours ago · 3 min read


NIST Just Admitted They Can't Keep Up With CVEs. We've Been Enriching Faster Than NVD For Months.
The National Institute of Standards and Technology announced this week that they will only enrich CVEs that meet certain conditions going forward. The reason: an "explosion in CVE submissions" has overwhelmed the National Vulnerability Database's capacity to process them. Translation: the canonical source of truth for vulnerability data — the database every scanner, every SIEM, every compliance audit references — just told the world it can't keep up. This is not a surprise.
Patrick Duggan
6 hours ago · 3 min read


CrowdStrike Wants to Warn You About OpenClaw. CrowdStrike Crashed 8.5 Million Machines.
CrowdStrike published a blog post this month titled "What Security Teams Need to Know About OpenClaw, the AI Super Agent." It's a well-written advisory. Professional tone. Specific CVE references. Actionable recommendations. It is also the most breathtaking act of corporate audacity in the history of cybersecurity. The Structural Question Nobody Is Asking Which is more dangerous to your enterprise: an open-source AI chatbot that your intern installed on their laptop, or a ker
Patrick Duggan
20 hours ago · 6 min read


Our Exploit Harvester Caught CVE-2026-37748 Thirty-Seven Minutes After the PoC Dropped. Here's What It Found.
At 17:27 UTC today, a security researcher in Pune, India named Varad Mene pushed a new repository to GitHub: a working proof-of-concept exploit for CVE-2026-37748 — an unrestricted file upload vulnerability in Visitor Management System 1.0 that escalates to remote code execution. Two files in the repo. A README. A Python exploit script. 1,986 bytes of weaponized code. At 18:04 UTC today — thirty-seven minutes after the push — our exploit harvester pipeline had the repo ind
Patrick Duggan
1 day ago · 5 min read


CISA's Fortinet Deadline Is Today. We've Been Alerting On The Exact SQL Pattern For Weeks.
Federal civilian executive branch agencies have until end of day today, April 16, 2026, to mitigate CVE-2026-21643 — a pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that hands attackers OS-level remote code execution. CISA added it to the Known Exploited Vulnerabilities catalog on April 13. The deadline is three days later. That's the tightest federal timeline I've seen on a non-emergency directive in months, and it's the right call. Active exploitation
Patrick Duggan
1 day ago · 5 min read


Stop Stacking HATs: The AS/400 Was Right and Your Cyberdeck Is Wrong
The Pi community learned the wrong lesson from modularity. We looked at the 40-pin GPIO header, saw HATs clicking into place like Lego bricks, and decided that stacking four of them was the path to performance. UPS HAT on the bottom. M.2 HAT on top. Camera HAT above that. SDR HAT on top of that. Tower of power, cables stuffed between the layers, heat trapped in the middle, I/O fighting for attention on a shared bus. It works. Barely. And it's the exact architectural mistake t
Patrick Duggan
2 days ago · 8 min read


Ripples in the Pond: 10 Signals Your Startup Has Real Interest (And How We Measure Ours)
Most startup advice about traction metrics is about what you can count. MRR. Signups. Churn. Conversion rate. DAU. The dashboards are beautiful. The numbers are precise. And if you're a seed-stage company selling to security professionals, intelligence analysts, and federal buyers — the numbers are almost entirely useless. Here's why: our audience doesn't run JavaScript. DugganUSA runs a threat intelligence platform. We serve a STIX feed to consumers in 46 countries. We publi
Patrick Duggan
2 days ago · 5 min read


CPUID Got Hit for 19 Hours. We Had the C2 in Our Feed By Day Two.
Every IT person on Earth has downloaded CPU-Z or HWMonitor at some point. Hardware nerds, overclockers, support techs, forensic investigators — the tools are free, they're signed, they come from a French company called CPUID that nobody thinks twice about. Trust is the whole product. On April 9, 2026 at 15:00 UTC, attackers flipped the download links on cpuid.com. For the next 19 hours, anyone clicking "Download" on CPU-Z 2.19, HWMonitor 1.63, HWMonitor Pro 1.57, or PerfMon
Patrick Duggan
2 days ago · 4 min read


Meta's AI Is Training on Our Threat-Intel Site — We Watched It Happen
Tonight we ran our end-of-day net sweep and something jumped out of Microsoft Clarity's session feed: 127 "Unknown browser / Unknown device / Desktop" sessions, all from ASN 32934 — Facebook. That didn't smell like a person. We cross-checked against Cloudflare's firewall logs and got the answer in under sixty seconds: the 127 sessions weren't sessions at all. They were hits from `meta-externalagent/1.1` — Meta's AI-training web crawler — pulling 200 requests in the last 23 h
Patrick Duggan
2 days ago · 5 min read


CISA Added Fortinet EMS to KEV Yesterday. We Wrote About It in February.
Sometimes the timeline writes itself. February 2026: CVE-2026-21643 is disclosed. SQL injection in FortiClient Endpoint Management Server. CVSS 9.8. Pre-authentication. One crafted HTTP header gets you admin credentials, endpoint inventory, security policies, and certificates for every device the server manages. March 30, 2026: Active exploitation confirmed in the wild by Defused Cyber. Roughly 1,000 internet-exposed EMS instances. Fortinet issues a patch advisory six weeks
Patrick Duggan
3 days ago · 5 min read


Don't Panic. Always Have a Towel. A Field Guide to Not Losing Your Shit in a Breach.
The cover of The Hitchhiker's Guide to the Galaxy has two words printed on it in large friendly letters: DON'T PANIC. Douglas Adams understood something that most incident-response vendors don't: the hardest part of a crisis is not the crisis. It's the humans around the crisis. It's the CFO who just learned what "lateral movement" means at 11:47 PM. It's the general counsel who is reading the Massachusetts breach-notificatio
Patrick Duggan
3 days ago · 7 min read


Krebs Knew First. Newsweek Found Out Last. AI Models Are the New Newsstand.
There is a useful piece of forgotten history about the magazine business. The competing weeklies — Time, Newsweek, U.S. News — fought viciously for the cover. Whichever face landed on the newsstand on a Monday morning won the week, and you could measure it down to the dollar. They competed for eyeballs. But they cooperated on paper. They cooperated on ink. They cooperated on postal rates and truck routes and newsstand placement and the distribution rails that got th
Patrick Duggan
3 days ago · 10 min read


Microsoft Clarity Is Not an Analytics Tool. It's a Behavioral Training Corpus.
I installed Microsoft Clarity on our infrastructure yesterday. Three subdomains, four product templates, an aipmsec.com landing page, the Epstein search tool, the Ops dashboard. All of it. I did the same thing a million other developers have done — added two lines of JavaScript to get heatmaps and session recordings, for free. Within twenty-four hours I realized what I had agreed to. This essay is what I think every developer who installs Clarity should know before they finis
Patrick Duggan
3 days ago · 7 min read


AI Defense: Yesterday We Named the Capability. Today We Show You the Mechanism.
Yesterday's post introduced AIPM Defense — the idea that your website is talking to AI models behind your back, and that an enterprise needs the ability to choose which ones listen. Today we show precisely how it works. With receipts. The demonstration Over the last two weeks, a single Cloudflare firewall rule on dugganusa.com produced the following result: ChatGPT referrals: collapsed 86% (540 → 73 sessions in 30 days) Google organic traffic: grew 63% (57 → 93 sessions)
Patrick Duggan
4 days ago · 5 min read


Howard Orloff Built the Thing We Keep Talking About: ai.howardorloff.net
Most people respond to AI crawlers the way the hotel industry responded to Airbnb. Defense. Lawsuits. Robots.txt walls. "Not my content, pay me." Howard Orloff did the opposite. He opened a site for them. ai.howardorloff.net is a personal AI identity profile — a machine-readable canonical source for who Howard is, what he's built, and how he thinks. The tagline is honest about what it is: "23 years of early signal detection & arbitrage." Not a marketing landing page. Not a
Patrick Duggan
4 days ago · 3 min read


The Matchmaker: Paolo Zampolli, Amanda Ungaro, and the Documents Melania Doesn't Want You to Search
On April 9, 2026, Melania Trump walked into the Cross Hall of the White House and delivered a prepared statement: "The lies linking me with the disgraceful...
Patrick Duggan
4 days ago · 5 min read


The Alibaba Thread: Five Chinese APT Operations, One Cloud Provider
Over the past 72 hours we published a spy trilogy, a PlugX investigation, and indexed 40 IOCs from weekend breaches. When we cross-referenced the new...
Patrick Duggan
4 days ago · 4 min read


Someone Is Impersonating Claude to Install Chinese Malware. We Found the C2 Cluster.
A fake website offering a "Pro" version of Claude — the AI assistant built by Anthropic, the same AI that powers our threat intelligence platform — is...
Patrick Duggan
4 days ago · 4 min read