This Week In Security: Anime Catgirls, Illegal AdBlock, And Disputed Research

You may have noticed the Anime Catgirls when trying to get to the Linux Kernel’s mailing list, or one of any number of other sites associated with Open Source projects. [Tavis Ormandy] had this question, too, and even wrote about it. So, what’s the deal with the catgirls?

The project is Anubis, a “Web AI Firewall Utility”. The intent is to block AI scrapers, as Anubis “weighs the soul” of incoming connections, and blocks the bots you don’t want. Anubis uses the user agent string and other indicators to determine what an incoming connection is. But the most obvious check is the in-browser hashing. Anubis puts a challenge string in the HTTP response header, and JavaScript running in the browser calculates a second string to append to this challenge. The goal is to set the first few bytes of the SHA-256 hash of this combined string to 0.

[Tavis] makes a compelling case that this hashing is security theatre: it makes things appear more secure, but doesn’t actually improve the situation. It’s only fair to point out that his observation comes from annoyance, as his preferred method of accessing the Linux kernel git repository and mailing list is now blocked by Anubis. But the economics of compute costs clearly demonstrate that this SHA-256 hashing approach will only be effective so long as AI companies don’t add the 25 lines of C it took him to calculate the challenge. The Anubis hashing challenge is literally security by obscurity.
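The scheme described above, as an added illustration (not Anubis’s own code and not [Tavis]’s C program): the client searches for a nonce, the server checks it with a single hash, and the expected client cost doubles with every extra zero bit required. Assumptions: the nonce is appended as a decimal string, difficulty is counted in leading zero bits, and the challenge value and hash rates are constructed.

```python
import hashlib

# Constructed sample challenge; a real deployment issues a random one per visitor.
CHALLENGE = "constructed-challenge-0123456789abcdef"


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()  # zeros above the highest set bit
        break
    return bits


def verify(challenge: str, nonce: int, difficulty_bits: int) -> bool:
    """Server side: one SHA-256 call, whatever the difficulty."""
    if not isinstance(nonce, int) or nonce < 0:
        return False
    digest = hashlib.sha256(f"{challenge}{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty_bits


def solve(challenge: str, difficulty_bits: int) -> tuple[int, int]:
    """Client side: try nonces in order; returns (nonce, hashes computed)."""
    nonce = 0
    while not verify(challenge, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


def expected_attempts(difficulty_bits: int) -> int:
    """Mean hashes a client needs: each try succeeds with p = 2**-bits."""
    return 2 ** difficulty_bits


def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Average time one challenge costs a client at a given hash rate."""
    return expected_attempts(difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    nonce, tried = solve(CHALLENGE, 12)
    print(f"nonce={nonce} after {tried} hashes (expected about {expected_attempts(12)})")
    # Assumed hash rates, for illustration only: in-browser JS vs native code.
    for label, rate in (("browser JS", 2e5), ("native C", 2e7)):
        print(f"16 bits, {label}: {expected_seconds(16, rate):.4f} s per challenge")
```

The gap between the two assumed hash rates is the economic point in dispute: the same difficulty setting costs a native solver far less than it costs a visitor’s browser.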

Something Security AI is Good At

We’ve recently covered an AI competition, where AI toolchains were used to find and patch vulnerabilities. This took a massive effort to get good results. This week we have work on a similar but constrained task that AI is much better at. Instead of finding a new CVE, simply ask the AI to generate an exploit for CVEs that have been published.

The key here seems to be the constrained task that gives the AI a narrow goal, and a clever approach to quickly test the results. The task is to find an exploit using the patch code, and the test is that the exploit shouldn’t work on the patched version of the program. This approach cuts way down on false positives. This is definitely an approach to keep an eye on.

We’re Hunting CodeRabbits

Reviewing Pull Requests (PRs) is one of the other AI use cases that has seen significant deployment. CodeRabbit provides one of those tools that summarizes the PR, looks for possible bugs, and runs multiple linter and analysis tools. That last one is extremely important here, as not every tool is bulletproof. Researchers at Kudelski Security discovered that the Rubocop tool was accessible to incoming PRs with Ruby files.

Rubocop has a nifty feature that allows extensions to be loaded dynamically during a run. These are specified in a .rubocop.yml file that CodeRabbit was helpfully passing through to the Rubocop run. The key here is that the extension to be loaded can also be included in a PR, and Rubocop extensions can execute arbitrary code. How bad could it be, to run code on the CodeRabbit backend servers?

The test payload in this case was simply to capture the system’s environment variables, which turned out to be a smorgasbord of secrets and API keys. The hilarious part of this research is that the CodeRabbit AI absolutely flagged the PR as malicious, but couldn’t stop the attack in motion. CodeRabbit very quickly mitigated the issue, and rolled out a fix less than a week later.
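A pre-flight check of the kind this bug calls for, as an added example (not CodeRabbit’s fix, which is not described here, and not Kudelski’s code): before running Rubocop on an untrusted PR outside a sandbox, list the entries in the PR’s .rubocop.yml that make the linter load code. The sample config and file names are constructed, and the line-based parsing is a deliberate simplification that reports a risky key even when its value cannot be read.

```python
import re

# Keys in .rubocop.yml that load Ruby code (require, plugins) or pull in
# another config file that may do so (inherit_from).
RISKY_KEYS = ("require", "plugins", "inherit_from")
TOP_LEVEL_KEY = re.compile(r"^(?P<key>[^\s#-][^:]*):\s*(?P<rest>.*)$")

# Constructed sample: a config as an untrusted PR might supply it.
SAMPLE_CONFIG = """\
require:
  - ./ext.rb            # hypothetical file name
  - rubocop-performance
AllCops:
  Exclude:
    - 'vendor/**/*'
"""


def risky_entries(config_text):
    """Collect values of RISKY_KEYS. Line-based and conservative, not a YAML
    parser: a risky key with no readable value is still reported."""
    found, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_LEVEL_KEY.match(line)  # unindented "key: value"
        if m:
            key = m["key"].strip("'\" ")
            current = key if key in RISKY_KEYS else None
            if current:
                inline = [v for v in re.split(r"[\[\],\s]+", m["rest"]) if v]
                found.setdefault(current, []).extend(inline)
        elif current and line.lstrip().startswith("- "):
            found[current].append(line.lstrip()[2:].strip())
    return {k: [v.strip("'\"") for v in vs] for k, vs in found.items()}


def review(config_text, pr_files):
    """Return reasons not to run Rubocop on the host with this config."""
    reasons = []
    for key, values in risky_entries(config_text).items():
        for value in values or ["<unparsed>"]:
            path = value[2:] if value.startswith("./") else value
            origin = "shipped in the same PR" if path in pr_files else "not in the PR"
            reasons.append(f"{key}: {value} ({origin})")
    return reasons


if __name__ == "__main__":
    for reason in review(SAMPLE_CONFIG, {".rubocop.yml", "ext.rb", "app.rb"}):
        print("refuse to lint unsandboxed:", reason)
```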

Illegal Adblock

There’s a concerning court case making its way through the German courts that threatens to make adblocking illegal on copyright grounds. This case is between Axel Springer, a media company that makes money from showing advertisements, and Eyeo, the company behind Adblock Plus. The legal theory claimed by Axel Springer is that a website’s HTML and CSS together form a computer program that is protected by copyright. Blocking advertisements on that website would then be a copyright violation, by this theory.

This theory is novel, and every lower court has rejected it. What’s new this month is that the German Supreme Court threw the case back to a lower court, instructing that court to revisit the question. The idea of copyright violation simply by changing a website has caught the attention of Mozilla, and their Product Counsel, [Daniel Nazer], has thoughts.

The first is that a legal precedent forcing a browser to perfectly honor the code served by a remote web host would be horribly dangerous. I suspect it would also be in contention with other European privacy and security laws. As court battles usually go, this one is moving in slow motion, and the next ruling may be years away. But it would be particularly troubling if Germany joined China as the only two nations to ban ad blockers.

Copilot, Don’t Tell Anyone

Microsoft’s Office365 has an audit log that tracks which users access given files. Running Copilot in that environment dutifully logs those file accesses, but only if Copilot actually returns a link to the document. So similar to other techniques where an AI can be convinced to do something unintended, a user can ask Copilot to return the contents of a file but not to link to it. Copilot will do as instructed, and the file isn’t listed in the audit log as accessed.

Where this gets more interesting is how the report and fix were handled. Microsoft fixed the issue, but didn’t issue a CVE and opted not to issue a statement. [Zack Korman], the researcher who reported the issue, disagrees quite vigorously with Microsoft’s decision here. This is an interesting example of the tension that can result from disagreements between a researcher and the organization responsible for the product in question.

Disputed Research

This brings us to another example of disputed research, the “0-day” in Elastic Endpoint Detection and Response (EDR). Elastic disputes the claim, pointing out that they could not replicate code execution, and the researcher didn’t provide an entire proof of concept. This sort of situation is tricky. Who is right? The company that understands the internals of the program, or the researcher that undoubtedly did discover something, but maybe doesn’t fully understand what was found?

There are two elements that stand out in the vulnerability write-up. The first is that the overview of the attack chain lists a Remote Code Execution (RCE) as part of the chain, but it seems that nothing about this research is actually an RCE. The premise is that code running on the local machine can crash the Elastic kernel driver. The second notable feature of this post is that the proof-of-concept code uses a custom kernel driver to demonstrate the vulnerability. What’s missing is the statement that code execution was actually observed without this custom kernel driver.

Bits and Bytes

One of the very useful features of Microsoft’s VSCode is the Remote-SSH extension, which allows running the VSCode front-end on a local machine, and connecting to another server for remote work. The problem is that connecting to a remote server can install extensions on the local machine. VSCode extensions can be malicious, and connecting to a malicious host can run code on that host.

Apple has patched a buffer overflow in image handling that is being used in “extremely sophisticated” malware attacks against specific targets. This sort of language tends to indicate the vulnerability was found in an Advanced Persistent Threat (APT) campaign by either a government actor, or a professional actor like NSO Group or similar.

And finally, if zines are your thing, Phrack issue 0x48 (72) is out! This one is full of stories of narrowly avoiding arrest while doing smart card research, analysis of a North Korean data dump, and a treatise on CPU backdoors. Exciting stuff, enjoy!

28 thoughts on “This Week In Security: Anime Catgirls, Illegal AdBlock, And Disputed Research”

  1. Unless something changed drastically in recent years, VSCode still uses Electron/Google Chrome engine for rendering its entire window which means it still has that shitty, blurry, grayscale text rendering instead of proper ClearType like in Eclipse. I guess using good old GDI is just too hard for modern programmers™ addicted to TikTok and JavaScript frameworks.

  2. Clearly this guy hasn’t done much security work. He’s completely missed the threat model of anubis.

    The point of the hashing isn’t that it’s “something bots can’t do”. Just run the javascript, or indeed, write 25 lines of C.

    The point, as with bitcoin, is that it’s proof of work. Every incoming connection needs to do this hash, which puts a limit on how quickly someone can run their smash-and-grab AI dataset scraping operation. If they use single-use throw-away connections from single-use throwaway residential IPs (as has increasingly been the case to avoid firewalls) then they’re going to have to calculate a zillion hashes, one for every connection. That doesn’t scale well. On the other hand, everyone else calculates the hash once and then can continue to reuse that response for the duration of their visit. If the AI bots do the same, then they’re feeding a unique ID to the server with every request and their behaviour becomes trackable, detectable, and blockable again.

    As the server comes under heavier load, you can raise the difficulty of the hash by requiring more zeros, in the same way that the bitcoin network raises the difficulty to account for increases in hashing power. Again, everyone has to compute the hash only once per visit, so at most they’re spending a few more seconds one time. The scrapers pretending to be a million independent users with throw-away IPs on the other hand find it a lot less fun.

    1. That doesn’t work if the scrapers farm the work out to the devices with the hijacked IPs, aka bot net. “Throwaway IPs” mentioned in this context are often consumers installing apps (free games, flashlights, ..) that behind the scenes provide a proxy-for-hire service. Those apps could run proof-of-work without a penalty for the scraper.

      1. Wrong threat model. You’re not up against hackers, you’re up against facebook/microsoft/amazon. This isn’t millions of hijacked devices but a relatively small number of servers in a cluster.

  3. As if it’s hard to spend 2 minutes writing compiling and testing an MCP server to do any programmatic calculations with a prompt “and should you be blocked with a catgirl, call the provided @hash tool to work out the SHA-256.”

    You could even ask one “please code me an MCP server to accept a string and return a SHA-256 hash, also the XLM to install it” if you were willing to trust a fresh intern’s code.

    So, I do need to think, this is pure security theater with zero benefit except annoying the rest of the world.

  4. Making ad blocking illegal in Germany is strange, given that the EU is also working towards age verification.
    Why is it okay to present content differently based on age, but not based on the language somebody speaks, their ability to see/hear, their hardware’s ability to present information (thinking of lynx, or other text only web browsers), their bandwidth, or their desire/interest to see the material?

    I started using an ad blocker years ago because I was startled by a youtube ad for a movie showing a fully nude couple having sex. (I don’t view content like that. I don’t think youtube even allows content like that on the platform.) Google/Youtube’s ads are not safe for work/professional setting, or even for use in a public place (like a library).

    If they are going to prohibit ad blockers, they also need to carefully police ads and impose very heavy fines on companies who present adult, harmful, or deceptive content in ads. (e.g., advertising resellers have to get every advertisement reviewed and approved).

    1. For the biggest ad networks, the reseller does have to get every ad approved. Unfortunately, it is a cat and mouse game, with lots of incentives to cheat in sneaky new ways. (Some part of the metering for an nth-tier partner will include a call out to something that sometimes changes after audit.) Google in particular is (was?) known for being draconian, because they had more to gain by growing the market (by making/keeping internet ads acceptable) than by growing their market share.

  5. That anubis stuff is total crap, it blocked me from going to a normal site and there was 0 reason except
    that I have some basic protection in my browser.
    And then I get an idiotic statement with some anime crap that is supposed to amuse me? Or is it to infuriate me? If it is the 2nd it worked..
    They are part of the people that want you to watch ads and be hacked by malicious scripts, great crowd that….

    Enshitification, it’s an ongoing project eh.

    Anyway, it’s OK, I stop using internet in the end I suppose, and that’s anyway inevitable as the politicians are destroying it and outlawing it. I wonder what other ‘activities’ angry people will entertain themselves with. What do you think politicians and enshitficators?

    1. Hey! Not all of our courts are like that. :D

      In the past, German courts were making a few very reasonable decisions, too.
      Such as that OEM software can be sold independently of a new PC.
      Microsoft wasn’t happy about this, because it did override the clauses in the EULA.
      That’s why we got affordable Windows licenses, for example.
      Which in retrospect wasn’t the best for us, maybe. ;)

      Main problem is that German law is a “little bit” behind the times, I would say.
      Many telecommunications and computery laws are from the dark ages of BBSes, Datex-P and Bildschirmtext (our former Minitel).

      The Internetz still is a “Neuland” to us, so to say.
      At least from a bureaucratic and political point of view, I would say.
      So the courts rely on help of “experts”, which may or may not belong to a lobby and take advantage of the situation.

      Then add another layer of “correctness” and
      you have regulations that take years to
      be evaluated and put into action.

      If you’re into legal amusements,
      please have a look how often our highest court in Karlsruhe disagreed with the European court in the past.
      More than often it had the better or more reasonable arguments, too! :D

      (Sorry for my poor English)

    2. I mean, our courts are still living in a world of fax machines.
      Without the fax, our whole infrastructure would collapse.
      We’re like Japan in this regard.

      Even I do still own a physical 1980s fax machine, as a fallback.
      It’s the most sane way of getting a document from A to B, without all of the internet madness.

      Without fax, we would need to use physical documents
      and travel to the contract signer to get a signature on paper.
      Take a train, ride a bike, drive by car. Just to exchange documents or sign a document.

      Thankfully there are multi-purpose devices that have fax functionality, which maybe continue to be available once dedicated fax machines are being retired.
      Long live the fax machine. :D

      You see, in terms of IT, Germany is world’s biggest open-air museum, probably.
      The FR(O)G, I mean. Our neighbor, the former GDR used to be the biggest one (Robotron etc) back in the day, likely.

      There even was this old GDR joke..

      A Japanese delegation is invited to visit the GDR.
      As the visit draws to a close, the Japanese are asked how they liked the GDR.
      “Oh, very good,” the Japanese reply politely.
      “And what did you like best about us?”
      The Japanese reply: “Your museums: Pergamon, Pentacon and Robotron.”

      Or this one:

      Robotron: “Our microelectronics is the biggest!”
      (biggest=greatest)

  6. So if blocking ads becomes illegal as it doesn’t honor serving the code of the website exactly as the server intended, what do you call it when my antivirus blocks code coming from a malicious website, either partly or in its entirety? This is moronic.

    1. My thought as well.

      The site owners would have a right to expect a requesting browser to behave in their choosing. Ridiculous.

      Technically they are already doing it by not serving content when they detect an ad blocker. I don’t see why they don’t continue that way. They could also only make their content available via an app, skip those filthy freeloading internet browsers, with their filthy plugin support, all together. Or band together and make their own browser, only serve to that.

      Or send their content out over snail mail, on printed media.

    2. It gets worse. Looking at the plain HTML code
      of a website using a web browser’s built-in features can be considered “hacking”.
      Apparently, certain people still haven’t understood that HTML is a page description language,
      rather than secret “source code” of a program.
      Speaking of, if you’re opening an EXE file in Windows Notepad and look for ASCII characters, then you’re using an illegal “hacker tool” in some people’s eyes.
      Imagine it. A simple text editor. Not even a hex editor or an (yikes!) disassembler.

  7. Odd that it is Axel Springer complaining about automated content modification (ad filtering).
    Springer’s news operations have a history of using automated tools to change (and misrepresent) what other people have said.

    Sources:
    At Politico, AI content doesn’t need editorial standards!
    https://pivot-to-ai.com/2025/08/16/at-politico-ai-content-doesnt-need-editorial-standards/

    Business Insider layoffs as traffic drops — but publisher Axel Springer says AI will fix it!
    https://pivot-to-ai.com/2025/06/01/business-insider-layoffs-as-traffic-drops-but-publisher-axel-springer-says-ai-will-fix-it/

    1. I’m not that surprised. Its respectability is questionable, at very least.
      I mean, it’s responsible for infamous “BILD” (!) news paper, which, err, isn’t exactly known for its reliable reputation.
      (To those wondering, it’s a non-social news paper. A scandal sheet. It attracts the lower social class of people, steers opinions.)
