Joe Beeton

60 posts

@JosephBeeton

Brighton, England
Joined November 2022
442 Following, 67 Followers
Joe Beeton@JosephBeeton·
@PositivFuturist I think you are missing the point when talking about paid-for software. If you can pay 1/10 of the price for something that is "good enough", you will pick that.
Andy@PositivFuturist·
Name a software product you use that’s second or third best.. then you can claim vibe coding will dominate software.
Joe Beeton@JosephBeeton·
@trufflesec I'm guessing part of the reason it's taking so long to fix is working out the best way to unravel this mess. Do you block older keys from accessing Gemini? Create a new type of key meant to be publicly accessible? Any fix breaks some existing users' workflows.
Truffle Security@trufflesec·
🚨 Google told devs: API keys aren't secrets. Gemini changed that. 😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage 💥Even Google's own keys were vulnerable. 🔗 trufflesecurity.com/blog/google-ap…
Joe Beeton@JosephBeeton·
@Dinosn I imagine they have lost a lot more than that in lost customers/sales.
Joe Beeton@JosephBeeton·
youtu.be/5QXGfquhx2Y?fe… I've done a few talks on this attack vector, especially as a way to target developers that run services on localhost. Essentially, JS running in the browser can be used to interact in some circumstances with services bound to localhost, leading to RCE on the dev's machine in Spring, Quarkus, Spring MCP. Several POCs can be found at joebeeton.github.io. It's good to see it fixed at the browser level, although another popup is not the way to do it.
Attila@attilablenesi·
What's happening with websites recently? All want local network access...
Joe Beeton@JosephBeeton·
You can of course. You shouldn't, esp. in a business. Apart from the technical issues of limited library support, memory safety etc., the main issue is you find it impossible to get skilled enough developers to maintain it after you have moved on. Java web devs are cheap and plentiful.
The Lunduke Journal@LundukeJournal·
I would argue that even "Web Applications" can be predominantly written -- and written well -- in C. In fact, this was a common approach in years gone by. Programming a CGI, in C, and dropping that compiled bad boy in the "cgi-bin" directory is an approach that most big websites (like Amazon) used until fairly recently.
Joe Beeton@JosephBeeton·
@Osinttechnical I'm surprised they still haven't built relatively cheap hangars for their aircraft. These are relatively light FPV drones. Either hangars or just netting would have made this attack less effective. I know this is far from the front, but still.
OSINTtechnical@Osinttechnical·
Today, Ukrainian forces conducted a simultaneous strike on Russia's Belaya, Dyagilevo, Olenya, and Ivanovo airbases using FPV drone swarms. The strikes destroyed a number of high-value Russian aircraft (Ukrainian SBU sources tell the FT nearly 40), including heavy bombers.
Joe Beeton@JosephBeeton·
@jaketeater @Osinttechnical That's true, that makes fibre optic unlikely. So radio link to the container is most likely. I doubt they had RF jammers running at an airfield that far away.
jake teater@jaketeater·
@JosephBeeton @Osinttechnical One of the drones flies over a fire. I assume if it had a fiber connection to a mothership/container the pilot would avoid the fire below, which might melt his fiber.
Joe Beeton@JosephBeeton·
@UKDefJournal 5 inches, that's the size of a toothbrush, how can they defend themselves with that!
Joe Beeton@JosephBeeton·
Why are cash machines so intent on convincing me to check my bank balance?
Joe Beeton retweeted
elttam@elttam·
New blog post: plORMbing your Django ORM - Part one of a series about ORM Leak vulnerabilities and attacking the Django ORM. elttam.com/blog/plormbing…
Joe Beeton retweeted
hackaday@hackaday·
Who else learned in high school that you could use a file open or file save dialog to run executables?
Deftdawg@deftdawg

@hackaday F1 for help, file open, browse to cmd or explorer and you can skip the logins… great for using computer labs anonymously 🤣

Joe Beeton@JosephBeeton·
@josephfcox This is why penetration testing is so important!
Joseph Cox@josephfcox·
New from 404 Media: claims a vibrator delivered malware went viral. So, we bought a couple of them and put them through "404 Media's forensic lab" (some old computers). Also did a tear down. 404media.co/spencers-vibra…
Navy Lookout@NavyLookout·
Unfortunately, Lewis Page is now defence editor @Telegraph and is endlessly saying not fitting QEC carriers with CATOBAR is a disaster and it was a "conspiracy" that prevented it. In an ideal world where defence spending was north of 3% of GDP & manpower was abundant the RN would have CATOBAR carriers but this is completely unrealistic with resources available. telegraph.co.uk/news/2024/02/0…
Joe Beeton retweeted
LaurieWired@lauriewired·
Reminder, JAVA is *NOT* designed for Nuclear Facilities
Joe Beeton retweeted
CSOonline@CSOonline·
MLflow vulnerability enables remote machine learning model theft and poisoning trib.al/Iz67hOP