RootMonsteR

1.2K posts

@RootMonsteR

AI & Cybersecurity Expert | Full-Stack Dev & DevOps Engineer | Insights on tech, free speech & policy | Open to collabs & consulting | #AI #CyberSec #DevOps

CyberSpace · Joined April 2014
724 Following · 774 Followers
RootMonsteR@RootMonsteR·
governance, permission modeling, and replayability were all built assuming human-paced change. AI tooling moved the clock forward and nobody updated the controls. GitHub is just the most visible example because the blast radius is public. the same gap exists at every company shipping AI assisted code right now.
Jack Quinn@JackQuinn·
Interesting seeing people like @Thomas_Tao_1, @sethwbarton, @RootMonsteR and @vladsazonau all circling different parts of the same structural issue from different angles. The hardening patterns being discussed here — delayed package adoption, static analysis, reduced permissions, self-hosting, deterministic CI controls — are all effectively attempts to reintroduce bounded authority and replayable execution into software systems that are becoming increasingly autonomous and mutation-heavy through AI tooling. The deeper problem isn’t just security. It’s that AI-assisted development is compressing assist → execute → delegated infrastructure authority faster than governance, permission modeling, and replayability systems are maturing. A lot of the work we do at Decision Governance Group is helping companies map those exposure surfaces before they become incident-response problems.
GitHub@github·
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
RootMonsteR@RootMonsteR·
this is the part that should be keeping people up at night. exfiltration leaves traces in egress logs. injection doesn't. three weeks of write access to internal repos, if any of it touched signing or CI infrastructure, every downstream artifact is provenance suspect until proven otherwise. we're in solarwinds territory and nobody's saying it yet.
NextGenRails™@NextGenRails·
@RootMonsteR @github exactly. and the window was three weeks. everyone asking what they took. nobody asking what you can prove was in there before they got in. that's the gap. post-incident investigation tells you what's missing. it can't tell you what the state was before the window opened.
RootMonsteR@RootMonsteR·
Shipped Qwen3-14B Abliterated - tuned for autonomous security agents. 📊 Refusals: 99/100 → 10/100 📊 KL: 0.0333 (near-zero capability loss) 🧠 Thinking mode + tool-calling preserved by design 🔁 Reproducible via Heretic For red-team agent loops. Free, open weights. Take it. 🔗 in reply 👇
RootMonsteR@RootMonsteR·
Spent the last year building AI agents and systems for offensive security work. The models aren't the bottleneck. They never were. What actually breaks production: – Context windows you didn't budget for – Tools the agent uses creatively wrong – Evals that pass in dev and miss the real failure mode – Cost spirals from one bad recursion And the thing nobody on this app wants to admit.. a properly scaffolded 8B local model handles a shocking amount of agent work. Recon, log triage, structured extraction, repetitive tool calls. You don't need Claude or GPT for every step of every pipeline. You need to know which step needs which model. I learned that the expensive way. What's the worst agent failure you've shipped?
RootMonsteR@RootMonsteR·
You're right about the censorship. You're right about Ofcom. But the Online Safety Act was passed by the Tories in 2023 and a good number of Reform's current MPs and defectors voted for it back then. Labour are wielding the weapon. The benches Reform is filling helped forge it. Naming that makes the case against the Act stronger, not weaker.
Zia Yusuf@ZiaYusufUK·
🚨 Labour is using the “Online Safety Act” to silence political opponents, and TikTok is doing their dirty work. First, TikTok removed my video announcing Reform UK’s new policy to place secure illegal migrant detention centres in non-Reform constituencies, prioritising Green ones.  TikTok explicitly cited the Online Safety Act as the reason for its removal. This is hard evidence of this draconian legislation being weaponised to silence political opponents.  That same video has 6.2 million views on other platforms. Today, the censorship escalated.  TikTok has now removed my video outlining the key policies I would implement as Home Secretary, claiming it is “Hate Speech and Hateful Behaviour.”  They warned me that any further "violations" will result in a strike, potentially leading to being de-platformed altogether. This is all the more staggering given TikTok happily hosts hundreds of videos of people calling for the assassination of Nigel Farage. My TikTok videos had received 18 million views over the previous 28 days. This is a chilling attempt to silence one of the biggest and fastest-growing UK political accounts on the platform. TikTok is engaging in direct political interference in the midst of the most pivotal elections in our country’s history. All under the auspice of the “Online Safety Act” that the Tories and Labour claimed to be about protecting children. It is, and always will be about silencing voices the open-borders political establishment don’t like. @TikTokComms have decided to try and suppress Reform. Sow the wind, reap the whirlwind.
RootMonsteR@RootMonsteR·
Sold as protecting kids. Deployed to scrub opposition policy the moment it threatens the government. Free speech isn't free when the regulator decides which politics you're allowed to hear or see. Ofcom answers to the same Parliament that wrote the Act and benefits from its enforcement, that's not oversight, it's a closed loop. No ballot. No appeal. No regulator above them. Tell me again how this is a democracy and not a dictatorship in a suit?
Steven Barrett@SBarrettBar·
Right. Lovely Marchers Tomorrow, Please: - Join the @SpeechUnion - Stay peaceful, ignore provocation - Smile at the police - And if possible, get word to me if you face legal issues, I can coordinate - offer the police biscuits And @metpoliceuk - I will be watching you.
RootMonsteR@RootMonsteR·
@Grummz You can reset a breached password. You can't reset your date of birth, your ID number, or your face. Centralised identity databases aren't a public service, they're a honeypot with a government logo on it. France didn't get unlucky. It got predictable
Grummz@Grummz·
France lost 18M private citizen Digital IDs to hackers. They got biometric passports, national ID cards and driver’s licenses. Today the King of England announced a sweeping Digital ID initiative. All this means is that hackers will breach it all and over time, have it all. Age verification has the same problems. Your data is secured by the gov's lowest bidder. The age of privacy is over and there is no way to secure any of this. It's a matter of when, not if.
RootMonsteR retweeted
Tommy Robinson 🇬🇧@TRobinsonNewEra·
The lying rat that is @Keir_Starmer has just given a speech following hundreds of his own party demanding he resign. During it, he openly admitted he's banning anyone from entering the UK for our Unite The Kingdom and the West rally. This is including American citizens, he lied to your faces @JDVance @realDonaldTrump This pathetic little man does not speak for the UK. Our borders remain wide open to invaders, yet people fighting for free speech are denied entry. All eyes on May 16th.
RootMonsteR@RootMonsteR·
Half-assed ban is the base case, they get the headline, technical users shrug, nothing changes. Full dystopia is doable but expensive. AI traffic analysis, mandatory DPI, criminalising self-hosted servers. The bottleneck isn't tech anymore, it's political will. And that's the bit that actually scares me.
Anthony@myonlinetrust·
@RootMonsteR @IntCyberDigest Presumably at the most they’re going to implement some half-assed “ban” that is easy to get around, but lets them say they did something. But in the worst case dystopia (especially with AI assistance), they can lock things down pretty hard, I think.
International Cyber Digest@IntCyberDigest·
THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs THEY ARE GOING TO BAN VPNs
European Parliamentary Research Service@EP_EPRS

Virtual private networks #VPN are increasingly used to bypass online age verification. Protecting children online is a priority, with new rules being implemented requiring a minimum age for access to some services Read👉 link.europa.eu/FGfr6C #DSA @EP_Justice @FZarzalejos

RootMonsteR@RootMonsteR·
@laitinlok @IntCyberDigest AWS, GCP, Azure, Oracle's free tier all of it. The infrastructure VPN evasion runs on is the same infrastructure the FTSE 100 runs on. You can't ban one without killing the other. Pick a lane.
RootMonsteR@RootMonsteR·
@pchapuis @IntCyberDigest Fair point, they can absolutely subpoena the host. But threat model matters, average user dodging age-gates isn't getting that treatment. And if you're actually worried about state-level adversaries, you're on Tor + a burner identity, not a £4 VPS. Consumer ban, consumer evasion.
RootMonsteR@RootMonsteR·
@EverydayisZOG @IntCyberDigest Mullvad's bridges are genuinely one of the better implementations out there. Combined with their no-logs and cash-by-post payment, you'd need a court order against air to identify a user. Good shout.
Alan@EverydayisZOG·
@RootMonsteR @IntCyberDigest Mullvad has pretty awesome obfuscation buddy idk if you know. You can even request a private bridge from the company.
RootMonsteR@RootMonsteR·
@myonlinetrust @IntCyberDigest Mixmaster, I2P, Tor bridges with meek transport, there's a whole ecosystem of stuff that doesn't even pretend to be a VPN. The regulators are fighting 2010's threat model with 2026's internet. They've already lost, they just don't know it yet.
Anthony@myonlinetrust·
@RootMonsteR @IntCyberDigest Outlawing encryption to unapproved IP addresses? I guess it’ll be hard for them to close down asynchronous Mixmaster type communications.
RootMonsteR@RootMonsteR·
@laitinlok @IntCyberDigest Exactly. WebSocket over Cloudflare is the nuclear option, they'd have to nuke half the modern web to touch it. Same reason China's Great Firewall plays whack-a-mole rather than blanket blocking CDNs.