西塚 要
2.5K posts
西塚 要 retweetledi
注意事項としてはGitHub Pagesのサブドメインテイクオーバーは、
- ワイルドカードではないCNAMEレコード設定
- GitHubアカウントを手放していない
という条件下でも起こります。
speakerdeck.com/mikit/sabudome…
iwashi / Yoshimasa Iwase@iwashi86
自分のドメインのサブドメインが、GitHub Pages で見知らぬ人に使われていたという話だった。 仕組みはこんな感じ。 ・前提①:筆者はDNSの設定で「*.immersivepoints.com へのアクセスは、すべてGitHubに向ける」というワイルドカード設定をしている ・前提②:GitHub Pagesでは、誰でも自分のページに好きなドメイン名を紐づける設定(CNAME)ができる ・この状態で、攻撃者は自分のアカウントで「kafka\.immersivepoints\.comは自分のページだ」と勝手に設定して待ち構える ・誰かが、そのアドレスにアクセスすると、被害者の設定(前提①)によって強制的にGitHubへ ・GitHub側は「このアドレスを使いたいと設定しているユーザー(前提②)」を見つけ、そのまま攻撃者の詐欺ページを表示してしまう ・この現象はサブドメイン乗っ取りとして知られている ・悪用可能なドメインを探すツールまで存在している ・調べた結果、他にも複数のサブドメインが勝手に作成され乗っ取られていたことが判明した meertens.dev/blog/github-en…
日本語
西塚 要 retweetledi
日記にしました。これはまずいです。
takagi-hiromitsu.jp/diary/20260511…
個人情報保護法改正案に重大な欠陥、2001年「メディア規制」法案の再来、修正が必要 - 高木浩光@自宅の日記(2026年5月11日)
日本語
西塚 要 retweetledi
日本語
西塚 要 retweetledi
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
English
西塚 要 retweetledi
Deutsche Telekom is considering a full combination with its American arm T-Mobile, a move that would create a multinational telecom group and rank as the largest-ever public M&A deal. Manuel Baigorri reports on the Bloomberg scoop bloom.bg/3QCPku5
English
@__kaname__ 動画のハイライトをまとめるAIも消費AIの一種なんですかね。「この週末はアニメ1000本も観たよ!(ハイライト)」のように娯楽すら自分の代わりにAIにやってもらう時代。
日本語
西塚 要 retweetledi
LLMは指示通り確率的な振る舞いが出来るか。個人的にもずっと解いてみたかった問題だったんですが、一風変わったプロンプト(だけ)でとても上手くいくことを発見できました。今週からの #ICLR2026 で発表あります。
こういった確率的な指示に対する追従性は、ある種 "言語モデル" としての本能に逆 らう部分があります。このプロンプトを発見するに至る経緯は結構面白く、最初は工夫した追加学習で解決しようとしてたのですが、学習に使うプロンプトを試行錯誤していると、いつしか最初のイテレーションから出来てない?となり、気づいたらプロンプトだけで解決していたという。
このプロンプトには実用性があり、アイディア出しや創作等の状況における出力の多様性を上げる効果も観測出来ました。言うまでもなくこれは推論時スケーリングととても相性が良いんですよね。手軽に多様性をブーストする方法として社内でも既に試してもらってます。
Sakana AI@SakanaAILabs
LLMは頭の中でコイントスができるか? ブログ:pub.sakana.ai/ssot 論文(#ICLR2026):arxiv.org/abs/2510.21150 一見簡単そうで奥深いこの問題を「プロンプトだけ」で解決した論文 "SSoT: Prompting LLMs for Distribution-Faithful and Diverse Generation" が #ICLR2026 に採択されました。 LLMに「コイントスをして」と100回プロンプトすると、出力の表と裏の比率は50:50から大きく離れてしまいます。明示的に確率の指示が与えられても、LLMがそれに忠実に従って出力を生成することは難しい問題です。 このことは、コイントスに留まりません。LLMに小説のアイデアを何本か出してもらったら似たような案ばかり出てきた、という経験はないでしょうか。コイントスを歪ませるのと同じ確率的な偏りが、創作やブレインストーミングなど多様な出力が求められるタスク全般で多様性を抑制しています。 私たちはこれらの問題の解決策として、String Seed of Thought (SSoT)というプロンプトを発見しました。SSoTは、LLMに頭の中で一旦ランダムな文字列を考えさせ、その文字列を操作させて結果を出力させるという非常にシンプルな手法です。外部の乱数生成器は一切使いません。 SSoTにより出力のバイアスはオープンモデルでもクローズドなモデルでも幅広いLLMで低減されます。一部のreasoningモデルでは、実際に乱数を使った場合とほぼ変わらない精度を達成しました。これは、2択の選択肢だけでなく一般の離散分布について有効です。 さらに重要なのは、SSoTはモデル出力の多様性を高めるのに使えることです。創作的な文書作成などにおいて、SSoTをプロンプトに加えるだけで、出力される文書などの多様性が高まることがわかりました。 本手法はコンテンツ生成やアイディア出し、推論時スケーリングの新手法の開発など、LLMを実世界のシステムに組み込んでいく上で重要な基盤になると考えています。 SSoTのメカニズム、理論的な解析、インタラクティブなデモについてはブログと論文をご覧ください。 OpenReview:openreview.net/forum?id=luXtb…
日本語
西塚 要 retweetledi
Because we get asked a lot.
The Technological Republic, in brief.
1. Silicon Valley owes a moral debt to the country that made its rise possible. The engineering elite of Silicon Valley has an affirmative obligation to participate in the defense of the nation.
2. We must rebel against the tyranny of the apps. Is the iPhone our greatest creative if not crowning achievement as a civilization? The object has changed our lives, but it may also now be limiting and constraining our sense of the possible.
3. Free email is not enough. The decadence of a culture or civilization, and indeed its ruling class, will be forgiven only if that culture is capable of delivering economic growth and security for the public.
4. The limits of soft power, of soaring rhetoric alone, have been exposed. The ability of free and democratic societies to prevail requires something more than moral appeal. It requires hard power, and hard power in this century will be built on software.
5. The question is not whether A.I. weapons will be built; it is who will build them and for what purpose. Our adversaries will not pause to indulge in theatrical debates about the merits of developing technologies with critical military and national security applications. They will proceed.
6. National service should be a universal duty. We should, as a society, seriously consider moving away from an all-volunteer force and only fight the next war if everyone shares in the risk and the cost.
7. If a U.S. Marine asks for a better rifle, we should build it; and the same goes for software. We should as a country be capable of continuing a debate about the appropriateness of military action abroad while remaining unflinching in our commitment to those we have asked to step into harm’s way.
8. Public servants need not be our priests. Any business that compensated its employees in the way that the federal government compensates public servants would struggle to survive.
9. We should show far more grace towards those who have subjected themselves to public life. The eradication of any space for forgiveness—a jettisoning of any tolerance for the complexities and contradictions of the human psyche—may leave us with a cast of characters at the helm we will grow to regret.
10. The psychologization of modern politics is leading us astray. Those who look to the political arena to nourish their soul and sense of self, who rely too heavily on their internal life finding expression in people they may never meet, will be left disappointed.
11. Our society has grown too eager to hasten, and is often gleeful at, the demise of its enemies. The vanquishing of an opponent is a moment to pause, not rejoice.
12. The atomic age is ending. One age of deterrence, the atomic age, is ending, and a new era of deterrence built on A.I. is set to begin.
13. No other country in the history of the world has advanced progressive values more than this one. The United States is far from perfect. But it is easy to forget how much more opportunity exists in this country for those who are not hereditary elites than in any other nation on the planet.
14. American power has made possible an extraordinarily long peace. Too many have forgotten or perhaps take for granted that nearly a century of some version of peace has prevailed in the world without a great power military conflict. At least three generations — billions of people and their children and now grandchildren — have never known a world war.
15. The postwar neutering of Germany and Japan must be undone. The defanging of Germany was an overcorrection for which Europe is now paying a heavy price. A similar and highly theatrical commitment to Japanese pacifism will, if maintained, also threaten to shift the balance of power in Asia.
16. We should applaud those who attempt to build where the market has failed to act. The culture almost snickers at Musk’s interest in grand narrative, as if billionaires ought to simply stay in their lane of enriching themselves . . . . Any curiosity or genuine interest in the value of what he has created is essentially dismissed, or perhaps lurks from beneath a thinly veiled scorn.
17. Silicon Valley must play a role in addressing violent crime. Many politicians across the United States have essentially shrugged when it comes to violent crime, abandoning any serious efforts to address the problem or take on any risk with their constituencies or donors in coming up with solutions and experiments in what should be a desperate bid to save lives.
18. The ruthless exposure of the private lives of public figures drives far too much talent away from government service. The public arena—and the shallow and petty assaults against those who dare to do something other than enrich themselves—has become so unforgiving that the republic is left with a significant roster of ineffectual, empty vessels whose ambition one would forgive if there were any genuine belief structure lurking within.
19. The caution in public life that we unwittingly encourage is corrosive. Those who say nothing wrong often say nothing much at all.
20. The pervasive intolerance of religious belief in certain circles must be resisted. The elite’s intolerance of religious belief is perhaps one of the most telling signs that its political project constitutes a less open intellectual movement than many within it would claim.
21. Some cultures have produced vital advances; others remain dysfunctional and regressive. All cultures are now equal. Criticism and value judgments are forbidden. Yet this new dogma glosses over the fact that certain cultures and indeed subcultures . . . have produced wonders. Others have proven middling, and worse, regressive and harmful.
22. We must resist the shallow temptation of a vacant and hollow pluralism. We, in America and more broadly the West, have for the past half century resisted defining national cultures in the name of inclusivity. But inclusion into what?
Excerpts from the #1 New York Times Bestseller The Technological Republic: Hard Power, Soft Belief, and the Future of the West, by Alexander C. Karp & Nicholas W. Zamiska
techrepublicbook.com
English
定期的にIETFに投稿される釣り提案に既視感しかないので、心構えとしてIPv8の前にIPv10の話を知っとこう
janog.gr.jp/meeting/janog3…
日本語