yan
@bcrypt
20.2K posts

security engineering @brave / helped build Let's Encrypt, Privacy Badger, and HTTPS Everywhere @eff / physics alum @mit / rabbit enthusiast

Joined November 2012
330 Following · 74.1K Followers

Pinned Tweet
yan @bcrypt:
could not for the life of me figure out how to buy a bus ticket in Milan. it was literally easier to get a shell 😆

Carbon @CogniCarbon:
I built a tool that ranks health influencers by how well their claims match 150,000 research papers. Here's the leaderboard. Will post more results soon!

yan @bcrypt:
@sumlac i added the marin data, lmk if you see any issues!

Justin Calmus @sumlac:
@bcrypt This is good stuff! I’m in Marin, may need to add coverage there 😆

yan @bcrypt:
in light of the tragic news that a 2-year old died at a licensed SF daycare earlier this month, i made a site to show childcare license violations and complaints in the Bay Area: azuki.vip/childcare/

yan @bcrypt:
@sumlac i'll add it with my next data refresh!

yan @bcrypt:
* the data is public at ccld.dss.ca.gov/carefacilityse… but i found that site hard to use
* PRs welcome github.com/diracdeltas/ch…
* i am aware this does not show small home daycares; working on that
* very grateful to Claude for making this a sunday project instead of a multi-week one

yan @bcrypt:
why is Claude installing a Native Messaging host in Brave's profile directory if code.claude.com/docs/en/chrome explicitly doesn't support Brave??

Quoting That Privacy Guy @alexanderhanff:
thatprivacyguy.com/blog/anthropic… @AnthropicAI secretly installs spyware when you install Claude Desktop Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven... #ai #privacy #eprivacy #compliance #infosec #gdpr #law #cyber #security #anthropic #claude

yan retweeted
Feross @feross:
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

yan @bcrypt:
wow it turns out that some of those AI slop reports that every bug bounty program is now flooded with are from security companies trying to get free training input @Bugcrowd please name them! bugcrowd.com/blog/bugcrowd-…

yan retweeted
Brave @brave:
AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks. We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger.

yan retweeted
Meredith Whittaker @mer__edith:
📣🚨 BAT SIGNAL: A law in France that would mandate a backdoor in end to end encrypted communications is set for a vote within the next day, after some start-stop skirmishes.

The French Narcotraffic law would require encrypted communications providers—like Signal—create a backdoor by giving the government the ability to add themselves to any group or chat they like. In the name of (checks notes) fighting drug trafficking.

While those hyping this bad law have rushed to assure French politicians that the proposal isn’t ‘breaking encryption’ their arguments are as tedious as they are stale as they are laughable. For those catching up, let’s review the basics: end to end encryption must only have two ‘ends’—sender and recipient(s). Otherwise, it is backdoored. Whatever method is devised to add a ‘third end’—from a perverted PRNG in a cryptographic protocol, to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats—it rips a hole in the hull of private communications and is a backdoor.

Indeed, the ghost participant proposal was roundly rebuked (humiliated, even) when it was first proposed in 2019 in the UK. The technical community was united, and it was never implemented in law or otherwise.

We cannot accept any backdoor, however it’s dressed up. Communications don’t stay within jurisdictional boundaries. Which means a hole created in France becomes a vector for anyone wanting to undermine Signal’s robust privacy guarantees, anywhere. Instead of contending with unbreakable math, they only have to compromise a French government employee, or the vendor-provided software used to sideload government operatives into your private chats.

This is why, as always, Signal would exit the French market before it would comply with this law as written.

At this moment especially, there is simply too much riding on Signal, on our being able to forge a future in which private communication persists, to allow such pernicious undermining.

We hope—WE HOPE—that this callow, dishonest attack will fail, and will be the last. We would love to get back to the work of maintaining and improving our core technologies, instead of fighting legislation which is distinguished in nothing as much as its refusal to listen to decades of expert consensus in its drive to imperil global cybersecurity and the human right of privacy.

yan @bcrypt:
(this is the sort of tweet that would have absolutely slapped on infosec twitter circa 2015, RIP)

yan @bcrypt:
ecdsa private key leak due to nonce reuse strikes again, this time in the elliptic npm library github.com/advisories/GHS…

yan @bcrypt:
@AmandaAskell @bratwebb ALSO recall that i won the plank and wall sit competitions at Anya's birthday party!!

yan @bcrypt:
@AmandaAskell @bratwebb my default protein intake is pretty low (like 1 g/kg at most) and i didn’t get much benefit from going higher! if you’re consistent you should still gain muscle. my main metric is climbing and i went from 11b’s to 12b’s in like a year of strength training with no diet changes

Amanda Askell @AmandaAskell:
I knew strength training would be hard because lifting heavy things is hard. But it also seems to involve eating protein like it's a part time job. If any seasoned people have tips for beginners, I'd love to know them!

yan @bcrypt:
@KumailNanji i heard this works even better: rm -rf /

Kumail Nanji @kumailnanji:
Mac tip of the year: Go to "~/Library/Caches" and delete everything inside I just reclaimed 500gb of storage 🤯😤

yan @bcrypt:
@thdxr october 2023

dax @thdxr:
has anyone generated an impressive logo you'd actually ship with ai? this feels like a good benchmark

yan @bcrypt:
@troyhunt haha i got this too

Troy Hunt @troyhunt:
You absolute muppet, Ghulam 🤦‍♂️

yan @bcrypt:
target.com prices delivery items based on your local store setting, not your delivery address, so if you live in SF just set your local store to Missouri or something lol

cinesthetic. @TheCinesthetic:
What’s something that’s completely normal in movies but would be weird and even psychotic in real life?