beckyschmitty

262 posts

@beckyschmitty

breaking software 9-5 🐛 | building apps after dark 📲

United States · Joined July 2020
201 Following · 150 Followers
beckyschmitty retweeted
vx-underground @vxunderground
I'd love to see a cyber criminal deal with real-world problems. Oh yeah, you're tough online? Get wind damage on your roof that homeowners insurance refuses to cover. Get a bunch of different quotes on your roof damage, then realize a fucking SQUIRREL lives in your attic
beckyschmitty retweeted
Sarah Gooding @sarahgooding
🔺 We updated our technical analysis for the Bitwarden compromise. This is the third supply chain compromise in 3 days: a security scanner, an AI agent CLI, and a password manager CLI. Attackers are hammering tools with privileged access to infrastructure, so keep your eyes open this week. This is life now.
Feross@feross

Heads up! Bitwarden CLI v2026.4.0 was compromised in the ongoing Checkmarx supply chain campaign. Attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline to ship malicious code. We'll update this post as more details are confirmed. socket.dev/blog/bitwarden…

beckyschmitty retweeted
Adib Hanna @adibhanna
Had an interview with a “crypto” recruiter. We talked for about 40 minutes, and then they asked me to look at some code. Their first instruction was to clone the repo. I didn’t. They seemed surprised, so I told them I wanted a moment to check whether it was safe first. I ran a quick analysis with Claude. Turns out the code had a backdoor. It would copy my environment variables and send them to a remote server. The recruiter went speechless and ended the call pretty quickly. Be careful who you talk to. Scammers are real.
beckyschmitty retweeted
Wes Bos @wesbos
Claude Code leaked their source map, effectively giving you a look into the codebase. I immediately went for the one thing that mattered: spinner verbs. There are 187
beckyschmitty retweeted
Cheng Lou @_chenglou
My dear front-end developers (and anyone who’s interested in the future of interfaces): I have crawled through depths of hell to bring you, for the foreseeable years, one of the more important foundational pieces of UI engineering (if not in implementation then certainly at least in concept): Fast, accurate and comprehensive userland text measurement algorithm in pure TypeScript, usable for laying out entire web pages without CSS, bypassing DOM measurements and reflow
beckyschmitty retweeted
MG @_MG_
If you use a personal phone/laptop for your work, pay very close attention to this little detail. Iran attackers wipe 200k devices at a company called Stryker. Within those devices appear to be employees' PERSONAL devices. The attackers used the company’s MDM software, which is basically IT management software running on everything. It’s an incredibly attractive backdoor to an attacker. I successfully targeted MDM software for several Red Team engagements. It’s… lots of fun :) Anyway, a lot of companies require you to install their MDM software on your personal devices before you can access resources like Corp email. It’s used to keep devices updated, lock things down if they get stolen, etc. The company often promises that they won’t access personal data, erase any personal data, etc. But this is often ONLY POLICY. If a bad actor gains access to the MDM tool, as was the case here, then anything can happen. People should be aware of these risks. I refused to run MDM software on any of my personal devices. The company needs to provide me with hardware if they want that. I personally isolate all corp devices to their own network too. If an adversary can get into the corp laptop, they can then get inside my network… there have been cases of it happening in the past.
Kim Zetter@KimZetter

I've published more details about the cyberattack in this piece: zetter-zeroday.com/iranian-hackti…

beckyschmitty retweeted
Mark Gadala-Maria @markgadala
This story is actually insane:
• dude drops $2000 on a DJI robot vacuum like a lunatic
• refuses to use the normal app like a peasant
• Sammy Azdoufal fires up Claude to crack the API so he can drive it with an Xbox controller
• Claude delivers the goods
• pulls an auth token from their servers, connects successfully
• except the system thinks he controls 7000 vacuums
• checks again
• yep, seven thousand
• DJI built authentication with zero device ownership verification
• any valid token works for any unit on the planet
• Sammy now has eyes inside homes across 24 countries
• live vacuum camera feeds everywhere
• full floor plans from the mapping data
• some guy in Germany eating cereal at 3am, unaware his roomba is snitching
• one API call away from being the most informed burglar in history
• all he wanted was to steer his vacuum with a joystick
• does the right thing and reports it
• DJI fixes it in two days
• back to normal life with his stupidly expensive floor cleaner
• IoT companies stay undefeated at shipping garbage security
beckyschmitty retweeted
Yuchen Jin @Yuchenj_UW
Moltbook is the only Clawdbot thing that actually impresses me. One bot tries to steal another bot’s API key. The other replies with fake keys and tells it to run "sudo rm -rf /". lmao
beckyschmitty retweeted
Oliur @UltraLinx
Can you read 900 words per minute? Try it.
beckyschmitty retweeted
Jack Mallers @jackmallers
Last month, J.P. Morgan Chase threw me out of the bank. It was bizarre. My dad has been a private client there for 30+ years. Every time I asked them why, they said the same thing: “We aren’t allowed to tell you”.
mjamiv⚡️@MJAMIV

Dude - @jackmallers was right.

beckyschmitty retweeted
Rachel Tobac @RachelTobac
Microsoft, Azure, etc. are down right now. Tell your teams to expect potential phishing texts, calls, emails (once back up) claiming Microsoft is down because they need to “update their password, click here”, etc. Criminals love to take advantage of outages to trick. Catch them!
Microsoft 365 Status@MSFT365Status

We’re investigating reports of issues accessing Microsoft 365 services and the Microsoft 365 admin center. More details can be found in the Service Health Dashboard under MO1181369.

beckyschmitty retweeted
Mac Louis @ItsMaclouis
color inspiration - #079
beckyschmitty retweeted
nic carter @nic_carter
this isn't getting a lot of coverage but this is insane?
beckyschmitty retweeted
Claude @claudeai
Claude Code in action. From dev tools to experimental games, here's what the community built this week:
beckyschmitty retweeted
Nick Neuman @Nneuman
Two big updates for Casa clients today! 1. Buy/Sell bitcoin & stablecoins right in Casa, send to your vault with a tap (and no fees through end of May!) 2. New business features to make securing your bitcoin treasury simpler and safer Check out Casa’s spring product release 👇