Keith Crawford

14.6K posts

@tsudo

Security programs that work. AI governance that's honest. Systems thinking over theater. Disaster Relief Volunteer | A monument to mercy | Views are my own.

Southern U.S. Joined March 2007
3.9K Following 3.6K Followers
Keith Crawford reposted
ShellyOnSports @SportsShelly
It’s Thursday, we ball.
Keith Crawford reposted
John Fanta @John_Fanta
Behold, the bracket. Thoughts??????
Keith Crawford @tsudo
Do you have any idea how badly I want a Duke vs Arkansas national championship game ?!!! 🏀🐗🔥 Like I’d seriously lose my mind. #MarchMadness #WPS
Keith Crawford reposted
Hedgie @HedgieMarkets
🦔 Researchers at Aikido Security found 151 malicious packages uploaded to GitHub between March 3 and March 9. The packages use Unicode characters that are invisible to humans but execute as code when run. Manual code reviews and static analysis tools see only whitespace or blank lines. The surrounding code looks legitimate, with realistic documentation tweaks, version bumps, and bug fixes. Researchers suspect the attackers are using LLMs to generate convincing packages at scale. Similar packages have been found on NPM and the VS Code marketplace.

My Take

Supply chain attacks on code repositories aren't new, but this technique is nasty. The malicious payload is encoded in Unicode characters that don't render in any editor, terminal, or review interface. You can stare at the code all day and see nothing. A small decoder extracts the hidden bytes at runtime and passes them to eval(). Unless you're specifically looking for invisible Unicode ranges, you won't catch it.

The researchers think AI is writing these packages because 151 bespoke code changes across different projects in a week isn't something a human team could do manually. If that's right, we're watching AI-generated attacks hit AI-assisted development workflows. The vibe coders pulling packages without reading them are the target, and there are a lot of them.

The best defense is still carefully inspecting dependencies before adding them, but that's exactly the step people skip when they're moving fast. I don't really know how any of this gets better. The attackers are scaling faster than the defenses.

Hedgie🤗 arstechnica.com/security/2026/…
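The post above says the only reliable catch is to look for invisible Unicode ranges explicitly. The scanner below is an added example, not code from Hedgie's post or from the Aikido research: it walks a source file by code point and reports every character that draws no glyph but still reaches the JavaScript parser (Unicode format characters such as zero-width spaces and bidi controls, the tag block U+E0000..U+E007F, variation selectors, and a few blank-rendering letters). The helper module it scans is constructed for the demo, and the choice of the tag block as the carrier for the hidden bytes is an assumption about one common encoding, not a claim about which range the reported packages used; the scanner itself does not depend on that choice.

```javascript
// Added example (not from the quoted post or the Aikido write-up): find code points
// that render as nothing in an editor or diff view but survive into the parsed program.

// Characters that draw no glyph: all Unicode "format" characters (\p{Cf}: zero-width
// spaces/joiners, bidi controls, the tag block U+E0000..U+E007F), variation selectors,
// and a few letter/symbol code points that render as blank (Hangul fillers, Braille blank).
const INVISIBLE_CHAR = /^[\p{Cf}\p{Variation_Selector}\u3164\u115F\u1160\uFFA0\u2800]$/u;

const KNOWN_NAMES = {
  0x200b: "ZERO WIDTH SPACE", 0x200c: "ZERO WIDTH NON-JOINER", 0x200d: "ZERO WIDTH JOINER",
  0x2060: "WORD JOINER", 0xfeff: "ZERO WIDTH NO-BREAK SPACE", 0x3164: "HANGUL FILLER",
  0x00ad: "SOFT HYPHEN",
};

function describe(cp) {
  if (cp >= 0xe0000 && cp <= 0xe007f) {
    return `TAG character carrying ASCII 0x${(cp - 0xe0000).toString(16).padStart(2, "0")}`;
  }
  if ((cp >= 0x202a && cp <= 0x202e) || (cp >= 0x2066 && cp <= 0x2069)) {
    return "bidirectional control (Trojan Source style reordering)";
  }
  return KNOWN_NAMES[cp] || `invisible code point U+${cp.toString(16).toUpperCase().padStart(4, "0")}`;
}

// Walk the source by code point (not UTF-16 unit) so astral characters such as tags
// are seen whole. A byte-order mark at offset 0 is a normal file artefact and is the
// one invisible character we do not report; a BOM anywhere else is flagged.
function scanInvisible(source) {
  const hits = [];
  let line = 1, col = 1, offset = 0;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (ch === "\n") {
      line += 1; col = 1;
    } else {
      const leadingBom = cp === 0xfeff && offset === 0;
      if (!leadingBom && INVISIBLE_CHAR.test(ch)) {
        hits.push({ line, col, codePoint: cp, label: describe(cp) });
      }
      col += 1;
    }
    offset += ch.length;
  }
  return hits;
}

// What a loader in the package would recover from a tag-encoded string: each tag
// character U+E0000+n is one ASCII byte n. For triage only; never pass it to eval().
function decodeTagChars(source) {
  let out = "";
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xe0000 && cp <= 0xe007f) out += String.fromCharCode(cp - 0xe0000);
  }
  return out;
}

// Inverse of decodeTagChars, used here only to build the constructed sample.
function encodeTagChars(text) {
  return Array.from(text, (c) => {
    const b = c.charCodeAt(0);
    if (b > 0x7f) throw new Error("tag characters carry ASCII only");
    return String.fromCodePoint(0xe0000 + b);
  }).join("");
}

// Constructed sample (assumption, not a real package): looks like an ordinary helper
// module; the string literal on line 2 is 21 invisible tag characters hiding a
// harmless statement. In an editor the literal appears empty.
const HIDDEN_STATEMENT = "console.log('hidden')";
const SAMPLE_MODULE = [
  "// utils.js: trims padding before logging",
  `const pad = '${encodeTagChars(HIDDEN_STATEMENT)}';`,
  "module.exports = { pad };",
].join("\n");

// Print findings the way a CI gate would, one per line, and return the count so the
// caller can fail the build on anything non-zero.
function report(path, source) {
  const hits = scanInvisible(source);
  for (const h of hits) console.log(`${path}:${h.line}:${h.col}: ${h.label}`);
  if (hits.length) console.log(`hidden bytes decode to: ${JSON.stringify(decodeTagChars(source))}`);
  return hits.length;
}

report("utils.js", SAMPLE_MODULE);
```

Run it over `node_modules` (or better, over a package tarball before it is installed) and treat any non-zero count as a review stop; the only invisible character a normal source file legitimately contains is a leading BOM, which the scanner already ignores. Variation selectors and ZWJ do occur inside emoji sequences in comments and string literals, so expect a few benign hits there and read them rather than suppress the check.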
Keith Crawford @tsudo
AI crawlers hit your site every day — training bots, search bots, user-action fetchers. Most sites give them nothing useful. Here are the files you should add (robots.txt AI rules, llms.txt, Content Signals) with copy-paste examples. keithcrawford.me/blog/your-webs…
Keith Crawford reposted
Richard Seroter @rseroter
"For the first time since we began publishing the CTHR in 2021, we observed a tactical pivot by threat actors. They’re now targeting third-party software vulnerabilities more than weak or missing credentials as the primary initial access vector." cloud.google.com/blog/products/…
Keith Crawford reposted
Google @Google
Today @GoogleMaps is getting its biggest upgrade in over a decade. By combining our Gemini models with a deep understanding of the world, Maps now unlocks entirely new possibilities for how you navigate and explore. Here’s what you need to know 🧵
Keith Crawford reposted
Former Congresswoman Marjorie Taylor Greene🇺🇸
Just called Thomas Massie. Phone rings. Thomas answers. Me: hey what are you doing? Massie: I'm at Kroger. Call you back in 10. lol, he knows the grocery prices. Do you think Trump has been to a grocery store to do his own grocery shopping in the past 30 years? Nope.
Keith Crawford reposted
Jeremy Banon @jeremybanon
Kim calls out a detail in the Stryker attack that will get lost in medical/national security headlines. Executives had personal phones wiped because corporate MDM was installed on their private devices!! Without proper personal backups, personal assets are potentially irrevocable. As an executive, I'd be pretty sour about this 'occupational hazard.'

From the company perspective, during a major incident, their key decision makers lost:
• their phone
• their contacts
• their communications
• access to company systems

With a stock price diving, this is operational blackout. Feel so bad for the security team...

Kim Zetter @KimZetter

I've published more details about the cyberattack in this piece: zetter-zeroday.com/iranian-hackti…

Keith Crawford @tsudo
The point I was making is that in a world where MFA apps are often sitting on BYOD phones, and those devices are wiped/locked out, then people can't respond because they can't get to Slack, email, or much of anything. It also makes recovery longer, getting everyone securely informed and re-enrolled.
Webbovich @webbovich77
@tsudo What am I missing here? Their personal data would be linked to a cloud, surely. Should they assume personal data compromised, or simply deleted?