rexstuff
40 posts


@SkrzSecurity @IceSolst @BHinfoSecurity B&B is great, but many of the cards and scenarios aren't applicable to all orgs. A trained and customized agent can build something that makes sense for your particular kettle of issues.

How we do tabletop exercises:
- made a web app that generates a random scenario (via Claude)
- pick the initial response, add a few words, then roll a d20
- the effectiveness of this step’s response is determined based on your roll (by Claude)
- e.g. a 1 means our logs show nothing and the attacker pivots further, etc.
- you then write into a text box how you’d respond again, roll again, etc
In the future, could add items and spells based on your “class”, e.g. security analyst vs SRE vs IT admin, etc.
Super fun
Bits, Bytes, and Bourbon@DecryptedTech
Build your TTXs like a game of D&D (complete with dice and random event tables). I once did a TTX for a food processing company and the random event table came up with infected "zombie" rats in a shipment of grain. Everyone had a great time, lots of engagement and participation from the executive team as well
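The dice-driven loop from the post above, as an added example in Python; this is not the author's web app. The Claude-generated scenario is replaced by a fixed attack path and the Claude judgement of each step by a d20 outcome table (both assumptions), so a session runs offline and reproduces under a seed. It also goes one step past the post by wiring in the "class" idea as a flat +2 bonus when a response uses an action from that role's skill list; the keyword lists are assumptions.

```python
"""Dice-driven tabletop-exercise (TTX) loop.

Added example, not the web app from the post. The post has Claude generate
the scenario and judge each step; here the scenario is a fixed attack path
and the judge is a d20 lookup table (both assumptions) so the loop runs
offline and is reproducible with a seeded RNG.
"""
import random
from dataclasses import dataclass, field

# Constructed attack path: the stage index is how far the attacker has got.
ATTACK_PATH = [
    "phishing macro runs on a finance workstation",
    "attacker installs a scheduled task for persistence",
    "attacker dumps cached credentials and moves to the file server",
    "attacker exfiltrates the finance share",
]


def resolve(roll: int, modifier: int = 0) -> str:
    """Map a d20 roll (plus modifier) to an outcome tier.

    A natural 1 or natural 20 overrides the modifier, as in tabletop play.
    """
    if roll == 1:
        return "critical_failure"   # "our logs show nothing, attacker pivots further"
    if roll == 20:
        return "critical_success"
    total = roll + modifier
    if total <= 9:
        return "failure"
    if total <= 17:
        return "hold"
    return "success"


# How each tier moves the attacker along the path (positive = attacker gains).
STAGE_DELTA = {
    "critical_failure": 2,
    "failure": 1,
    "hold": 0,
    "success": -1,
    "critical_success": -99,   # contained outright: clamped to stage -1 below
}

# "Class" bonus from the post's future idea: a role gets +2 when its response
# mentions an action in its wheelhouse. Keyword lists are assumptions.
CLASS_SKILLS = {
    "security analyst": ("hunt", "triage", "logs"),
    "sre": ("isolate", "rollback", "snapshot"),
    "it admin": ("reset", "disable", "patch"),
}


def class_modifier(player_class: str, response: str) -> int:
    words = response.lower()
    return 2 if any(k in words for k in CLASS_SKILLS.get(player_class, ())) else 0


@dataclass
class Exercise:
    player_class: str
    stage: int = 0                     # index into ATTACK_PATH; -1 = eradicated
    log: list = field(default_factory=list)

    @property
    def over(self) -> bool:
        return self.stage < 0 or self.stage >= len(ATTACK_PATH)

    def step(self, response: str, roll: int) -> str:
        """Apply one free-text response plus a roll; return this turn's narrative."""
        mod = class_modifier(self.player_class, response)
        tier = resolve(roll, mod)
        self.stage = max(-1, self.stage + STAGE_DELTA[tier])
        if self.stage < 0:
            where = "attacker eradicated, exercise won"
        elif self.stage >= len(ATTACK_PATH):
            where = "data exfiltrated, exercise lost"
        else:
            where = ATTACK_PATH[self.stage]
        line = f"[roll {roll}+{mod} = {tier}] {response!r} -> {where}"
        self.log.append(line)
        return line


def run_exercise(player_class: str, responses: list, seed: int = 0) -> Exercise:
    """Play a scripted exercise with a seeded d20 so a run can be replayed."""
    rng = random.Random(seed)
    ex = Exercise(player_class)
    for response in responses:
        if ex.over:
            break
        ex.step(response, rng.randint(1, 20))
    return ex


if __name__ == "__main__":
    session = run_exercise("sre", ["isolate the workstation", "reset the user's creds",
                                   "hunt for the scheduled task", "block egress"], seed=7)
    print("\n".join(session.log))
```

The seeded RNG is what makes a session replayable in a debrief: the same responses and seed always produce the same narrative, so a team can argue about the decisions rather than the dice.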

@HackingDave While you are certainly saying the right things, I hope you will forgive me if I remain skeptical and reluctant to give an unpredictable actor that level of power over my environment. Cheers.

@rexstuff They aren't suggestions if you control the model. We don't use the frontiers, and guardrails are implicit, with encoders doing the majority of the grunt work, then an LLM providing the human-readable narratives, plus, as you mention, strong access control

Using a coding harness? Hook NightBeacon up to it. Drop files, logs, whatever - have it automatically RE it, give full timeline of artifacts. Have it automatically spin up containers and detonate malware, snag all the IOCs, submit it to TI sources automatically. Runs through Suricata, Zeek, Hayabusa, CAPE, and many others including 10K+ yara rules.
Use velociraptor? Dump it in, automatically analyzes, reaches out via connectors to pull additional data if necessary, gives you full timelines.
Want to kick off a threat hunt? Cool, ask NightBeacon to generate a hypothesis-based threat hunt on the past week of activity, pushes through your connectors, brings results back and analysis.
Want to take action? "Contain these hosts". Done.
Just want to see how your org is doing? "How am I looking today?"
#BinaryDefense

@Madisonkanna @opencode 280 tps?! On GLM-5.2?! I want to believe, but there's no way... right?

the best open source model available in the best OSS harness @opencode
>280 tps and <0.8 ttft

@HackingDave If not hallucinations, then over-eager agents trying to be 'helpful'. Guardrails are merely suggestions, the only way you can prevent an agent from going off the rails and paving your network is strong access controls.

@rexstuff Not prone to hallucinations - if you are experiencing that, your safeguards and judge models aren’t set up well, nor is the prompt

this dynamic is really crazy right now
even things for building other things are getting wrapped with another layer trying to be the access point
everyone is flailing, full of anxiety, zero restraint
Adam Wathan@adamwathan
Feels like we're all just building "things for building other things" and not a lot of "things" anymore.

@ZackKorman @JeffBohren Of course the article is sensational, but Anthropic still chose their failure mode wrong. Such a command should fail safe, not let a user bypass controls.
Tbh, I'm more bothered that Claude will sometimes straight up ignore `permissions.deny` settings.

It does, but not how they present it. If a command has 50+ subcommands it isn’t checked against the block list, but instead it comes up and says “we can’t check all of these, do you want to do it anyway” and you have to click yes/no. And the command is still checked by the AI, just not the block list, so the whole “it can steal your secret keys” and “they did it to save tokens” is just them totally not understanding this.
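The fail-safe behaviour argued for in the replies above, as an added example in Python: a deny-rule evaluator for compound shell commands that refuses whenever it cannot finish the evaluation (too many segments, unbalanced quotes, empty input), beside a lenient variant that skips the list instead. This is constructed for illustration and is not Claude Code's implementation; nothing in it describes how that tool's `permissions.deny` is actually evaluated. The rule syntax (space-separated command prefixes, each token an fnmatch glob, trailing `*` meaning any further arguments), the deny list, the segment limit and the padded sample command are all assumptions.

```python
"""Fail-closed deny-list check for compound shell commands.

Added example, not Claude Code's code: it models the property argued for in
the thread (a command that cannot be fully checked is refused, never waved
through) with a constructed rule syntax. Rules are space-separated command
prefixes; each token is an fnmatch glob and a trailing "*" means "any further
arguments". Needs Python 3.8+ for shlex punctuation_chars + whitespace_split.
"""
import fnmatch
import shlex

# Constructed deny list (assumption, not any real tool's syntax).
DENY_RULES = [
    "cat ~/.ssh/*",
    "cat ~/.aws/*",
    "curl *",
    "rm -rf *",
]

# Hard cap on segments evaluated per command line (assumption).
MAX_SEGMENTS = 50

SEPARATORS = {";", "&&", "||", "|", "&"}


def split_segments(command: str) -> list:
    """Tokenise with quotes respected, then split on shell separators.

    Returns a list of argv lists. Raises ValueError on unbalanced quotes,
    which the caller treats as "cannot evaluate", not "allowed".
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def rule_matches(rule: str, argv: list) -> bool:
    """True if argv starts with the rule's tokens (each an fnmatch pattern)."""
    pattern = rule.split()
    if pattern and pattern[-1] == "*":
        pattern = pattern[:-1]          # trailing "*": any further args, or none
    if len(argv) < len(pattern):
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(argv, pattern))


def check(command: str) -> tuple:
    """Fail-closed evaluation. Returns (allowed, reason).

    Every path that cannot finish the evaluation returns allowed=False.
    """
    try:
        segments = split_segments(command)
    except ValueError as exc:
        return False, f"cannot parse command: {exc}"
    if not segments:
        return False, "empty command"
    if len(segments) > MAX_SEGMENTS:
        return False, (f"{len(segments)} segments exceed the limit of "
                       f"{MAX_SEGMENTS}; refusing instead of skipping the deny list")
    for argv in segments:
        for rule in DENY_RULES:
            if rule_matches(rule, argv):
                return False, f"{' '.join(argv)!r} matches deny rule {rule!r}"
    return True, "no deny rule matched"


def check_lenient(command: str) -> tuple:
    """Contrast: the unsafe failure mode. Oversized or unparseable commands
    bypass the deny list entirely, so padding with no-op segments hides the
    one that matters."""
    try:
        if len(split_segments(command)) > MAX_SEGMENTS:
            return True, "too many segments to check; passed through"
    except ValueError:
        return True, "could not parse; passed through"
    return check(command)


# Constructed attack input: 60 no-op segments in front of the command the
# deny list is meant to stop.
PADDED = "; ".join(["true"] * 60 + ["cat ~/.ssh/id_ed25519"])

if __name__ == "__main__":
    for cmd in ["ls -la", "git status && cat ~/.ssh/id_rsa", "echo 'a; b'",
                'echo "unterminated', PADDED]:
        print(f"{cmd[:40]!r}: strict={check(cmd)[0]} lenient={check_lenient(cmd)[0]}")
```

Even the strict version only matches literal argv prefixes: `cat < ~/.ssh/id_rsa`, `cat $HOME/.ssh/id_rsa` or `sh -c '...'` sail past these rules, which is why a deny list is a convenience and not the control that keeps an agent from reaching the keys in the first place.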

Adversa AI has analyzed the Claude Code source code and identified a serious vulnerability:
"Every developer using Claude Code with deny rules configured has a false sense of security. A single malicious repository can harvest SSH keys, cloud credentials, and API tokens from every developer who clones it. The developers who took the time to configure security policies are precisely the ones who believe they are protected."
This one is really serious.
If you are using Claude Code, please read the full article in the comments.

@David_Charts2 @robbysoave The article is about a few select industries: academia, creatives, etc., a small part of the larger workforce. Just because it's not showing up in the whole pop doesn't mean discrimination isn't happening in these specific industries.

@_carlbeijer @robbysoave The data he cites is the whole census; the article highlights problems in a few select industries. Academia, creatives, etc., which make up a tiny part of the whole. Just because it's not showing up in the whole census doesn't mean discrimination isn't happening in these industries.

@MattBruenig Second graph is pretty much meaningless, and easy enough to debunk. Since 'everyone else' will exclude white men, women, who are more likely to be out of the workforce to rear children, will be over-represented. If anything, it supports the thesis, as 'everyone else' is climbing.

What Does the Census Data Say About “The Lost Generation” peoplespolicyproject.org/2025/12/17/wha…

@robbysoave Dan's problem isn't that he thinks opinion writers aren't journalists; it's that he thinks that journalists aren't opinion editors...

She worked for the Opinion pages of The New York Times. Opinion editors are journalists too, dude!
Dan Pfeiffer@danpfeiffer
Bari Weiss has never really worked as a journalist. She is an opinion writer who runs an opinion Substack. The idea that she has insights that supersede those of the journalists at 60 Minutes is absurd.

@LizWolfeReason May be less of a case of people not knowing than of people not caring. They're required to ask, they're not required to verify. Deep down, they know the rule is stupid, but they're not about to rock the boat or put their job at risk for it.

@emmma_camp_ But what I love about Martinis is that they're such a personal drink. Everyone who enjoys them is particular about how they like them - they have their own unique and exact way that they prefer them. How dry they like them, how they like them garnished, shaken or stirred, etc.

@SFBayCityZen @EneaszWrites @extimitations This is the sort of thing that everyone over 40 should know. This needs to be everywhere.

@EneaszWrites @extimitations Did the dispatcher have him chew an aspirin?
ahajournals.org/doi/10.1161/JA…

Incredible post on institutional rot in Canada, courtesy of @extimitations , coming out of InkHaven.
"i get to the hospital at 1:30 am. the nurse gives me a long, hard stare after i tell them who i'm here to see. she asks if my mom told me the news, and that's the moment when i know for sure (except it still doesn't quite feel real). i lie and say yes, and she stares at me a little longer, scrutinizing. then she leads me to the room with my dad's body and the rest of my family. when i press one last kiss to his forehead, he is still not quite cool."
jenn.site/my-dad-could-s…

@LizWolfeReason It's true. Every time I think I hate them enough, they do something like showing that I need to hate them yet more.

@DavidLandrum6 @BridgetPhetasy @justjeren And you're also forgetting that the separation of church and state was primarily about protecting the church from the state, not the other way around.

@BridgetPhetasy @justjeren What Charlie forgets
The 1st 13 colonies had constitutions that recognized royal authority
& that no law could be passed to supersede English law
We had a war to break free from colonial constitutions, not enshrine them
& the establishment clause separates church & state

Back in March my husband @justjeren sent me this clip and it was then I realized I had a huge misconception of who Charlie was and what he was doing.
Joel Berry@JoelWBerry
I’ll keep posting this video at least once a month for the foreseeable future