d!giD0F

Meteors have been seen in Turkey, Australia, Ohio, and Pennsylvania this past week

We're laying the wiring for anti-censorship infrastructure

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

POKÉMON GO PLAYERS TRAINED 30 BILLION IMAGE AI MAP Niantic says photos and scans collected through Pokémon Go and its AR apps have produced a massive dataset of more than 30 billion real-world images. The company is now using that data to power visual navigation for delivery robots, letting them identify exact locations on city streets without relying on GPS. Source: NewsForce

Hardware using software to make hardware that can run software.

🚨 Holy shit… Stanford just exposed that every major AI company is using your private conversations to train their models by default. They analyzed the privacy policies of OpenAI, Google, Meta, Anthropic, Microsoft, and Amazon. Reviewed 28 separate documents across all 6 companies. The findings are worrisome. Every prompt you type. Every file you upload. Every personal detail you share. All of it feeds directly into model training the moment you hit send. That health question you asked ChatGPT at 2am? Training data. Legal situation you described to Claude? Training data. The photo you uploaded to Gemini? Training data. Some companies retain your conversations INDEFINITELY. Amazon, Meta, and OpenAI have no confirmed deletion timeline for certain chat data. Your most private conversations could sit on their servers forever. It gets worse for kids. Four out of six companies allow children aged 13-18 to use their chatbots, and most don’t treat children’s data any differently. Kids’ conversations are likely getting fed into model training by default. Kids who can’t legally consent to it. Here’s something most people missed: enterprise customers are opted OUT of training by default. You, the consumer paying $20/month? Opted IN. Companies paying thousands? Protected automatically. There’s a two-tiered privacy system and you’re on the wrong side of it. OpenAI even frames the opt-in with guilt. Their settings page says “Improve the model for everyone.” Stanford’s researchers flagged this as a textbook dark pattern designed to make you feel bad for protecting your own data. Meta’s contractors told reporters they routinely see identifiable personal information in the chat data they review. Journalists were able to positively identify at least one real person from chat transcripts shared with them. The privacy policies themselves? Stanford had to dig through 6 separate documents just for OpenAI alone. Most real disclosures were buried in sub-policies no normal person would ever find. The researchers said it was challenging for THEM to piece it together. For consumers? “Practically impossible.” Only Microsoft explicitly stated they try to remove personal data like names, phone numbers, and addresses before training. The rest are either vague about it or completely silent.