yan
@bcrypt
20.2K posts

security engineering @brave / helped build Let's Encrypt, Privacy Badger, and HTTPS Everywhere @eff / physics alum @mit / rabbit enthusiast

Joined November 2012
327 Following · 74.2K Followers

Pinned Tweet
yan @bcrypt
could not for the life of me figure out how to buy a bus ticket in Milan. it was literally easier to get a shell 😆
yan @bcrypt
wow it turns out that some of those AI slop reports that every bug bounty program is now flooded with are from security companies trying to get free training input @Bugcrowd please name them! bugcrowd.com/blog/bugcrowd-…
yan retweeted
Brave @brave
AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks. We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger.
yan retweeted
Meredith Whittaker @mer__edith
📣🚨 BAT SIGNAL: A law in France that would mandate a backdoor in end to end encrypted communications is set for a vote within the next day, after some start-stop skirmishes.

The French Narcotraffic law would require encrypted communications providers—like Signal—create a backdoor by giving the government the ability to add themselves to any group or chat they like. In the name of (checks notes) fighting drug trafficking.

While those hyping this bad law have rushed to assure French politicians that the proposal isn’t ‘breaking encryption’, their arguments are as tedious as they are stale as they are laughable. For those catching up, let’s review the basics: end to end encryption must only have two ‘ends’—sender and recipient(s). Otherwise, it is backdoored. Whatever method is devised to add a ‘third end’—from a perverted PRNG in a cryptographic protocol, to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats—it rips a hole in the hull of private communications and is a backdoor.

Indeed, the ghost participant proposal was roundly rebuked (humiliated, even) when it was first proposed in 2019 in the UK. The technical community was united, and it was never implemented in law or otherwise.

We cannot accept any backdoor, however it’s dressed up. Communications don’t stay within jurisdictional boundaries. Which means a hole created in France becomes a vector for anyone wanting to undermine Signal’s robust privacy guarantees, anywhere. Instead of contending with unbreakable math, they only have to compromise a French government employee, or the vendor-provided software used to sideload government operatives into your private chats.

This is why, as always, Signal would exit the French market before it would comply with this law as written.

At this moment especially, there is simply too much riding on Signal, on our being able to forge a future in which private communication persists, to allow such pernicious undermining.

We hope—WE HOPE—that this callow, dishonest attack will fail, and will be the last. We would love to get back to the work of maintaining and improving our core technologies, instead of fighting legislation which is distinguished in nothing as much as its refusal to listen to decades of expert consensus in its drive to imperil global cybersecurity and the human right of privacy.
yan @bcrypt
(this is the sort of tweet that would have absolutely slapped on infosec twitter circa 2015, RIP)
yan @bcrypt
ecdsa private key leak due to nonce reuse strikes again, this time in the elliptic npm library github.com/advisories/GHS…
yan @bcrypt
@AmandaAskell @bratwebb ALSO recall that i won the plank and wall sit competitions at Anya's birthday party!!
yan @bcrypt
@AmandaAskell @bratwebb my default protein intake is pretty low (like 1 g/kg at most) and i didn’t get much benefit from going higher! if you’re consistent you should still gain muscle. my main metric is climbing and i went from 11b’s to 12b’s in like a year of strength training with no diet changes
Amanda Askell @AmandaAskell
I knew strength training would be hard because lifting heavy things is hard. But it also seems to involve eating protein like it's a part time job. If any seasoned people have tips for beginners, I'd love to know them!
yan @bcrypt
@KumailNanji i heard this works even better: rm -rf /
Kumail Nanji @kumailnanji
Mac tip of the year: Go to "~/Library/Caches" and delete everything inside I just reclaimed 500gb of storage 🤯😤
yan @bcrypt
@thdxr october 2023
dax @thdxr
has anyone generated an impressive logo you'd actually ship with ai? this feels like a good benchmark
yan @bcrypt
@troyhunt haha i got this too
Troy Hunt @troyhunt
You absolute muppet, Ghulam 🤦‍♂️
yan @bcrypt
target.com prices delivery items based on your local store setting, not your delivery address, so if you live in SF just set your local store to Missouri or something lol
cinesthetic. @TheCinesthetic
What’s something that’s completely normal in movies but would be weird and even psychotic in real life?
Luke Dashjr @LukeDashjr
Never run a web browser on a computer of any importance. The most well-maintained browser, Chromium/Chrome, has a security issue on average once every week. Almost everything else, including apps that embed browsers like Signal Desktop and KMail, is a derivative of Chromium and quite poorly maintained. Even when they backport security fixes, it's usually very late, and rarely complete. (I don't keep track of Firefox, but I would be surprised if it had fewer issues. If it has fewer fixes, I would just assume that means more of them are undiscovered/unfixed.)
Luke Dashjr @LukeDashjr
@slvrbckt @BitcoinShud @brave When did Brave release a fix for CVE-2024-12695? How can I take it seriously when there's no easy way to find out?
yan retweeted
scum @scumitchell
I benchmarked over 100 HTML tags so you don't have to and here are the visualized results. Not all HTML tags are created equal!
yan retweeted
chrisrohlf @chrisrohlf
A little over 10 years ago I and @dugdep stood up the first Yahoo! Red Team when I joined the Paranoids under @alexstamos. Despite low morale through economic downturns, a failing business, terrible headlines, waves of layoffs and a legacy tech stack the Paranoids punched well above their weight. They detected and disrupted multiple nation state adversaries, offered encrypted email to millions of people when there was enormous political pressure not to (@bcrypt), enabled TLS for web properties even when a % of users were still on IE5/6, encrypted data center links as a result of the Snowden leaks and countless other efforts even when the odds were stacked against them. I have no doubt the people still there will continue delivering great work, and those who were let go will bring that same level of greatness wherever they land.
Quoting Lorenzo Franceschi-Bicchierai @lorenzofb:

NEW: Yahoo laid off around 25% of its cybersecurity team, known internally and in the industry as "The Paranoids," in the last year. Company let go ~40 people out of ~200, according to multiple current and former Yahoo employees. techcrunch.com/2024/12/12/yah…

Karri Saarinen @karrisaarinen
got a new computer, went to download Chrome for testing. Google: here are your 5 sponsored random links at the top