Notices by Adam Shostack :donor: :rebelverified: (adamshostack@infosec.exchange)

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 03-Nov-2024 06:54:55 JST: @ryanc Hey look, I’m not the one who under-specified the requirements! 😂

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 03-Nov-2024 06:22:44 JST: @ryanc a trapdoor?

Adam Shostack (adamshostack@infosec.exchange)'s status on Monday, 30-Sep-2024 01:10:07 JST: I find myself really irked by the headline here. The problem is not a "simple website bug"; the problem is that they wrote thousands of lines of code without ever thinking about what the trust boundaries are, or should be.
This is a massive design flaw. The idea that cars should be controllable from some mothership is bizarre (and not needed for app control: have a digital signature from the mobile device). The idea that cars are enrolled even if the user didn't set up an account is similarly broken. This isn't a "simple website bug" but a massive failure to consider the security implications of features.

Adam Shostack (adamshostack@infosec.exchange)'s status on Saturday, 21-Sep-2024 10:37:17 JST: @luckytran @inthehands In reading about this, I learned there are already nasal vaccines, which no one had ever mentioned to me. They require administering by a professional; what’s new is the “at home”?

Adam Shostack (adamshostack@infosec.exchange)'s status on Monday, 09-Sep-2024 11:45:55 JST: @noondlyt @inthehands Why is that, Leon?

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 08-Sep-2024 08:15:51 JST: @ryanc I don't do this because of the 30-60 second lag to get the email, plus all the shiny distractions in my email, but, yeah, it's not stupid.

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 01-Sep-2024 23:45:57 JST: @patrickcmiller "Sinister Sysadmin" is my new threat actor/prog rock band name.

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 01-Sep-2024 05:58:03 JST: Hmmm, no thank you, I think I don't want to run this code:
sudo rm -rf "${studio_path}/" -mindepth 1 -maxdepth 1 ! -name "ldraw" -exec rm -rf {} +
(Bricklink Studio /scripts/preinstall)
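An added example, not the Bricklink script and not part of the post: the quoted line pastes find(1) options (-mindepth, -maxdepth, ! -name, -exec) onto an rm(1) command, which does not understand them, and expands ${studio_path} with no guard, so an unset or empty variable would turn the first argument into "/". The script below does the cleanup the quoted line appears to intend (delete everything one level below the directory except "ldraw"), with find doing the selection and ${var:?} refusing to run when the variable is missing. The function names clean_studio_dir and make_studio_fixture and the directory tree are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not the Bricklink preinstall script. Same intent as the
# quoted line (remove every entry directly under $studio_path except
# "ldraw"), with two guards the quoted line lacks.

# Remove every entry one level below "$1" except "ldraw".
clean_studio_dir() {
    studio_path="$1"
    # ${studio_path:?msg} aborts the (sub)shell with "msg" when the variable
    # is unset or empty, so the command can never degrade to "rm -rf /".
    : "${studio_path:?refusing to clean: studio_path is unset or empty}"
    # Also refuse anything that is not an existing directory (a typo'd path
    # or a plain file).
    [ -d "$studio_path" ] || { echo "not a directory: $studio_path" >&2; return 1; }
    # find(1) understands -mindepth/-maxdepth/-name; rm(1) does not. The
    # selection happens in find, and rm only ever sees the matched entries,
    # never the parent directory itself.
    find "${studio_path}/" -mindepth 1 -maxdepth 1 ! -name 'ldraw' -exec rm -rf {} +
}

# Constructed fixture: a throwaway tree shaped like an install directory.
make_studio_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ldraw/parts" "$dir/old_build"
    printf 'keep\n' > "$dir/ldraw/parts/1.dat"
    printf 'stale\n' > "$dir/stale.bin"
    printf '%s\n' "$dir"
}

# Demo: clean the fixture, show what survived, then discard it.
demo_dir=$(make_studio_fixture)
clean_studio_dir "$demo_dir"
ls -A "$demo_dir"          # only "ldraw" remains
rm -rf "$demo_dir"
# An empty path is refused instead of expanding to "/". Run in a subshell,
# because ${var:?} exits the shell it runs in.
(clean_studio_dir "") 2>/dev/null || echo "empty studio_path refused"
```

The ${var:?} form works in any POSIX sh; "set -u" at the top of a script gives the same protection for every variable at once. Neither protects against a variable that is set to the wrong non-empty path, which is what the -d check and the find-based selection are for.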
Adam Shostack (adamshostack@infosec.exchange)'s status on Monday, 26-Aug-2024 04:03:03 JST: @inthehands @paul_ipv6 Did you try YouTube or TikTok (or something else)? I've found that fix-it videos are MUCH better on TikTok because they impose time limits rather than using minutes watched as a signal of quality.
I don't know if that applies to explainers like you're looking for, but I watched 5 minutes of a YouTube video on Alcatraz doors and learned exactly nothing.

Adam Shostack (adamshostack@infosec.exchange)'s status on Wednesday, 24-Apr-2024 11:27:52 JST: @ryanc Thank you.

Adam Shostack (adamshostack@infosec.exchange)'s status on Wednesday, 27-Mar-2024 08:08:34 JST: @ryanc @tess @sophieschmieg @david_chisnall @Vrimj I'm fond of asking "are you asking that because you don't know how to fix it, or because you really think it'll never happen?" (1/3)

Adam Shostack (adamshostack@infosec.exchange)'s status on Monday, 18-Mar-2024 01:18:13 JST: "They are requesting $22 million this year, up from $5 million last year, to test autonomous weapons software against complex scenarios involving ethical decisions."
I can guess the answer for only $50,000. Why so much? Editing my "You idiots" into acceptable text is going to be expensive.

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 11-Feb-2024 04:56:14 JST: @paul_ipv6 @inthehands I was thinking about Paul’s comment as I wondered why a ^ disappeared between generative2 in a post here

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 11-Feb-2024 04:56:12 JST: @paul_ipv6 @inthehands Well, correct fractions or not, no one would ever have struggled with underfull hboxes like they have to in CSS

Adam Shostack (adamshostack@infosec.exchange)'s status on Wednesday, 27-Dec-2023 10:50:40 JST: @inthehands @Haste IANALE, but if you're relying on a tool that says "Hey, this thing is full of errors", maybe that's a sign that you should be.
Of course, fancy lawyers will make a case that it's unsettled law.

Adam Shostack (adamshostack@infosec.exchange)'s status on Tuesday, 26-Dec-2023 13:01:52 JST: @Haste @inthehands We don’t need a new law. There’s no reason to think “the devil made me do it” is a defense.

Adam Shostack (adamshostack@infosec.exchange)'s status on Monday, 20-Nov-2023 12:24:07 JST: @eaton I’ve found the UI in HappyScribe to be really helpful even if I can get transcription elsewhere.

Adam Shostack (adamshostack@infosec.exchange)'s status on Friday, 10-Nov-2023 04:28:29 JST: @petergleick @inthehands I see this is CPI adjusted (cool!). Is there a version that normalizes against population growth?
(Yes, there’s complexity of overall growth vs growth in high-danger areas.)

Adam Shostack (adamshostack@infosec.exchange)'s status on Tuesday, 10-Oct-2023 11:40:06 JST: @linear @irenes The US Office of Science and Technology Policy has an open call for comments about the future of open source security. I want to encourage you to tell them about your choices so they don’t randomly default to “of course wallet names are a fine thing”.

Adam Shostack (adamshostack@infosec.exchange)'s status on Sunday, 18-Jun-2023 15:00:52 JST: This is next-level APT TTP right here. https://twitter.com/llm_sec/status/1667573374426701824
“- People ask LLMs to write code
- LLMs recommend imports that don't actually exist
- Attackers work out what these imports' names are, and create & upload them with malicious payloads
- People using LLM-written code then auto-add malware themselves”
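An added example, not from the quoted thread or from any project: the last step of that chain only works if the install is allowed to fetch whatever name appears in the generated code. One cheap install-time gate is an allowlist of packages a human has already vetted. The script below checks a Python requirements.txt against such a list, normalizing names the way package indexes compare them so that "Huggingface_Hub" and "huggingface-hub" are the same package. The function names (vet_requirements, requirement_name, normalize_name, make_deps_fixture), both input files, and the package name "llm-invented-helper" are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the quoted thread: refuse to install any requirement
# whose name is not on a list of packages a human has already vetted. This is
# the point where a hallucinated, attacker-registered name gets stopped.

# Normalize a distribution name the way package indexes compare them:
# lowercase, with any run of '-', '_' or '.' collapsed to a single '-'.
normalize_name() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -E 's/[-_.]+/-/g'
}

# Print the bare package name from one requirements.txt line: the leading run
# of name characters, so extras ("[cli]"), version specifiers, environment
# markers ("; python_version ...") and comments fall away. Prints nothing for
# blank or comment-only lines and for option lines such as "-r other.txt".
requirement_name() {
    line=$(printf '%s\n' "$1" | sed -E 's/#.*$//; s/^[[:space:]]+//')
    case "$line" in
        ''|-*) return 0 ;;
    esac
    printf '%s\n' "$line" | sed -E 's/^([A-Za-z0-9._-]*).*$/\1/'
}

# vet_requirements ALLOWLIST REQUIREMENTS
# Exit 0 when every requirement is vetted; otherwise print each unvetted
# (normalized) name on its own line and exit 1, so a CI step can stop here
# before "pip install -r" ever runs.
vet_requirements() {
    allowlist="$1"; reqs="$2"
    vetted=" "
    while IFS= read -r a || [ -n "$a" ]; do
        [ -n "$a" ] && vetted="$vetted$(normalize_name "$a") "
    done < "$allowlist"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(requirement_name "$line")
        [ -n "$name" ] || continue
        name=$(normalize_name "$name")
        case "$vetted" in
            *" $name "*) ;;
            *) printf '%s\n' "$name"; rc=1 ;;
        esac
    done < "$reqs"
    return "$rc"
}

# Constructed fixture: a vetted list and a requirements file in which one name
# ("llm-invented-helper", a placeholder) was never reviewed by anyone.
make_deps_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' requests numpy Huggingface_Hub > "$dir/vetted.txt"
    cat > "$dir/requirements.txt" <<'EOF'
# runtime dependencies
requests>=2.31
numpy==1.26.4 ; python_version >= "3.9"
huggingface-hub[cli]~=0.20   # pinned loosely on purpose
llm-invented-helper==0.1.0
-r dev-requirements.txt
EOF
    printf '%s\n' "$dir"
}

# Demo: the gate prints the unvetted name and fails, which is the signal to
# block the install.
demo_dir=$(make_deps_fixture)
if vet_requirements "$demo_dir/vetted.txt" "$demo_dir/requirements.txt"; then
    echo "all requirements vetted"
else
    echo "install blocked: unvetted package(s) listed above"
fi
rm -rf "$demo_dir"
```

The gate is deliberately name-based and offline: it does not ask the index whether a package exists, because by the time someone asks, the attacker may already have registered it. A URL or VCS requirement ("git+https://...") yields a name that is not on the list and is refused for the same reason; vet it and add it explicitly.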