@mttaggart Do not let perfect stand in the way of good.
Notices by Bill (sempf@infosec.exchange)
-
Bill (sempf@infosec.exchange)'s status on Monday, 09-Mar-2026 04:21:29 JST
Bill
-
Bill (sempf@infosec.exchange)'s status on Saturday, 07-Mar-2026 10:31:24 JST
Bill
Uhyup
h/t @SheHacksPurple
-
Bill (sempf@infosec.exchange)'s status on Sunday, 01-Feb-2026 03:34:10 JST
Bill
@horse Camera adds a few inches.
-
Bill (sempf@infosec.exchange)'s status on Sunday, 25-Jan-2026 12:35:47 JST
Bill
@horse Need to recharge.
-
Bill (sempf@infosec.exchange)'s status on Friday, 16-Jan-2026 19:05:53 JST
Bill
Did I mention the incredibly talented and handsome @horse? #codemash
-
Bill (sempf@infosec.exchange)'s status on Friday, 16-Jan-2026 02:15:49 JST
Bill
@horse Well, yeah kinda
-
Bill (sempf@infosec.exchange)'s status on Friday, 16-Jan-2026 02:15:22 JST
Bill
Does anyone else do the urinal kata in their head every time they go to the bathroom at a developer con? Just me? #codemash
-
Bill (sempf@infosec.exchange)'s status on Monday, 29-Dec-2025 23:42:01 JST
Bill
@palefailmel @stux In general, I love the idea that "parental controls" are for the mid-aged to control what their parents can see online.
-
Bill (sempf@infosec.exchange)'s status on Sunday, 28-Dec-2025 07:13:30 JST
Bill
@horse I personally think it reads worse than it is.
-
Bill (sempf@infosec.exchange)'s status on Sunday, 28-Dec-2025 06:32:39 JST
Bill
There is a non-zero chance someone took the gpg source to meet Claude. I'll leave validation to the reader.
-
Bill (sempf@infosec.exchange)'s status on Saturday, 27-Dec-2025 09:50:13 JST
Bill
One thing I do miss about old infosec Twitter is that I had people there who would yell at me for coiling up ethernet cables. Those were the days.
-
Bill (sempf@infosec.exchange)'s status on Thursday, 25-Dec-2025 14:51:41 JST
Bill
@stux What gets me is shop.com and the like who recognise me by cc number and then send receipts to the last email they saw. That was fun this Christmas for gift buying. I've never set up an account or installed an app ner nuttin.
-
Bill (sempf@infosec.exchange)'s status on Tuesday, 23-Dec-2025 07:29:58 JST
Bill
@requiem You'll be coding in Perl soon. Godspeed.
-
Bill (sempf@infosec.exchange)'s status on Thursday, 11-Dec-2025 23:25:11 JST
Bill
Here we go, @cR0w this should make your day. Why LLMs are Less Intelligent than Crows
https://hackaday.com/2025/12/10/why-llms-are-less-intelligent-than-crows/
-
Bill (sempf@infosec.exchange)'s status on Thursday, 04-Dec-2025 11:08:00 JST
Bill
@horse Something like that.
-
Bill (sempf@infosec.exchange)'s status on Thursday, 04-Dec-2025 11:06:04 JST
Bill
Aah, I see they thawed Buble out for the season.
-
Bill (sempf@infosec.exchange)'s status on Thursday, 27-Nov-2025 18:48:25 JST
Bill
Threat intel is utterly impossible. Look at this. All from a fake browser update. One person, just clicking on a website causes all of this. How do you create a threat model for this shit?
https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html?m=1
-
Bill (sempf@infosec.exchange)'s status on Wednesday, 26-Nov-2025 04:36:05 JST
Bill
@jerry I gotta come up with a solution for this shit. Problem is, we are bumping up against human nature. "Tough programming problem? Here, take this free code that will solve it for you!"
But we can't live like that. I said it when we started, what, 20 years ago. I was right. But now what the fuck do we do? I'm stuck for ideas.
-
Bill (sempf@infosec.exchange)'s status on Wednesday, 26-Nov-2025 04:36:04 JST
Bill
@creativegamingname So far as my actual answer is concerned, we already have something similar to this basic concept with the idea of code signing. Code signing is really common in binaries, but we need to be signing the hashes of JavaScript components and stuff as well.
That doesn't solve the problem straight up because if the attacker is altering the underlying code, that hash won't save you. What the hash will do, though, is confirm that you're running the right version—the not vulnerable version—of the code. That would be a step in the right direction, and we already have the pattern in place for code signing.
-
Bill (sempf@infosec.exchange)'s status on Wednesday, 26-Nov-2025 04:36:03 JST
Bill
@creativegamingname FINE JUST BE A DOWNER!
No, you are exactly right. I dunno how we are gonna do it. Though, we have set standards with the IEEE and W3C and like that so maybe it is possible that way. Not enforced, just standard. Better than nothing.