@inthehands @august don't forget that in the case of using a web interface, you have no guarantees that the JavaScript sent to you is the same JavaScript that was sent to someone else, or even the same that was sent to you yesterday. So if you want to target an individual, you can just ship a special version of the code that includes a line saying "and now send the private key unencrypted to the NSA", and you're unlikely to ever notice.
With downloaded apps such as Signal (even Signal Desktop), this attack is far more difficult to pull off (but not mitigated fully if you want updates regularly).
@mekkaokereke you famously cannot not communicate. And choosing not to listen, and walking away is the ultimate counterargument, that does not even need a word. It is a show of force, saying "your opinion isn't even important enough for me to respond", and they cannot abide by that. They need their words to define reality, and every indication that it doesn't needs to be destroyed.
@lauren so far, there is still no evidence of person-to-person transmission. So I think for the moment the pandemic part 2 risk is contained. Let's hope it stays that way.
@david_chisnall @ryanc @Lookatableflip and don't forget the whole Debian random number generator debacle. That was probably one of the motivating factors for adding RDRAND and friends to modern CPUs.
@ireneista technically Bas got this one. But I do get my fair share of cranks, and have for a while; cryptography just has a very high crank density.
In case you do not know how GenAI works, here is a very abridged description: First you train your model on some inputs. This is using some very fancy linear algebra, but can be seen as mostly being a regression of some sort, i.e. a lower-dimensional approximation of the input data. Once training is completed, you have your model predict the next token of your output. It will do so by creating a list of possible tokens, together with a rank of how good of a fit the model considers the specific token to be. You then randomly select from that list of tokens, with a bias to higher-ranked tokens. How much bias your random choice has depends on the "temperature" parameter, with a higher temperature corresponding to a less biased, i.e. more random, selection.
Now obviously, this process consumes a lot of randomness, and the randomness does not need to be cryptographically secure, so you usually use a statistical random number generator like the Mersenne Twister at this step.
So when they write "using a Gen AI model to produce 'true' random numbers", what they're actually doing is using a cryptographically insecure random number generator and applying a bias to the random numbers generated, making it even less secure. It's amazing that someone can trick anyone into investing in that shit.
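The sampling step described in the post above, as an added example that is not part of the original post: temperature-weighted token selection driven by Python's `random.Random` (a Mersenne Twister), measured for bias and repeatability. The scores in `LOGITS` and all function names are constructed for illustration and stand in for a real model's token ranking.

```python
import math
import random
from collections import Counter

DIGITS = "0123456789"
# Constructed scores standing in for a model's per-token ranking (assumption).
LOGITS = [1.0, 1.2, 0.8, 2.5, 1.1, 0.9, 1.0, 3.0, 1.3, 0.7]
UNIFORM_BITS = math.log2(len(DIGITS))  # min-entropy of an unbiased digit


def token_probs(logits, temperature):
    """Softmax with temperature: higher temperature flattens the ranking."""
    scaled = [x / temperature for x in logits]
    top = max(scaled)  # subtract the max for numerical stability
    weights = [math.exp(s - top) for s in scaled]
    total = sum(weights)
    return [w / total for w in weights]


def sample_digits(n, temperature, seed):
    """Draw n digit tokens the way a sampler would, from a seeded MT19937."""
    rng = random.Random(seed)  # CPython's random.Random is the Mersenne Twister
    return "".join(rng.choices(DIGITS, weights=token_probs(LOGITS, temperature), k=n))


def min_entropy_bits(probs):
    """Bits of unpredictability per digit against a best-guess adversary."""
    return -math.log2(max(probs))


def chi_square_vs_uniform(sample):
    """Pearson statistic against a uniform digit distribution (9 d.o.f.)."""
    counts = Counter(sample)
    expected = len(sample) / len(DIGITS)
    return sum((counts[d] - expected) ** 2 / expected for d in DIGITS)


if __name__ == "__main__":
    for t in (0.5, 1.0, 5.0):
        bits = min_entropy_bits(token_probs(LOGITS, t))
        chi2 = chi_square_vs_uniform(sample_digits(10_000, t, seed=1))
        print(f"T={t}: {bits:.2f} of {UNIFORM_BITS:.2f} bits/digit, chi2={chi2:.0f}")
    # Same seed, same "random" digits: the output is only as secret as the seed.
    print(sample_digits(20, 1.0, seed=1) == sample_digits(20, 1.0, seed=1))
```

Even at a high temperature the per-digit min-entropy stays below that of a uniform digit, and the output repeats exactly for a repeated seed.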
The tradition is only known as "the holidays" to most, but it's important to remember what we are celebrating this time of year: the Herculean effort to fix the log4j vulnerability caused by needless use of JNDI.
@inthehands @Crell the fun thing about ostensibly defined concepts is that you get edge cases that still very much can claim to be the thing, but which have mutually empty intersection. In this case: implementing NAND gates, wires, and delay lines using Venus fly traps is programming (it's creating a Turing complete device, after all), and writing a markdown document is programming (it's telling a computer how to do stuff, after all), but their intersection is empty (unless, of course, you use a lot of Venus fly traps and implement x86).
I feel like the world is more fun that way, compared to excluding random things.
Me: a SQL inner join is a pullback from category theory, an outer join is a pushforward.
Colleague: SQL really is this lone survivor from a bygone era of computer science, where correctness still mattered.
Me: I didn't know; I, for one, am still waiting on the commutative algebra DLC, where both joins behave the same way.
To correct the common misunderstanding: Eve (they/them), Alice (she/her), and Bob (he/him) are in a consensual, BDSM relationship, featuring Eve as service top, Alice as the bratty bottom, and Bob, who just likes to watch.
Their safe word is "indistinguishability obfuscation".
Eve only "breaks" Alice's encryption because she's super into it, not to cause harm.