buherator

buherator, 10 days ago to random

RFC for 700 HTTP Status Codes

https://github.com/joho/7XX-rfc

gsuberland, 11 days ago (edited 11 days ago) to random

normal EMF things

#emf2024

buherator, 15 days ago to random

#LangSec Bugs of the Year Awards results are in (still from X :P)!

“The Most Impactful Parser Bug Of The Year Award is given to the WebP 0day” - awarded to @benhawkes

“The hardest to fix parser bug goes to the http://Binarly.io team for the LogoFAIL bugs.”

“The Best Parser Differential Awards goes to the inconsistent interpretation of YAML foods between Go and Rust.” - There is a link on the captured slide, and I’m pretty sure it’s @joern ‘s bug, but I can’t find a proper CVE anywhere…seriously people, references!

“The Weirdest Machine Award goes to Ian Beer @i41nbeer @benhawkes and @saelo “

Full thread with runner ups:

https://x.com/jvanegue/status/1793801911650676915

buherator, 17 days ago to random

[RSS] Inside the iOS bug that made deleted photos reappear

https://www.synacktiv.com/en/publications/inside-the-ios-bug-that-made-deleted-photos-reappear

buherator, 18 days ago to random

We should start using phrases such as "AI infested" in regards to software.

Viss, 22 days ago to random

you know what?
ai would be beter than this, i think.

whitequark, 22 days ago to random

found some extremely Normal code in one of my projects

buherator, 27 days ago to random

LangSec Bug of the Year Discovery awards
https://langsec.org/spw24/bug-of-the-year.html?s=09

buherator, 1 month ago to golang

This latest writeup by @joern mentions the #documentation of Go’s filepath.Clean is “not really obvious” when dealing with relative paths.

I think this is something all #golang devs should be aware of to avoid similar vulnerabilities.

The language is kind of amazing:

• Step 3. only applies if there is a parent path to be eliminated together with the subsequent “..” (“/foo/..” -> “/“)
• Step 4. only applies to “rooted” (absolute) paths, so “/../foo” would become “/foo”, but “../“ is left untouched (as there is no relative parent path to eliminate either).

This makes the docs technically correct (“the best kind of correct!”), but even with the solution at hand it took some head scratching to figure out the true meaning.

GossiTheDog, 1 month ago to random

Microsoft's CEO has emailed the company telling everybody to prioritize security. My thoughts, which 4 people will read.
https://doublepulsar.com/breaking-down-microsofts-pivot-to-placing-cybersecurity-as-a-top-priority-734467a8db01

buherator, 1 month ago to random

No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities

https://struct.github.io/auto_agents_1_day.html

buherator, 1 month ago to random

Who does updates over HTTP and without signature enforcement in 2024? Of course it's an AV: https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

buherator, 1 month ago to random

Let me get this straight: on-prem Exchange doesn't support DMARC/DKIM, but if you want to send e-mail to O365 users your messages need to be properly demagnezited by The Hawk himself?

https://learn.microsoft.com/en-us/answers/questions/1071500/dmarc-and-pkim-for-exchange-2019

buherator, 1 month ago to random

[RSS] This Man Wants to ‘Save the World’ By Letting You Jerk Off Into a Computer

https://www.404media.co/orifice-ai-sex-toy/

A true hero!

zhuowei, 1 month ago to random

Was Sleeping Beauty/Briar Rose's kingdom, castle, or town receive names in any major adaptation?

Neither the Perrault, Grimm, Tchaikovsky, or Disney versions had names for the castle/kingdom/town.

Disney's Maleficient did name the kingdom "Ulstead", but spin-offs doesn't count, and anyways, it doesn't name the castle or town.

troed, 2 months ago to llm

I see lots of posts here on Mastodon where people state that today's "AI" (LLMs) have no use, waste energy and are just doing copyright infringement on a vast scale.

I don't get it.

I just put together "summarize.sh" - a bit of glue between some open source and self-hosted LLMs. It takes a Youtube URL as its only parameter, and outputs a summary in text of the important parts of the spoken words in the video.

That is, I run yt-dlp, Whisper and finally Mixtral 8x7b. And I no longer need to sit through someone yapping about for a few minutes to tell me what should've been a short blog post.

Example output from a 4 minute video:

"The text describes a video tutorial on how to reset a Corsair keyboard when it's not working properly. The keyboard in question has three white flashing lights at the top and is experiencing issues with its RGB lighting and key input. To reset the keyboard, the user should unplug the USB cables from the computer, hold down the escape key, and then plug the USB cables back into the computer while still holding down the escape key. After releasing the escape key, the keyboard's lights should flash, indicating that it has been reset. The tutorial notes that this method has worked for other Corsair keyboards as well."

How is this not a great thing to have?

#LLM #AI #Whisper #Mixtral

buherator, 2 months ago to random

[RSS] Advisory X41-2024-001: Weak Chilkat PRNG

https://x41-dsec.de/lab/advisories/x41-2024-001-chilkat-prng/

buherator, 2 months ago to random

Bold emphasis is mine:

“So we have the ability to get text on demand that looks like legal contracts, or looks like medical diagnoses, or looks like therapeutic conversations, or looks like a news article, or looks like scientific research papers. But it actually is none of those things, because in all cases the textual artifact isn’t really the point; the point is rather the thought processes and relationship-building that led to and follow from the textual artifact.” - @emilymbender

https://buttondown.email/maiht3k/archive/doing-their-hype-for-them/

buherator, 2 months ago to random

"For example, someone would need to have the skills, time, and enough long-term interest specifically for [maintaining xz].”

It turns out someone had all three!

Great post about xz's takeover:

https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

simon, 2 months ago to random

I put together some detailed notes showing how I use Claude and ChatGPT as part of my daily workflow - in this case describing how I used them for a 6 minute side quest to create myself a GeoJSON map of the boundary of the Adirondack Park in upstate New York
https://simonwillison.net/2024/Mar/22/claude-and-chatgpt-case-study/

buherator, 2 months ago to random

The real problem with anonymity - by @pluralistic

"There is a category of person who reliably uses a certain, specific kind of anonymity to do vicious things that inflicts serious harm on whole swathes of people: corporate bullies."

https://pluralistic.net/2024/03/04/greater-corporate-fuckward-theory/#counterintuit-ive

buherator, 2 months ago to random

MS Word autocorrects "HTTP" to lowercase, but it doesn't do so with "HTTPS".

I'd like to request a CVE.

buherator, 3 months ago to random

To commemorate its death, here are some of my favorite pieces of journalism from Vice:

https://medium.com/@therealsexycyborg/shenzhen-tech-girl-naomi-wu-my-experience-with-sarah-jeong-jason-koebler-and-vice-magazine-3f4a32fda9b5

https://www.wired.com/2012/12/how-vice-got-john-mcafee-caught/