A Gray Jedi Capybara / weirdo geek into socio-technical systems resilience. Part-time #coffee and #Arduino nerd. If you “move fast and break things”, I’m the one who makes you clean up. #devsecops and #securityResearch focused on #appsec and #productSecurity.
Do not bother to follow me if you have anything against LGBTQIA+ folks, I have no patience left
- Security Research Advocate for Checkmarx;
- Managing Principal Consultant for Substance 36 LLC;
Opinions here are mine alone, not necessarily shared by organizations I work with or for
#embedded #espresso #biking #electronics
| blog | https://darrenpmeyer.com/ |
| photos | https://pxlmo.com/darrenpmeyer |
GitHub is at least partly fixing the `pull_request_target` weaknesses, and that's a very good thing. More: https://medium.com/@cx0-darren/github-actions-vs-supply-chain-attacks-using-pull-request-target-6b1569edf503
(And yeah, it's Medium. Seems like the least bad option for low-friction blogging; open to suggestions for alternatives though...)
@willasaywhat I think the assumption is that what they learn from working at large scale early, and gains from training and being early to market, will help them capture a large share of the AI market over the long term.
I remain skeptical that the long-term market for LLM and similar AI systems is big enough and profitable enough for that to make sense, but I suppose I could be wrong…
I don’t understand the argument that “there is no AI bubble because chip prices and demand keep going up”. Like… that’s what a bubble IS: asset prices keep going up without real sustainable demand justifying it.
The demand for the chips is fueled by *speculative* investment in them. The buyers are betting that AI will become profitable enough, soon enough, that investing in that capacity early will make a material difference. But as far as I can tell, that bet isn’t based on anything more concrete than a mix of vibes, hopes, and dreams.
There is, however, a lot for society to gain from the people who want subjugation and slavery and murder knowing that they will be pariahs if they let those thoughts out of their mouth. There’s a lot to gain from everyone around them seeing them greeted with revulsion and shunned.
That, too, is part of free speech. It is the •foundation• of free speech.
This is insane! A few researchers from UCSD and UMCP scanned bunch of satellite links, found much of the traffic is not encrypted, and went on to decode them. It's amazing what came out.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Lets not take our eyes off the basics.
Great work, Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman!
https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
@drwho @jon I’ve mostly avoided working at places that draconian, but I’ve definitely seen it with colleagues. One of my friends had to take remedial policy/awareness training because their employer’s EDR is configured to flag any browser other than Edge as effectively malware unless you have an exception with a documented business need.
I get wanting a degree of control, but yikes that’s really weird.
Willa 
Paul Cantrell
Vinoth (Mobile security)