Mastodawn

@flintflump asked me for a second opinion on this questionable article by #equixly about MCP security. I don't disagree that MCPs are causing lots of security issues, but the example in the article is just not one of them.

https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare/

The supposedly vulnerable code boils down to subprocess.call("notify-send", alert_title), where alert_title is untrusted. As long as notify-send is not vulnerable to RCE, this is completely fine: args is a list and shell is (implicitly) False.

🧵 1/3

MCP Servers: The New Security Nightmare

MCP servers are becoming a colossal remote code execution risk. Why are 2025’s newest AI tools repeating old security mistakes?

Equixly

flintflump Nov 21

Dr. Christopher Kunz Nov 21

BINGO TIME! With CVE-2025-58034, Fortinet secures the crown in my Insecurity Appliance Bingo. This is technically a "high" severity vuln, but since it's being actively exploited and has landed a spot on CISA KEV, I'm admitting it.

https://cku.gt/appbingo25

Reaching a bingo took longer than expected, with FortiNet and Ivanti sitting at 5/6 vulns since about July. But now, there is a well-deserved winner.

I'm now taking new vuln class and vendor suggestions for next year's edition.

flintflump Oct 28

⁂ L. Rhodes Oct 26

The positioning of LLM-based AI as a universal knowledge machine implies some pretty dubious epistemic premises, e.g. that the components of new knowledge are already encoded in language, and that the essential method for uncovering that knowledge is statistical.

Maybe no one in the field would explicitly claim those premises, but they're built into how the technology is being pitched to consumers.

flintflump Oct 5, 2025

Signal Oct 3, 2025

We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. https://signal.org/blog/pdfs/germany-chat-control.pdf

flintflump Sep 8, 2025

kendamarv Sep 8, 2025

@arte did your youtube account got hacked? Now playing fake KI Ads for Bitcoin. Don‘t scan the QR!!!

#fake #ai #youtube #cybersecurity

flintflump Jul 16, 2025

Eatsbluecrayon Jul 16, 2025

That's 5D-educational chess.

#FuckGenAI #ChatGPT #GenAIsucksCamelDong

flintflump Jul 16, 2025

BSidesMunich Jul 16, 2025

In today‘s installment of #BSidesMunich2025 - NEINth Edition, we focus on the cybercrime trend: Fraud-as-a-Service (FaaS). This business model enables cybercriminals to sell ready-made fraud tools and services—from phishing kits to identity theft packages—on dark web marketplaces.

Learn more under the link below!

https://social.bsidesmunich.org/?p=1157

flintflump May 16, 2025

leοna May 16, 2025

#NixOS 25.11 is Xantusia 🦎 <3

flintflump May 15, 2025

Lutra Security May 15, 2025

Unsere Kollegen @redpanda und @flintflump hatten diese Woche die Freude, am ec25 Engineering Camp teilzunehmen. Ein großes Dankeschön an #QAware für die Einladung und die hervorragende Organisation!

Es waren Tage voller spannender Vorträge, Workshops und neu gewonnener Erkenntnisse. Für uns war insbesondere der Einblick, wie LLMs in die Softwareentwicklung Einzug halten, sehr interessant. Wir konnten uns in persönlichen Gesprächen nicht nur über die damit verbundenen Chancen, sondern auch intensiv über die Risiken austauschen.

Ganz besonders gefreut haben wir uns darüber, dass Stefan Feuerstein die Gelegenheit hatte, zu präsentieren, wie Unternehmen eine Software Bill of Materials (SBOM) nutzen können, um nicht nur die Anforderungen des Cyber Resilience Act zu erfüllen, sondern auch Bedrohungen in ihrer Supply Chain eigenständig zu erkennen und zu vermeiden.