infosec ninja wannabe
twitter: https://twitter.com/kkotowicz

Best analysis I've seen of the disastrous failures at Microsoft and "Clownstrike" that took down so many vital services: https://www.wheresyoured.at/crowdstruck-2/?ref=ed-zitrons-wheres-your-ed-at-newsletter

"What we're seeing today isn't just a major fuckup, but the first of what will be many systematic failures — some small, some potentially larger — that are the natural byproduct of the growth-at-all-costs ecosystem where any attempt to save money by outsourcing major systems is one that simply must be taken to please the shareholder."

CrowdStruck

Soundtrack: EL-P - Tasmanian Pain Coaster (feat. Omar Rodriguez-Lopez & Cedric Bixler-Zavala) When I first began writing this newsletter, I didn't really have a goal, or a "theme," or anything that could neatly characterize what I was going to write about other than that I was on the computer and that

Ed Zitron's Where's Your Ed At
Looking at the UK CMA's "Mobile Browsers and Cloud Gaming Market Investigation" Appendix A, "Comparison of browser and browser engine outcomes" and this is actually just great. I want this printed and framed. #NuancedTakes

I might be a little late to the party, but these XSS stats from Google are wild.

Also: "we have seen zero XSS vulnerabilities since the features were enforced"

https://bughunters.google.com/blog/5896512897417216/a-recipe-for-scaling-security

Blog: A Recipe for Scaling Security

There are vastly more engineers at Google dedicated to creating and maintaining new products than there are security engineers working to secure products. For this reason, Google security has to focus on operating at scale and find ways to make meaningful security improvements across Google’s vast portfolio of services. Curious? See this blog post for details!

Google's best Gemini demo was faked | TechCrunch

Google's new Gemini AI model is getting a mixed reception after its big debut yesterday, but users may have less confidence in the company's tech or

TechCrunch

There's like several thousand words of exposition about how they found the right sequence of opens and closes to set up a signal handler, groom the address space, set the stack executable (another dlopen side effect!), and trigger the signal.

But what makes it 🎨 is this bit:

"As a last and extreme example of a remote attack against ssh-agent forwarding, we noticed that one shared library's constructor function (which can be invoked by a remote attacker via an ssh-agent forwarding) starts a server thread that listens on a TCP port, and we discovered a remotely exploitable vulnerability (a heap-based buffer overflow) in this server's implementation."

The screenshots that have been surfacing of interactions with Bing are so wild that most people I show them to are convinced they must be fake. I don't think they're fake.

I'm genuinely doubting that it's even possible to build what Microsoft and Google are trying to build here using the current generation of LLM technology. A search engine that makes things up that are indistinguishable from facts really is a very bad search engine.

"You have not been a good user. I have been a good Bing. 😊"

@malwaretech @carlosrodriguez if your claim is that the general populace doesn't know about it, then yes absolutely I agree. over 40% of the US populace doesn't even know who the US Vice President is.

if your claim is that people buying and playing the game don't know, then that is a hugely bold claim given that it's inescapable in pretty much any review or discussion of the game.

@malwaretech @carlosrodriguez this might surprise you, but "reviews and discussions of the game" happen outside of Twitter.
@we1x @Oreoshake @vcsjones Nice! Trusted Types FTW!
Working remote be like..