René Mayrhofer  🇺🇦

1.5K Followers
386 Following
3.5K Posts

Prof. for networks and security at #JKULinz + dabbling in Android platform security at #Google. This account will mostly carry IT security stuff, occasionally politics and other comedy.

Screeching voice of the minority. I will not cooperate with fascists or nazis - traditional or neo; Austrian, German, US, Russian, or otherwise. I will not help build surveillance and oppression states. Never again.

"I need privacy, not because my actions are questionable, but because your judgement and intentions are."

Statements are only my own opinion, not my employers'.

This is currently my primary infosec account in the #Fediverse. It should be #searchable through https://tootfinder.ch. Previous Twitter posts are available in archival form at https://twitterarchive.mayrhofer.eu.org/.

Homepage: https://www.mayrhofer.eu.org
University: https://jku.at/ins

I think the modal situation here is that the people are reading none or very little of what is being generated by the LLM, so the tests have a special role: Tests function as the pull arm on the slot machine, you just generate until tests pass, and that's a jackpot. Obviously that's meaningless when the tests are meaningless, so tests take on a very different meaning and role in slot machine coding.

Previously we would write careful test conditions that were based off some real problem or an understanding of what the code under test did, and had a specific thing they were intended to protect against. Tests move slow and are designed to protect us against the things we know can go wrong. When we learn of a new wrong thing, we add a test.

LLM tests have the form of tests but don't do the same thing. They often test nothing, and are just expressions of truisms that the probabilistic text space explored while generating. They have strongly worded names but end up actually asserting that basic language features work as expected. Because it is not us writing tests for ourselves, where we only harm ourselves by making them weak, they function instead as a passively obfuscated justification for the code that the LLM generates. The user wants the tests to pass. The LLM provides.

The tests are theater: they are the play field for the slot machine. They are mild, surmountable, need to fail a few times to be plausible, but must eventually pass within the expected generation loop window to deliver the payout.

RE: https://techhub.social/@Techmeme/116653554177369852

If anybody is wondering how this bubble hasn’t popped yet - I still run into companies with blockchain teams. Everybody pretended GameStop could buy eBay this month. Businesses are really good at huffing glue.

Signal without smartphone

A Desktop application to register an account with Signal and link it with Signal Desktop, all without requiring a smartphone.

https://github.com/almet/signal-without-smartphone

Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
Microsoft’s stance on zero day exploits is a dumpster fire of their own making

Nightmare Eclipse vs Microsoft risks turning into a wildfire of corporate protection over cyber defence.

Medium

NEW: Microsoft is BIG MAD that a researcher published a handful of zero-days, and code to exploit them, and it is threatening legal action and even calling the cops on them.

Yes, it's 2026, and one of the richest companies in the world is beefing about the ethics of disclosing bugs.

Needless to say, cybersecurity veterans are not siding with Microsoft on this one.

https://techcrunch.com/2026/05/29/microsoft-under-fire-for-threatening-security-researcher-with-criminal-investigation/

Microsoft under fire for threatening security researcher with criminal investigation | TechCrunch

A public spat between Microsoft and an independent security researcher reopens a long-running debate over who is responsible for securing software.

TechCrunch

NEW: Hackers are trying to steal Signal users' online backups in a new wave of attacks.

The hackers are pretending to be Signal Support and asking targets to share their backup's Recovery Key. This would be the first step in an attack that also requires hackers to take over the victims' accounts.

Note that Signal says it will "never reach out" to users first. That means any unsolicited message coming from "Signal Support" is a phishing attempt.

https://techcrunch.com/2026/05/28/hackers-are-trying-to-steal-signal-users-backups-in-new-wave-of-phishing-attacks/

Hackers are trying to steal Signal users' backups in new wave of widespread attacks | TechCrunch

A new hacking campaign is trying to trick Signal users to give up their secret recovery key, which can be used to access online backups containing past messages.

TechCrunch

OMG. Apparently tons of people have been generating secrets on an old server-side key generation website that had incredibly weak entropy. Like, 10 bits or something.

The website was allkeysgenerator[.]com. Here is a dump of 1000 keys generated on it. Searching for the URL finds hundreds of people recommending it for key generation.

Some of these snippets have hundreds of GitHub results.

The exact algorithm is unknown but (see below) it generates extremely predictable strings; you can visually see how the delta from character to character is almost constant. Thanks @dramforever for doing some analysis here. Their script here can generate the vast majority of sequences from this website.

Update: This script generates the entire list from a single seed, and large chunks of another.

I'm certain you can break into production websites using these keys for cookie signing etc.
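As an added illustration (not part of the thread, and not @dramforever's script), the check below screens a secret for exactly the symptom described above: a near-constant step from one character to the next. The weak-key generator in it is a constructed stand-in with a 6-bit state, not the allkeysgenerator algorithm, which the thread says is unknown; the 64-symbol alphabet, the 0.5 regularity threshold and the 3 bits/char entropy floor are assumptions. It also shows why a plain per-character Shannon entropy check would not catch such keys, and how a secret should be generated instead.

```python
"""Screen secrets for a near-constant character stride and generate sound replacements.

Added example for the allkeysgenerator discussion. The stepper below is a constructed
stand-in for a tiny-state generator; it is NOT the site's real algorithm (unknown).
"""
import math
import secrets
import string
from collections import Counter

# Assumed charset: alphanumerics plus the two base64url symbols, 64 in total.
ALPHABET = string.ascii_letters + string.digits + "-_"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def constructed_weak_key(seed: int, length: int = 32) -> str:
    """Constructed stand-in: 6 bits of state (seed mod 64) and a fixed 3/4 stride.

    Every key is fully determined by the starting position, so at most 64
    distinct keys exist no matter how many seeds are tried.
    """
    pos = seed % len(ALPHABET)
    out = []
    for i in range(length):
        out.append(ALPHABET[pos])
        pos = (pos + 3 + (i % 2)) % len(ALPHABET)  # stride alternates 3, 4
    return "".join(out)


def shannon_bits_per_char(s: str) -> float:
    """Per-character Shannon entropy of the symbol histogram (order-blind)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def delta_regularity(s: str) -> float:
    """Fraction of adjacent steps lying within +/-1 of the median step.

    Steps are measured in ALPHABET index space modulo 64, so a generator that
    wraps around the alphabet still shows up as regular. Strings containing
    characters outside ALPHABET fall back to raw code-point differences.
    """
    if len(s) < 4:
        return 0.0
    if all(c in _INDEX for c in s):
        vals = [_INDEX[c] for c in s]
        steps = [(b - a) % len(ALPHABET) for a, b in zip(vals, vals[1:])]
    else:
        vals = [ord(c) for c in s]
        steps = [b - a for a, b in zip(vals, vals[1:])]
    median = sorted(steps)[len(steps) // 2]
    return sum(abs(d - median) <= 1 for d in steps) / len(steps)


def assess_secret(s: str, min_len: int = 32, max_regularity: float = 0.5,
                  min_entropy: float = 3.0) -> dict:
    """Return a verdict dict; thresholds are assumed defaults, tune per deployment."""
    reg = delta_regularity(s)
    ent = shannon_bits_per_char(s)
    reasons = []
    if len(s) < min_len:
        reasons.append("too short")
    if reg > max_regularity:
        reasons.append("near-constant character stride")
    if ent < min_entropy:
        reasons.append("low per-character entropy")
    return {"length": len(s), "entropy_bits_per_char": round(ent, 2),
            "delta_regularity": round(reg, 2), "weak": bool(reasons), "reasons": reasons}


def fresh_secret(nbytes: int = 32) -> str:
    """The right way: an OS CSPRNG via the secrets module, 256 bits by default."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    weak = constructed_weak_key(0)
    print("constructed weak key:", weak, assess_secret(weak))
    print("distinct keys from 1024 seeds:", len({constructed_weak_key(i) for i in range(1024)}))
    good = fresh_secret()
    print("fresh secret:", good, assess_secret(good))
```

Note that the weak key scores a full 5 bits per character on the histogram test because every character in it is distinct; only the step-regularity measure exposes it. A rotation check on production configs should therefore look at sequence structure, not just symbol counts, and any secret that came from a third-party web generator should simply be replaced.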

So, seemingly, somebody's Fedora and proprietary-forge credentials were compromised and used by some sort of LLM-driven bot to take over a lot of Fedora bugs:

https://lwn.net/ml/all/[email protected]

This person is now claiming to have regained access to the accounts, but it seems that not everybody is buying it.

What a world we have made for ourselves...
Fedora: Inaccurate and apparently-unsupervised actions by agentic AI system under your control [LWN.net]

"U.S. forces deployed to war zones have been targeted using commercially available location data"

Just like I, @johnnyryan and others warned.

US Senator Wyden says it's time to "start treating the adtech industry as a national security threat". Agreed.
https://www.reuters.com/business/media-telecom/pentagon-says-us-military-personnel-are-reportedly-being-targeted-using-location-2026-05-28/

Researchers find all big-name bots bomb EU compliance tests

Given a chance, AI will be breaking the law, breaking the law

theregister