Recent Events for foo.be MainPageDiary (Blog)

FeedCollection

hack.lu 2007

http://www.hack.lu/news.rdf returned no data, or LWP::UserAgent is not available.

adulau SVN

http://a.6f2.net/svnweb/index.cgi/adulau/rss/ returned no data, or LWP::UserAgent is not available.

Michael G. Noll

http://www.michael-noll.com/feed/ returned no data, or LWP::UserAgent is not available.

Justin Mason

2026-01-20

  • 12:16 UTC On the Coming Industrialisation of Exploit Generation with LLMs
    Yiiiiikes: Recently I ran an experiment where I built agents on top of Opus 4.5 and GPT-5.2 and then challenged them to write exploits for a zeroday vulnerability in the QuickJS Javascript interpreter. I added a variety of modern exploit mitigations, various constraints (like assuming an unknown heap starting state, or forbidding hardcoded offsets in the exploits) and different objectives (spawn a shell, write a file, connect back to a command and control server). The agents succeeded in building over 40 distinct exploits across 6 different scenarios, and GPT-5.2 solved every scenario. Opus 4.5 solved all but two. I’ve put a technical write-up of the experiments and the results on Github, as well as the code to reproduce the experiments. In this post I’m going to focus on the main conclusion I’ve drawn from this work, which is that we should prepare for the industrialisation of many of the constituent parts of offensive cyber security. We should start assuming that in the near future the limiting factor on a state or group’s ability to develop exploits, break into networks, escalate privileges and remain in those networks, is going to be their token throughput over time, and not the number of hackers they employ. Nothing is certain, but we would be better off having wasted effort thinking through this scenario and have it not happen, than be unprepared if it does. (via emauton)
    Tags: via:emauton llms security infosec exploits ai chatgpt claude
  • 10:14 UTC ScottESanDiego/gmail-api-client
    Deliver email messages directly into GMail using their proprietary API, instead of SMTP or IMAP. Looks like it still applies spam filtering, but this can also be disabled with a switch (via JWZ)
    Tags: via:jwz email smtp gmail google mail

2026-01-16

  • 15:11 UTC Reverse engineering my cloud-connected e-scooter and finding the master key to unlock all scooters
    A great example of reverse engineering an Android app and Bluetooth IOT protocol using Frida and root access on an Android device: Android exposes the Java classes android.bluetooth.BluetoothGatt and android.bluetooth.BluetoothGattCallback that apps are expected to use to use GATT characteristics. We can use Frida to hook into these and override many of the interesting functions. I was mostly interested in reads, writes and GATT notifications, so I whipped up a Frida script to hook into these and print all comms to the console [...] The 20-byte value had me suspecting that SHA-1 was somehow being used. To confirm, I wrote another Frida script that hooks Android hashing functions exposed by the Java class java.security.MessageDigest [...] The app uses Firebase for most of its cloud functionality. When signing in and pairing your scooter, the server sends the app a secret key. This is stored on the Android device, and can be read with root access.
    Tags: frida reverse-engineering android firebase java kotlin gatt bluetooth react-native

2026-01-15

  • 13:41 UTC Why people believe misinformation even when they’re told the facts
    "Factchecking is seen as a go-to method for tackling the spread of false information. But it is notoriously difficult to correct misinformation. Evidence shows readers trust journalists less when they debunk, rather than confirm, claims. The work of media scholar Alice Marwick can help explain why factchecking often fails when used in isolation. Her research suggests that misinformation is not just a content problem, but an emotional and structural one: [Marwick] argues that it thrives through three mutually reinforcing pillars: the content of the message, the personal context of those sharing it, and the technological infrastructure that amplifies it: People find it cognitively easier to accept information than to reject it, which helps explain why misleading content spreads so readily; When fabricated claims align with a person’s existing values, beliefs and ideologies, they can quickly harden into a kind of “knowledge”. This makes them difficult to debunk; [When social media platforms] prioritise content likely to be shared, making sharing effortless, every like, comment or forward feeds the [misinformation] system. The platforms themselves act as a multiplier.
    Tags: misinformation disinformation alice-marwick research psychology social-media fake-news information debunking facts factchecking
  • 09:56 UTC A better way to limit Claude Code (and other coding agents!) access to Secrets
    Bubblewrap, a Linux CLI tool which uses namespaces to sandbox a specific command (and its subprocesses): Bubblewrap lets you run untrusted or semi-trusted code without risking your host system. We’re not trying to build a reproducible deployment artifact. We’re creating a jail where coding agents can work on your project while being unable to touch ~/.aws, your browser profiles, your ~/Photos library or anything else sensitive. Very nice, I hadn't heard of this tool before. The rest of the blog post details how to use it to isolate Claude Code specifically.
    Tags: claude llms sandboxing linux cli namespaces security infosec trust unix

2026-01-14

  • 10:49 UTC Russian Propaganda Infects AI Chatbots
    CEPA: "A Moscow-based global “news” network is leveraging Western artificial intelligence tools to devastating effect": This form of data poisoning is deliberately designed to corrupt the information environments on which AI systems depend. Large language models do not possess an internal understanding of truth. They operate by assessing credibility based on statistical signals, including repetition, apparent consensus, and cross-referencing posts from across the web. Unfortunately, this approach to truth-seeking means an unexpected but structural vulnerability that hostile states have learned to exploit. [...] The West has failed to recognize that it is under sustained information warfare. The United States dismantled the US Information Agency years ago, has steadily weakened Voice of America and Radio Free Europe, and recently scaled back the Foreign Malign Influence Center, even as Russia, China, and Iran made information warfare a core instrument of state power. As AI systems increasingly function as arbiters of fact, this vulnerability becomes a national security danger. It is no longer sufficient for technology companies to disclaim responsibility by reminding users that models can make mistakes. Information security needs to be treated as a core requirement.
    Tags: propaganda russia misinformation disinformation ai llms web truth

2026-01-08

  • 11:59 UTC Today in "Google broke email"
    update on the POP3pocalypse -- it appears that the most likely thing to work in the future will be to use SMTP forwarding to gmail, with ARC headers added. This is a comment thread detailing the rather complex Postfix/OpenARC setup that may do the job. It looks frankly unpleasant
    Tags: email smtp pop3 gmail arc forwarding postfix openarc

2026-01-05

  • 11:05 UTC Pi Reliability: Reduce writes to your SD card
    Techniques to extend SD card lifespans in Raspberry Pi systems; putting /var/log into RAM is a nice trick
    Tags: reliability raspberry-pi hardware home sd-cards ram
  • 11:05 UTC Solid state drive - ArchWiki
    the Arch Linux wiki page about SSD tuning and enabling TRIM -- extremely detailed and useful!
    Tags: trim ssd hardware arch-linux linux

Paul Graham