Reading [entries|reading|network|archive]
simont

[syndicated profile] hacker_news_daily_feed Fri 2025-09-19 00:00
Daily Hacker News for 2025-09-18

The 10 highest-rated articles on Hacker News on September 18, 2025 which have not appeared on any previous Hacker News Daily are:

[personal profile] kaberett Thu 2025-09-18 19:19
[growth] pineapple is go!

A little while ago the toddler's household told me that you could turn the top of a pineapple into a whole entire pineapple plant (with the caveat that at least 60% of the time it goes mouldy). My first attempt at this had got as far as growing a whole entire root network but then suffered a Tragic Incident from which it never recovered; the second had been sat around with partially-browned but no-longer-becoming-more-browned and definitely-still-partially-green leaves for Quite Some Time. I had more or less hit the point of "... is this actually doing anything? at all?" and then upon my return from the most recent round of Adventures I rotated it in service of watering it, to discover...

a pineapple crown, growing a whole new set of leaves

... that it's growing a WHOLE NEW SET OF LEAVES. Look at it go! I am very excited!

(My understanding is that if I manage to keep it alive that long it'll take somewhere in the region of 3 years to fruit, and then in the fashion of all bromeliads will die having produced said single fruit. Happily this is about the rate at which we eat fresh pineapple...)

[syndicated profile] schneier_no_tracking_feed Thu 2025-09-18 11:06
Time-of-Check Time-of-Use Attacks Against LLMs

Posted by Bruce Schneier

This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents”:

Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context. TOCTOU arises when an agent validates external state (e.g., a file or API response) that is later modified before use, enabling practical attacks such as malicious configuration swaps or payload injection. In this work, we present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to evaluate this class of vulnerabilities. As countermeasures, we adapt detection and mitigation techniques from systems security to this setting and propose prompt rewriting, state integrity monitoring, and tool-fusing. Our study highlights challenges unique to agentic workflows, where we achieve up to 25% detection accuracy using automated detection methods, a 3% decrease in vulnerable plan generation, and a 95% reduction in the attack window. When combining all three approaches, we reduce the TOCTOU vulnerabilities from an executed trajectory from 12% to 8%. Our findings open a new research direction at the intersection of AI safety and systems security.

[personal profile] andrewducker Thu 2025-09-18 12:00
Interesting Links for 18-09-2025
[syndicated profile] xkcd_feed Wed 2025-09-17 04:00
Question Mark
Although now people will realize three-per-em space that all this time I've been using weird medium mathematical space whitespace characters in my hair space hair space hair space speech dot dot dot...
[syndicated profile] hacker_news_daily_feed Thu 2025-09-18 00:00
Daily Hacker News for 2025-09-17

The 10 highest-rated articles on Hacker News on September 17, 2025 which have not appeared on any previous Hacker News Daily are:

[personal profile] andrewducker Wed 2025-09-17 17:36
Whining about online t-shirt purchases.
Ooh, I thought, that's a really cool t-shirt! And the price is only £24, that's actually pretty reasonable!

Except no, it's £24 plus £6 tax plus £7 shipping *that takes up to 6 weeks*.

And this for an item that's print on demand. Which means, theoretically, they could print it in the UK in the first place and not have to presumably ship it to me by alpaca from Kazakhstan!

Shame, really, it's a nice t-shirt. But not £37 nice.
[personal profile] rmc28 Wed 2025-09-17 17:17
I have had the call

Or rather the text message to book my covid & flu vaccinations. "For 75+ and immunosuppressed". I just double-checked and "have had a blood cancer" is still top of the NHS list of qualifying conditions, so that's my armour when the GP surgery gatekeepers are like, you're too young and you might be DEPRIVING someone of this vaccine who NEEDS it. (This has been the conversation the last three times I got invited to get vaccinated, sigh, and then they get a manager to look at my medical record, and then they grudgingly admit that maybe I can has jabs.)

Date is the Saturday when all the Cambridge undergraduates arrive, so just in time. I'll mostly be avoiding students for the first couple weeks of term to let the freshers flu play out, but I will be playing ice hockey so not entirely. Also getting in and out of the city centre that day may be entertaining, probably best done on foot.

[syndicated profile] schneier_no_tracking_feed Wed 2025-09-17 11:05
Hacking Electronic Safes

Posted by Bruce Schneier

Vulnerabilities in electronic safes that use Securam Prologic locks:

While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”

[…]

Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year’s Defcon, where they first planned to present their research.

Only after obtaining pro bono legal representation from the Electronic Frontier Foundation’s Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam’s vulnerabilities at Defcon. Omo and Rowley say they’re even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.

The company says that it plans on updating its locks by the end of the year, but has no plans to patch any locks already sold.

[personal profile] andrewducker Wed 2025-09-17 12:00
Interesting Links for 17-09-2025
[personal profile] andrewducker Wed 2025-09-17 09:43
Life with two kids: International Demon-Hunter Shipping
A week and a half ago I ordered a couple of K-Pop Demon Hunters hoodies for the kids from Amazon. I didn't realise quite how much of a trip they'd be making:

8th - Taken from warehouse in Shenzhen (China) and handed to massive Chinese shipment company SF Express.
8th - Driven an hour up the road to Dongguan shipment centre.
11th - Transported (presumably by road) 1,100 km to Ezhou (SF Express hub airport, also China)
12th - Flown to Liège Airport (Belgium), stopping over in Almaty International Airport (Kazakhstan)
14th - Flew in to Heathrow
14th - Then arrived in Stansted for customs
15th - Then handed to Hermes in London
16th - Who got it to me in Edinburgh the next day

Total cost, including shipping: £24 (£12 per top).

I am both impressed and somewhat aghast.
[syndicated profile] hacker_news_daily_feed Wed 2025-09-17 00:00
Daily Hacker News for 2025-09-16

The 10 highest-rated articles on Hacker News on September 16, 2025 which have not appeared on any previous Hacker News Daily are:

[personal profile] kaberett Tue 2025-09-16 22:24
tired. so tired.

Have spent most of the day asleep.

  1. Attempt #2 at pineapple-from-trimmed-top has NEW LEAVES.
  2. I am also fairly sure that attempt #2 at lemongrass is taller than it was when we set off on our terrible adventures about ten days ago.
  3. Actual bed. Favourite mattress.
  4. I got to make someone's entire day by sending an "... I think I have your object" e-mail.
  5. Leftovers for dinner: curry from the crew party on Sunday night. Didn't have to think about food. Extremely grateful for this fact.
[personal profile] andrewducker Tue 2025-09-16 09:58
Photo cross-post


No, daddy, it's definitely not a "pointy duck"! Have you even read the sign?
Original is here on Pixelfed.scot.

[syndicated profile] schneier_no_tracking_feed Tue 2025-09-16 11:06
Microsoft Still Uses RC4

Posted by Bruce Schneier

Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting that exploits the Kerberos authentication system.

[personal profile] andrewducker Tue 2025-09-16 12:00
Interesting Links for 16-09-2025
[syndicated profile] hacker_news_daily_feed Tue 2025-09-16 00:00
Daily Hacker News for 2025-09-15

The 10 highest-rated articles on Hacker News on September 15, 2025 which have not appeared on any previous Hacker News Daily are:

[syndicated profile] xkcd_feed Mon 2025-09-15 04:00
-Style Pizza
If you want to see true audacity, do an image search for 'Altoona-style pizza.'
[personal profile] andrewducker Mon 2025-09-15 19:39
Interesting Links for 15-09-2025
[syndicated profile] schneier_no_tracking_feed Mon 2025-09-15 11:05
Lawsuit About WhatsApp Security

Posted by Bruce Schneier

Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.

The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000 WhatsApp users had their accounts hacked every day. By last year, the complaint alleged, as many as 400,000 WhatsApp users were getting locked out of their accounts each day as a result of such account takeovers.

Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms, such as Signal and Apple Messages. As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams.

More news coverage.
