Daily Hacker News for 2025-09-18

[growth] pineapple is go!
A little while ago the toddler's household told me that you could turn the top of a pineapple into a whole entire pineapple plant (with the caveat that at least 60% of the time it goes mouldy). My first attempt at this had got as far as growing a whole entire root network but then suffered a Tragic Incident from which it never recovered; the second had been sat around with partially-browned but no-longer-becoming-more-browned and definitely-still-partially-green leaves for Quite Some Time. I had more or less hit the point of "... is this actually doing anything? at all?" and then upon my return from the most recent round of Adventures I rotated it in service of watering it, to discover...

... that it's growing a WHOLE NEW SET OF LEAVES. Look at it go! I am very excited!
(My understanding is that if I manage to keep it alive that long it'll take somewhere in the region of 3 years to fruit, and then in the fashion of all bromeliads will die having produced said single fruit. Happily this is about the rate at which we eat fresh pineapple...)

Time-of-Check Time-of-Use Attacks Against LLMs
Posted by Bruce Schneier
https://www.schneier.com/blog/archives/2025/09/time-of-check-time-of-use-attacks-against-llms.html
This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents”:
Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context. TOCTOU arises when an agent validates external state (e.g., a file or API response) that is later modified before use, enabling practical attacks such as malicious configuration swaps or payload injection. In this work, we present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to evaluate this class of vulnerabilities. As countermeasures, we adapt detection and mitigation techniques from systems security to this setting and propose prompt rewriting, state integrity monitoring, and tool-fusing. Our study highlights challenges unique to agentic workflows, where we achieve up to 25% detection accuracy using automated detection methods, a 3% decrease in vulnerable plan generation, and a 95% reduction in the attack window. When combining all three approaches, we reduce the TOCTOU vulnerabilities from an executed trajectory from 12% to 8%. Our findings open a new research direction at the intersection of AI safety and systems security.

Interesting Links for 18-09-2025

Daily Hacker News for 2025-09-17

Whining about online t-shirt purchases.
Ooh, I thought, that's a really cool t-shirt! And the price is only £24, that's actually pretty reasonable!
Except no, it's £24 plus £6 tax plus £7 shipping *that takes up to 6 weeks*.
And this for an item that's print on demand. Which means, theoretically, they could print it in the UK in the first place and not have to presumably ship it to me by alpaca from Kazakhstan!
Shame, really, it's a nice t-shirt. But not £37 nice.

rmc28
Wed 2025-09-17 17:17

I have had the call
Or rather the text message to book my covid & flu vaccinations. "For 75+ and immunosuppressed". I just double-checked and "have had a blood cancer" is still top of the NHS list of qualifying conditions, so that's my armour when the GP surgery gatekeepers are like, you're too young and you might be DEPRIVING someone of this vaccine who NEEDS it. (This has been the conversation the last three times I got invited to get vaccinated, sigh, and then they get a manager to look at my medical record, and then they grudgingly admit that maybe I can has jabs.)
Date is the Saturday when all the Cambridge undergraduates arrive, so just in time. I'll mostly be avoiding students for the first couple weeks of term to let the freshers flu play out, but I will be playing ice hockey so not entirely. Also getting in and out of the city centre that day may be entertaining, probably best done on foot.

Hacking Electronic Safes
Posted by Bruce Schneier
https://www.schneier.com/blog/archives/2025/09/hacking-electronic-safes.html
Vulnerabilities in electronic safes that use Securam Prologic locks:
While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”
[…]
Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year’s Defcon, where they first planned to present their research.
Only after obtaining pro bono legal representation from the Electronic Frontier Foundation’s Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam’s vulnerabilities at Defcon. Omo and Rowley say they’re even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.
The company says that it plans on updating its locks by the end of the year, but has no plans to patch any locks already sold.

Interesting Links for 17-09-2025

Life with two kids: International Demon-Hunter Shipping
A week and a half ago I ordered a couple of K-Pop Demon Hunters hoodies for the kids from Amazon. I didn't realise quite how much of a trip they'd be making:
8th - Taken from warehouse in Shenzhen (China) and handed to massive Chinese shipment company SF Express.
8th - Driven an hour up the road to Dongguan shipment centre.
11th - Transported (presumably by road) 1,100 km to Ezhou (SF Express hub airport, also China)
12th - Flown to Liège Airport (Belgium), stopping over in Almaty International Airport (Kazakhstan)
14th - Flew in to Heathrow
14th - Then arrived in Stansted for customs
15th - Then handed to Hermes in London
16th - Who got it to me in Edinburgh the next day
Total cost, including shipping: £24 (£12 per top).
I am both impressed and somewhat aghast.

Daily Hacker News for 2025-09-16

tired. so tired. Have spent most of the day asleep.
- Attempt #2 at pineapple-from-trimmed-top has NEW LEAVES.
- I am also fairly sure that attempt #2 at lemongrass is taller than it was when we set off on our terrible adventures about ten days ago.
- Actual bed. Favourite mattress.
- I got to make someone's entire day by sending an "... I think I have your object" e-mail.
- Leftovers for dinner: curry from the crew party on Sunday night. Didn't have to think about food. Extremely grateful for this fact.

Interesting Links for 16-09-2025

Daily Hacker News for 2025-09-15

Interesting Links for 15-09-2025

Lawsuit About WhatsApp Security
Posted by Bruce Schneier
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-security.html
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000 WhatsApp users had their accounts hacked every day. By last year, the complaint alleged, as many as 400,000 WhatsApp users were getting locked out of their accounts each day as a result of such account takeovers.
Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms, such as Signal and Apple Messages. As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams.
More news coverage.