security engineering @brave / helped build Let's Encrypt, Privacy Badger, and HTTPS Everywhere @eff / physics alum @mit / rabbit enthusiast

Joined November 2012
Pinned Tweet
15 Apr 2022
could not for the life of me figure out how to buy a bus ticket in Milan. it was literally easier to get a shell 😆
90
608
6,905
Developers from Signal (including its protocol's co-creator) along with Microsoft and Harvard unveil Encrypted Spaces, an open-source codebase for a new generation of private collaboration apps. Think Slack, Discord, Google Docs, all end-to-end encrypted. wired.com/story/signal-alums…
3
41
163
40,089
Jun 9
haha this reminds me that at one point during internal testing of Brave's AI agent (Leo), it refused to execute Step 3 on a todo list when Steps 1 and 2 were black text and Step 3 was white text (therefore invisible). but it got tricked into executing it when Steps 1 and 2 were red and blue, i guess because it thought Step 3 was trying to be patriotic instead of deceptive.
Jun 8
Indirect prompt injection is a fundamental security challenge for AI. It's an issue for both local and cloud-based LLMs. After disclosing our findings to both companies, we're now sharing our analysis of Mozilla Tabstack and Cotypist today.
2
6
57
9,032
yan retweeted
Jun 4
Today we launched the community-requested Brave Origin: an optional, paid version of our browser that offers Brave's leading privacy protections and ad blocker without its extra features. Origin is live now on desktop and Android, and coming soon to iOS: brave.com/origin
177
129
1,429
191,741
Apr 27
in light of the tragic news that a 2-year old died at a licensed SF daycare earlier this month, i made a site to show childcare license violations and complaints in the Bay Area: azuki.vip/childcare/
5
50
7,561
Apr 27
* the data is public at ccld.dss.ca.gov/carefacility… but i found that site hard to use
* PRs welcome github.com/diracdeltas/child…
* i am aware this does not show small home daycares; working on that
* very grateful to Claude for making this a sunday project instead of a multi-week one

8
1,750
Apr 20
why is Claude installing a Native Messaging host in Brave's profile directory if code.claude.com/docs/en/chro… explicitly doesn't support Brave??
thatprivacyguy.com/blog/anth… @AnthropicAI secretly installs spyware when you install Claude Desktop Anthropic's Claude Desktop silently installs a Native Messaging bridge into seven... #ai #privacy #eprivacy #compliance #infosec #gdpr #law #cyber #security #anthropic #claude
7
11
105
23,753
yan retweeted
Mar 31
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
541
4,026
16,173
12,403,167
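The retweet above ends with "audit your lockfiles", which in practice means: does any installed copy of the named package appear in package-lock.json, which package pulled it in, and are your direct dependencies pinned to exact versions? The script below is an added example written for this page; it is not code from Socket, from the axios project or from the tweet's author. The package names axios and plain-crypto-js are taken from the tweet; the lockfile content embedded in SAMPLE_LOCK is constructed for the demo and is not a real lockfile. It handles the flat "packages" map of lockfileVersion 2 and 3; a version 1 lockfile has a nested "dependencies" tree instead and should be regenerated with a current npm first.

```python
"""Added example: audit an npm package-lock.json for an unexpected dependency.
Package names come from the quoted tweet; SAMPLE_LOCK is constructed."""
import json

# Constructed lockfile (lockfileVersion 2/3 layout: flat "packages" map keyed
# by install path, "" being the root project).  Not a real lockfile.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "4.2.1"}
    },
    "node_modules/follow-redirects": {"version": "1.15.6"},
    "node_modules/plain-crypto-js": {
      "version": "4.2.1",
      "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz"
    }
  }
}
""")


def load_lockfile(path: str) -> dict:
    """Read a real package-lock.json; refuse the v1 layout this script does not walk."""
    with open(path, encoding="utf-8") as f:
        lock = json.load(f)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate it with a current npm")
    return lock


def package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; '' is the root project."""
    if not install_path:
        return "<root>"
    return install_path.split("node_modules/")[-1]


def find_versions(lock: dict, name: str) -> list[tuple[str, str]]:
    """Every installed copy of `name` (nested copies included) with its version."""
    return [(path, meta.get("version", "?"))
            for path, meta in lock.get("packages", {}).items()
            if package_name(path) == name]


def dependents_of(lock: dict, name: str) -> list[str]:
    """Packages that declare `name` as a dependency, i.e. who pulled it in."""
    return [package_name(path)
            for path, meta in lock.get("packages", {}).items()
            if name in meta.get("dependencies", {})]


def unpinned_direct_deps(lock: dict) -> dict[str, str]:
    """Root dependencies whose range spec lets `npm install` float to a newer version."""
    root = lock.get("packages", {}).get("", {})
    return {n: spec for n, spec in root.get("dependencies", {}).items()
            if spec.startswith(("^", "~", ">", "<", "*")) or spec in ("latest", "*") or ".x" in spec}


def audit(lock: dict, suspicious: set[str]) -> dict[str, dict]:
    """Report each suspicious package present in the lockfile and its dependents."""
    report = {}
    for name in sorted(suspicious):
        hits = find_versions(lock, name)
        if hits:
            report[name] = {"versions": hits, "pulled_in_by": dependents_of(lock, name)}
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCK, {"plain-crypto-js"}), indent=2))
    print("unpinned direct deps:", unpinned_direct_deps(SAMPLE_LOCK))
```

On the constructed lockfile the audit reports plain-crypto-js 4.2.1 pulled in by axios, and flags the root's `^1.14.0` range as the reason a fresh install could have floated onto the bad release; replacing SAMPLE_LOCK with `load_lockfile("package-lock.json")` runs the same check against a real project.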
yan retweeted
20 Aug 2025
AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks. We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger.
94
549
3,819
1,554,716
17 Apr 2025
long thread about a phishing attack that has proper headers from google’s domain but for true DKIM stans, the interesting part starts here
16 Apr 2025
Replying to @nicksdjohnson
Here's how it works: First, they register a domain and create a Google account for 'me@domain'. The domain isn't that important but it helps if it looks like some kind of infra. The choice of 'me' for the username is clever, as you'll see in a minute.
6
19
150
18,868
yan retweeted
📣🚨 BAT SIGNAL: A law in France that would mandate a backdoor in end to end encrypted communications is set for a vote within the next day, after some start-stop skirmishes.

The French Narcotraffic law would require encrypted communications providers—like Signal—create a backdoor by giving the government the ability to add themselves to any group or chat they like. In the name of (checks notes) fighting drug trafficking.

While those hyping this bad law have rushed to assure French politicians that the proposal isn’t ‘breaking encryption’ their arguments are as tedious as they are stale as they are laughable. For those catching up, let’s review the basics: end to end encryption must only have two ‘ends’—sender and recipient(s). Otherwise, it is backdoored. Whatever method is devised to add a ‘third end’—from a perverted PRNG in a cryptographic protocol, to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats—it rips a hole in the hull of private communications and is a backdoor.

Indeed, the ghost participant proposal was roundly rebuked (humiliated, even) when it was first proposed in 2019 in the UK. The technical community was united, and it was never implemented in law or otherwise.

We cannot accept any backdoor, however it’s dressed up. Communications don’t stay within jurisdictional boundaries. Which means a hole created in France becomes a vector for anyone wanting to undermine Signal’s robust privacy guarantees, anywhere. Instead of contending with unbreakable math, they only have to compromise a French government employee, or the vendor-provided software used to sideload government operatives into your private chats.

This is why, as always, Signal would exit the French market before it would comply with this law as written.

At this moment especially, there is simply too much riding on Signal, on our being able to forge a future in which private communication persists, to allow such pernicious undermining. We hope—WE HOPE—that this callow, dishonest attack will fail, and will be the last. We would love to get back to the work of maintaining and improving our core technologies, instead of fighting legislation which is distinguished in nothing as much as its refusal to listen to decades of expert consensus in its drive to imperil global cybersecurity and the human right of privacy.
104
828
2,146
446,885
13 Feb 2025
(this is the sort of tweet that would have absolutely slapped on infosec twitter circa 2015, RIP)
1
72
5,096
6 Jan 2025
target.com prices delivery items based on your local store setting, not your delivery address, so if you live in SF just set your local store to Missouri or something lol
5
15
218
14,744
yan retweeted
23 Dec 2024
I benchmarked over 100 HTML tags so you don't have to and here are the visualized results. Not all HTML tags are created equal!
87
488
5,416
183,151
yan retweeted
13 Dec 2024
A little over 10 years ago I and @dugdep stood up the first Yahoo! Red Team when I joined the Paranoids under @alexstamos. Despite low morale through economic downturns, a failing business, terrible headlines, waves of layoffs and a legacy tech stack the Paranoids punched well above their weight. They detected and disrupted multiple nation state adversaries, offered encrypted email to millions of people when there was enormous political pressure not to (@bcrypt), enabled TLS for web properties even when a % of users were still on IE5/6, encrypted data center links as a result of the Snowden leaks and countless other efforts even when the odds were stacked against them. I have no doubt the people still there will continue delivering great work, and those who were let go will bring that same level of greatness wherever they land.
NEW: Yahoo laid off around 25% of its cybersecurity team, known internally and in the industry as "The Paranoids," in the last year. Company let go ~40 people out of ~200, according to multiple current and former Yahoo employees. techcrunch.com/2024/12/12/ya…
2
9
63
15,293
18 Nov 2024
70 mb/24 hours, call it hurricane comcast
18 Nov 2024
A massive "bomb cyclone" is set to explode off the U.S. West Coast with hurricane force winds, flooding rains, and enormous mountain snow from Category 5 atmospheric river. Central pressure will fall almost 70 mb / 24 hours reaching 942 mb -- similar to Category 4 hurricane.
5
7
73
9,943
2 Nov 2024
just drove by the same people we drove by 4 hours ago. proof the universe is running out of memory.
8
5
105
8,064
2 Nov 2024
reminder that the bcrypt hash function ignores input above a certain length! so if you do bcrypt(username || password) for some reason, a sufficiently long username will make it accept any password. to fix this you can sha256 the input first.
Okta allowing login bypass for any usernames with 52 characters is insane Official Security Advisory: trust.okta.com/security-advi…
62
1,001
6,161
747,518
2 Nov 2024
(despite my username i have nothing to do with the design of bcrypt, this is just a password hashing stan account)
8
3
519
27,853