November 23, 2023

                            November 23, 2023

                November 23, 2023

                        November 23, 2023

            Skyview

To be very clear. I believe Ilya Lichtenstein took the blame. I believe his Father, Eugene, was a Russian Asset. I believe Eugene responsible for the Bitfinex Theft.  And there isca WHOLE lot more https://t.co/6M1pGdBZ11
— Brett Johnson (@GOllumfun) November 23, 2023

Don’t ever let anyone Jedi mind trick you out of the fact that the “Disclosure” in “Vulnerability Disclosure” stands for Disclosure to parties at risk so they can protect themselves, NOT disclosure to a vendor so they can sit on it & call you irresponsible if you warn the public.
— Katie🌻Moussouris (she/her) (@k8em0) November 23, 2023

Not to brag, but I've been crying in the car since way before the high gas prices
— Jason Not Evil (@JasonNotEvil) March 10, 2022

🚨 cool vehicle alert 🚨 pic.twitter.com/786bMJpcrl
— america's lounge singer (@KrangTNelson) November 22, 2023

Annual P&L for a very large cybercrime org. Customer acquisition is the expensive bit (70% of revenue just for affiliate fees) but EBITDA still ends up at ~28%.

It’s hypothetical but indicative & pieced together by @TrendMicro from leaked data & estimates https://t.co/PIl8Cil1Y8 pic.twitter.com/HatWGymnzg
— Artturi Lehtiö (@lehtior2) April 10, 2023

Excellent analysis on the (reportedly) #CIA hardware implant (bug) discovered in #Germany in 2018 to spy on a #WikiLeaks activist. Also used to spy on Julian Assange.

It was installed in a #CryptoPhone IP19.https://t.co/1TLWNrWzAF#Tradecraft #BlackBagOp
— Spy Collection (@SpyCollection1) March 24, 2023

Can we emulate Arm64 #PinePhone with @Unicorn_Engine ... To automate the testing of Apache #NuttX Real-Time Operating System with #RustLang? Let's find out!

Article: https://t.co/OFJLhbGaO7 pic.twitter.com/tIWu4y98um
— Lup Yuen Lee 李立源 (@MisterTechBlog) February 25, 2023

infosec interview tip: it's okay to say "i don't know", for example your interviewer also doesn't know how to pronounce "@thegrugq"
— “Alex” (@mangopdf) March 1, 2022

I get this all the time. “How do you pronounce grugq?” Simple, just like it’s spelled.

New idea: Airdropping these into the parking lot of the Iranian nuclear program https://t.co/J5h8ShhZ1d
— SwiftOnSecurity (@SwiftOnSecurity) November 23, 2023

20 8TB external harddrives.

These will be cloned with 5.22TB of malware and mailed to nerds.

Please pray for any inspector who decides to mount these on a Windows machine to inspect them 🙏 pic.twitter.com/IeEAyBJHLL
— vx-underground (@vxunderground) November 22, 2023

This is kinda a good point actually. People know not to plug in USB sticks they find in the parking lot… but what about external hard drives they win are sent as part of a survey to solicit “honest reviews” from “real users”? “We want bias free reviews which is why regardless of your feedback, the drive is yours to keep!” 
Next month… free home wifi routers…

            lcamtuf :verified: :verified: :verified:: ""AI safety" is such an interesting but nebulous c…" - Infosec Exchange
            "AI safety" is such an interesting but nebulous concept. If you're thinking about building a career in this space, I think it can be broadly divided into several subcategories:

1) Traditional infrastructure security & IP protection for AI platforms. We know this, we kinda suck at it. Boring. There are some novel bits here about extracting some knowledge about the model or the underlying training data via prompting, but the bulk of it is just traditional infosec.

2) Brand safety: making sure that your LLM can't be made to praise Hitler, deny climate change, or generate porn. This is where the vast majority of commercial "AI safety" efforts are focused today. Because we cherry-pick contemporary hot button issues, the results are inconsistent and sometimes funny, but I get it. You can't have it any other way. There's certainly money to be made by developing standardized, comprehensive evaluation frameworks.

3) Functional safety: making sure that the LLM can't be tricked into performing unwanted actions once deployed in commercial settings (e.g., customer support). Arguably the hardest problem; if it doesn't outright derail adoption, it's going to be a major source of infosec lolz in the coming years. Specialize in this early and get ahead.

4) Doomsday safety. Intellectually stimulating but not terribly scientific, as it deals with the technology we don't have right now and that we don't know much about. Has two major flavors:

- "Hard" doomerism, which posits that we won't be able to reliably contain a superhuman AGI, so we shouldn't attempt to build it. I think that's a pretty coherent view.

- "Soft" doomerism, which posits that AGI is safe if aligned with human values. Seems pretty hand-wavy to me. Because we can't intuitively grasp what's going on inside an LLM, this gets reduced to #2 (brand safety): ask the LLM what it thinks about Hitler and puppies and don't release it if gets the answers wrong. The dodgy assumption here is that the answer is a reflection of an internal moral compass and that it will remain constant no matter what.

I don't think there's money to be made on "hard" doomerism unless you want to monetize a podcast or a blog; as for "soft" doomerism, the prescription listed in #2 certainly holds, and it's something that the recent White House order will help you sell.

                            Don't miss what's next. Subscribe to the grugq's newsletter: