select known-vulnerable dependency versions 50% more often than humans.

A deliberately planted backdoor doesn’t have a CVE.

The median JavaScript project on GitHub has 755 transitive dependencies

the entities making dependency decisions are increasingly not human.

Socket, an a16z portfolio company, detected the malicious dependency in the Axios attack within 6 minutes of its publication. That's roughly 63,000 times faster than the industry average.

Hallucinated packages are the sleeper threat. LLMs regularly invent package names that don't exist. One study found that nearly 20% of AI-recommended packages were fabrications, and 43% of those hallucinated names appeared consistently across queries.

Gemma 4 models undergo the same rigorous infrastructure security protocols as our proprietary models.

Security has always been a team sport, and the defenders who have protected this industry for decades have never succeeded by working in isolation.

New AI models, especially those from Anthropic,have triggered a new set of actions for how we build and secure our products.

There will be more attacks, faster attacks, and more sophisticated attacks. Now is the time to modernize cybersecurity stacks everywhere.

In the past, security expertise has been a luxury reserved for organizations with large security teams. Open source maintainers—whose software underpins much of the world's critical infrastructure—have historically been left to figure out security on their own.

AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

using "Open File..." dialog (`⌘+O`) you could still open and view any file on the system and could preview any file that safari could preview (e.g. `.html`, `.htm`, `.txt`, `.pdf`, and image files)

by "saving" the webpage (`file->save as`) instead of downloading it (which Safari automatically adds an extension for) I could force it to save it as `malicious_file` (with no extension).

macOS decides to boot the `Volumes` partition which includes `Data`, `Macintosh HD`, `macOS Base System`, and `Preboot` systems, and when you choose the `Macintosh HD` it allows you to save the file to the Mac's permanent disk.

computer-use agents extend language models from text generation to persistent action over tools, files, and execution environments

verifiers and observer models inside the action-memory loop reduce silent failure and information leakage while remaining vulnerable to misspecification.

How I Dropped Our Production Database and Now Pay 10% More for AWS

most front-end developers have normalised doing daily trust falls with their codebases

What Your Bluetooth Devices Reveal About You

a user will want to move their passkeys to the Credential Manager of a different vendor or platform. This is currently challenging to do, but FIDO and vendors are actively working to address this issue and we wait to see support for this take hold across the market.

Like the Elliptic curve Diffie-Hellman (ECDH) protocol that Signal has used since its start, KEM is a key encapsulation mechanism. Also known as a key agreement mechanism, it provides the means for two parties who have never met to securely agree on one or more shared secrets in the presence of an adversary who is monitoring the parties’ connection. RSA, ECDH, and other encapsulation algorithms have long been used to negotiate symmetric keys (almost always AES keys) in protocols including TLS, SSH, and IKE. Unlike ECDH and RSA, however, the much newer KEM is quantum-safe.

These foods offeredat least a semblance of preparedness in a time of turmoil

EASY STEPS ON HOW TO CHANGE YOUR HIVE WALLET KEYS

Whatever is at the center of our life will be the source of our security, guidance, wisdom,and power. Security represents your sense of worth, your identity, your emotionalanchorage, your self-esteem, your basic personal strength or lack of it.Guidance means your source of direction in life. Encompassed by your map, yourinternal frame of reference that interprets for you what is happening out there, arestandards or principles or implicit criteria that govern moment-by-moment decision-making and doing.Wisdom is your perspective on life, your sense of balance, your understanding of howthe various parts and principles apply and relate to each other. It embraces judgment,discernment, comprehension. It is a gestalt or oneness, an integrated wholeness.Power is the faculty or capacity to act, the strength and potency to accomplish something.It is the vital energy to make choices and decisions. It also includes the capacity toovercome deeply embedded habits and to cultivate higher, more effective ones.

As an interdependent person, I have the opportunity to share myself deeply,meaningfully, with others, and I have access to the vast resources and potential of otherhuman beings.

If I amemotionally interdependent, I derive a great sense of worth within myself, but I alsorecognize the need for love, for giving, and for receiving love from others. If I amintellectually interdependent, I realize that I need the best thinking of other people to joinwith my own.

Manypeople who give mechanically or refuse to give and share in their marriages and familiesmay never have experienced what it means to possess themselves, their own sense ofidentity and self-worth

To this day, if you know the right people, the Silicon Valley gossip mill is a surprisingly reliable source of information if you want to anticipate the next beat in frontier AI – and that’s a problem. You can’t have your most critical national security technology built in labs that are almost certainly CCP-penetrated

The "move fast and break things" ethos of Silicon Valley is incompatible with the security demands of superintelligence

the lion's share of American federal outlays every year are in things like Medicare, Social Security, entitlement programs that Americans rely on. Yeah, I think Elon Musk has brought that to attention many times over the last couple of months when talking doge

If I follow the new examples and implement them in my code (e.g. Passkeys), how will I know if a security issue is found in the examples in the future? Currently, libraries get updated and I pull in the new version. Unless I remember to check back occasionally, I'll never know if the example code is updated or fixed.

Using any of the authentication mechanisms (login, password reset, or password recovery), an application must respond with a generic error message regardless of whether: The user ID or password was incorrect. The account does not exist. The account is locked or disabled.

Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP),

Europe should build its foreign policy on a coordinated response to the climate question.

We believe the bill unduly dictates one particular technical approach, and does so without considering the privacy, security, and equity risks it poses.

restricted sites and critical infrastructure.

Emotional security. The feeling of being at home in the presence of another. Safe to be who you are, good times or bad.

one man in his half a page which I actually acquired in the process of writing a book 15 years ago typ written a typewritten half a page he said what we must do we must treble our deficit treble our deficit we have a deficit which is bad we must make it three times as big and make the capitalists of the rest of the world pay for it which is exactly what happened the United States should increase its deficit and use it to create aggregate demand for the net exports of Germany and Japan and later on China

when he saw the macroeconomic statistics and he saw that from 1968 from 1968 onwards America for the first time since the 1930s had become a deficit country

It comesafter a couple believes they have achieved a level of financial stability.

The architect of the Official PovertyMeasure—the poverty line—was a bureaucrat working at the SocialSecurity Administration named Mollie Orshansky.

Having plans and mechanisms in place to prevent, detect, and respond to cyber or physical security threats

@user = GlobalID::Locator.locate_signed params[:id]

First, the complexity of modern federal criminal law, codified in several thousand sections of the United States Code and the virtually infinite variety of factual circumstances that might trigger an investigation into a possible violation of the law, make it difficult for anyone to know, in advance, just when a particular set of statements might later appear (to a prosecutor) to be relevant to some such investigation.

On call. Incident response. Compliance deadlines. Like any IT job, stuff breaks. Long unpaid hours keeping up on tech to remain competitive. Dealing with the politics of your management not sincerely wanting to spend the money required to do things right and

writing code, reviewing code, deploying configs to harden environments, reading CVEs to know just how bad that vulnerability in our environment is and where it prioritize it in patching and what it could affect, trying to make sense of logs to determine if that oddity is an indicator of compromise or not

this company's got not good for safety

open AI literally yesterday published securing research infrastructure for advanced AI

this is a serious problem because all they need to do is automate AI research 00:41:53 build super intelligence and any lead that the US had would vanish the power dynamics would shift immediately

the model Waits are just a large files of numbers on a server and these can be easily stolen all it takes is an adversary to match your trillions 00:41:14 of dollars and your smartest minds of Decades of work just to steal this file

our failure today will be irreversible soon in the next 12 to 24 months we will leak key AGI breakthroughs to the CCP it will 00:38:56 be to the National security establishment the greatest regret before the decade is out

here are so many loopholes in our current top AI Labs that we could literally have people who are infiltrating these companies and there's no way to even know what's going on because we don't have any true security 00:37:41 protocols and the problem is is that it's not being treated as seriously as it is

and the security of the system and its content

http://example.com/didcomm

If you are okay with the user appending arbitrary query params without enforcing an allow-list, you can bypass the strong params requirement by using request.params directly:

Performing a redirect by constructing a URL based on user input is inherently risky, and is a well-documented security vulnerability. This is essentially what you are doing when you call redirect_to params.merge(...), because params can contain arbitrary data the user has appended to the URL.

Identify, prioritize, and resolve dependency risk Once dependencies are identified, Black Duck Security Advisories enable teams to evaluate them for associated risk, and guides prioritization and remediation efforts. Is it secure? Receive alerts for existing and newly discovered vulnerabilities, along with enhanced security data to evaluate exposure and plan remediation efforts. Is it trustworthy? Perform a post-build analysis on artifacts to detect the presence of malware, such as known malicious packages or suspicious files and file structures, as well as digital signatures, security mitigations, and sensitive information. Is it compliant? For every component identified, Black Duck SCA provides insights into license obligations and attribution requirements to reduce risk to intellectual property. Is it high quality? Black Duck SCA provides metrics that teams use to evaluate the health, history, community support, and reputation of a project, so that they can be proactive in their risk mitigation process.

Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.

Alternatively, a simple public key canserve as an identifier, eliminating the DID/DIDDoc abstraction2

Youtube Kids is an example of how the product designed for kids differs from the one targeting adults. It’s much easier to navigate thanks to bigger buttons and fewer content boxes on the page. Plus the security settings on the platform make sure that younger users are safe and have access to appropriate content. Those all are parts of a thought-through design interface for children.

He marveled at how the SouthCarolinians deluded themselves in believing they were safe, burdened asthey were with a large slave population—“stupid security,” he called it.

Likewise, we “trusted the process,” but the process didn’t save Toy Story 2 either. “Trust theProcess” had morphed into “Assume that the Process Will Fix Things for Us.” It gave ussolace, which we felt we needed. But it also coaxed us into letting down our guard and, in theend, made us passive. Even worse, it made us sloppy.

Update email template to indicate that the link needs to be kept secure (e.g. do not share it)

Do not pass arguments right into subshell, it's as unsafe as eval.

The mortgage document which secures the promissory note by giving the lender an interest in the property and the right to take and sell the property—that is, foreclose—if the mortgage payments aren't made.

So we have 50 independent electoral systems that kind of work in conjunction in tandem, but they're all slightly different and they're all run by the state.

less secure sign-in technology

To keep your account more secure, Gmail no longer supports third-party apps or devices which require you to share your Google username and password. Sharing your account credentials with third-parties makes it easier for hackers to gain access to your account.

Prepare to transition away from Google Sync Google Sync doesn’t support OAuth authentication, 2-factor authentication, or security keys, which leaves your organization’s data less secure.

for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.

This can result in an unwanted increase in fraudulent account creations, or worse; attackers successfully stealing social media account credentials from legitimate users.

Given the security implications of getting the implementation correct, we strongly encourage you to use OAuth 2.0 libraries when interacting with Google's OAuth 2.0 endpoints. It is a best practice to use well-debugged code provided by others, and it will help you protect yourself and your users. For more information, see Client libraries.

Warning: Do not accept plain user IDs, such as those you can get with the GoogleUser.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.

It would have been fantastic to eschew this ridiculousness, because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand.

permanent security”

Feminist analyses see both the state and trafficking networks as threats to security, as trafficked persons lack freedom of movement and are at risk of abuse and poor health

Improving reproductive health and addressing gender inequalities are crucial for promoting human security.

health impacts of violent conflict, bioterrorism, pandemics, and endemic diseases disproportionately affecting certain regions are all linked to health and security

World Health Organization (WHO) and policymakers recognize the importance of health for international peace, stability, and human security.

onsidering gender in discussions of human security and argues for a balanced focus on both freedom from fear and freedom from want.

evidenced by the lack of involvement of women in drafting the new constitution and the passing of repressive legislation.

"responsibility to protect" (R2P).R2P suggests that states have a responsibility to intervene and protect civilians in other states if they are unable or unwilling to do so themselves.Some feminist scholars argue that the language of protection can reinforce gendered and racialized narratives.

issues of human security and human rights are sometimes used as justifications for military intervention.

The focus on individuals in human security discourse may overlook vulnerabilities and threats that are linked to larger associations such as gender, class, and ethnicity.

International Criminal Court

providers of human security, and that NGOs and international organizations

mphasizes empowering individuals to take action for their own security and well-being.

he United Nations Development Programme and the Commission on Human Security have played important roles in promoting and defining the concept of human security.

Human security includes freedom from fear and freedom from want, and encompasses various elements such as economic security, food security, health security, environmental security, personal security, community security, and political security.

wars, conflicts, famine, and poverty are all examples of insecurity that can harm individuals and communities.

"environmental security" and how it can be linked to traditional security ideas.Some view this connection as a positive way to address the threats posed by environmental degradation, while others see it as adding unnecessary complexity to the concept of security.

human security, shifting the focus from states to individuals.

authenticate_by addresses the vulnerability by taking the same amount of time regardless of whether a user with a matching email is found: User.authenticate_by(email: "...", password: "...")

Implement restrictive defaults (potentially allowing an explicit bypass) I understand that easy usability and rich out-of-the-box functionality is likely essential to this library's appeal to its users. Nevertheless I'd like to propose making the authorization properties ransackable_[attributes/associations/etc.] empty sets by default, forcing the developer to explicitly define whitelists for their use case. To soften the usability blow, a new ransack_unsafe(params[:q]) or ransack_explicit(params[:q], ransackable_attributes='*', ransackable_associations=(:post, :comment)) method could be introduced to offer developers a shorthand to bypass or override the whitelists for specific queries (after they've had to read a warning about why these methods can be dangerous).

Browsers can of course choose to ignore this. Again, CORS protects your client - not you.

Inspect the proposed changes in the pull request and ensure that you are comfortable running your workflows on the pull request branch. You should be especially alert to any proposed changes in the .github/workflows/ directory that affect workflow files.

Apparently, Google uses some additional heuristics to decide whether the link should be displayed or not. The List-Unsubscribe header could be abused by spammers to validate that their target got the message, and thus, GMail only shows the unsubscribe link if the source of the message has accumulated sufficient trust.

npx link is a tool I developed as a safer and more predictable alternative to npm link.