描述了高达54,000欧元的账单激增现象，表明AI API使用监控和防护存在严重漏洞，这种自动化滥用突显了当前API安全机制的脆弱性，对AI服务提供商和开发者都是警钟。

这一统计洞察颠覆了“AI写代码更安全”的迷思。AI代理在优化代码功能性时，往往以牺牲安全性为代价，倾向于选择存在已知漏洞的旧版本依赖。这反映出当前AI模型在训练时对安全维度的忽视，也警示我们在AI辅助开发流程中必须强制引入自动化的安全卡点。

Hitzewellen bedrohen durch ihre zunehmende Zahl und Intensität das globale Ernährungssystem. Der Guardian hat Experten zu den Folgen von Hitzewellen am Land und in den Ozeanen für die Ernährungssicherheit befragt. Hitzewellen haben dramatische Auswirkungen etwa auf die Erträge von Nutzpflanzen und auf Lebensbedingungen von Fischen. Die Folgen sind im Detail oft nur unzureichend erforscht. https://www.theguardian.com/environment/2023/jul/21/rampant-heatwaves-threaten-food-security-of-entire-planet-scientists-warn

Whaaat ?!

Good question: Why do the big players like Azure not seem to worry? Microsoft, Amazon, Google, etc. too probably. In fact, any email provider. So once someone knows your email address, you are (more) vulnerable to someone trying to hack your account. Makes me wonder if the severity of this problem is overrated.

Irony: He (using his full real name) posts:

1. Information about which account ("my Azure account is my email address"), and
2. How high-value of a target he would be ("both sites manage highly valuable information that could take a whole company out of business...")

thus making himself more of a target. (I hope he does not get targetted though.)

Love, D., Allison, E. H., Asche, F., Belton, B., Cottrell, R. S., Froehlich, H. E., Gephart, J. A., Hicks, C., Little, D. C., Nussbaumer, E. M., da Silva, P. P., Poulain, F., Rubio, A., Stoll, J. S., Tlusty, M. F., Thorne-Lyman, A. L., Troell, M., & Zhang, W. (2020). Emerging COVID-19 impacts, responses, and lessons for building resilience in the seafood system [Preprint]. SocArXiv. https://doi.org/10.31235/osf.io/x8aew

McKee, M., Stuckler, D. If the world fails to protect the economy, COVID-19 will damage health not just now but also in the future. Nat Med (2020). https://doi.org/10.1038/s41591-020-0863-y

Certain HP laptops have flawed audio drivers that record all your keystrokes to: C:\Users\Public\MicTray.log

If these files exist, delete them: C:\Windows\System32\MicTray64.exe C:\Windows\System32\MicTray.exe

Thousands of poorly secured MongoDB databases have been deleted by attackers recently. The attackers offer to restore the data in exchange for a ransom -- but they may not actually have a copy.

In November 2016, a bug was discovered in Kaspersky Anti-Virus software that was effectively disabling SSL certificate validation.

Malware hidden in ad banners with steganography.

A race condition bug that has existed in most versions of the Linux kernel for nine years can be exploited for privilege elevation.

The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords."

"We demonstrate that well-known compression-based attacks such as CRIME or BREACH (but also lesser-known ones) can be executed by merely running JavaScript code in the victim’s browser. This is possible because HEIST allows us to determine the length of a response, without having to observe traffic at the network level."

HEIST attacks can be blocked by disabling 3rd-party cookies.

https://twitter.com/vanhoefm<br> https://twitter.com/tomvangoethem

These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.

...

Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages.

https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

HID VertX and Edge controllers for security doors were discovered to have a command injection vulnerability that made it possible for attackers to open them via the Internet.

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Businesses need to be more careful to avoid revealing customers' personal information. And they should record calls, and watch them collectively over time for signs of suspicious activity.

The harasser in this article tricked customer service representatives into giving him private details about his victims. Starting with whatever information he could find online (a birthdate, the name of a pet) he would call repeatedly until he succeeded in getting other details -- which would make him still more convincing, so he could get more details.

In one case, he pretended to be a company technician for ISP Cox Communications. They didn't have a procedure to verify the ID of their own technicians?

Social engineering)

"At issue is a root certificate installed on newer Dell computers that also includes the private cryptographic key for that certificate. Clever attackers can use this key from Dell to sign phony browser security certificates for any HTTPS-protected site."