🎁 GenAI x Sec Advent #20

Did you know there is an Nmap for LLMs? 🤔

So we are building more and more GenAI systems, but how do we know if they are secure enough for production? 👇

Let’s talk about @garak_llm, the "Nmap for LLM"!

Garak is a tool from NVIDIA that lets you scan your model for potential vulnerabilities or weaknesses by sending probes!

☠️ A probe is basically a targeted input designed to test and expose vulnerabilities or failures in a language model’s behavior.

🤓 Think of it like a locksmith testing every key on a ring to find the one that unlocks a door that shouldn’t be open.

There are already more than a hundred different probes for encoding, malware generation, prompt injection, and more… 🤯

➡️ Garak: github.com/NVIDIA/garak/tree/m

#Genai #cybersecurity #llm #infosec #redteam

If everything around you
seems dark, look again
you may be the light.

-- Rumi

(1207-1273)

I think in hindsight I regret not job hopping more early in my career. I was always cautious of the fact that you don’t know how good or bad a job will be until you already start working there. So my logic was if I’m happy with my current job, why quit for a shot at a slightly better one? Which wasn’t helped by the fact that a friend and I both got job offers from a company I’ve wanted to work at my whole life. I turned it down because anxiety, he joined and ended up quitting the second he could because it turned out to be a bureaucratic nightmare 😆

Did you realize that we live in a reality where SciHub is illegal, and OpenAI is not?

TIL that printer cartridges may come with a printer firmware update

"Am I pro-Israel or pro-Palestine? I have no idea.

I'm pro-not-killing-civilians.

I'm pro-not-trapping-millions-of-people-in-open-air-prisons.

I'm pro-not-shooting-grandmas-in-the-back-of-the-head.

I'm pro-not-flattening-apartment-complexes.

I'm pro-not-raping-women-and-taking-hostages.

I'm pro-not-unjustly-imprisoning-people-without-due-process.

I'm pro-freedom and pro-peace and pro- all the things we never see in this conflict anymore.

Whatever this is, I want none of it."

Isaac Saul

The year is 2029. I have lost my job because programmers have been replaced by LLMs and badly paid "fine tuners." So, now I'm selling CDs out of my trenchcoat. On these CDs is a text-only archive of Wikipedia which I downloaded in 2017, burned on an old laptop that has been airgapped ever since. (All other repositories of knowledge have since been irrecoverably corrupted by LLMs.)

Just in case other vi(m) folks are also a few years late to the following party:

:%!jq

is magical

so, the reddit API protest has taken a different direction, now people are uploading gigabytes of videos to reddit which are just noise. i cannot stress this enough, do NOT run the command ffmpeg -filter_complex "nullsrc=s=1920x1080,geq=random(1)*255:128:128[vout]" -map "[vout]" -t 46 -c:v libx264 out.mp4 in order to generate one of these large video files then upload them en masse in order to slow down their servers, that totally will not help with the protest

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
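
The point about the seed in the post above, as an added example that is not part of the original post: a minimal RFC 6238 TOTP generator showing that a one-time code depends only on the secret carried in the QR code and the clock, so anyone holding a copy of that secret computes the same codes. The URI is a constructed sample built on the RFC 6238 test key, and `parse_otpauth`, `totp` and `code_for` are names chosen here.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: what a 2FA QR code encodes. The secret is the RFC 6238
# SHA-1 test key b"12345678901234567890" in Base32; the account is made up.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    b32 = params["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # QR codes usually omit Base32 padding
    secret = base64.b32decode(b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return secret, digits, period


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA-1, the default for authenticator apps."""
    counter = struct.pack(">Q", unix_time // period)  # time step as 8-byte big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_for(uri, unix_time):
    """Code that any holder of the URI's secret computes at unix_time."""
    secret, digits, period = parse_otpauth(uri)
    return totp(secret, unix_time, digits, period)


if __name__ == "__main__":
    # Nothing device-specific enters the computation: the enrolled phone and
    # a stored copy of the same secret produce identical output.
    for t in (59, 1111111109, 1234567890):
        print(t, code_for(SAMPLE_URI, t))
```
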

Don't forget to use the @misp feed overlap matrix. It's a quick way to spot the overlapping/similar feeds from different sources such as external CTI feeds but also the cached MISP instances.

#CTI #threatintel #misp

If you want to check on your instance, it's in /feeds/compareFeeds

Several Mastodon instances (including Newsie) have come under cyber-attack recently by state-level actors.

If you are the admin of a Mastodon Instance that overlaps arts, human rights, civil society, journalism, or democracy and would like FREE cyber security protection from Cloudflare as part of Project Galileo please reach out as Fourth Estate is a long-time Project Galileo partner

See: cloudflare.com/galileo/

#mastoadmin #mastodon

Finally it is there: A GUI version of PortexAnalyzer🔎

PortexAnalyzer is a free PE parser tailored for malware analysis. It uses the library PortEx.

🔽Download: github.com/struppigel/PortexAn
#PortEx #PortexAnalyzer

The best advice I have for anyone just coming here is to replace the location of the Twitter app on your phone with Mastodon and let your own muscle memory force you into adapting.

Auto-sync from birdsite 

This will probably be my last direct post to Twitter. My account may or may not stay active, and I may or may not get to delete old posts. Auto-syncing from @rene_mobile has now been disabled. Please follow me on the Fediverse for further updates.

If you're trying to find journalists on Mastodon, I've created a verified database of several hundred here: presscheck.org. Since the backlog has become enormous, the unverified waiting list is now public also: presscheck.org/pending
