This isn’t an Obsidian thing, it’s just the next iteration of the GTD mania of the aughts or the Atomic Habits people or whatever other trend. There will always be people trying to optimise their organisational workflow to no end. Some of the least prolific coders I know have the most heavily customised vim. The problem with adding AI is these people are addicted to the brain crack of doing it themselves so AI is sort of antithetical to the philosophy.
Absolutely right! The immediate feedback and sense of accomplishment from doing things yourself can be incredibly satisfying. But AI actually excels at providing instant positive reinforcement in this area—especially Vibe Coding. It's seriously addictive... hahaha
In high school, an acquaintance of mine made the website "e-imagesite.com" [1]. It was a very easy-to-use image uploading site (and honestly less irritating than ImageShack and predated imgur). It was just being hosted on HostGator, I believe, and written in PHP and used jQuery.
I believe he had to eventually shut it down because people kept uploading horrifying stuff to it, and it was never even that popular. Child porn and bestiality were constantly being uploaded and I don't think he liked having to constantly report stuff to the FBI.
After building a proper comment section for my blog (including tripcodes!), I've thought about making my own "chan" site, since I think that could be fun, but I am completely terrified of people uploading horrible stuff that I would be forced to sift through and moderate pretty frequently. User submissions open up a huge legal can of worms and I am not sure that's a path that I'm willing to commit myself going down.
When there's strong anonymity, I suspect that this problem could be even worse.
It's a little depressing, because decentralized and distributed computing is one of the most interesting parts of computer science to me, but it feels like whenever I mention anything about it, people immediately assume piracy or illicit material.
Yeah, I’m fully in support of a decentralised web but the internet is old enough now that being naive about this stuff has become equivalent to being maliciously incompetent. Without designing for things like community or self-governance and moderation, you’re designing for trouble. Thinking about ways to healthily cultivate a peer-to-peer web doesn’t make someone a Nazi, it makes them a responsible member of a community.
> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.
You mean... the thing that they had? FTA:
"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."
There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.
Read the article further. When the police called the phone number on the document, the person on the other end denied that they were authorized to be in the building.
But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.
I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse deny we had authority seems impossible to me... At least if you're doing things the way we did.
> The idea that the emergency contact wouldn't answer...seems impossible to me
I can’t understand how you think this is impossible if you do things “the right way”.
Phones gets stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on.
These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse.
I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?
Those were always my favourite episodes too! Enough to get into a career doing social engineering and physical intrusions. It's very tense! You're right to think it's insane; the nature of these jobs is that unlike most kinds of pentesting, very few people are aware that a test is occurring. We will sometimes bring a fake "get out of jail free" card to test the very thing you mention, whether people will actually verify out of band. I've been on jobs where we've been called out and they've checked our fake details and you see people's whole body language change in those moments between them figuring out you're not who you say you are and figuring out what they're willing to do about it. You absolutely see the thought "Do I need to hurt these guys? Are they going to hurt me?" go through someone's mind. It's never come to anything truly harrowing in my experience, professionalism and good communication skills go a long way, but they also can only go so far. It's much more common to have zero issues though, because as you can surmise, social engineering is extremely effective, so getting challenged at all is pretty rare.
The purpose of the paper isn't to act as a "get out of jail free" card. It's to (hopefully) prevent the handcuffs from coming out while they verify the information. They're expected to contact the appropriate people before letting anyone go. Usually the emergency contact would be nearby and come to the site to discuss the project with their security team.
The best use? Probably not. But if I built a website that let people generate extremely convincing unlimited photos of you wearing an SS uniform and forcing your dog to smoke meth and sent them to everyone you’ve ever met, this might seem like a less worthy hill to die on. Or is that just a sticks and dirt thing too?
Everybody I care about would know that those pictures are not real so I think that the harm to me would likely be lower than the harm to society if building websites were impossible.
The people who are sending the pictures are criminally liable, regardless where they got them.The fact that somebody built a website for it is irrelevant, the act of sending them unsolicited is the immoral act here. (And frankly it's probably gonna be laughed off or end up as spam unless somebody you associate with is an idiot.)
If you follow the X chatter on this, some folks got into the groups and tracked all the numbers, their contributions, and when they went "on shift" or "off".
I don't really think Signal tech has anything to do with this.
Yeah. It's notable they didn't crack the crypto. In the 90s when I was a young cypherpunk, I had this idea that when strong crypto was ubiquitous, certainly people would be smart enough to understand its role was only to force bad guys to attack the "higher levels" like attacking human expectations of privacy on a public channel. It was probably unrealistic to assume everyone would automatically understand subtle details of technology.
As a reminder... if you don't know all the people in your encrypted group chat, you could be talking to the man.
Yes, but they have their own weaknesses. For instance, Briar exposes your Bluetooth MAC, and there's a bunch of nasty Bluetooth vulns waiting to be exploited. You can't ever perfectly solve for both security and usability, you can only make tradeoffs.
Briar has multiple modes of operation. The Bluetooth mode is not the default mode of operation and is there for circumstances where Internet has been shut down entirely.
For users who configure Briar to connect exclusively over Tor using the normal startup (e.g., for internet-based syncing) and disable Bluetooth, there is no Bluetooth involvement at all, so your Bluetooth MAC address is not exposed.
Both Session and Briar are decentralized technologies where you would never be able to approach a company to get any information. They operate over DHT-like networks and with Tor.
Signal does give out phone numbers when the law man comes, because they have to, and because they designed their system around this identifier.
Signal can still tell law enforcement (1) whether a phone number is registered with Signal, and (2) when that phone number signed up and (3) when it was last active. That's all, and not very concerning to me.
To prevent an enumeration attack (e.g. an attacker who adds every phone number to their system contacts), you can also disable discovery my phone number.
While Session prevents that, Session lacks forward secrecy. This is very serious- it's silly to compare Session to Signal when Session is flawed in its cryptography. (Details and further reading here https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ ). Session has recently claimed they will be upgrading their cryptography in V2 to be up to Signal's standard (forward secrecy and post-quantum security), but until then, I don't think it's worth considering.
I agree that Briar is better, but unfortunately, it can't run on iPhones. I'm in the United States and that excludes 59% of the general population, and about 90% of my generation. It's not at fault of the Briar project, but it's a moot point when I can't use it to talk to people I know.
A society which took psychological safety seriously would never have created ChatGPT in the first place. But of course seriously advocating for safety would cost one their toys, and for one unwilling to pay that cost, empowering the surveillance apparatus seems very reasonable and easily confused for safe. When one’s children or friends’ children can no longer enter an airport because some vibe-coded slop leaked their biometrics, we’ll see if that holds true.
Using any variant of NTLM is insecure, which is why Microsoft is phasing it out in Windows 11/Server 2025. Which means we should be free of it some time around 2060.
A lot of good information for infra teams to internalise, although I worry that it gets a bit lost in the structure of the piece (there's kind of like 3-5 separate essays here but nothing a good edit couldn't fix.) One thing I'll add (or at least crystallise because I think the pieces are there) is that attack surface management is critical. A lot of the issues here are relevant in exactly the same scenario as exposing web applications. I have reported vulnerabilities in a lot of AI applications in prod and the issues aren't magic or even novel. They're typically the same authorisation and injection issues people have been talking about for decades. The methods of securing them are the same. Unfortunately it's not uncommon for companies to get compromised via a good old fashioned REST API on an exposed dev domain, but I probably wouldn't go so far as to say "REST APIs will compromise your cybersecurity posture." I would just say companies have found another tool to flex their indifference towards protecting user and company data.
Properly securing LLMs goes agains branding, I guess. "this tool is like getting new intern every 15 minutes! they read and write fast and know a lot of stuff, but can accidentally attack or sabotage you if they get distracted! oh, and they work remotely only!" doesn't sound like a good pitch
I have been asking if the business would be happy to employ an extremely gullible insider with a short memory, who sometimes just makes things up, with no fear of any legal repercussions or being fired, to work on important stuff.
reply