Recent Events for foo.be MainPageDiary (Blog)

FeedCollection


Justin Mason

2025-09-17

  • 11:32 UTC A better future for JavaScript that won't happen
    This is 100% spot on, regarding the never-ending series of exploits of failures of npm's security model:
    "This could be the moment where npm comes to terms with its broken design, and with a well-funded effort (recall that, ultimately, npm is GitHub is Microsoft, market cap $3 trillion USD), will develop and roll out the next generation of package management for JavaScript. It could incorporate the practices developed and proven in Linux distributions, which rarely suffer from these sorts of attacks, by de-coupling development from packaging and distribution, establishing package maintainers who assemble and distribute curated collections of software libraries. By introducing universal signatures for packages of executable code, smaller channels and webs of trust, reproducible builds, and the many other straightforward, obvious techniques used by responsible package managers. Maybe other languages that depend on this broken dependency management model, like Cargo, PyPI, RubyGems, and many more, are watching this incident and know that the very same crisis looms in their future. Maybe they will change course, too, before the inevitable. [....] No one will learn their lesson. This has been happening for decades and no one has learned anything from it yet. This is the defining hubris of this generation of software development."
    I have been saying this for YEARS. I could not agree more with this post. Bravo! (via Oisin)
    Tags: via:oisin supply-chain-attacks security infosec npm dependencies exploits javascript coding development

2025-09-16

  • 14:00 UTC xcapture and xtop
    "0x.Tools: X-Ray vision for Linux systems". Linux Performance Analysis with Modern eBPF and DuckDB; dig into the captured DuckDB files using "xtop":
    "xtop is like the Linux top tool, but extended with x-ray vision and ability to view your performance data from any chosen angle [..]. This enables dimensional performance analysis on Linux and tools like top for wall-clock time and much more. You can use it for system level overview and drill down into individual threads' activity and even into kernel events like lock waits or memory stalls."
    Tags: os debugging sysadmin ops monitoring xtop xcapture ebpf linux duckdb syscalls
  • 11:15 UTC The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic security
    This is pretty messy. UK companies have taken to outsourcing core IT and infosec to low-cost service providers, then inevitably get hacked -- then make huge insurance claims and look for government support.
    "We've ended up in a situation where to deliver shareholder value, large organisations are incentivised to outsource core IT and cybersecurity functions to low-cost managed service providers abroad, and then when hit with ransomware, the insurance will cover paying the ransom (some insurers will actually push for payment to criminal groups, to cover their potential losses). This cycle plays into the ransomware economy, where the same criminal groups can then reinvest the money into purchasing exploits and gaining initial access to other organisations. Because ransomware is such big business, many of the groups have far bigger research and development funds than the organisations they're attacking. Especially when the organisations they're attacking have outsourced key areas to low cost providers. The net effect is ransomware and extortion groups continue to gain access to more organisations, and risk UK economic security. It is only a matter of time before they hit some kind of essential UK service that directly impacts millions of people, by which point millions of people will be asking what is being done about the problem. And the answer is: not enough. When we're at the stage of having to look at urgent furlough schemes for JLR's suppliers to rightly save jobs, it isn't so much a sign as the canary in the coalmine has died, but that the coalmine is also about to collapse on people."
    Also this is terrible PR for Tata Consultancy Services, wow.
    Tags: tata tcs security infosec lapsus outsourcing it uk ransomware insurance

2025-09-15

  • 15:31 UTC Hosting a WebSite on a Disposable Vape :: BogdanTheGeek's Blog
    Turns out disposable vapes contain a quite capable ARM microcontroller!
    "So here are the specs of a microcontroller so bad, it's basically disposable:
    - 24MHz Cortex M0+;
    - 24KiB of Flash Storage;
    - 3KiB of Static RAM;
    - a few peripherals, none of which we will use."
    A cool hack ensues.
    Tags: computers hosting hacking diy electronics arm microcontrollers kernel vapes

2025-09-11

  • 16:04 UTC Defeating Nondeterminism in LLM Inference - Thinking Machines Lab
    "Reproducibility is a bedrock of scientific progress. However, it's remarkably difficult to get reproducible results out of large language models. For example, you might observe that asking ChatGPT the same question multiple times provides different results. This by itself is not surprising, since getting a result from a language model involves 'sampling', a process that converts the language model's output into a probability distribution and probabilistically selects a token. What might be more surprising is that even when we adjust the temperature down to 0 [footnote: This means that the LLM always chooses the highest probability token, which is called greedy sampling.] (thus making the sampling theoretically deterministic), LLM APIs are still not deterministic in practice (see past discussions here, here, or here). Even when running inference on your own hardware with an OSS inference library like vLLM or SGLang, sampling still isn't deterministic (see here or here)."
    The levels of non-deterministic variation throughout the LLM stack discussed here are massive! It's kinda crazy that this doesn't produce incorrect output more often.
    Tags: llms ml machine-learning ai determinism testing inference reproducibility randomness floating-point
  • 15:52 UTC After 'humiliating' raid, Burkina Faso halts 'gene drive' project to fight malaria
    Oh great. Russian psyops are now disrupting the fight against malaria:
    "The move is 'a real blow' to hopes for gene drives, says Fredros Okumu, a vector biologist at the University of Glasgow and the Ifakara Health Institute in Tanzania. 'Target Malaria has made a huge investment in Burkina Faso' by training scientists and engaging with communities, he says. And although lab research can continue, finding sites for field tests has now become a lot harder, says Mark Benedict, a mosquito geneticist who until recently worked for Target Malaria. 'Burkina Faso and Target Malaria were the most fully developed partnership, so it's chilling.' The collapse of the project there may discourage other possible host countries. [...] Opposition to the project has grown, fueled in part by false accusations spread through social media, such as that Target Malaria was weaponizing mosquitoes to spread disease or sterilize people. The claims are part of a wider pattern of disinformation campaigns in the region often linked to Russian networks, says Mark Duerksen, a security expert at the Africa Center for Strategic Studies, which is funded by the U.S. Department of Defense. 'We've seen this kind of public health disinformation really take off in the last 12, 18 months,' he says. The campaigns aim to sow 'distrust of the West as having nefarious plots in Africa,' Duerksen says, and they play into the 'sovereignist narrative' of Burkina Faso's government, led by Ibrahim Traoré, a young military officer who took power in 2022 after two coups. Traoré has emphasized national autonomy and has revoked the licenses of many foreign nongovernmental organizations."
    Tags: malaria russia propaganda disinformation mosquitos gene-drive

2025-09-09

  • 11:54 UTC TLDs' grace periods
    WTF! Some TLDs allow anyone to buy the domain BEFORE it expires; e.g. ".pe" allowed a squatter to steal a domain 12 days prior to its expiration. How does this make sense?
    Tags: expiration domains cctlds tlds domain-squatting infosec
  • 11:49 UTC GOP Cries Censorship Over Spam Filters That Work
    LOL. Republican political email campaigns (like WinRed) keep getting marked as spam, because they're using shitty lists:
    "Tossavainen told KrebsOnSecurity that WinRed's emails hit its spamtraps in the .com, .net, and .org space far more frequently than do fundraising emails sent by ActBlue. Koli-Lõks published a graph of the stark disparity in spamtrap activity for WinRed versus ActBlue, showing a nearly fourfold increase in spamtrap hits from WinRed emails in the final week of July 2025."
    Tags: spam anti-spam spamtraps winred us-politics gop republicans filtering

2025-09-08

  • 15:28 UTC Where's the Shovelware? Why AI Coding Claims Don't Add Up
    One dev crunched the numbers on AI coding -- and found absolutely 0 noticeable impact:
    "I discovered that the data isn't statistically significant at any meaningful level. That I would need to record new datapoints for another four months just to prove if AI was speeding me up or slowing me down at all. It's too neck-and-neck. That lack of differentiation between the groups is really interesting though. Yes, it's a limited sample and could be chance, but also so far AI appears to slow me down by a median of 21%, exactly in line with the METR study. I can say definitively that I'm not seeing any massive increase in speed (i.e., 2x) using AI coding tools. If I were, the results would be statistically significant and the study would be over. That's really disappointing."
    Tags: productivity chatgpt github technology business culture work llms metr ai

2025-09-05

  • 08:51 UTC Google quietly demotes its net zero pledge
    "An investigation by Canada's National Observer has found that Google's net-zero pledge has quietly been scrubbed, demoted from having its own section on the site to an entry in the appendices of the company's sustainability report."
    Tags: net-zero climate-change google dont-be-evil sustainability

Paul Graham