One of the most interesting things I've learnt since doing security-related things is how much security is not really about security at all.

For example, to get a good rate on house insurance, you have to have a fancy lock that's difficult to pick on your front door. My front door has one. It also has a glass panel in the middle. If I wanted to break in in a hurry, I wouldn't even try the lock, I'd smash the glass and open the door. From the insurance company's perspective, that's fine: they don't care about it preventing burglaries, they care about attribution. They need a sign of forced entry to pay out and want to avoid having to argue about whether you left the door unlocked. It's about tamper evidence, not about preventing tampering.

The same is true for a lot of embedded security. It isn't about preventing things from going wrong, it's about knowing which vendor gets to pay for a costly recall. If you can accurately attribute failures to a third-party software component, then you can invoke penalty clauses in your contract with that vendor. If you can't, then you pay.

If you can actually prevent attacks, that's a nice bonus, but it's often not the thing that people care most about. Often because they don't really believe it's possible (or, at least, possible within a budget that is lower than the cost of being attacked sometimes).

Sometimes y’all, there is the perfect meme.

#witchy #infosec #darkarts #updates #funny

Death by a thousand slops

https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

#curl #AI #bugbounty

This is your regular reminder that if you are the smartest person in the room, go find another room. You are not going to run out of people or rooms.

TIL: Ever wanted to compress data or use cryptographic algorithms but you don't want to link to link to C libraries or you're just plain lazy?

The Linux kernel has you covered! Create a socket of type AF_ALG, bind to your favorite algorithm, send() in your data and recv() it back!

This seems to support deflate, SHA, RSA and some more on ppc64le and additionally even zstd, chacha, lzo, hmac and more on ARM!

https://www.kernel.org/doc/html/latest/crypto/userspace-if.html

“Artificial intelligence is the opposite of education”

https://helenbeetham.substack.com/p/artificial-intelligence-is-the-opposite

> But what if there isn’t a middle of this road? What if the project of ‘artificial intelligence’ is not a road to new kinds of education - not even a slow and bumpy one – but the reversal of everything education stands for?

It is weird to see the continuing fallacy in the software world that 'source code' is the most valuable asset, by far.

The most valuable asset is the knowledge, design decisions, rationale and intent encoded therein. Just because we don't have good languages to encode that does not change the value proposition.

That misplaced value equation is also at the root of the LLM-for-SE hype.

📨 Today, EDRi and 51 civil society organisations, academics, and experts have written to the European Commission to oppose any attempts to suspend or delay the #ArtificialIntelligence #AI Act.

These attempts, especially in light of the growing trend of #deregulation of #FundamentalRrights and environmental protection, could undermine accountability and hard-won rights for people, the planet, justice and democracy 🚨

Read the open letter ➡️ https://edri.org/our-work/open-letter-european-commission-must-champion-the-ai-act-amidst-simplification-pressure/

Everyone who said virtme-ng is a great tool for kernel development was absolutely correct

a blog post by my friend eevee which is, y’know, preaching to the choir about exactly what you think, but. yeah. https://eev.ee/blog/2025/07/03/the-rise-of-whatever/

Så har BEC implementeret Googles "sikkerhedssystem" mod rootede telefoner så jeg nu ikke længere kan bruge netbank på min telefon med /e/os. Det gør mig så vred at danske virksomheder kræver at danske borgere giver deres privatliv til Google og tillader at Google sælger ens profil til hvem der vil betale.
Digital uafhængighed min bare r...!

I always hated being told to show my working as a child, but it took me until recently to understand why it annoyed me so much.

Some thing in a sequence of reasoning steps are obvious. A small number of them are obvious to everyone. Some are obvious to me. A (probably overlapping) set are obvious to you but, typically, they are not the same set.

Over the last few years, I've had a lot of conversations with really smart people where they got stuck on something I consider to be so obvious it doesn't need explaining, and then they skip over the next three reasoning steps that I thought needed very careful explanation because they consider those to be obvious.

A huge part of effective communication (especially in teams with diverse expertise) revolves around understanding which steps in your working you need to show. Showing all of them will just bore your reader. Showing the ones that you think need to be shown will work only if your reader has the same background as you.

I was at small house party a few months ago and some guy was there talking about his New App. Being curious I asked. LLM coding assistant.

Told him what I thought: stuff’s dogshit.

He got upset and claimed it was helping people. I simply said “no” and then said that to every other bullshit claim he offered. Someone eventually told me “hey you have to be nice” so I laughed in their face because the thing is..

No, I fucking don‘t. Why the fuck would I be nice to people who are destroying one of the greatest works of art humanity has ever produced: the internet? Because from the foundations to (almost) everyone on it, it’s so obvious to me that the internet is art. It does not just simply contain it, or provide a medium for it, or facilitate it’s propagation, it is art. Though it certainly is all those other things as well.

The internet is gift to the idea that knowledge should be, must be available to everyone.

Me, two weeks ago:

"Strange days indeed; imagine listening to a carpenter describe themselves as "hammer-first."

"But do you... build houses?"

"Incidentally, yes; but our main focus is on hitting nails with hammers."

Microsoft today:

"AI is now a fundamental part of how we work," Liuson wrote. "Just like collaboration, data-driven thinking, and effective communication, using AI is no longer optional - it's core to every role and every level."

https://www.businessinsider.com/microsoft-internal-memo-using-ai-no-longer-optional-github-copilot-2025-6

A thing I'm quite tired of seeing in technical spaces are exceptions being made for engineers because they are "smart". Widely known as the brilliant asshole.

This is code. It can be difficult, doing it well is even more difficult. It's also table stakes for this job. Especially when it comes to OSS. We are not so unique that we can't be replaced with another coder. I have replaced myself with very competent engineers at Meta in my work with btrfs.

What makes "smart" engineers is their ability to work with other people. This fantasy that "ideas" are how we communicate and the best idea wins, the most technical argument wins, is simply not true. You get your code in because you know how to communicate. Does that include technical arguments? Of course it does. But if you bring that technical argument to the table with "I can't believe you were so stupid to do it this other way, you should all thank me for being here" you are going to be far less successful.

That doesn't make you smart. To me, "smart" includes all the things necessary to accomplish your task as quickly and efficiently as possible. Part of that for us is coding, but the larger part is communication and the relationships we build with each other by being consistent with how we communicate and treat other people.

I work with the smartest people in the world. They are smart because they can code. They are smart because they are kind and gracious with their communication. They are smart because they build community in the work that they do.

If your community is a developer of 1 and nobody wants you around, it doesn't matter how good of a coder you are. You have failed at one of the core tenants of your job. In the real world, with real stakes, real bosses, real accountability, you would be fired. And that would be the correct outcome.

The power of OSS is the fact that it's many developers working on a thing. We all witness the power of this every day, but still cling to this fantasy that it's one smart asshole that keeps the whole thing together.

We are all replaceable in OSS. That's the beauty of it. It will outlast every once of us.

It just occurred to me that Free, Libre, Open Source Software is inevitable (outside rare niches).

Yes, it takes time. But eventually, some FLOSS that's "good enough" arises. And network and scale effects make it easier everywhere with every win.

And once the switch has happened — have you ever heard of someone going back to proprietary software? No? Me neither.

It's a one way street.

And thus, the proprietary world keeps shrinking.

#OpenSource

This graph is the one I'm most excited about: the lifetime of security flaws in Linux is finally starting to get shorter (and the number of fixed flaws continues to rise).

https://hachyderm.io/@LinuxSecSummit@social.kernel.org/114750428620118674