But also why would Claude need to run `rm -rf node_modules && npm install`? Without the context of seeing what changes it’s made, I’d be inclined to assume that Claude has added a new dependency, which I definitely…
Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo.…
Well it led to the creation of BOINC, a distributed computing system that probably has led to scientific advances in other fields So I wouldn’t say it was all for nothing, but it’s main benefit was the idea, and not the…
Agreed, although the reimbursement should be based on whether a reasonable person could consider that to be a vulnerability. Often it’s tricky for outsiders to tell whether a behaviour is expected or a vulnerability
Companies wouldn’t send it because they know that most websites would block them
Rubbish. That analogy is like comparing a gun manufacturer to a hitman service. Elon Musk is willingly allowing Grok to be used to harass women (and children). He could easily put in safeguards to prevent that, but…
Not sure about you, but I personally prefer my websites not to be able to be plagiarised by AI
Thanks, will definitely check this out Has anyone else been avoiding typing FFmpeg commands by using file:// URLs with yt-dlp
Sadly not, those devices don’t have an exploit afaik
> It would be great if we could download the solver manually with a separate command Download a random video and then copy ejs from yt-dlp’s cache directory (I think it’s in /home/username/.cache) > being able to…
Youtube’s tv app is actually just a website (youtube.com/tv, although you need a tv user agent). So yeah, I think most tvs are using JavaScript and the rest are using the tvlite api which has less formats than…
"Attack vectors" is a very interesting choice of words. Yt-dlp is literally using a public API for its intended purpose (accessing videos). The only difference is how yt-dlp is delivering the videos to the user.…
yt-dlp dev here The Android app uses an API which does not require a JS runtime, but it does require a Play Integrity token. The iOS app uses an API which is assumed to require an App Attest token. Also, neither API…
> How come they needed to replace their pagers AT ONCE recently? Hezbollah recently switched to using only pagers for communication, because they were worried about Israel hacking their phones. It's likely they all…
Use https://xcancel.com/ (eg https://xcancel.com/githubstatus)
It doesn't say anything about CORS in the networking tab: https://i.imgur.com/yeH6bGi.png It correctly identifies that Twitter is trying to load a tracking site, which Firefox blocks by default (with an allowlist).…
> some binary test files were added later that are probably now suspect That's confirmed From https://www.openwall.com/lists/oss-security/2024/03/29/4: > The files containing the bulk of the exploit are in an obfuscated…
This PR from July 8 2023 is suspicious, so it was very likely a long con: https://github.com/google/oss-fuzz/pull/10667
> That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.…
Where does that comment mention the other maintainer (Lasse Collin)?
But also why would Claude need to run `rm -rf node_modules && npm install`? Without the context of seeing what changes it’s made, I’d be inclined to assume that Claude has added a new dependency, which I definitely…
Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo.…
Well it led to the creation of BOINC, a distributed computing system that probably has led to scientific advances in other fields So I wouldn’t say it was all for nothing, but it’s main benefit was the idea, and not the…
Agreed, although the reimbursement should be based on whether a reasonable person could consider that to be a vulnerability. Often it’s tricky for outsiders to tell whether a behaviour is expected or a vulnerability
Companies wouldn’t send it because they know that most websites would block them
Rubbish. That analogy is like comparing a gun manufacturer to a hitman service. Elon Musk is willingly allowing Grok to be used to harass women (and children). He could easily put in safeguards to prevent that, but…
Not sure about you, but I personally prefer my websites not to be able to be plagiarised by AI
Thanks, will definitely check this out Has anyone else been avoiding typing FFmpeg commands by using file:// URLs with yt-dlp
Sadly not, those devices don’t have an exploit afaik
> It would be great if we could download the solver manually with a separate command Download a random video and then copy ejs from yt-dlp’s cache directory (I think it’s in /home/username/.cache) > being able to…
Youtube’s tv app is actually just a website (youtube.com/tv, although you need a tv user agent). So yeah, I think most tvs are using JavaScript and the rest are using the tvlite api which has less formats than…
"Attack vectors" is a very interesting choice of words. Yt-dlp is literally using a public API for its intended purpose (accessing videos). The only difference is how yt-dlp is delivering the videos to the user.…
yt-dlp dev here The Android app uses an API which does not require a JS runtime, but it does require a Play Integrity token. The iOS app uses an API which is assumed to require an App Attest token. Also, neither API…
> How come they needed to replace their pagers AT ONCE recently? Hezbollah recently switched to using only pagers for communication, because they were worried about Israel hacking their phones. It's likely they all…
Use https://xcancel.com/ (eg https://xcancel.com/githubstatus)
It doesn't say anything about CORS in the networking tab: https://i.imgur.com/yeH6bGi.png It correctly identifies that Twitter is trying to load a tracking site, which Firefox blocks by default (with an allowlist).…
> some binary test files were added later that are probably now suspect That's confirmed From https://www.openwall.com/lists/oss-security/2024/03/29/4: > The files containing the bulk of the exploit are in an obfuscated…
This PR from July 8 2023 is suspicious, so it was very likely a long con: https://github.com/google/oss-fuzz/pull/10667
> That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.…
Where does that comment mention the other maintainer (Lasse Collin)?