Salamander

  • 8 Posts
  • 231 Comments
Joined 4 years ago
Cake day: December 19th, 2021

  • Definitely, disclosing (either privately or publicly) a vulnerability that has been verified is significantly better than passing on the LLM output without verifying it.

    It isn’t my intention to argue one specific case. What I think is that normalizing public disclosure of LLM-inspired vulnerabilities would lead to a wide distribution of cases. We would have some successful cases like yours, and also some cases of the type that I have mentioned. Increase in disclosures will raise the noise floor, and the fact that it is done publicly adds the additional pressure that I mentioned.

    I see your point, but I don’t agree that the benefit of public awareness offsets the increase in noise. This disagreement isn’t rooted in aspects that we can objectively quantify though - we just have a difference of opinion here.


  • And in that world, doing a private disclosure made a lot of sense because you did a lot of hard work to find it, and it wasn’t easy for somebody to replicate. This was valuable and dangerous knowledge that had to be communicated in a responsible fashion.

    Private disclosure still makes sense to me when you add LLMs into the mix. It is possible that an LLM outputs some plausible-sounding story that over-estimates the actual risk and impact of the exploit. If this story is publicly announced to people who use the software but are not capable of assessing these risks themselves, this can easily have a negative unnecessary consequence - for example, people may bring their server down until an expert or developer provides an assessment or fix.

    This is a source of noise, and I don’t agree that this is better than private disclosure. Via public disclosure one is applying a lot of pressure to the developer(s) to prioritize whatever is being disclosed, which may not always be the nicest thing to do, especially if the impact is not as significant as the LLM suggests. This may not have been what happened in your case (I don’t know the details), but I am thinking about the idea of the average person disclosing publicly LLM-discovered vulnerabilities.




  • Thanks a lot for the examples! I have been looking through these, and, as far as I can tell:

    1. In SSL stripping, the site would appear to your client as HTTP, not HTTPS. If that’s the case, I think SSL stripping is blocked when using ‘HTTPS-Only’ mode.
    2. For DNS spoofing, the visited site would show up as insecure because they would not be able to generate a valid certificate for the target website.

    I still have not had the chance to look into leaky metadata. But, generally, I think metadata issues can in part be addressed by not generating much metadata.

    Probably the biggest vulnerability is the captive portal. There is no way to verify you’re connecting to an official Starbucks router. I think that when connecting to a public router it is wise to assume that it is malicious.



  • By hand. We are only two people, and we usually clean after we cook/eat. When one is cleaning only 2 plates + a pot/pan at a time, it is easy to use little water. Spray of soap, metal scrub, sponge scrub, and then turn the tap on to rinse for a few seconds. Utensils get individually scrubbed and then all rinsed together for a few seconds.

    Maybe when we have kids a dish washer will make sense.







  • I would take a portable CD player, place a CD with Rick Astley’s Never Gonna Give You Up on it playing backwards, hook up solar panels, remove the ability to shut it on/off, and set up a circuit that will:

    • As the device solar charges, keep it off until some voltage threshold is exceeded
    • Once the voltage is high enough, start a random timer (8 - 100 hours), so that it is not immediately obvious that the sun activated the device
    • When the timer ends, turn the music on on repeat mode
    • Sometimes turn the music off at random, and then turn it on again at random after a long delay, so that in some cases you can have turn ‘ON’ events without the device being exposed to the sun
    • When the voltage drops below a low threshold, turn the device off until it is charged again

  • I speak Spanish natively and during uni I would hang out with a group of Brazilian friends. I would speak a mixture of Portuguese and Spanish with them.

    The mom of one of these friends made a Brazilian dish for us (Feijoada) and asked me how it was as it was the first time I tried it. I answered that the dish was ‘exquisito’, which in Spanish means delicious (similar to ‘exquisite’). She seemed somewhat disappointed and upset by my response so I probed a little and found out that ‘esquisito’ in Portuguese actually means ‘weird’. She thought I was calling her dish weird tasting. I found out quickly enough to clarify, but I did feel bad about making her feel that way… She was very excited about sharing her cooking and she thought I called it weird.





  • The use-cases that I see advertised are not things that I do in my day-to-day. I usually place my phone on a drawer or leave it in my backpack - I definitely don’t want it on my face.

    So, to me, smart glasses feel like an uncomfortable gimmick at this point. Maybe there is something amazing about them that has not yet clicked with me, but for the time being I don’t see me buying one of these for the foreseeable future.


  • I also did not know of him at all. I did know who Ben Shapiro is. This week has been an educational one: I have learned about Nick Fuentes and ‘groypers’, Candace Owens, and that the change my mind meme guy is called Steven Crowder (I first thought it was this guy when I saw the video of Kirk).

    The US political commentator that I do watch sometimes is Hasan, but not too often. The US lore goes too deep and moves too quickly, hard to keep up.