Posts by jcoglan@mastodon.social
(DIR) Post #AwVIfUglKDZIsseZCi by jcoglan@mastodon.social
2025-07-25T17:56:11Z
0 likes, 1 repeats
between this and the steam/itch censorship by payment providers, everything feels very bleak. the same people will come for books, comics, film and music, they went for videogames first as they're an easier target for the "corrupting young minds" and "this isn't art" talking points
(DIR) Post #AwWnvSetvpoKxUpv4y by jcoglan@mastodon.social
2025-07-26T14:34:46Z
0 likes, 0 repeats
@divVerent @glyph @mathcolorstrees this is a non-solution, there are tons of things an app developer is "authorized" to do that they constantly decide not to do because it would be a bad idea in their current circumstances
(DIR) Post #AwWoFi3mNcPUW580au by jcoglan@mastodon.social
2025-07-26T14:38:24Z
0 likes, 0 repeats
@divVerent you can run LLM based agents on your machine to interact with your source code and infrastructure, which is what this is referring to
(DIR) Post #AwWpCDty9QG04GROzo by jcoglan@mastodon.social
2025-07-26T14:49:01Z
0 likes, 0 repeats
@divVerent even when using an agent that only I was notionally in control of, it kept disobeying my explicit instructions. these things will by and large do whatever *they* believe would be useful, with the full privileges of the current user
I'm *allowed* to delete everything in $HOME, but I don't, for obvious reasons
(DIR) Post #AwWpYpaGjJXhJA0Sw4 by jcoglan@mastodon.social
2025-07-26T14:53:06Z
0 likes, 0 repeats
@divVerent I'm not sure you can categorise behaviour that agents exhibit routinely as a bug unless their vendors have a massive crackdown on such behaviour
(DIR) Post #AwWr18k7BvFKn4ft7Q by jcoglan@mastodon.social
2025-07-26T15:09:25Z
0 likes, 0 repeats
@divVerent the "intern" analogy is mostly revealing of what people think of interns, and it's not good. the two things are not remotely analogous
(DIR) Post #AwyEfBCXCucoDElXHM by jcoglan@mastodon.social
2025-08-08T19:27:43Z
0 likes, 1 repeats
part of my resentment towards LLMs is to do with them crowding out anything else we could be talking about. there are so many things I could be reading to get better at my craft but I'm presented with "you should actually get worse at it on purpose because nothing matters any more"
(DIR) Post #AwyEfGkOaRgJPhe9Fg by jcoglan@mastodon.social
2025-08-08T19:28:42Z
0 likes, 0 repeats
like I feel like I've been working in an information vacuum the last 2 years and it sucks
(DIR) Post #AyMeUzAcX4Jcdc4qFk by jcoglan@mastodon.social
2025-09-19T11:49:35Z
0 likes, 1 repeats
ruby 20 years ago: check out this quirky fun little proglang
ruby now: the web framework is run by a fascist and the package hosting team all got shit canned, have fun
(DIR) Post #B0Qr0HtshXPCb1KM5Y by jcoglan@mastodon.social
2025-11-19T17:46:58Z
1 likes, 1 repeats
no. no!
(DIR) Post #B0bYoeQuj6xQf0W6CW by jcoglan@mastodon.social
2025-11-25T10:30:36Z
0 likes, 0 repeats
it is really astonishing that npm has not even publicly acknowledged the potentially ongoing credential-stealing worm attack. what is going on in there
(DIR) Post #B0bYog3agnUPhFcV7o by jcoglan@mastodon.social
2025-11-25T10:31:10Z
0 likes, 0 repeats
I'll also note that this is being framed as "supply chain security" when the actual problem is the combined set of capabilities of npm and github, both of which are the property of microsoft. this is a microsoft problem
(DIR) Post #B0bYohY78nV2KCuOLA by jcoglan@mastodon.social
2025-11-25T10:33:26Z
0 likes, 0 repeats
as long as npm continues to allow any form of unsupervised publishing, this will continue to be a problem. I don't think that reducing token lifetime will help; it is an annoyance that people will just work around. you have to *require* the active participation of the publisher
(DIR) Post #B0bYoiS7mYIp7v77dw by jcoglan@mastodon.social
2025-11-25T10:36:14Z
1 likes, 0 repeats
this doesn't mean you can't *automate* publishing; there's a lot to like about automation and I won't pretend I love doing my publishing "manually". but you do need it to be *actively supervised* and prove that the package owner has specifically authorised each release
(DIR) Post #B1qIncK2iclcCISOrA by jcoglan@mastodon.social
2025-12-29T21:03:46Z
1 likes, 1 repeats
amazing how many talks at c3, defcon et al boil down to "we looked at the protocol format and it's as though nobody ever thought to do this before"
(DIR) Post #B1qInift6Jo1tmivjs by jcoglan@mastodon.social
2025-12-29T21:04:58Z
1 likes, 0 repeats
talk: so the bluetooth frame includes a flag to say if it's a firmware update
me: I see
(DIR) Post #B1qInvKO3ZKd8rlRWy by jcoglan@mastodon.social
2025-12-29T21:06:04Z
0 likes, 0 repeats
bluetooth lets you read/write arbitrary device memory?! https://www.youtube.com/watch?v=TK5Tz4Bt94Y
(DIR) Post #B1qIo1yfKj7FlWeh96 by jcoglan@mastodon.social
2025-12-29T21:26:15Z
1 likes, 0 repeats
so you can exploit bluetooth to hijack call control on headphones and use that to take over a whatsapp account
from there you hijack amazon, which offers whatsapp as an auth channel
great demo of why all this big tech platforms using one another as auth channels was a terrible idea
(DIR) Post #B1qIo8Dm7Sld87lqWu by jcoglan@mastodon.social
2025-12-29T21:27:35Z
0 likes, 0 repeats
oauth's idea to let you grant access to a resource was fine. escalating that to having said resource be your identity was not
(DIR) Post #B1qIoEGTeKUfsF55Zg by jcoglan@mastodon.social
2025-12-29T21:29:18Z
0 likes, 0 repeats
also loads of services adopting phone numbers (and associated channels like whatsapp) as credentials, when they often have not verified them at all, is absolutely wild