remixtures

joined 2 years ago
 

"Inherent security flaws are raising questions about the safety of AI systems built on the Model Context Protocol (MCP).

Developed by Anthropic, MCP is an open source specification for connecting large language model-based AI agents with external data sources — called MCP servers.

As the first proposed industry standard for agent-to-API communication, interest in MCP has surged in recent months, leading to an explosion in MCP servers.

In recent weeks, developers have sounded the alarm that MCP lacks default authentication and isn’t secure out of the box — some say it’s a security nightmare.

Recent research from Invariant Labs shows that MCP servers are vulnerable to tool poisoning attacks, in which untrusted servers embed hidden instructions in tool descriptions.

Anthropic, OpenAI, Cursor, Zapier, and other MCP clients are susceptible to this type of attack..."

https://thenewstack.io/building-with-mcp-mind-the-security-gaps/

#AI #GenerativeAI #AIAgents #AgenticAI #MCP #APIs #CyberSecurity #LLMs

 

"The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.

"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.

Neumann was made aware of the ongoing ploy four weeks ago by the German domestic intelligence service, she said.

The group thought to be behind the attack is a hacking collective associated with the Iranian Revolutionary Guard, known as APT42, according to a report by the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another Iranian hacking group, called APT35 or Charming Kitten, was initially considered a culprit too. The two Iranian threat groups are closely related."

https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

#EU #Germany #Iran #CyberSecurity #StateHacking #Spyware #APT42 #APT35

 

"Following a RightsCon 2025 session about the flaws and risks of such an interpretation, we are releasing this week a technical statement (see below) pointing out why Ecuadorean courts must reaffirm Bini’s innocence and repudiate misconceptions about technology and technical knowledge that only disguise the prosecutor’s lack of evidence supporting the accusations against Bini.

Let’s not forget that Bini was unanimously acquitted in early 2023. Nonetheless, the Prosecutor’s Office appealed and the majority of the appeals court considered him guilty of attempted unauthorized access of a telecommunications system. The reasoning leading to this conclusion has many problems, including mixing the concepts of private and public IP addresses and disregarding key elements of the acquittal sentence.

The ruling also refers to the use of Tor. Among other issues, the prosecution argued that Tor is not a tool known by any person except for technical experts since its purpose is to hide your identity on the internet while leaving no trace you're using it. As we stressed at RightsCon, this argument turns the use of a privacy-protective, security-enhancing technology into an indication of suspicious criminal activity, which is a dangerous extrapolation of the “nothing-to-hide argument.”"

https://www.eff.org/deeplinks/2025/04/six-years-dangerous-misconceptions-targeting-ola-bini-and-digital-rights-ecuador

#Ecuador #DigitalRights #OlaBini #Tor #Privacy

[–] [email protected] 1 points 1 day ago

"The company, in other words, is "careless." Warned of imminent harms to its users, to democracy, to its own employees, the top executives simply do not care. They ignore the warnings and the consequences, or pay lip service to them. They don't care.
(...)
But there's another meaning to "careless" that lurks just below the surface of this excellent memoir: "careless" in the sense of "arrogant" – in the sense of not caring about the consequences of their actions.

To me, this was the most important – but least-developed – lesson of Careless People. When Wynn-Williams lands at Facebook, she finds herself surrounded by oafs and sociopaths, cartoonishly selfish and shitty people, who, nevertheless, have built a service that she loves and values, along with hundreds of millions of other people.

She's not wrong to be excited about Facebook, or its potential. The company may be run by careless people, but they are still prudent, behaving as though the consequences of screwing up matter."

 

"According to Wynn-Williams, Facebook actually built an extensive censorship and surveillance system for the Chinese state – spies, cops and military – to use against Chinese Facebook users, and FB users globally. They promise to set up caches of global FB content in China that the Chinese state can use to monitor all Facebook activity, everywhere, with the implication that they'll be able to spy on private communications, and censor content for non-Chinese users.

Despite all of this, Facebook is never given access to China. However, the Chinese state is able to use the tools Facebook built for it to attack independence movements, the free press and dissident uprisings in Hong Kong and Taiwan."

https://pluralistic.net/2025/04/23/zuckerstreisand/#zdgaf

#SocialMedia #Facebook #Meta #BigTech #Oligopolies #Surveillance #Censorship #Privacy #HumanRights

 

"Today, noyb filed a complaint against the French video game developer and publisher Ubisoft (known for Assassins Creed, Far Cry, Prince of Persia). The company forces its customers to connect to the internet every time they launch a single player game. This is the case even if the game doesn’t have any online features. This allows Ubisoft to collect people’s gaming behaviour. Among other things, the company collects data about when you start a game, for how long you play it and when you close it. Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on. Under Article 6(1) GDPR, there seems to be no valid legal basis to randomly collect such user data."

https://noyb.eu/en/play-alone-ubisoft-still-watching-you

#EU #France #DataProtection #UbiSoft #Videogames #GDPR #Surveillance

#PCGaming

 

"Google on Tuesday revealed that it will no longer offer a standalone prompt for third-party cookies in its Chrome browser as part of its Privacy Sandbox initiative.

"We've made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

"Users can continue to choose the best option for themselves in Chrome's Privacy and Security Settings."

Back in July 2024, the tech giant said it had abandoned its plans to deprecate third-party tracking cookies and that it intends to roll out a new experience instead that lets users make an informed choice.

Google said feedback from publishers, developers, regulators, and the ads industry has made it clear there are "divergent perspectives" on making changes that could affect the availability of third-party cookies.

In its place, the tech behemoth said it will continue to invest in enhancing tracking protections in Chrome's Incognito mode, which blocks third-party cookies by default. It also intends to introduce a new IP Protection feature in the third quarter of 2025."

https://thehackernews.com/2025/04/google-drops-cookie-prompt-in-chrome.html

#Google #Privacy #WebCookies #ThirdPartyCookies #Chrome #PrivacySandbox #Surveillance #AdTech

 

"When asked directly about the most pressing digital threats, be it AI misuse or quantum computing, Schneier quipped. "I generally hate ranking threats, but if I had to pick candidates for 'biggest,' it would be one of these: income inequality, late-stage capitalism, or climate change," he wrote. "Compared to those, cybersecurity is a rounding error."
(...)
Asked directly about NSA reforms post-Snowden, Schneier was skeptical, responding: "Well, they haven't had any leaks of any magnitude since then, so hopefully they did learn something about OPSEC. But near as we can tell, nothing substantive has been reformed."

Schneier further clarified, "We should assume that the NSA has developed far more extensive surveillance technology since then," stressing the importance of vigilance.

He touched on the fusion of AI and democracy - a theme of his upcoming book Rewiring Democracy - noting that he didn't "think that AI as a technology will change how different types of government will operate. It's more that different types of governments will shape AI."

He is pessimistic that countries will harness AI's power to do good and help improve quality of life.

"It would be fantastic if governments prioritized these things," he said. "[This] seems unrealistic in a world where countries are imagining some sort of AI 'arms race' and where monopolistic corporations are controlling the technologies. To me, that speaks to the solutions: international cooperation and breaking the tech monopolies. And, yes, those are two things that are not going to happen.""

https://www.scworld.com/news/bruce-schneier-ai-hype-nsa-surveillance-and-cybersecuritys-real-challenges

#CyberSecurity #NSA #Surveillance #AI #AISafety #QuantumComputing #Cryptography #Encryption

[–] [email protected] 1 points 6 days ago

"So yeah, it looks like "ultrathink" is a Claude Code feature - presumably that 31999 is a number that affects the token thinking budget, especially since "megathink" maps to 1e4 tokens (10,000) and just plain "think" maps to 4,000."

https://simonwillison.net/2025/Apr/19/claude-code-best-practices/

 

"We recently released Claude Code, a command line tool for agentic coding. Developed as a research project, Claude Code gives Anthropic engineers and researchers a more native way to integrate Claude into their coding workflows.

Claude Code is intentionally low-level and unopinionated, providing close to raw model access without forcing specific workflows. This design philosophy creates a flexible, customizable, scriptable, and safe power tool. While powerful, this flexibility presents a learning curve for engineers new to agentic coding tools—at least until they develop their own best practices.

This post outlines general patterns that have proven effective, both for Anthropic's internal teams and for external engineers using Claude Code across various codebases, languages, and environments. Nothing in this list is set in stone nor universally applicable; consider these suggestions as starting points. We encourage you to experiment and find what works best for you!"

https://www.anthropic.com/engineering/claude-code-best-practices

#AI #GenerativeAI #AIAgents #Claude #LLMs #ClaudeCode #AgenticCoding #Programming #SoftwareDevelopment

[–] [email protected] 1 points 1 week ago

"The DOGE employees, who are effectively led by White House adviser and billionaire tech CEO Elon Musk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new administration's policies and to cut costs and maximize efficiency.

But according to an official whistleblower disclosure shared with Congress and other federal overseers that was obtained by NPR, subsequent interviews with the whistleblower and records of internal communications, technical staff members were alarmed about what DOGE engineers did when they were granted access, particularly when those staffers noticed a spike in data leaving the agency. It's possible that the data included sensitive information on unions, ongoing legal cases and corporate secrets — data that four labor law experts tell NPR should almost never leave the NLRB and that has nothing to do with making the government more efficient or cutting spending.

Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do."

https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security

 

"In security advisories posted on its website, Apple confirmed it fixed the two zero-day vulnerabilities, which “may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.”

The bugs are considered zero days because they were unknown to Apple as they were being exploited.

It’s not yet known who is behind the attacks or how many Apple customers were targeted, or if any were successfully compromised. A spokesperson for Apple did not return TechCrunch’s inquiry.

Apple credited the discovery of one of the two bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. Some government-backed cyberattacks are known to involve the use of remotely planted spyware and other phone-unlocking devices."

https://techcrunch.com/2025/04/16/apple-says-zero-day-bugs-exploited-against-specific-targeted-individuals-using-ios/

#CyberSecurity #Apple #iOS #ZeroDayBugs #StateHacking

 

"Most guides to docs like code, even the ones for non-devs, assume you have some developer knowledge: maybe you're already using version control, or you've encountered build pipelines before, or you're working alongside developers.

This guide is for the people who read that paragraph and wished it came with a glossary. This is docs like code for people who don't know what git is and have never installed VS Code.

This post explains terminology and concepts, to help you get a mental model of what's going on. If you prefer to dive in and pick up concepts as you go, skip straight to the tips in How to learn, and come back to the conceptual info as needed."

https://deborahwrites.com/blog/docs-like-code-basic-intro/

#TechnicalWriting #SoftwareDocumentation #SoftwareDevelopment #Programming #DocsAsCode #Git #Markdown #TechnicalCommunication #MkDocs #VSCode

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago)

@grober_Unfug Try Gemini-2.5 Pro Preview. It's the best LLM. Alternatively, you can always try o3, OpenAI's latest LLM: https://lmarena.ai/.

BTW: I'm not the author of the post above :)

 

"It’s not that hard to build a fully functioning, code-editing agent.

It seems like it would be. When you look at an agent editing files, running commands, wriggling itself out of errors, retrying different strategies - it seems like there has to be a secret behind it.

There isn’t. It’s an LLM, a loop, and enough tokens. It’s what we’ve been saying on the podcast from the start. The rest, the stuff that makes Amp so addictive and impressive? Elbow grease.

But building a small and yet highly impressive agent doesn’t even require that. You can do it in less than 400 lines of code, most of which is boilerplate.

I’m going to show you how, right now. We’re going to write some code together and go from zero lines of code to “oh wow, this is… a game changer.”

I urge you to follow along. No, really. You might think you can just read this and that you don’t have to type out the code, but it’s less than 400 lines of code. I need you to feel how little code it is and I want you to see this with your own eyes in your own terminal in your own folders.

Here’s what we need:

  • Go
  • Anthropic API key that you set as an environment variable, ANTHROPIC_API_KEY"

https://ampcode.com/how-to-build-an-agent

#AI #GenerativeAI #AIAgents #AICoding #Programming #Go #Claude #Anthropic #LLMs #Chatbots

 

"[T]hose claiming we're mere months away from AI agents replacing most programmers should adjust their expectations because models aren't good enough at the debugging part, and debugging occupies most of a developer's time. That's the suggestion of Microsoft Research, which built a new tool called debug-gym to test and improve how AI models can debug software.

Debug-gym (available on GitHub and detailed in a blog post) is an environment that allows AI models to try and debug any existing code repository with access to debugging tools that aren't historically part of the process for these models. Microsoft found that without this approach, models are quite notably bad at debugging tasks. With the approach, they're better but still a far cry from what an experienced human developer can do.
(...)
This approach is much more successful than relying on the models as they're usually used, but when your best case is a 48.4 percent success rate, you're not ready for primetime. The limitations are likely because the models don't fully understand how to best use the tools, and because their current training data is not tailored to this use case."

https://arstechnica.com/ai/2025/04/researchers-find-ai-is-pretty-bad-at-debugging-but-theyre-working-on-it/

#AI #GenerativeAI #Programming #Debugging #SoftwareDevelopment

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago)

@kvadd Yes, but data brokers can buy that information for ad targeting and marketing purposes. These usages should be specifically outlawed, according to the GDPR.

[–] [email protected] 2 points 3 weeks ago

"Browsers keep track of the pages that a user has visited, and they use this information to style anchor elements on a page differently if a user has visited that link before. Most browsers give visited links a different color by default; some web developers rely on the :visited CSS selector to style visited links according to their own preferences.

It is well-known that styling visited links differently from unvisited links opens the door to side-channel attacks that leak the user’s browsing history. One notable attack used window.getComputedStyle and the methods that return a NodeList or HTMLCollection of anchor elements (e.g. document.querySelectorAll, document.getElementsByTagName, etc.) to inspect the styles of each link that was rendered on the page. Once attackers had the style of each link, it was possible to determine whether each link had been visited, leaking sensitive information that should have only been known to the user.

In 2010, browsers implemented a mitigation for this attack: (1) when sites queried link styling, the browser always returned the “unvisited” style, and (2) developers were now limited in what styles could be applied to links. However, these mitigations were complicated for both browsers to implement and web developers to adjust to, and there are proponents of removing these mitigations altogether." https://github.com/explainers-by-googlers/Partitioning-visited-links-history

[–] [email protected] 1 points 3 weeks ago (1 children)

@Alabaster_[email protected] OK, smart ass. Here's a little conversation I had with Gemini 2.5 LLM from Google about this topic. It's backed up with official sources: https://aistudio.google.com/app/prompts?state=%7B%22ids%22:%5B%221B0JecBTkQJ9wVjOnhM81piNPjrq3QbzU%22%5D,%22action%22:%22open%22,%22userId%22:%22113653798100742351191%22,%22resourceKeys%22:%7B%7D%7D&usp=sharing. Are you satisfied?

[–] [email protected] 1 points 3 weeks ago (3 children)

@Alabaster_[email protected] I just quoted an article that was authored by Robert Delwood. I don't have to justify anything. I don't owe you a detailed empirical study of my position, sorry.

[–] [email protected] 1 points 3 weeks ago (5 children)

@Alabaster_[email protected] In my country, Portugal, and in most countries of the world, artists can barely survive. Just look at job boards such as LinkedIn and compare the average remuneration offered to an artist - designer, musician, painter, video maker - to the average remuneration of a plumber. And also don't forget to compare the gross number of job ads.

[–] [email protected] 1 points 3 weeks ago (7 children)

@Alabaster_[email protected] I think what the author wants to state - and I agree with - is that it's way more difficult to earn a living as an artist than as a craftsman. Unfortunately, that is a fact. It's extremely difficult to survive as an artist. And only the really talented ones can gather a high enough number of fans to sustain their work.

[–] [email protected] 0 points 3 weeks ago (10 children)

@[email protected] The number of people who gain a living as plumbers, electricians, carpenters, and locksmiths is way higher than the number of people who gain a living as artists. Unfortunately, that is the truth.

[–] [email protected] 1 points 3 weeks ago (12 children)

@[email protected] Although I don't believe people need "new" art, I agree that art can fulfill a "spiritual" hole in people's lives. But I don't think that's exactly the same...
