remixtures

"Inherent security flaws are raising questions about the safety of AI systems built on the Model Context Protocol (MCP).

Developed by Anthropic, MCP is an open source specification for connecting large language model-based AI agents with external data sources — called MCP servers.

As the first proposed industry standard for agent-to-API communication, interest in MCP has surged in recent months, leading to an explosion in MCP servers.

In recent weeks, developers have sounded the alarm that MCP lacks default authentication and isn’t secure out of the box — some say it’s a security nightmare.

Recent research from Invariant Labs shows that MCP servers are vulnerable to tool poisoning attacks, in which untrusted servers embed hidden instructions in tool descriptions.

Anthropic, OpenAI, Cursor, Zapier, and other MCP clients are susceptible to this type of attack..."

https://thenewstack.io/building-with-mcp-mind-the-security-gaps/

#AI #GenerativeAI #AIAgents #AgenticAI #MCP #APIs #CyberSecurity #LLMs

"The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.

"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.

Neumann was made aware of the ongoing ploy four weeks ago by the German domestic intelligence service, she said.

The group thought to be behind the attack is a hacking collective associated with the Iranian Revolutionary Guard, known as APT42, according to a report by the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another Iranian hacking group, called APT35 or Charming Kitten, was initially considered a culprit too. The two Iranian threat groups are closely related."

https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

#EU #Germany #Iran #CyberSecurity #StateHacking #Spyware #APT42 #APT35

"Following a RightsCon 2025 session about the flaws and risks of such an interpretation, we are releasing this week a technical statement (see below) pointing out why Ecuadorean courts must reaffirm Bini’s innocence and repudiate misconceptions about technology and technical knowledge that only disguise the prosecutor’s lack of evidence supporting the accusations against Bini.

Let’s not forget that Bini was unanimously acquitted in early 2023. Nonetheless, the Prosecutor’s Office appealed and the majority of the appeals court considered him guilty of attempted unauthorized access of a telecommunications system. The reasoning leading to this conclusion has many problems, including mixing the concepts of private and public IP addresses and disregarding key elements of the acquittal sentence.

The ruling also refers to the use of Tor. Among other issues, the prosecution argued that Tor is not a tool known by any person except for technical experts since its purpose is to hide your identity on the internet while leaving no trace you're using it. As we stressed at RightsCon, this argument turns the use of a privacy-protective, security-enhancing technology into an indication of suspicious criminal activity, which is a dangerous extrapolation of the “nothing-to-hide argument.”"

https://www.eff.org/deeplinks/2025/04/six-years-dangerous-misconceptions-targeting-ola-bini-and-digital-rights-ecuador

#Ecuador #DigitalRights OlaBini #Tor #Privacy

"According to Wynn-Williams, Facebook actually built an extensive censorship and surveillance system for the Chinese state – spies, cops and military – to use against Chinese Facebook users, and FB users globally. They promise to set up caches of global FB content in China that the Chinese state can use to monitor all Facebook activity, everywhere, with the implication that they'll be able to spy on private communications, and censor content for non-Chinese users.

Despite all of this, Facebook is never given access to China. However, the Chinese state is able to use the tools Facebook built for it to attack independence movements, the free press and dissident uprisings in Hong Kong and Taiwan."

https://pluralistic.net/2025/04/23/zuckerstreisand/#zdgaf

#SocialMedia #Facebook #Meta #BigTech #Oligopolies #Surveillance #Censorship #Privacy #HumanRights

"Today, noyb filed a complaint against the French video game developer and publisher Ubisoft (known for Assassins Creed, Far Cry, Prince of Persia). The company forces its customers to connect to the internet every time they launch a single player game. This is the case even if the game doesn’t have any online features. This allows Ubisoft to collect people’s gaming behaviour. Among other things, the company collects data about when you start a game, for how long you play it and when you close it. Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on. Under Article 6(1) GDPR, there seems to be no valid legal basis to randomly collect such user data."

https://noyb.eu/en/play-alone-ubisoft-still-watching-you

#EU #France #DataProtection #UbiSoft #Videogames #GDPR #Surveillance

#PCGaming

"Google on Tuesday revealed that it will no longer offer a standalone prompt for third-party cookies in its Chrome browser as part of its Privacy Sandbox initiative.

"We've made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies," Anthony Chavez, vice president of Privacy Sandbox at Google, said.

"Users can continue to choose the best option for themselves in Chrome's Privacy and Security Settings."

Back in July 2024, the tech giant said it had abandoned its plans to deprecate third-party tracking cookies and that it intends to roll out a new experience instead that lets users make an informed choice.

Google said feedback from publishers, developers, regulators, and the ads industry has made it clear there are "divergent perspectives" on making changes that could affect the availability of third-party cookies.

In its place, the tech behemoth said it will continue to invest in enhancing tracking protections in Chrome's Incognito mode, which blocks third-party cookies by default. It also intends to introduce a new IP Protection feature in the third quarter of 2025."

https://thehackernews.com/2025/04/google-drops-cookie-prompt-in-chrome.html

#Google #Privacy #WebCookies #ThirdPartyCookies #Chrome #PrivacySandbox #Surveillance #AdTech

"When asked directly about the most pressing digital threats, be it AI misuse or quantum computing, Schneier quipped. "I generally hate ranking threats, but if I had to pick candidates for 'biggest,' it would be one of these: income inequality, late-stage capitalism, or climate change," he wrote. "Compared to those, cybersecurity is a rounding error."
(...)
Asked directly about NSA reforms post-Snowden, Schneier was skeptical, responding: "Well, they haven't had any leaks of any magnitude since then, so hopefully they did learn something about OPSEC. But near as we can tell, nothing substantive has been reformed."

Schneier further clarified, "We should assume that the NSA has developed far more extensive surveillance technology since then," stressing the importance of vigilance.

He touched on the fusion of AI and democracy - a theme of his upcoming book Rewiring Democracy - noting that he didn't "think that AI as a technology will change how different types of government will operate. It's more that different types of governments will shape AI."

He is pessimistic that countries will harness AI's power to do good and help improving quality of life.

"It would be fantastic if governments prioritized these things," he said. "[This] seems unrealistic in a world where countries are imagining some sort of AI 'arms race' and where monopolistic corporations are controlling the technologies. To me, that speaks to the solutions: international cooperation and breaking the tech monopolies. And, yes, those are two things that are not going to happen.""

https://www.scworld.com/news/bruce-schneier-ai-hype-nsa-surveillance-and-cybersecuritys-real-challenges

#CyberSecurity #NSA #Surveillance #AI #AISafety #QuantumComputing #Cryptography #Encryption

"We recently released Claude Code, a command line tool for agentic coding. Developed as a research project, Claude Code gives Anthropic engineers and researchers a more native way to integrate Claude into their coding workflows.

Claude Code is intentionally low-level and unopinionated, providing close to raw model access without forcing specific workflows. This design philosophy creates a flexible, customizable, scriptable, and safe power tool. While powerful, this flexibility presents a learning curve for engineers new to agentic coding tools—at least until they develop their own best practices.

This post outlines general patterns that have proven effective, both for Anthropic's internal teams and for external engineers using Claude Code across various codebases, languages, and environments. Nothing in this list is set in stone nor universally applicable; consider these suggestions as starting points. We encourage you to experiment and find what works best for you!"

https://www.anthropic.com/engineering/claude-code-best-practices

#AI #GenerativeAI #AIAgents #Claude #LLMs #ClaudeCode #AgenticCoding #Programming #SoftwareDevelopment

"In security advisories posted on its website, Apple confirmed it fixed the two zero-day vulnerabilities, which “may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.”

The bugs are considered zero days because they were unknown to Apple as they were being exploited.

It’s not yet known who is behind the attacks or how many Apple customers were targeted, or if any were successfully compromised. A spokesperson for Apple did not return TechCrunch’s inquiry.

Apple credited the discovery of one of the two bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. Some government-backed cyberattacks are known to involve the use of remotely planted spyware and other phone-unlocking devices."

https://techcrunch.com/2025/04/16/apple-says-zero-day-bugs-exploited-against-specific-targeted-individuals-using-ios/

#CyberSecurity #Apple iOS #ZeroDayBugs #StateHacking

"Most guides to docs like code, even the ones for non-devs, assume you have some developer knowledge: maybe you're already using version control, or you've encountered build pipelines before, or you're working alongside developers.

This guide is for the people who read that paragraph and wished it came with a glossary. This is docs like code for people who don't know what git is and have never installed VS Code.

This post explains terminology and concepts, to help you get a mental model of what's going on. If you prefer to dive in and pick up concepts as you go, skip straight to the tips in How to learn, and come back to the conceptual info as needed."

https://deborahwrites.com/blog/docs-like-code-basic-intro/

#TechnicalWriting #SoftwareDocumentation #SoftwareDevelopment #Programming #DocsAsCode #Git #Markdown #TechnicalCommunication #MkDocs #VSCode

"It’s not that hard to build a fully functioning, code-editing agent.

It seems like it would be. When you look at an agent editing files, running commands, wriggling itself out of errors, retrying different strategies - it seems like there has to be a secret behind it.

There isn’t. It’s an LLM, a loop, and enough tokens. It’s what we’ve been saying on the podcast from the start. The rest, the stuff that makes Amp so addictive and impressive? Elbow grease.

But building a small and yet highly impressive agent doesn’t even require that. You can do it in less than 400 lines of code, most of which is boilerplate.

I’m going to show you how, right now. We’re going to write some code together and go from zero lines of code to “oh wow, this is… a game changer.”

I urge you to follow along. No, really. You might think you can just read this and that you don’t have to type out the code, but it’s less than 400 lines of code. I need you to feel how little code it is and I want you to see this with your own eyes in your own terminal in your own folders.

Here’s what we need:

• Go
• Anthropic API key that you set as an environment variable, ANTHROPIC_API_KEY"

https://ampcode.com/how-to-build-an-agent

#AI #GenerativeAI #AIAgents #AICoding #Programming #Go #Claude #Anthropic #LLMs #Chatbots

"[T]hose claiming we're mere months away from AI agents replacing most programmers should adjust their expectations because models aren't good enough at the debugging part, and debugging occupies most of a developer's time. That's the suggestion of Microsoft Research, which built a new tool called debug-gym to test and improve how AI models can debug software.

Debug-gym (available on GitHub and detailed in a blog post) is an environment that allows AI models to try and debug any existing code repository with access to debugging tools that aren't historically part of the process for these models. Microsoft found that without this approach, models are quite notably bad at debugging tasks. With the approach, they're better but still a far cry from what an experienced human developer can do.
(...)
This approach is much more successful than relying on the models as they're usually used, but when your best case is a 48.4 percent success rate, you're not ready for primetime. The limitations are likely because the models don't fully understand how to best use the tools, and because their current training data is not tailored to this use case."

https://arstechnica.com/ai/2025/04/researchers-find-ai-is-pretty-bad-at-debugging-but-theyre-working-on-it/

#AI #GenerativeAI #Programming #Debugging #SoftwareDevelopment