Doesn't at all. You can take cash, keep cash and spend cash without any bank being involved. Cash is more anonymous than crypto and (if it's USD) accepted just about everywhere.
Banks give you an advantage with transaction security and deposit insurance, but that's dealing with money and not cash.
We need our infrastructure to stop treating bank account numbers and social security numbers as secrets. At least in the US, bank account numbers appear on physical checks and are required to be shared in order to do an ACH transfer, and a social security number is not supposed to be used as an identifier (unless to the Social Security Administration itself) or as a secret password.
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
If someone has your bank account and bank’s routing number (which is also not secret), they can make fraudulent ACH transfers and payments from your account. Of course it will most likely be caught as fraud some time after the fact, but just those two bits of not-secret info are enough to grief someone.
Yes and no. Yes, theoretically you can initiate ACH transfer with just the account number. But practically, you will need to have a bank that would allow you to do that and agree to be on the hook if the transfer is going to be reversed. Which means if you are a criminal who wants to do it systematically at scale, you have to be big enough to have your own licensed pocket bank. Which is not a service available to a random criminal. Of course, a random criminal could forge a check with your numbers and cash it, but the account owner would rarely be on the hook for the funds, it's whoever agreed to cash the check. It can cause significant annoyance and inconvenience to the real owner of the account (including having to change account number and all accompanied legwork) but rarely results in funds actually being removed from the rightful owner. The banks prefer this system to the alternatives even with the risk of fraud.
Your SSN had been already stolen in the Equifax breach - unless you're so young or recently arrived that you haven't had SSN by then, in which case it had been stolen in one of a dozens of the breaches since then. And if somehow you avoided all that, it will be stolen in the inevitable next breach, which would happen regardless of what you do.
Most of the exploits are for opensource/free software.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
llms are fantastic disassembly partners, they're quite good at labeling functions from various dissassemblers -- the net losses from losing the benefits of open source , imo , outweigh the protection afforded by hiding your source code in yet another layer that is more and more easily unrolled through automated procedures.
Um, the nginx binary would have to be in the hands of hundreds of thousands of server operators. And the set of server operators is rich in the kind of person who would attack it. Not to mention the huge number of leaks you'd get.
Maybe if it's some server-side software that you only use yourself...
And isn't it also mostly a transitioning issue. Those open codebases will be constantly scanned for potential security issues and getting more and more hardened.
There are probably a lot of easy wins that are going to be discovered over the next few years but it should taper out after a while.
I don't think that's exactly it. OSS only needs someone to have a strong LLM to check for bugs. If your software is proprietary, it's a competition between just you and whatever model you have vs any attacker and whatever model they can lay hand to.
> OSS only needs someone to have a strong LLM to check for bugs.
The same applies to propietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.
Presumably, one could let the bots loose on your own codebase first. The question is one of financing of course. If your end users are enterprises willing to pay for a support contract, they probably care enough about not getting hacked to endure the higher prices that would let you throw enough tokens at the problem. Other open-source projects might have a harder time.
> I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?
I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?
I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer, (I have ddg too :P) I'm interested in general expectations from SWE's that I might teach at work, instead of opinions of security eng speaking about theory.
Because of asymmetric differences, I don't have access to powerful LLMs but attackers might. And also the complexities of software dependencies (supply chain vulnerabilities), my software depends on packages not in my control and I don't have time to audit the entire stack.
Perhaps the answer is to depend only on packages that come from people that are more competent than you so you can know if or when your program is compromised that it'll most likely be your fault and not theirs.
Security through obscurity can make something a bit more secure in practice by annoying an attacker IF AND ONLY IF you're not relying on the hidden information remaining secret in order to the system remaining secure. E.g., if you're using a broken cipher and assume this is ok because no one knows which cipher you're using, you're gonna have a bad time.
In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighted by the contributions and vuln reports you get if you publish the source.
I think LLMs might actually have a bigger effect on closed source software - the tedium saved on open source bug hunting is significant, but on closed source software the tedium of finding bugs is extreme because of all the reverse engineering, but LLMs will chew through that. So there's probably a lot of low hanging fruit.
Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??
We slaughter animals millions by the day in an industrialized fashion. I'm sure they'll feel much better that even singular instances of sexual harassment are officially not ok on paper.
As a very general statement, there's a cost to having laws exist. A law that stops one human-scale action ever is very unlikely to be worth the overhead.
That’s one school of thought. Law as a tool to punish those who have committed a prohibited act, mostly reactive.
Others consider law a way of encoding the group’s existing rules and norms.
In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.
The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).
Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).
It’s also sometimes used as coordination (which side of the road we drive on).
And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.
And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.
Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.
> Law as a tool to punish those who have committed a prohibited act
You're thinking of criminal law. And it's not just some group's rules and norms - there already exists familial or social group punishment for that. Criminal law is prosecuted by the State. It's the code of conduct of the society you exist in.
If you want a thought experiment for what life would be like without organised society, read Leviathan
Hence why we accept State governance and law (to a greater or lesser extent, obviously people protest specific laws and injustices and what's on the statute books changes on a regular basis), because the alternative to law is "nature", aka bigger-army diplomacy. Anarchy doesn't free people, it only gives freedom to those with existing power to disempower others. Those with superior power will simply rob, rape, kill or enslave everyone else.
States exist to secure their territory from those sort of external threats, and incubate an economy inside their borders, which aspires to bring wealth and happiness. The criminal law is put in place by those with the monopoly on legitimate violence, often encoding the views of the population, to keep their society running.
> You're thinking of criminal law. And it's not just some group's rules and norms - there already exists familial or social group punishment for that. Criminal law is prosecuted by the State. It's the code of conduct of the society you exist in.
What I meant is more about why and how laws come to be, which depends on what we think they’re for. Hobbes’ point of view is one. Locke and Rousseau had different opinions.
For example, one can view criminal law as a punishing tool, like gp, whose only purpose is to punish the act once discovered. You criminalise duels to punish duelists because murder is bad and no murder or attempted murder should go unpunished, and associate a great punishment because murder is a very bad thing.
But you can also criminalize duels to prevent or reduce the incidence of duels, and associate a great punishment to it to deter your stupid hot-heated young nobles from going around each other. Still criminal law, but this time both as social engineering and deterrence.
It’s been a long time since I read Hobbes. Should definitely go back to it.
Either the fear of the consequences of breaking the law, or that the most effective way to reduce crime is to remove criminals from the population so over time these people being in jail or worse decreases the crime rate. They don't have to care about breaking laws in the abstract for the law, properly enforced, to reduce crime.
Those seem like two different scenarios though, right?
The point of beastiality laws are to give society some recourse to punish people who abuse animals.
There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
You cited a specific case. It's not odd at all in the context of that case. The professionals in charge of enforcing the law decided the animals weren't harmed.
> There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
What I said, verbatim, about that case.
What part of that is incorrect or warrants clarification, exactly?
Using the legal definition of "abuse", yes it was illegal to sexually abuse animals. Their actions didn't qualify. That's what warrants clarification here.
I appreciate your definition of abuse here but it's confusing in a discussion about legality.
No, it wasn't. The laws are quite explicit about what "abuse" means, and if you take a gander at most laws (including Washington state's circa 2000 or so) in the context of animals it usually explicitly refers to physical harm (for example, mutilation) or improper living conditions. Charging them under Washington's existing abuse laws would've required the animal to be physically injured, which it wasn't. It's quite literally why they had to pass a new law.
I don't know why I have to explain this, but:
1) Sexual abuse can occur without physical harm or injury.
#2 can be split into two sides, and not everyone believes one of those is sexual abuse.
Edit: Removed video link because the second half was gross and unrelated. May try finding another clip, but the first half was of Cenk Uygur from The Young Turks about a decade ago saying he'd legalize cases where the person pleasured the animal.
And my point is that sexual abuse is a subcategory of abuse.
You didn't imply until now that I was wrong about animal abuse already being illegal. In that case, a bestiality law doesn't fix the actual problem, right? It's a band-aid partial fix.
I'm not sure what your point is, to be blunt. It seems like you wanted to make some weird argument about the semantics of the word "abuse", and are now implying one of:
1) Beastiality isn't sexual abuse
2) Beastiality laws are pointless because it was already illegal under existing abuse laws (it wasn't, as we've repeatedly discussed)
3) Sexual abuse requires physical harm
all of which are pretty gross (1,3) and/or pointless (2). I don't really feel the need to argue any of this any further, so I'll leave you to it.
You got 2 wrong. It's: 2) If the existing abuse law doesn't include sexual abuse, we need to fix that law, not add a new one.
And that's not a pointless argument. If we're still allowing the whole category of non-physical abuse to animals, except for bestiality, that's a terrible job of lawmaking.
And just on a tangent here now that I'm reading the law they added, does it really make sense to have a blanket exemption for "accepted animal husbandry practices"? Some of those procedures are just as exploitative and unnecessary. It makes me think this law isn't putting animal welfare first.
If you jerk off a horse just for the love of the game, you're a criminal and that's abuse. But if you're paid to do it (e.g. for insemination) that's fine. The act is the same, seems doubtful the horse is harmed. What society has a problem with is the fact that you enjoyed it.
For some reason with people it goes the other way around.
Well, it's a joke because the problem becomes apparent after you think a bit about it. The exact same reasonig can be applied to anything illegal, criminals are criminals because they don't respect the law, so you could try to say that laws are useless. Reality is, if something is illegal not only someone can be punished after the fact, but in some cases also preventive measures can be taken.
Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.
As you're basically saying, the world isn't black or white. There's also a category of people that needs an incentive to behave. Also, without any laws, it would be problematic to punish "the bad guys". At that point, what you can or cannot do would be only a matter of relative power: who is stronger can do whatever they want to weaker people.
Nope, it reduces the issue even if it isn't solving it entirely. Without laws and law enforcement, anyone with bigger muscles than you could break your nose just because they feel you looked at them the wrong way.
Physical violence is just about the last area we "need" laws because people really hate violence and will go well out of their way to avoid even the chance being subject to it. No matter how big you are you can't go around breaking noses without a good reason we all agree on because if you do that for very long a bunch of other people will gang up and break yours or worse.
To a first order, laws basically just codify how the government (the overwhelmingly dominant applicator of violence in any given society these days) will apply violence so that the peasants can reason about it in advance and avoid it.
You don't need any of that for the basic "if I do violence upon others without a damn good reason violence will be done upon me" workflow though.
I think you are forgetting that laws are responsible for a good chunk of what people perceive/are educated to see as good/wrong honest/dishonest.
Sure the worst atrocities are known to be bad from Religion (10 commandments, which is a law in itself) but many aren't. Speeding, drunk driving, harassment aren't concept that are obviously wrong (as in obvious to people with no guardrails).
So laws aren't useless. The fact that most people respect them actually means they have a purpose.
As well as those who don't wish to be blessed with Herpes-B from somebody who thought it was a good idea to engage in unsafe sexual activity with other non-human primates
I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
But do people actually find these vulnerabilities on their own, or are they using LLMs? I was curious about how these vulnerabilities work, so I tried asking my dear friend Mr. CLAUDE, but he immediately threw an error and ended the session because it was a cybersecurity question. Enterprise APIs block even the analysis itself, so it's amazing that people can actually pull this off in practice.
le sigh, c-ares. Very predictable outcome. If you ever find yourself entertaining the idea that you will simply write non-blocking network protocol stacks in C with manual lifetime management, slap yourself. It doesn't matter if you think you are a super genius of unimpeachable taste. The job is impossible.
A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.
I was thinking that the other definition was right and this correction was wrong.
Then I did some searching and found multiple examples of both definitions in use, making things murky.
So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”
And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.
No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.
The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.
The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
The point is that anyone looking for zero days has them in spades, in this age of LLM use.
So, knowing that bad actors have an unending river of cheaply acquired zero days, the best response is to publish them so that maintainers also have access to them. Existing methods of slow disclosure cannot keep up with the AI firehose.
It’s ugly, but it will force needed change. A thorough AI red team effort is the lowest bar of releasing software responsibly in this day and age.
If only the AI tools didn't shut you down every time you were trying to red team your own tools. I've had to come up with all kinds of workaround scenarios, effectively bypassing the AI security processes in order to stress test my own systems.
> Yes, if you overwrite binaries executed by ghidra, you can trigger code execution.
> but it's probably worth noting that "RMI" stands for Remote Method Invocation
This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322
I'm no expert on any of these programs, but that's kinda the problem, isn't it? No single person is an expert on every codebase supposedly exploited in this repo.
After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.
This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.
Many French people with crypto money experienced that the hard way recently.
In short, it's a very active and growing activity. Many data leaks helped people to identify wealthy targets. Some just brag about having crypto.
https://www.lemonde.fr/societe/article/2026/04/24/enlevement...
https://www.franceinfo.fr/faits-divers/cryptomonnaies-la-vag...
https://www.lemonde.fr/societe/article/2025/08/19/l-ascensio... (paywall)
https://www.slate.fr/societe/enlevements-lies-cryptomonnaies...
Some random recent ones we know about:
https://france3-regions.franceinfo.fr/grand-est/haut-rhin/mu...
https://www.leparisien.fr/faits-divers/renseignes-par-des-ha...
Banks give you an advantage with transaction security and deposit insurance, but that's dealing with money and not cash.
Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.
I don't know what methods where used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.
something like nginx could arguably be more secure if it was closed source
(I am a proponent of and contributor to open source)
Maybe if it's some server-side software that you only use yourself...
> OSS only needs someone to have a strong LLM to check for bugs.
The same applies to propietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.
A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.
I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?
I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?
I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer, (I have ddg too :P) I'm interested in general expectations from SWE's that I might teach at work, instead of opinions of security eng speaking about theory.
https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
> starting to think security through obscurity might not be a bad thing
In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighted by the contributions and vuln reports you get if you publish the source.
> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.
Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.
Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??
Who will this comment stop??
“””here are the best estimates of how many animals are killed every day on a per-species basis.
Chickens: 206 million/day
Farmed Fish: Between 211 million and 339 million
Wild Fish: Between 3 billion and 6 billion
Ducks: 9 million
Pigs: 4 million
Geese: 2 million
Sheep: 1.7 million
Rabbits: 1.5 million
Turkeys: 1.4 million
Goats: 1.4 million
Cows: 846,000
Pigeons & other birds: 134,000
Buffalo: 77,000
Horses: 13,000
Other animals: 13,000
In total, this means that every 24 hours, between 3.4 and 6.5 billion animals are killed for food”””
- https://sentientmedia.org/how-many-animals-are-killed-for-fo...
Others consider law a way of encoding the group’s existing rules and norms.
In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.
The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).
Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).
It’s also sometimes used as coordination (which side of the road we drive on).
And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.
And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.
Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.
You're thinking of criminal law. And it's not just some group's rules and norms - there already exists familial or social group punishment for that. Criminal law is prosecuted by the State. It's the code of conduct of the society you exist in.
If you want a thought experiment for what life would be like without organised society, read Leviathan
Hence why we accept State governance and law (to a greater or lesser extent, obviously people protest specific laws and injustices and what's on the statute books changes on a regular basis), because the alternative to law is "nature", aka bigger-army diplomacy. Anarchy doesn't free people, it only gives freedom to those with existing power to disempower others. Those with superior power will simply rob, rape, kill or enslave everyone else.
States exist to secure their territory from those sort of external threats, and incubate an economy inside their borders, which aspires to bring wealth and happiness. The criminal law is put in place by those with the monopoly on legitimate violence, often encoding the views of the population, to keep their society running.
What I meant is more about why and how laws come to be, which depends on what we think they’re for. Hobbes’ point of view is one. Locke and Rousseau had different opinions.
For example, one can view criminal law as a punishing tool, like gp, whose only purpose is to punish the act once discovered. You criminalise duels to punish duelists because murder is bad and no murder or attempted murder should go unpunished, and associate a great punishment because murder is a very bad thing.
But you can also criminalize duels to prevent or reduce the incidence of duels, and associate a great punishment to it to deter your stupid hot-heated young nobles from going around each other. Still criminal law, but this time both as social engineering and deterrence.
It’s been a long time since I read Hobbes. Should definitely go back to it.
The point of beastiality laws are to give society some recourse to punish people who abuse animals.
There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.
What an odd thing to say about the sexual abuse of an animal.
I don’t think the semantics are very important here, I think it was clear I'm talking about sexual abuse specifically without this odd clarification.
What I said, verbatim, about that case.
What part of that is incorrect or warrants clarification, exactly?
I appreciate your definition of abuse here but it's confusing in a discussion about legality.
No, it wasn't. The laws are quite explicit about what "abuse" means, and if you take a gander at most laws (including Washington state's circa 2000 or so) in the context of animals it usually explicitly refers to physical harm (for example, mutilation) or improper living conditions. Charging them under Washington's existing abuse laws would've required the animal to be physically injured, which it wasn't. It's quite literally why they had to pass a new law.
I don't know why I have to explain this, but:
1) Sexual abuse can occur without physical harm or injury.
2) Beastiality is sexual abuse.
Edit: Removed video link because the second half was gross and unrelated. May try finding another clip, but the first half was of Cenk Uygur from The Young Turks about a decade ago saying he'd legalize cases where the person pleasured the animal.
Edit2: https://www.youtube.com/watch?v=6QUUcQqBkJA
You didn't imply until now that I was wrong about animal abuse already being illegal. In that case, a bestiality law doesn't fix the actual problem, right? It's a band-aid partial fix.
1) Beastiality isn't sexual abuse
2) Beastiality laws are pointless because it was already illegal under existing abuse laws (it wasn't, as we've repeatedly discussed)
3) Sexual abuse requires physical harm
all of which are pretty gross (1,3) and/or pointless (2). I don't really feel the need to argue any of this any further, so I'll leave you to it.
And that's not a pointless argument. If we're still allowing the whole category of non-physical abuse to animals, except for bestiality, that's a terrible job of lawmaking.
And just on a tangent here now that I'm reading the law they added, does it really make sense to have a blanket exemption for "accepted animal husbandry practices"? Some of those procedures are just as exploitative and unnecessary. It makes me think this law isn't putting animal welfare first.
For some reason with people it goes the other way around.
Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.
I guess “bad” is excessive. I regularly observe traffic laws with less rigor the your average police officer would prefer.
To a first order, laws basically just codify how the government (the overwhelmingly dominant applicator of violence in any given society these days) will apply violence so that the peasants can reason about it in advance and avoid it.
You don't need any of that for the basic "if I do violence upon others without a damn good reason violence will be done upon me" workflow though.
Sure the worst atrocities are known to be bad from Religion (10 commandments, which is a law in itself) but many aren't. Speeding, drunk driving, harassment aren't concept that are obviously wrong (as in obvious to people with no guardrails).
So laws aren't useless. The fact that most people respect them actually means they have a purpose.
The people who want to see the people doing bestiality punished
The main issues are that it's potentially really harmful towards the animals, depending on act, and a vector for zoonotic disease transfer.
If you're going to do it, do it right, and accept that you're probably going to end up with some system transfer you didn't necessarily anticipate.
The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?
Then I did some searching and found multiple examples of both definitions in use, making things murky.
So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”
And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.
The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.
The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.
The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).
The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.
Maybe I'm projecting my own biases ;-)
I do wonder though: if you can tell the AI to search for vulns, can't you also tell it to contact the right maintainer for each one found?
So, knowing that bad actors have an unending river of cheaply acquired zero days, the best response is to publish them so that maintainers also have access to them. Existing methods of slow disclosure cannot keep up with the AI firehose.
It’s ugly, but it will force needed change. A thorough AI red team effort is the lowest bar of releasing software responsibly in this day and age.
> but it's probably worth noting that "RMI" stands for Remote Method Invocation
This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322
After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.
This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.