Hacker News: joshmn's comments

My dad spun up my Pentium Deschutes (400MHz!) machine the other day. Same hard drive from when I was 10 years old. “clouds.psd” was on the desktop.

I still remember retiring that computer. The first thing I did when I got my Pentium IV chip a year later was download Macromedia Dreamweaver. Did me well.



Claims Dang is using AI, and that other people are using AI even though most of the flagged posts predate popular AI products. Really destroys the whole EM-Dash === AI thing.

> EM-Dash === AI thing

which never should have been a thing, because it was obviously wrong

Yes, AIs are more likely to use em-dashes, but that is just one, by itself very insufficient, indicator.

It's like hip size. On average over the population they are wider for women. But the effect is too small to classify the gender of a hip bone by its size. (Like for a specific age range and ethnicity, the difference in median is like 1" or so, while there is a >10" difference between the 5th percentile and the 95th percentile. Varying by gender in difference and exact distribution.) Well I guess em-dashes are more an indication for AI than hip size for gender... lol


That's emphatically not what it claims.

https://www.gally.net/miscellaneous/hn-em-dash-user-leaderbo...

So if EM-Dash is good proof of AI usage, and people who we can see didn't use AI / or predate AI being popular, are flagged, then that undercuts it by a lot.


>Top 50 users by number of posts containing em dashes (—) before November 30, 2022, when ChatGPT was released

There are plenty of other dedicated server providers that do.

Which comparable US dedicated server providers do you prefer?

I tend to mostly use dedicated servers from Hetzner for my own projects and for my clients' projects. Whenever they explicitly want US servers, I tend to go with Vultr's dedicated servers, which have been serving us well for many years.

OVH has dedicated servers in the USA and Canada.

I've read several reports from customers saying that their customer service is really bad. Difficult to know with online reviews of course. Does anyone have positive stories to share? I am looking at Australian hosts specifically and Hetzner doesn't have any data centers here.

We use them heavily for test boxes and running experiments. Standard off-the-shelf machines are provisioned almost instantly, and we've never had any problems.

More custom stuff (eg 100Gb/s NICs) takes a bit longer, but they've always been super responsive and quick to sort out any issues!

The price / performance you get from something like their AX162 is just crazy, although unfortunately with the whole RAM / NVMe shortage the setup fee has gone up quite a lot.


Using them for production for years, never disappointed.

What you should be aware of is their new exploration of S3 storage. I mean, the S3 works and everything but it's still too early - the servers are kind of slow and sometimes fail to upload/download. They are still tuning the storage architecture. The API key management is kind of too primitive (although much more headache-free than configuring AWS), and the online file browser is lacking.

But for VPS servers - they are battle-tested veterans.


> I keep reading folks saying OpenClaw has completely changed their life while posting a picture of 58 mac minis on their desk.

I was having a conversation with someone about OpenClaw, and they proposed this idea of OpenClaw being used for inventory tracking at the retail-level. I let them continue. They said it'd be the best option for tracking when purchases are made and what SKUs are sold at what time of day. They weren't talking about prompting, they were talking about it as a data store.

I didn't bother mentioning how long this problem had been solved.

It's not you being a curmudgeon.


> I didn't bother mentioning how long this problem had been solved.

The ironic thing here is that the person could go to ChatGPT (or whatever), describe the problem they're looking to solve, and ask it to find them the various ways it has been solved reliably (with links to the sources to confirm the information). And even provide some details on when each solution works best and why.

Because THAT is a great use for AI.


They could do that, but then they'd have to then do the actual legwork after, whether that means finding the proposed solution or whatever (after maybe glancing at a few of those pesky links), installing and configuring it. What OpenClaw represents is the ability to, in natural language, state what you want and then take off with the assurance your will will be done. Just as you'd expect when tasking a human assistant.


>Take off with the assurance your will will be done

* Whatever the AI thinks is your will will be done in a way the AI thinks is correct...


I've long thought it would be funny to do a startup where we would make accounting software that was solely a chat interface, with the only data store being a GL account list stored in context. There is probably a VC firm dumb enough to fund it.


You shared this with me via email and I had a great laugh.

I'm very disappointed to not have made the list—going to federal prison for 18 months didn't help my score.


Sometimes I daydream about people screaming at their LLM as if it was a TV they were playing video games on.


Why daydream? ChatGPT has a voice assistant mode.


I've been on the receiving end of federal enforcement (DOJ, high-profile "cybercrime"). When they want you, they don't need a confidence score. There is no quota—they take time to build a case. The existence of these tools tells you this isn't targeted enforcement, it's industrial-scale population processing dressed up in an algorithm.

I live in Minnesota. This is my backyard.


https://josh.mn

Mostly about the federal prison system (of which I am an alumnus) and Ruby. Some essays about autism, too.


Glad to see there are still websites with oddly specific themes. I might read it sometime.


It’s notable that there were ShinyHunters members arrested by the FBI a few years ago. I was in prison with Sebastian Raoult, one of them. We talked quite a bit.

The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access. They’d otherwise look up API endpoints on GitHub and see if there were any leaked keys (he wasn’t fond of GitHub's automated scanner).

https://www.justice.gov/usao-wdwa/pr/member-notorious-intern...


Generally speaking, humans are more often than not the weakest link in the chain when it comes to cybersecurity, so the fact that most of their access comes from social engineering isn't the least bit surprising.

They themselves are likely to some extent the victims of social engineering as well. After all, who benefits from creating exploits for online games and getting children to become script kiddies? It's easier (and probably safer) to make money off of cybercrime if your role isn't committing the crimes yourself. It isn't illegal to create premium software that could in theory be used for crime if you don't market it that way.


I'm not sure this is very fair because humans are often not given the right tools to make a good decision. For example:

To gift to a 529 regardless of the financial institution, you go to some random ugift529.com site and put in a code plus all your financial info. This is considered the gold standard.

To get a payout from a class-action lawsuit that leaked your data, you must go to some other random site (usually some random domain name loosely related to the settlement, recently registered by Kroll) and enter basically more PII than was leaked in the first place.

To pay your fed taxes with a credit card, you must verify your identity with some 3rd party site, then go to yet another 3rd party site to enter your CC info.

This is insane and forces/trains people to perform actions that in many other scenarios lead to a phishing attack.


Don't forget magic links in email for auth and password resets training people that it's OK to click links in emails.

Yes, we (the software industry) have been training people to practice poor OpSec for a very long time, so it's not surprising at all that corporate cybersecurity training is largely ineffective. We violate our own rules all the time.


Has anyone invented an alternative to that yet? I could imagine emailing you a code to enter in a specific part of a site to get you to the right link, but then people could just scan all the codes. To solve that you could make the codes long 64-bit strings, but then that's too hard to remember, so you could just provide functionality to automatically include that info to get you to the site, but then that's just a link again.

Maybe if you expected everyone to copy-paste the info into the form? That might work


This is the closest I've seen (pretty new): https://github.com/WICG/email-verification-protocol


I recently discovered that Microsoft's SSO doesn't guarantee email veracity. Basically you can spoof emails via Active Directory, so if a site supports Microsoft's SSO and doesn't do a second verification, then someone could log in to your site with someone else's email.

I mean, what's the point of their SSO if you're just going to need to verify it with an email code anyways?


It’s easier/more complicated than that. Use 6 digit codes, tied to a specific reset session, with only 3 attempts allowed per-session, and sessions lasting only 5 minutes.
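The scheme in the comment above (6-digit code bound to one reset session, 3 attempts, 5-minute lifetime), written out as an added example that is not the commenter's code. The in-memory store and the injectable clock are assumptions for the sake of a runnable demo; a real service would keep sessions in a database or cache.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # 6-digit code, as in the comment
MAX_ATTEMPTS = 3         # 3 guesses per reset session
SESSION_TTL = 5 * 60     # sessions live for 5 minutes


@dataclass
class ResetSession:
    account: str
    code: str
    expires_at: float
    attempts: int = 0


class ResetCodeStore:
    """In-memory reset-session store (assumption: a demo stand-in for a DB/cache).

    With a 6-digit code and 3 guesses per session, an attacker who starts a
    session gets at most a 3-in-1,000,000 chance per session, and every
    failure path shrinks the guess budget or burns the session entirely.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing expiry
        self._sessions: dict[str, ResetSession] = {}

    def start(self, account: str) -> tuple[str, str]:
        """Create a session; returns (session_id, code).

        The code is what gets e-mailed/SMSed, the session_id is what the reset
        form carries, so a code is useless outside the session it was issued for.
        """
        session_id = secrets.token_urlsafe(32)
        # secrets.randbelow gives an unbiased code; zero-pad to 6 digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._sessions[session_id] = ResetSession(
            account, code, self._clock() + SESSION_TTL)
        return session_id, code

    def verify(self, session_id: str, submitted: str) -> bool:
        """True exactly once, for a correct guess inside the window and budget."""
        session = self._sessions.get(session_id)
        if session is None:
            return False                    # unknown, consumed, or burned
        if self._clock() > session.expires_at:
            del self._sessions[session_id]  # expired: drop it
            return False
        session.attempts += 1
        # constant-time comparison so timing does not leak a matching prefix
        ok = hmac.compare_digest(session.code.encode(), submitted.encode())
        if ok:
            del self._sessions[session_id]  # single use: remove on success
            return True
        if session.attempts >= MAX_ATTEMPTS:
            del self._sessions[session_id]  # budget spent: burn the session
        return False
```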


Don't allow HTML rendering of an <a> element where the href links to a different URL than the one shown, don't allow any (Java)Scripts to run, or at least give the user a warning that they are about to open a new window into domain XYZ.

This is how I found out quite a few scams (apart from obvious ones with improper wording or visual formatting, but those are on purpose so bad as to catch only the most unskilled or gullible, i.e. your grandma).
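The two checks the comment above proposes (an anchor whose visible text is a URL for a different host than its href, and any script in the mail body), as an added example and not the commenter's code. It uses only the standard library; the e-mail HTML at the bottom is a constructed sample.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# visible link text that a reader would take for an address (scheme optional)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def _host(url: str) -> str:
    """Lower-cased host of a URL, with a leading 'www.' dropped; '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")


class MailLinkAuditor(HTMLParser):
    """Collects (kind, shown_text, href) findings while parsing mail HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None        # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None, None))
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            shown_host = _host(shown) if URL_LIKE.match(shown) else ""
            real_host = _host(self._href)
            # exact host comparison: a subdomain of the same site also counts
            if shown_host and real_host and shown_host != real_host:
                self.findings.append(("href_mismatch", shown, self._href))
            self._href = None


def audit_email_html(html: str):
    """Return the list of findings for one HTML mail body."""
    parser = MailLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample in the style of the "re-login to our forum" mail
SAMPLE_MAIL = """
<p>Dear User, our forum software was upgraded, please re-login at
<a href="https://microsoft-forums-login.example/re-auth">https://social.microsoft.com/forums</a>
or read <a href="https://example.com/help">our help page</a>.</p>
<script>document.location = 'https://bad.example/';</script>
"""

if __name__ == "__main__":
    for kind, shown, href in audit_email_html(SAMPLE_MAIL):
        print(kind, shown, href)
```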


About 10 years ago, I got an email from Microsoft of all people(!) which to any reasonably security-trained person would look entirely like a phishing email:[0]

1. It said "Dear User" instead of a name/username;

2. It talked about how they were upgrading their forum software and as such would require me to re-login;

3. It gave me a link to click in the email without any stated alternative;

4. It warned me that if I didn't do this, I would no longer be able to access the forum;

5. The domain of the URL that the link went to was not microsoft.com, but a different domain that had "microsoft" in it.

It was a textbook example for how a phishing email would look, and yet it was actually a legitimate email from Microsoft!

I haven't had any others like it since, but that was an eye-opener for sure.

[0] https://reddit.com/r/facepalm/comments/32ou4z/microsoft_what...

[Edit: Fixed a detail I misremembered.]


There should be a way to tell you who I am without telling you who I am.

Phone/laptop based biometrics?


Isn't that what a passkey is intended to be?

If I want to use a passkey on my phone, I have to bio authenticate into it. Similarly, with Windows Hello as a passkey provider, via my camera scanner. It works well and is pretty seamless, all things considered. I prefer it to the email/code/magic link method.


It’s how I’ve been using physical keys over the same protocol for years, mhmm.


The mechanics are a solved problem by SQRL I think, but it's too much responsibility for basically everyone.

You really do fully own and control your identity, and if you botch it and lose your top level keys, no one else can give you a "forgot password" recovery.

If this level of unforgiveness were dropped onto everyone overnight, it would mean infinite lost life savings and houses and just mass chaos.

Still I think it would be the better world where that was somehow actually adopted. The responsibility problem would be no problem if it was simply the understood norm all along that you have this super important thing and here is how you handle it so you don't lose your house and life savings etc.

If you grew up with this fact of life and so did everyone else, it would be no problem at all. If it had been developed and adopted at the dawn of computers so that you learned this right along with learning what a computer was in the first place, no problem. It's only a problem now that there are already 8 billion people all using computer-backed services without ever having to worry about anything before.

The real reason it's never gonna happen is exactly because it delivers on the most important promise of end user ultimate agency and actual security.

No company can own it, or own end users' use of it. It can not be used for vendor lock-in or data collection or profiling or government back doors or censorship or discrimination or any of the things that holding someone's password or the entire auth technology can be used for to have control over users.

No (large) company nor any government has any interest in that, and it's way too technical for 99.99% of people to understand the problems with all the other popular auth systems so there will be no overwhelming popular uprising forcing the issue, and so it will never happen.

A method already exists (I think), that solves the hard problems and delivers the thing everyone says they want, and everything else claims to be groping for, but we will never get to use it.


I think this is the way forward. We shouldn't continue relying on email (or proving ownership over an email address for that matter) as identity.

Public/private keys with a second factor (like biometrics) as identity I think is a good option. A way to announce who you are, without actually revealing your identity (or your email address).

Tbh that's how all the age verification crap should work too for the countries that want to go down that road instead of having people upload a copy of their actual ID to some random service that is 100% guaranteed going to get breached and leaked.

We need pseudo-anonymous verification.


Biometrics might be useful in establishing a (PKI) key, but are not suitable for the key itself.

"Something you have" is far more useful, especially if that something is itself cryptographically-based. Yubikeys, RSA fobs (generating one-time codes), wearable NFC tokens (rings, amulets), and the like, which may be authenticated in part based on biometrics and other attestation, but are themselves revocable, would be a far better standard.

What the General Public can be expected to utilise willingly and effectively seems to be the larger problem, as well as what commercial and governmental standards are established.


PGP signature?


An unblemished 34 year record of failing mainstream adoption.

(I've had at least one PGP/GPG key for the past quarter century or so myself.)


This is very much a US issue, largely because the government outsources everything to the private sector. This proliferation of random websites and shady 3rd parties is one of the consequences of this.


Don't forget credit checks when you apply for an apartment! "Go to this website sent via e-mail from someone you only know through a craigslist ad and enter all of your PII. On top of that about 2/3 of what is listed actually is phishing attempts and good luck telling the difference"


If you apply to living spaces before viewing after emailing or calling,

well, no wonder they’re after you as a demographic.


Like when you suddenly have to move to a different city due to an unexpected job change and are trying to schedule as many viewings in one weekend as possible?


Job asks me for a start date, I tell them tomorrow - if remote,

or a month.

Sooner, if they help with relocation.


I'm guessing this isn't a job that pays $15 per hour...


Reminds me of a co-founder of an adtech company I know. They are a platform that buys inventory using automated trading, mostly mobile, and they realized that most of their customers were all clickfraud / scammers / etc. He didn’t want to go into too much detail.

But he shrugged it off.

I bet there are quite a few shops online that may sell gift cards that are used in money laundering schemes. Bonus points if they accept bitcoin.

But those are all quite implicitly used by cybercrime. I can imagine there are quite a few tools at their disposal that are much more explicit.


Worked at a place that used to do a kind of arbitrage between adclicks and traditional print. A large percent of traffic, especially mobile, was obviously either toddlers or bad bots; yet we were billing our customers for the 'engagement'.


I worked at a $xxxB company that had an internal red team. They ran almost as a separate company but were housed in one of our offices.

I was involved in probably 15 operations with them while I was there. They would usually get C&C within six hours, every single time it was phishing lol.


Insofar as every security mechanism was made by a human, yes.

But if we're holding users accountable because 1 out of every 100 clicks a link in a phishing email like clockwork, we're bad at both statistics and security.


>It isn't illegal to create premium software that could in theory be used for crime if you don't market it that way.

Who is making money off of selling premium software, that's not marketed as for cybercrime, to non-governmental attackers? Wouldn't the attackers just pirate it?


This type of software is being sold on many forums, both on the clearnet and darknet.

> Wouldn't the attackers just pirate it?

Sometimes the software is SaaS (yes, even crimeware is SaaS now). In other cases, it has heavy DRM. Besides that, attackers often want regular updates to avoid things like antivirus detections.


I assume the forums you're talking about are cybercrime forums. So I think that counts as "marketed for cybercrime". I'm asking if there's anything not marketed for cybercrime.


Feel like IDA Pro counts.


I'm pretty sure nearly 100% of IDA Pro usage by underground hackers is pirated.


Tons of companies like Portswigger (Burp Suite) or Cobalt Strike (their c2)


Wouldn't those get pirated by malicious attackers? I thought only legit companies paid for the license.


The threat actors just make fake businesses and buy legit licenses as well


> (he wasn’t fond of GitHub's automated scanner)

Do you mean they thought the scanner was effective and weren't fond of it because it disrupted their business? Or do you mean they had a low opinion of the scanner because it was ineffective?


He would complain that it disrupted their business, and that it doesn't catch all keys—it catches the big ones that he certainly found to be very valuable.


Damn, that sucks they threw you in fed prison for running a sports streaming website.

Did you have bulletproof hosting and they caught you through other means like going after your payment providers, or did you make opsec mistakes, or how exactly?

Was it a website like Sportsurge where it simply linked to streams, or did it actually host the streams?


> The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access.

explain


[flagged]


That’s standard practice, on HN, and has been, before AI was a broken condom on the drug store shelf.

Unpleasant, but comes with the territory (I don’t like it, when it’s done to me).

That said, I’m not sure that kind of scolding is particularly effective, either.


I think saying just "explain" is a bit of a meme and meant to come across as almost humorously asking for an explanation.


Yea you get that once in a while here, also: "wrong".

It's like some commenters treat human interaction as a command-line interface.


Not every culture has the same standards of politeness. I didn't think it was rude, I think it can be even respectful of their time and intelligence to be concise, plain and direct, as long as you are not literally attacking them.

I mean, the comments under the GPT-5.1 announcement just today were full of people wishing that AI actually responded to them like this.

https://news.ycombinator.com/item?id=45904551


The bug couldn't have had less to do with streaming, and in the wrong hands would have been worth a significant amount of money—exponentially more than what the Shopify CVE calculator spit out and I replied with at the time. There's more here: https://prison.josh.mn/charges

There's a lot of nuance, and what was ultimately reported about the bug isn't how things played out—there's tons of context missing. I won't talk more of the bug, or the handling of situation. I realize it was the leading headline (more so than the "guy had streaming website") but it was, in my opinion, also the most far-fetched.

