vibbed?
Posts by Paul Frazee
anthropic tomorrow: okay it turns out all of the exploits were ffmpegs in the operating systems
furiously updating the design doc
I bet $50 that they don't even have instructions on avoiding that in their constitution doc
we all had our suspicions
so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security. It also awakened a thousand year old demon spirit embedded in MS Windows 3.1 which foretold humanity's demise before escaping through a vent. We are working with Microsoft to address this issue.
I feel like we're not addressing the most concerning news from Mythos
HTML in Canvas API is NUTS
I can foresee a future where the web is so full of psyops and infohazards that anyone technically competent uses ai agents to go out and retrieve any info they need. It's already a much more pleasant experience to have claude code gather and compile info than use a search engine yourself.
This is bad now, but really good if/when orgs use it for sec review. This isn't doom to me, it's just new mandatory tools in the workflow.
Yeah. I'm just going to play things conservatively
Networked security systems work across multiple deep specialties. It has always required experts in one field to rely on experts in another, even though they work on the same domain
Oh very cool, will keep that in mind
really? in what form?
son of a gun
when you're baffled by one of paul's skeets, claude can (sometimes) explain what's what 🤝
I think Anthropic deserves a ton of credit for holding the release and taking this fast action
Ultimately I'm going to roll with industry guidance. If companies like Google say their timeline for rollout is 2029, then that's the bet I'm going to make
My understanding is that it's a really risky position to bet against, because when it does happen it will happen "suddenly." The argument Filippo seems to be making is, this is as good of a warning as we get, regardless of the timeline from here
Probably since he's the one leading the awareness campaign on QC. See words.filippo.io/crqc-timeline/
you're asking the wrong kind of nerd
The post-quantum cryptography timeline accelerating at the same time that mythos is creating mass CVEs is really threatening to alter my roadmaps
I contributed yeah
nw nw
The reality is, there's no such thing as a simple way to handle versioning in an open system. If we chose to handle this change with a v2, then all of the software that still uses v1 would suddenly stop receiving posts.
There are only "least worst" options. It's all coordination.
We presently believe that the infra in the community that handles image blobs can be updated to handle a breaking change, and that we can sync with the operators to make this transition successfully. We *could* be wrong, but that's partly what the announcement is for
Let me give an example: suppose you have an app that you just launched. You're 95% sure nobody else is using your schemas yet. Can you make a breaking change to a lexicon? Yeah, probably. You've written the only software that depends on it.
If you can sync with all schema users, you can do it
The nuances around making changes are somewhat complex. The guidance isn't changed; if you're making a breaking change, you should create a new NSID.
The subtlety to that is, if you have high confidence that you can roll out a breaking change successfully, then you can do it without an NSID change.
FWIW the version field in lexicons is about the lexicon specification being used, not the version of the lexicon being described. (And there haven't been breaking changes to the lexicon spec yet.)
PSA: Use @pnpm.io minimumReleaseAge.
A simple way to make NPM supply chain attacks, like the one affecting the `axios` NPM package, more unlikely.
maier.tech/notes/pnpm-m...
I think @grain.social has the juice. It’s so refreshing to have a timeline that allows you to see new posts, and when you’re done, you can just go about your day. No engagement algorithm, just awesome photos in a clean app. 👏👏