With the number of available and vulnerable IoT devices and the number of motivated hacker groups supercharged with LLMs, shouldn't a lot of company and government secrets get revealed these days? Perhaps news organisations have a bottleneck being underfunded to go through leaked material?
What [the National Design Studio] is doing is taking the parts of the federal government that touch you directly, your prescription, your voter registration, your passport, your federal login, out of the agencies that legally own them and rebuilding them on White House infrastructure. Vote.gov belongs to the Election Assistance Commission, and the studio built a copy. Passports belong to the State Department, and the studio is building a replacement this week. Login.gov belonged to GSA, and the studio’s guy runs it now.
Trump has said publicly that this infrastructure is for other presidents, and he is right about that. It is the one thing in this story I take him at his word on. The infrastructure outlasts him. Whoever wins in 2028 inherits the websites, the vendors, the data, and the hardware, sealed and waiting.
NDS Infrastructure Map — my live working github map of every National Design Studio subdomain I have found, filterable by status, registrant, and parent domain. If you want to retrace this investigation or watch new subdomains appear in real time, start here.
This is good long-term, but what fraction of routers, smartphones, IOT devices, cameras, cluster servers,
We can bet that black hats iterate through all accessible devices and try to gain access. They might patch flaws to avoid others getting in, but will keep a backdoor for themselves. So it will be extremely hard to tell. We do not have something like brickerbot to turn unpatched devices noticeable.
The moral of the story is that it is easier and easier for police and intelligence services to quickly get meaningful information out of hard disks, including passwords and files in a personal workflow / storage structure (or lack of structure). LLMs might piece this together and be targeted. Security analysts would be faster and ignore noise better, but what is shown here might scale to millions of citizens.
Jensen Huang to college grads: "Run. Don't walk" toward AI
https://www.axios.com/2026/05/...
Nvidia founder and CEO Jensen Huang told graduates at Carnegie Mellon University in Pittsburgh yesterday that demand for AI infrastructure is creating a "once-in-a-generation opportunity to reindustrialize America and restore the nation's capacity to build."
Why it matters: With many college grads fearing AI could obliterate their career dreams, Huang pointed to boundless opportunity as a "new industry is being born. A new era of science and discovery is beginning
Nvidia, which makes AI chips, is the world's most valuable company. Huang told 5,800 recipients of undergraduate and graduate degrees that the AI buildout will require plumbers, electricians, ironworkers, and builders for chip factories, data centers and advanced manufacturing facilities.
"No generation has entered the world with more powerful tools â" or greater opportunities â" than you," he said. "We are all standing at the same starting line. This is your moment to help shape what comes next. So run. Don't walk."
"Every major technological revolution in history created fear alongside opportunity," Huang added. "When society engages technology openly, responsibly, and optimistically, we expand human potential far more than we diminish it."
Full speech: https://www.youtube.com/watch?...
The response of "User-Agent is not authentication" is a strawman response to "Unofficial clients should not use our servers". They used it as identification of clients, not authentication. Would the developers be happier if they had used an API key for the web interaction, but package that fixed API key into the app? Would that be "authentication" and thus better to them? It's the same effect, and the open source clone would copy it too.
Same discussion as 30 years ago with open source clones of messaging apps such as ICQ. The open source client pretends, on those days through reverse engineering, to be the official client. Ultimately, it was okay then, because it was beneficial for the operators to have a larger network of users who can talk to each other. Does this dynamic apply here?
If hammering is an issue, randomly drop with 429 95% of requests. Then as an alternative, allow people to buy an API key for 1000 downloads costing 1€.
Then patient individuals can always download for free. Big companies / CI / AI will want to pay or make their own mirror.
Rebecca Watson is a quite famous skeptic, and a former co-host of the Skeptics Guide to the Universe podcast. Since Dawkins is also in these circles, not too crazy to bring her up.
The class of bugs for PipeFail can be prevented in principle with X^W, which is implemented in PaX, Exec Shield, and some SELinux configs.
Is any distribution that comes with these in the default installation protected against these exploits? If not, what is missing in terms of mitigation protections against this class of bugs?
Either you get faster and faster at it, or 2026 is the year we work on pen and paper until the storm is over...
"Thank heaven for startups; without them we'd never have any advances." -- Seymour Cray
