Definitely a good idea, we'd need several such institutes across the world. Would governments be willing to try this?
You think the xz vulnerability was a one-time event? Think again, this kind of bullying with ulterior motives happens regularly to critical projects.
Excellent post showing unhealthy consumer/maintainer dynamics in FOSS projects. This particular example was instrumental in getting the xz backdoor in place.
You should be mindful of the dependencies you add. Even more so when the name of the dependency has been proposed by a coding assistant.
Good analysis of the backdoor recently discovered in xz. Really a bad situation. Luckily it was probably detected before it could do any real damage. What's especially striking is the amount of patience it required: it was put in place over a long stretch of time to reduce the chances of detection.
Those were nasty, good they've been patched already.
This is bad. Unlocking many doors is just a couple of taps away if you're already a guest.
A trip down memory lane when such attacks were indeed common. Nowadays, we know better though.
Interesting explanation of the guarantees such a system must provide and their consequences.
Definitely this, the software bloat directly impacts the attack surface of what gets shipped. Even though this is far from a panacea in terms of security, it's time for people to critically examine their dependencies also for other reasons.
Indeed, not all security issues are due to memory-related problems. It's 20% of the security issues. This is of course massive, but there's still 80% of the security issues coming from wrong authentication, appliances and so on.
The infotainment systems on cars are not as locked down as one might think. Another proof of it.
Interesting vulnerability, not all vendors are impacted though. GPU memory leaks can have unforeseen impacts.
The tone pointing at "open models" is wrong but the research is interesting. It still proves models can be poisoned (open or not) so traceability and secured supply-chains will become very important when using large language models.
Apple indeed keeps attracting a bunch of cultists... and this allows them to keep abusing their other customers.
Fascinating script which jumps over SSH servers in several hops and replicates itself without a file upload.
A not so gentle reminder that you shouldn't get sloppy in the security practices of your services.
Some of that certificate chain validation is troublesome... in Chrome-based browsers it's even truly insane.
When bug bounty programs meet LLM hallucinations... developer time is wasted.
New technique for SMTP smuggling... vulnerable servers then allow spoofing while still passing DMARC checks properly. Check your providers and server configuration.