EchoLeak – 0-Click AI Vulnerability Enabling Data Exfiltration from 365 Copilot (aim.security | comments) The text highlights the discovery of EchoLeak, a zero-click vulnerability affecting AI systems, particularly Microsoft’s 365 Copilot. This vulnerability allows malicious actors to exfiltrate data without user interaction, undermining the integrity of Copilot's data. Detailed analysis of the attack chain and its implications on AI security is expected.

• this seems to be an inherent flaw of the current generation of LLMs as there's no real separation of user input. you can't "sanitize" content before placing it in context and from there prompt injection is almost always possible, regardless of what else is in the instructions

Brian Wilson has died (pitchfork.com | comments) Iconic musician Brian Wilson, known as the co-founder of The Beach Boys, has passed away. His contributions to music and culture have left an indelible mark, influencing countless artists and shaping the sound of popular music over the decades. Wilson's innovative songwriting and production techniques revolutionized the industry.

• I'm convinced that "Pet Sounds" is lyrically a proto-emo album dressed up in an instrumental psychedelic doo-wop trenchcoat. For years I dismissed it as one of those albums that people pretended to like to seem smart until I was mature enough to understand it. Now it's one of my favorites. RIP.

Firefox OS's story from a Mozilla insider not working on the project (2024) (hirlimann.net | comments) A Mozilla insider recounts the journey of Firefox OS, detailing its challenges and eventual discontinuation. The insider, who was not involved in the project, shares insights on the ambitions behind Firefox OS and the obstacles that led to its downfall. Their perspective sheds light on the complexities of launching an operating system in a competitive environment.

• Firefox OS is available on phones today, just rebranded as KaiOS. I have a Nokia 6300 4G, it works fine for what I want: A small dual SIM phone with good call quality and a 4G router when away from home. Any apps are a bonus though Meta recently withdrew the WhatsApp one.

Dolly Parton's Dollywood Express (thetransitguy.substack.com | comments) Dolly Parton's Dollywood Express operates a train that highlights the significance of theme parks in public transit. The article examines how Dollywood serves as a model for transport during leisure time, bridging entertainment and travel.

• Took the family to Dollywood this year and it was by far the best run theme park I've been to. I was amazed at the cleanliness, friendliness of the staff, and how well maintained everything was. The train was really cool too. One of only two times I've been able to see a real coal fired steam engine functioning.

Why Koreans ask what year you were born (bryanhogan.com | comments) In Korea, asking someone's birth year is a significant social practice, deeply intertwined with societal structures influenced by the Korean age system, which differs from the international standard. This practice impacts communication, respect, and the hierarchical nature of relationships as it establishes age-based roles.

• A friend (not Korean) said on his 29th birthday that he's starting his 30th year of life. It was an interesting perspective, because in general we celebrate our nth birthday after completing n years of life.
• What would be the polite way to decline to answer the question? Is that even possible?

The “Frankfurt Kitchen” (museumderdinge.org | comments) The Frankfurt Kitchen, designed by architect Margarete Schütte-Lihotzky in 1926, symbolizes the integration of industrial work processes into household design. This kitchen exemplifies modern architecture and reflects cultural shifts in the 1920s, showcasing a pivotal change in domestic life paradigms.

• From the ergonomics of those shelf handles, I assume those are boxes that are designed to be pulled out entirely. Are they supposed to store pantry items -- bags of flour and such? Regardless, I feel like I need a wall like that in my little basement workshop.

My Cord-Cutting Adventure (brander.ca | comments) Cord-cutting has transformed into a complicated task, fueled by a consumer electronics industry that has largely abandoned video recording devices. The author recounts frustrations with proprietary DVRs provided by Canadian cable companies, highlighting their inferior performance and lack of consumer choice, leading to a pivot toward using an HD antenna for free over-the-air broadcasts.

• I wonder, and I'm sure it's probably trivial, did this person dox their home address by listing the distances to multiple known broadcasting points? Edit: Oh, and a photo out the window of their home. This is almost certainly trivial. Not that anyone should.

Microsoft Office migration from Source Depot to Git (danielsada.tech | comments) Microsoft's transition from Source Depot to Git was a monumental effort involving thousands of engineers, requiring years of meticulous planning. Challenges included adapting build systems, ensuring consistency across various Office versions, and developing a Virtual File System to manage the extensive codebase efficiently. This migration aimed to enhance developer productivity and modernize Microsoft’s development practices.

• > Authenticity mattered more than production value. Thanks for sharing this authentic story! As an ex-MSFT in a relatively small product line that only started switching to Git from SourceDepot in 2015, right before I left, I can truly empathize with how incredible a job you guys have done!

How long it takes to know if a job is right for you or not (charity.wtf | comments) Determining if a job is a good fit can take time and involves assessing various factors such as company culture, job satisfaction, and personal growth. This reflection highlights the significance of not rushing this decision, as making a thoughtful choice can lead to better career outcomes.

• You can usually find out if a job is wrong for you within days, sometimes hours. You might never know for sure if a job is right for you though.
• Every time something has been off in an interview, that thing has ended up being a long term problem with the organization. It doesn’t take long to figure out.

The curious case of shell commands, or how "this bug is required by POSIX" (2021) (volution.ro | comments) The article examines the inherent risks associated with handling shell commands in modern tools, particularly through the `system(3)` and `sh -c` calls. It highlights how these practices can lead to vulnerabilities akin to SQL injection, alongside specific bugs in `glibc`, Linux documentation, and POSIX specifications that exacerbate these issues.

• > Wall of shame: Ruby's backtick feature -- provides easy access to system(3); It also provides easy access to escape whatever arguments you want to pass: out = `bash -c #{arg.shellescape}` ...here "arg" will be always passed as a single argument.

Bypassing GitHub Actions policies in the dumbest way possible (yossarian.net | comments) GitHub Actions' policy mechanism for restricting workflows is easily bypassed, raising concerns about its security implications. Despite GitHub viewing it as non-critical, an analysis reveals that its reliance on user heuristics for trust is flawed. The author argues for stronger preventive measures instead of solely relying on committers' discretion.

• I’m not seeing the security issue here. Arbitrary code execution leads to arbitrary code execution? Seems like policies are impossible to enforce in general on what can be executed, so the only recourse is to limit secret access. Is there a demonstration of this being able to access/steal secrets of some sort?

Menstrual tracking app data is gold mine for advertisers that risks women safety (cam.ac.uk | comments) Data from menstrual tracking apps has become a lucrative asset for advertisers, presenting potential safety concerns for women. The extensive tracking of personal health information raises issues regarding privacy and the risk of misuse, as companies profit from this sensitive data while users may be unaware of the implications.

• While unlikely, I personally believe that advertising revenue should be taxed at 50%. This would do a lot to align industry incentives. Advertising revenue would be looked at less as a free cash stream that can be bolted on everywhere. In this case, maybe the app could be monetized directly instead of whatever the fuck is happening now.

How I Program with Agents (crawshaw.io | comments) This article progresses from using Large Language Models (LLMs) in software development to exploring the concept of agents that enhance programming. Defined as a simple loop with an LLM call, agents can execute tasks autonomously, moving beyond traditional human-led processes to create more efficient workflows.

• Finally some serious writing about LLMs that doesn’t follow the hype and it faces reality of what can and can’t be useful with these tools. Really interesting read, although I can’t stand the word “agent” for a for-loop that call recursively an LLM, but this industry is not famous for being sharp with naming things, so here we are. edit: grammar

Left-Pad (2024) (azerkoculu.com | comments) Eight years after the left-pad incident, which demonstrated vulnerabilities in dependency management systems, the creator reflects on its implications and personal experiences. This pivotal moment highlighted the risks software developers face with reliance on external packages, shaping how modern package management functions today.

• It's a minor thing, but: > Most of my open source work followed Unix philosophy, so the packages did one thing at a time. Nobody has suggested that libc -- to take the most obvious example -- is against the Unix philosophy. Debates occur around whether whether commands / daemons do too much (recent poster child being systemd) or aren't composable.

Show HN: Spark, An advanced 3D Gaussian Splatting renderer for Three.js (sparkjs.dev | comments) Spark is an advanced renderer utilizing 3D Gaussian Splatting techniques designed for the popular JavaScript library, Three.js. It aims to enhance 3D graphics performance and visual quality, allowing developers to create more dynamic and realistic rendering experiences in web applications.

• The food scans demo ("Interactivity" examples section) is incredible. Especially Mel's Steak Sandwich looking into the holes in the bread. The performance seems amazingly good for the apparent level of detail, even on my integrated graphics laptop. Where is this technique most commonly used today?

DeskHog, an open-source developer toy (posthog.com | comments) DeskHog is an open-source, 3D-printed palm-sized developer toy designed to bring joy to developers. The project emphasizes playfulness and creativity in development environments.

• Working at Posthog must be fun
• Well that’s certainly one way to make me want to work at your company.
• This looks really cool, but I'm not really sure why they made it. PostHog is primarily web analytics software from what I understand. Why build hardware?

Show HN: RomM – An open-source, self-hosted ROM manager and player (github.com/rommapp | comments) RomM is an open-source, self-hosted ROM manager that allows users to manage and play ROM files conveniently. The application aims to simplify the handling of various ROM formats, providing a flexible platform for retro gaming enthusiasts to organize their collections efficiently.

• Been using this for a while. It's evolving rapidly and the team behind it is very responsive and passionate. Very excited to see this evolve over time! The only thing that it really needs going forward is more Retroarch cores ported to JavaScript, but that's an upstream problem.

Show HN: Ikuyo a Travel Planning Web Application (kenrick95.org | comments) Ikuyo is a travel planning web application designed to help users coordinate their upcoming trips. The application features a streamlined interface with a focus on user experience, incorporating essential elements such as responsive design and interactive functionalities to assist travelers in organizing their itineraries.

• Seems similar to Wanderlog but less mature. I wish you best of luck! Whatever you do, please do not make the app as slow as Wanderlog - I literally had to create an Android app to interact with my trips because their app isn't optimized at all!
• I'm unable to resend the verification code. Can you allow to do it?

Show HN: DIY virtual HDMI monitor using "AR" glasses (github.com/mgschwan | comments) A developer demonstrates creating a virtual HDMI monitor using augmented reality (AR) glasses, allowing users to display their desktop interface in a virtual environment. This DIY project highlights the use of AR technology for expanding visual workspace and enhancing productivity, showcasing practical application of existing hardware in innovative ways.

• I'm actually wearing the Xreal Air 2 right now, and yes, this is basically exactly what their app does. Personally, I only need one screen, so I'm using the glasses without the app, but this is great if you want a virtual second display somewhere in the room! Very well done.

Air-dried vs. Kiln-dried Wood (christopherschwarz.substack.com | comments) Air-dried wood and kiln-dried wood differ significantly in moisture content and processing methods, impacting their use in construction and crafts. Each type affects the ease of cutting, shaping, and finishing materials, leading to discussions on suitability depending on the intended application, such as furniture making or structural supports.

• What a shame this is a paywalled article. The first part was interesting, but I'm definitely not going to subscribe. If I could pay for this one article, I would.
• If you want to smoke food (BBQ, etc) avoid kiln dried wood. It's too dry. You want dry wood but you generally want some level of moisture (15%-20% is often good, more in some other styles) in most of your wood.
• Had some poplar milled from some large trees we had to take down here. Air dried in my shop for 4 years before having it made into a table. All it took was 1 winter and it split and bent severely inside the house. I will only kiln dry from now on.
• Didn't read the paywalled bit but the gist of air-dried being nice to work with makes sense. But you want kiln-dried for your stove! Or so I'm told.

Show HN: S3mini – Tiny and fast S3-compatible client, no-deps, edge-ready (github.com/good-lly | comments) S3mini is a lightweight client designed for S3 (Simple Storage Service) compatibility, optimized for speed and ease of use at edge locations. It requires no dependencies, making it an agile solution for managing S3 storage efficiently.

• This is awesome! Been waiting for something like this to replace the bloated SDK Amazon provides. Important question— is there a pathway to getting signed URLs?
• Interesting project, though it's a little amusing that you announced this before actually confirming it works with AWS?

Faster, easier 2D vector rendering [video] (youtube.com | comments) A new video provides insights into enhancing 2D vector rendering, focusing on improvements that streamline the process and boost performance. The tutorial aims to assist developers in efficiently implementing these advancements in their graphics projects, demonstrating practical applications and techniques relevant to modern rendering practices.

• Always amazes me when the cost of computing the optimized draw regions as shown in the slides is worth the savings even on CPU.
• Great presentation and thanks for sharing the slides. Wondering, can any of these methods be used for 3D too?
• Excellent presentation - I like that the design bakes in rendering efficiency from the get go.

Researchers discover evidence in the mystery of America's 'Lost Colony' (foxnews.com | comments) Recent research by Mark Horton and Scott Dawson indicates that the settlers of the Roanoke Colony, who vanished between 1587 and 1590 in North Carolina, may have assimilated with Native Americans. Archaeological findings suggest the presence of English iron-working techniques on Hatteras Island, shedding light on their fate.

• The experience of early colonists is so fascinating. Some of these colonies were very tenuous and seemed very unprepared.
• Is this story available from a reputable source?
• keep that toxic shitbag of a media network off of this site.
• If this is the case then there should be DNA evidence as well. Presuming that assimilation led to procreation.

Research suggests Big Bang may have taken place inside a black hole (port.ac.uk | comments) New research proposed by Professor Enrique Gaztanaga from the University of Portsmouth suggests that the Big Bang, a widely accepted cosmological event, might have occurred within a black hole. This theory challenges traditional notions of cosmic origins and expands the understanding of universe creation.

• Suggested hard sci-fi light reading: "Cosm" by Gregory Benford, 1999. A universe the size of a bowling ball created in a laboratory. The scientist responsible for it, keeping it safe and on the run from gvt spooks. They want to protect it for as long as it lasts, and since its time is as relative as its size, they won't have long to wait.

Plants hear their pollinators, and produce sweet nectar in response (cbc.ca | comments) Research reveals that plants can detect the sounds of pollinators like bees and respond by producing sweeter nectar. This phenomenon highlights the sophisticated communication strategies plants employ to enhance pollination success.

• What most surprised me in this interview is, not only do plants increase sugar for 'efficient' pollinators, but: >In contrast they respond to the sound of nectar-stealing non-pollinators by cutting back on sugar. So there is some discrimination in their hearing.

AlphaWrite: AI that improves at writing by evolving its own stories (tobysimonds.com | comments) AlphaWrite introduces a novel framework that evolves narrative quality through iterative story generation and Elo-based evaluation, attempting to address the gap in scaling inference-time compute in creative text generation. By treating story creation as an evolutionary process, it leverages increased computational resources to systematically enhance storytelling.

• If there is something that I would like AI to never touch, it's that. Please stop making the world worse.
• Note: Not associated with Google Deepmind (AlphaFold, AlphaGo, AlphaEvolve, etc.)
• Appropriate that the original title misspells "Writing": >AlphaWrite: Inference time compute Scaling for Writting