I remember seeing here a scanned copy of an article in an old (80s?) computer magazine discussing the use of natural language for programming (IIRC with some SQL examples).

I know it's a long shot but does anyone happen to have/remember it?

David Chisnall (*Now with 50% more sarcasm!*)

A lot of the current hype around LLMs revolves around one core idea, which I blame on Star Trek:

Wouldn't it be cool if we could use natural language to control things?

The problem is that this is, at the fundamental level, a terrible idea.

There's a reason that mathematics doesn't use English. There's a reason that every professional field comes with its own flavour of jargon. There's a reason that contracts are written in legalese, not plain natural language. Natural language is really bad at being unambiguous.

When I was a small child, I thought that a mature civilisation would evolve two languages. A language of poetry, that was rich in metaphor and delighted in ambiguity, and a language of science that required more detail and actively avoided ambiguity. The latter would have no homophones, no homonyms, unambiguous grammar, and so on.

Programming languages, including the ad-hoc programming languages that we refer to as 'user interfaces', are all attempts to build languages like the latter. They allow the user to unambiguously express intent so that it can be carried out. Natural languages are not designed and end up being examples of the former.

When I interact with a tool, I want it to do what I tell it. If I am willing to restrict my use of natural language to a clear and unambiguous subset, I have defined a language that is easy for deterministic parsers to understand with a fraction of the energy requirement of a language model. If I am not, then I am expressing myself ambiguously and no amount of processing can possibly remove the ambiguity that is intrinsic in the source, except a complete, fully synchronised, model of my own mind that knows what I meant (and not what some other person saying the same thing at the same time might have meant).

The hard part of programming is not writing things in some language's syntax, it's expressing the problem in a way that lacks ambiguity. LLMs don't help here; they pick an arbitrary, nondeterministic option for the ambiguous cases. In C, compilers do this for undefined behaviour and it is widely regarded as a disaster. LLMs are built entirely out of undefined behaviour.

There are use cases where getting it wrong is fine. Choosing a radio station or album to listen to while driving, for example. It is far better to sometimes listen to the wrong thing than to take your attention away from the road and interact with a richer UI for ten seconds. In situations where your hands are unavailable (for example, controlling non-critical equipment while performing surgery, or cooking), a natural-language interface is better than no interface. It's rarely, if ever, the best.

There is a new tool to use Cyber Chef from the command line: it's called the command line.

I have spent a week writing a massive article about Windows 2. It has sexy screenshots and is full of incredible trivia. Why not spend New Year's Eve reading it? ;)

https://www.ninakalinina.com/notes/win2/


Today is Sweetmorn, the 1st day of Chaos in the 3191st Year of Our Lady of Discord

This sounds so much better than January 1st, 2025.

@neurovagrant @cR0w @tychotithonus BLOOD FOR THE BLOOD GOD! (I actually think this is more fitting talking about vulns)

As you are preparing for your annual password change, I would like to remind you that our password policy clearly states that all characters are special.

#music #keepingtheravealive #NYE

John @tuckner sent me on an interesting wild goose chase. He is investigating the Cyberhaven extension compromise, trying to find out more. And he found something that he considered another campaign compromising browser extensions, related to the sclpfybn[.]com domain: https://secureannex.com/blog/cyberhaven-extension-compromise/#a-new-thread-to-pull-on

One of the extensions that used to contain the code in question was Visual Effects for Google Meet – which brought him to me because I recently covered that extension in my Karma Connection article: https://palant.info/2024/10/30/the-karma-connection-in-chrome-web-store/

I checked my data but couldn’t find the sclpfybn[.]com domain mentioned in any extensions other than the ones @tuckner had found already. I then looked for similar code and immediately found it in Urban VPN Proxy.

First thought: Urban VPN Proxy has the legitimate version of a library that was trojanized elsewhere. Taking a look at the communication of Urban VPN Proxy disproved that theory almost immediately – not only was it communicating in exactly the same way, but also to an unknown domain, namely ducunt[.]com. Yet the same endpoint existed on the official urban-vpn[.]com domain as well.

So not only did Urban VPN Proxy contain essentially the same code, it was likely added there by the developers themselves. Further investigation increased the suspicion that all these extensions haven’t been compromised, that this was rather some monetization SDK.

At which point @tuckner found the sales pitch for that SDK, detailing how it would add ad blocking functionality to the extension at the cost of exfiltrating very detailed browsing data (of course anonymized and aggregated before being sold to everyone asking for it, we know the drill). And explanations on how to make sure Google won’t object.

And that explains it all: before the Visual Effects for Google Meet developer sold their extension to Karma, they tried to monetize it with this “ad blocking library.” The sales pitch doesn’t mention who develops the library but everything points to Urban VPN.

According to Urban VPN's privacy policy, they are selling the data they collect from their users via BIScience Ltd., who are most likely the hidden owners of Urban Cyber Security Inc., a company registered to a virtual address in the USA.


Part 2 of my series on Hypervisor-Managed Linear Address Translation (HLAT) is here: https://www.asset-intertech.com/resources/blog/2024/12/vt-rp-hlat-and-my-aaeon-alder-lake-core-i7-1270pe-board-part-2/. I used SourcePoint to pinpoint where HLAT is enabled on the p-cores of my AAEON Alder Lake board. Many thanks to @yarden_shafir, @aall86 and @standa_t for inspiration.


fuck you, 2024. I made it through \o/

Multiple vulnerabilities in CTFd versions <= 3.7.4 (CVE-2024-11716, CVE-2024-11717)

https://seclists.org/fulldisclosure/2024/Dec/21

Do these count as Cursed CTF tactics?

[RSS] Security Bulletin: IBM PowerHA SystemMirror for #IBMi is vulnerable to multiple vulnerabilities in the PowerHA Web Interface [CVE-2024-55897, CVE-2024-55896]

https://www.ibm.com/support/pages/node/7180036?myns=swgother&mynp=OCSSPHQG&mynp=OCSWG60&mync=A&cm_sp=swgother-_-OCSSPHQG-OCSWG60-_-A

[RSS] From Arbitrary File Write to RCE in Restricted Rails apps

https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restricted-rails-apps/