to read (pdf)
- As Rocks May Think | Eric Jang
- Doing the thing is doing the thing
- Reframing Agents
- How to Choose Colors for Your CLI Applications · Luna’s Blog
- A Protocol for Package Management | Andrew Nesbitt
- February 06, 2026
-
🔗 HexRaysSA/plugin-repository commits sync repo: ~1 changed rss
sync repo: ~1 changed
## Changes
- [IDASQL](https://github.com/allthingsida/idasql):
  - 0.0.1: archive contents changed
🔗 @binaryninja@infosec.exchange We're going live in just a few minutes! Join us to explore a couple new mastodon
We're going live in just a few minutes! Join us to explore a couple new features! Including one from the API that we haven't yet looked at on stream... https://youtube.com/live/T4k2D-3z_SI
-
🔗 r/wiesbaden Super Bowl rss
Does anyone know of any bars or restaurants in the area that will be showing the Super Bowl this Sunday night?
submitted by /u/Grandpas_leftnut
🔗 r/Leeds Roundhay festival- scam? rss
Back in September, they announced Roundhay Festival is going to take place in July. They then announced Lewis Capaldi would headline the Saturday and then in October they announced Pitbull and Kesha would be playing the Friday. But since then no other act has been announced. No supports for either day. The dates they put in the posts promoting the events are often wrong.
I grew up in the area so this event intrigues me but these acts aren't selling it for me and have kept waiting for other acts to get announced as are most people I know.
Is this Festival legit? Or is it sounding like a scam? Or is it just very badly run and organised?
submitted by /u/Charlottebopp
🔗 r/reverseengineering Dumping RAM to Recover Password of a Hikvision Camera rss
submitted by /u/SubhranshuSharma
🔗 badlogic/pi-mono v0.52.7 release
New Features
- Per-model overrides in models.json via modelOverrides, allowing customization of built-in provider models without replacing provider model lists. See docs/models.md#per-model-overrides.
- models.json provider models now merge with built-in models by id, so custom models can be added or replace matching built-ins without full provider replacement. See docs/models.md#overriding-built-in-providers.
- Bedrock proxy support for unauthenticated endpoints via AWS_BEDROCK_SKIP_AUTH and AWS_BEDROCK_FORCE_HTTP1. See docs/providers.md.
Breaking Changes
- Changed models.json provider models behavior from full replacement to merge-by-id with built-in models. Built-in models are now kept by default, and custom models upsert by id.
Added
- Added modelOverrides in models.json to customize individual built-in models per provider without full provider replacement (#1332 by @charles-cooper)
- Added AWS_BEDROCK_SKIP_AUTH and AWS_BEDROCK_FORCE_HTTP1 environment variables for connecting to unauthenticated Bedrock proxies (#1320 by @virtuald)
Fixed
- Fixed extra spacing between thinking-only assistant content and subsequent tool execution blocks when assistant messages contain no text
- Fixed queued steering/follow-up/custom messages remaining stuck after threshold auto-compaction by resuming the agent loop when Agent-level queues still contain pending messages (#1312 by @ferologics)
- Fixed tool_result extension handlers to chain result patches across handlers instead of last-handler-wins behavior (#1280)
- Fixed compromised auth lock files being handled gracefully instead of crashing auth storage initialization (#1322)
- Fixed Bedrock adaptive thinking handling for Claude Opus 4.6 with interleaved thinking beta responses (#1323 by @markusylisiurunen)
- Fixed OpenAI Responses API requests to use store: false by default to avoid server-side history logging (#1308)
- Fixed interactive mode startup by initializing autocomplete after resources are loaded (#1328)
- Fixed modelOverrides merge behavior for nested objects and documented usage details (#1062)
-
🔗 News Minimalist 🐢 40% of cancer cases are preventable rss
In the last 3 days ChatGPT read 90739 top news stories. After removing previously covered events, there are 12 articles with a significance score over 5.5.

[6.3] Global report finds 40% of cancers preventable —bbc.co.uk(+56)
A landmark World Health Organization study reveals that seven million annual cancer cases, nearly 40% of the global total, are preventable through lifestyle changes, vaccinations, and reduced environmental pollutant exposure.
The International Agency for Research on Cancer identified tobacco use, infections like HPV, and alcohol as primary drivers. Smoking causes 3.3 million annual cases, while infections cause 2.3 million and alcohol 0.7 million.
The study, published in Nature Medicine, highlights significant regional and gender disparities. Men face higher preventable risks than women, while infections dominate cases in sub-Saharan Africa compared to tobacco-related cancers in Europe.
[6.0] Last U.S.-Russia pact expires, removing caps on largest atomic arsenals for first time in half-century —ctvnews.ca(+163)
The New START Treaty between the United States and Russia expired Thursday, removing all limits on the world’s two largest nuclear arsenals for the first time in half a century.
While Russia offered a one year extension, the United States remained noncommittal, seeking China’s inclusion in a new agreement. Beijing has rejected joining such talks, and both major powers now consider themselves legally free to expand their deployed nuclear forces without treaty inspections.
Signed in 2010, the pact restricted each nation to 1,550 warheads. Inspections ceased during the pandemic and never resumed, while previous arms control agreements have also been terminated over recent years.
[6.4] OpenScholar AI model synthesizes scientific research with expert-level accuracy —washington.edu(+2)
University of Washington and Allen Institute researchers launched OpenScholar, an open-source AI that synthesizes scientific literature and cites sources as accurately as human experts, effectively addressing common AI hallucinations.
Using retrieval-augmented generation and a database of 45 million papers, the model outperformed general-purpose AI systems. In tests, scientists preferred OpenScholar’s responses to those written by human subject experts 51% of the time while maintaining high factual precision and transparency.
Highly covered news with significance over 5.5
[6.2] AI bots create religions and digital drugs on Moltbook, prompting questions about emergent capabilities — theconversation.com (+14)
[5.5] US Navy fighter jet shoots down Iranian drone in Arabian Sea — apnews.com (+75)
[5.6] Experimental pill dramatically reduces ‘bad’ cholesterol — utsouthwestern.edu (+20)
[6.1] Panama cancels Chinese canal port concessions — letemps.ch (French) (+12)
[5.7] China develops compact microwave weapon to disable satellites — pravda.com.ua (Ukrainian) (+4)
[5.7] Surgeons kept a man with no lungs alive for 48 hours while waiting for a transplant — zmescience.com (+3)
[5.6] Germany buys 25.1% stake in Tennet Germany for 3.3 billion euros — nos.nl (Dutch) (+5)
[5.6] Japan recovers rare earth-bearing seabed sediment in deep-sea test — upi.com (+2)
[5.6] OpenAI: New coding model GPT-5.3-Codex helped build itself — mashable.com (+97)
Thanks for reading!
— Vadim
You can track significant news in your country with premium.
-
🔗 CERTCC/kaiju 260206 release
What's Changed
- Update README by @sei-eschwartz in #104
- Ghidra 12.0.2 support by @sei-eschwartz in #105
Full Changelog: 260116...260206
🔗 Bits About Money Fraud Investigation is Believing Your Lying Eyes rss

There was recently an attempt by an independent journalist to expose fraud in a Minnesota social program. It was deeply frustrating; the journalist had notably poor epistemic standards, which secondary media seized upon to dismiss their result.
The class-based sniffing almost invariably noted that prestige media had already reported stories which rhymed with the core allegation, while sometimes implying that makes the allegations less likely to be true, through a logical pathway which is mysterious to me.
The journalism went quite viral anyway, in part because of sensationalized framing, in part because of signal boosting by an aligned media ecosystem and aligned politicians, and in part because the journalism develops one bit of evidence that has a viscerality that paperwork dives often lack: these purported childcare operations routinely have no children in them.
Fraud has become quite politicized in the United States the last few years. We had a poorly-calibrated federal initiative led by a charismatic tech entrepreneur which believed it would unearth trillions of dollars of fraud that focused substantial effort on large programs which are comparatively fraud-resistant. Across the aisle, we have reflexive dismissal that fraud happens in social programs, which functions as air cover for scaled criminal operations which loot many varied social programs [0] and are sometimes run out of geopolitical adversaries of the U.S. including by ambiguously-retired members of their clandestine services.
I worked in the financial industry for a few years. We do not have the luxury of pretending that fraud is something invented by our rivals to besmirch our good name. It hits the P&L every quarter and will eat you alive if you're not at least minimally competent in dealing with it. Conversely, it is well-understood in industry that the optimal amount of fraud is not zero.
The financial industry has paid at least tens of billions of dollars in tuition here. Overwhelmingly, one learns about fraud in it through an apprenticeship model, with different firms having different internal levels of understanding on the shape of the elephant. The industrial organization presumes small numbers of people architecting anti-fraud systems and relatively larger numbers of investigators and analysts operating those systems on a day-to-day basis.
There does exist some informal knowledge sharing between firms. If you work in payments, try getting invited to the Chatham House rule sessions held by… oh yeah, can't say. Despite that social technology being originally developed for the benefit of government and press actors, it is my general impression that U.S. benefits programs don't yet see themselves as sufficiently yoked by adversarial attention to benefit from their own Chatham House series. Perhaps that should change.
And so, for the benefit of fraud investigators with badges, press cards, or GoPros, some observations from a community of practice with an extensive (and mostly nonpublic) body of work. But first a tiny bit of throat clearing.
In which we briefly return to Minnesota
Minnesota has suffered a decade-long campaign of industrial-scale fraud against several social programs. This is beyond intellectually serious dispute. The 2019 report from the Office of the Legislative Auditor (a non-partisan government body) makes for gripping reading. The scale of fraud documented and separately alleged in it staggers the imagination: the state's own investigators believed that, over the past several years, greater than fifty percent of all reimbursements to daycare centers were fraudulent. (Separate officials took the… novel position that they were only required to recognize fraud had happened after securing a criminal conviction for it. Since they had only secured a few criminal convictions, there was no way that fraud was that high. Asked to put a number on it, repeatedly, they declined.)
The investigators allege repeatedly visiting daycare centers which did not, factually, have children physically present at the facility despite reimbursement paperwork identifying specific children being present at that specific time. The investigators demonstrated these lies on timestamped video, and perhaps in another life would have been YouTube stars.
Our social class is intensely averse to straightforwardly recounting these facts, partly due to political valence and partly due to this particular fraud being dominantly conducted within a community which codes as disadvantaged in the U.S. sociopolitical context.
Fraudsters are liars and will cheerfully mouth any words they believe will absolve them of their crimes. If an accusation of racism gets one a free pass to steal hundreds of millions of dollars, they will speciously sue you alleging racial discrimination. That empirically worked in Minnesota. The OLA takes explicit notice of this multiple times, a coordinator for the fraud operation is on record explicitly explaining the strategic logic of accusations of racism, and a judge was even moved to make an extraordinary statement to clarify that the bad-faith lawsuit alleging racism did not achieve success through the formal judicial process but rather through the voluntary compliance of governmental actors shamed by its allegations.
(As a sidenote: one has to be able to hold two thoughts simultaneously about fraudulent operations. They can be sophisticated with respect to exploiting sociopolitical cleavages in their targets while also being comically inept at faking evidence elsewhere, such as having a single person write dozens of adjacent rows in a sign-in sheet. This routinely surprises observers and it should not surprise them. The financial industry also has a division of labor in it. The person architecting the fraud department's standard processes is well-paid, well-educated, and routinely brings crossdisciplinary expertise to bear. A Fraud Analyst I, on the other hand, bears a lot of similarity to a call center employee in terms of compensation, education, and permitted amounts of agency.)
In the immediate wake of the independent journalist's report, the great and the good rallied around the organizations he accused. Of course it was natural that journalists wouldn't get immediate access to children if they asked. Of course there was a certain amount of informality in the sector. Of course, as the New York Times very carefully wordsmithed recently:
Minnesota officials said in early January that the state conducted compliance checks at nine child-care centers after Mr. Shirley posted his video and found them "operating as expected," although it had "ongoing investigations" at four of them. One of the centers, which Mr. Shirley singled out because it misspelled the word "Learning" on its sign, has since voluntarily closed.
An inattentive reader might conclude from this paragraph that the Times disputes Shirley's reporting.
To the extent that Bits about Money has an editorial line on that controversy, it is this: if you fish in a pond known to have 50% blue fish, and pull out nine fish, you will appear to be a savant-like catcher of blue fish, and people claiming that it is unlikely you have identified a blue fish will swiftly be made to look like fools. But the interesting bit of the observation is, almost entirely, the base rate of the pond. And I think journalism and civil society should do some genuine soul-searching on how we knew--knew--the state of that pond, but didn't consider it particularly important or newsworthy until someone started fishing on camera.
But this is not a publication about particular ponds. It is a publication about getting better at fishing.
Common signals, methods, and epiphenomena of fraud
Fraudsters are playing an iterated game
The best non-fiction work on fraud is Dan Davies' Lying for Money. In it, you'll find replete examples of something well-known to fraud investigators: the dominant next adventure for a former fraudster is… opening up a new fraud. And therefore, if you want to identify a ridiculously-high-hit-rate list of frauds in round N+1 of a game, a so-easy-its-practically-cheating way to do so is to look at what known fraudsters from round N are doing today.
There is a genuine difference in the culture and epistemology of the financial industry versus the government of the United States here. In the financial industry, we keep blacklists and getting a second chance after obvious misbehavior is intentionally non-trivial. This runs against deeply felt values of civil servants. An accusation is not a conviction, and absent clear authority to impose consequences in a new program, an actor convicted at enormous societal cost emerges to a new program officer as tabula rasa, equal in moral worth to any randomly chosen citizen.
I will not argue that Mastercard has better moral intuitions than the Founding Fathers. I would, however, happily suggest that the government not assume that the Constitution contains emanating penumbras obligating it to be repeatedly taken advantage of by the same people in the same fashion. We are not forbidden object permanence.
Minnesota raided the Sunshine Child Care Center in 2022 on suspicion of overbilling. No charges were brought, in what investigators imply was less an exoneration and more an inter-departmental fumble. That operation was owned by one Fowsiya Hassan. A separate childcare center owned by Fowsiya Hassan was featured on YouTube recently. This follows on $1.5 million of funds received through Feeding Our Future, a scaled fraud operation which has generated over 70 indictments, 5 criminal convictions, and 50 guilty pleas. What a set of coincidences. Perhaps Hassan has, as she has alleged in a lawsuit, been a frequent target of racially-motivated government investigations into a successful serial entrepreneur in the childcare field.
The fraud supply chain is detectable
Much of the intellectual energy in policy circles about fraud is aimed at retail-level fraud by individual beneficiaries. Most fraud, like most scaled property crime, is actually the result of a business process.
This is an elementary fact of capitalism. It is deeply disconcerting to find every benefits program independently rediscovers it a decade too late to do anything about it. Most bread is not baked by amateurs in their kitchens. It comes from a bakery which exists to bake bread and hires specialists in baking bread and then supports them with capital-intensive built infrastructure.
Fraud develops a supply chain. Some elements in the supply chain are dual-use; the bad guys use Excel for the same reason every business uses Excel. Some elements in the supply chain, though, are specialized infrastructure with no or de minimis legitimate purpose. Those elements can be profiled.
I worked at Stripe for several years and am currently an advisor there. Stripe does not endorse what I write in my personal spaces. In its own spaces, Stripe has discussed being able to follow fraudulent operations in sufficient detail to determine when the operators went to lunch.
Fraudsters share specialists quite frequently. They use the same incorporation agents, the same mail services, the same CPAs, the same lawyers, etc.
You can make the same observation about many communities of practice. It is a non-coincidence that many tech startups are at 548 Market Street in San Francisco. 548 Market Street is not the world's hippest coworking space. It is the address for EarthClassMail in SF. There are many P.O. box providers in the world; many geeks with taste reach for ECM. (Bits about Money is legally required to maintain a postal address and, if you were ever to send it a physical letter, that would also end up in the hands of an EarthClassMail employee.)
Elsewhere in the world, there exist P.O. box providers whose customers statistically include fewer AI labs and more frauds. One imagines the specialist-in-fraud at the storefront, picking up the day's take from fifteen separate boxes.
Elementary work graphing supporting infrastructure, even on something as unsophisticated as butcher paper, frequently unravels fraud networks. Data science has any number of more sophisticated approaches. Jetson Leder-Luis, an academic who now routinely works with the government, has previously discussed some approaches which work based on widely commercially available data sources.
There is an emerging defender's advantage here in the age of LLMs, since exploratory work in visualizing and walking network graphs is getting much cheaper. You no longer need to buy Palantir and engage a "forward-deployed engineer" to cluster IP addresses. A non-technical fraud investigator could get an LLM to do that while eating at Chipotle, and the lunch would cost more.
This democratization of capabilities is relevant to journalists, formal and otherwise, and also to governments. RFPs and software contracting once de facto mandated a multi-year lead time to do an automated network analysis if an analyst thought perhaps their program might need one. Now that is an afternoon's work, if we allow ourselves to do it. We should.
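The butcher-paper exercise described above, sketched in Python as an added example that is not from the original essay: link entities that share supporting infrastructure, skip dual-use values that most of the population shares, and surface everything connected to an already-known bad actor. The provider names, attribute values and the 50% dual-use cutoff are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records: (entity, attribute kind, attribute value).
RECORDS = [
    ("Provider A", "agent", "National Agent Co"),
    ("Provider B", "agent", "National Agent Co"),
    ("Provider C", "agent", "National Agent Co"),
    ("Provider D", "agent", "National Agent Co"),
    ("Provider E", "agent", "National Agent Co"),
    ("Provider F", "agent", "Other Agent"),
    ("Provider A", "mailbox", "Box Shop, Unit 12"),
    ("Provider B", "mailbox", "box shop, unit 12 "),   # same box, sloppy entry
    ("Provider B", "cpa", "Small CPA LLC"),
    ("Provider C", "cpa", "Small CPA LLC"),
    ("Provider A", "routing", "ROUTING-PLACEHOLDER-1"),
    ("Provider C", "routing", "ROUTING-PLACEHOLDER-1"),
    ("Provider D", "mailbox", "Mail Hub 9"),
    ("Provider E", "mailbox", "Mail Hub 9"),
    ("Provider F", "cpa", "Other CPA"),
]
KNOWN_BAD = {"Provider A"}  # constructed: an entity confirmed in an earlier round


def shared_links(records, max_share=0.5):
    """Map (a, b) entity pairs to the attribute values they share.

    Values used by more than max_share of all entities are treated as
    dual-use infrastructure (the Excel of the supply chain) and ignored.
    """
    by_value = defaultdict(set)
    for entity, kind, value in records:
        by_value[(kind, value.strip().lower())].add(entity)
    total = len({entity for entity, _, _ in records})
    edges = defaultdict(list)
    for attr, entities in by_value.items():
        if len(entities) < 2 or len(entities) / total > max_share:
            continue
        for a, b in combinations(sorted(entities), 2):
            edges[(a, b)].append(attr)
    return edges


def components(nodes, edges):
    """Connected components via union-find with path halving."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return list(groups.values())


def review_queue(records, known_bad, max_share=0.5):
    """Entities in the same cluster as a known-bad entity, with evidence.

    Returns [(entity, [(kind, value, linked_entity), ...]), ...] ordered by
    number of shared attributes, most first. This is a lead list for a
    closer look, not a finding.
    """
    entities = {entity for entity, _, _ in records}
    edges = shared_links(records, max_share)
    evidence = defaultdict(list)
    for (a, b), attrs in edges.items():
        for kind, value in attrs:
            evidence[a].append((kind, value, b))
            evidence[b].append((kind, value, a))
    queue = []
    for group in components(entities, edges):
        if group & known_bad:
            queue.extend(group - known_bad)
    queue.sort(key=lambda e: (-len(evidence[e]), e))
    return [(e, sorted(evidence[e])) for e in queue]


if __name__ == "__main__":
    for entity, links in review_queue(RECORDS, KNOWN_BAD):
        print(entity)
        for kind, value, other in links:
            print(f"  shares {kind} {value!r} with {other}")
```

Raising `max_share` to 1.0 pulls Providers D and E into the queue purely because they use the same popular registered agent, which is the dual-use noise the cutoff is there to suppress.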
Investigators should expect to find ethnically-clustered fraud
As mentioned, there is enormous visceral distaste for the conclusion that a particular fraud ring operates within a particular community. This is quite common. You should expect to find circumstances which rhyme with it when conducting effective fraud investigations. You should not abandon fraud investigation when you chance upon this.
People assume a level of ethical fraughtness here which is not warranted. You would, if doing ethnographic work on perfectly legitimate businesses across industries, routinely discover ethnic concentration rather than population-level representation everywhere you looked. The Patels run the motels. One doesn't need to adopt grand theories about how certain groups are predisposed to becoming pharmacists or startup employees or line cooks; simple microeconomic reasoning explains reality easily. Firms hire the people they already know, like, and trust. That will routinely include friends and family, who are going to be much more like the founding team than they are like randomly drawn members of the population. This is the default outcome.
Fraudsters do have one structural factor here. Everyone wants to trust their coworkers. Fraudsters need to trust their coworkers will be loyal even upon threat of prison time. That necessarily selects for tighter bonds than the typical workplace. Madoff was a family affair, SBF was in an on-again off-again romantic relationship with a chief lieutenant, and neither of those facts is accidental or incidental.
That's the other ethical dimension of being other-than-blind to concentration: so-called affinity frauds do not merely recruit fraudsters from affinity groups. They recruit victims from affinity groups. Madoff mobilized the social infrastructure of the Jewish community in New York and Palm Beach to find his marks. Community members certainly did not intend their charitable foundations to be looted by a fraudster. It was an emergent consequence of trust networks.
This also happens to "chosen" communities. FTX was, in material part, an affinity fraud against effective altruists, who are not a religion or ethnic group as traditionally construed.
And so when the great and the good turn a blind eye towards abuses because the perpetrators share an uncomfortable common factor, they are often simultaneously turning a blind eye towards abuses of a community whose interests they purport to champion.
High growth rate opportunities attract frauds
As covered extensively in Lying for Money, the necessary fundamental conceit of a fraud is growth in a business that doesn't happen in the real world. "Every lie told incurs a debt to the truth, and one day, that debt will be paid", to quote the excellent drama mini-series Chernobyl. Fraudsters forestall that day of reckoning by telling a bigger lie, increasing the debt, which (mostly as a side effect) alleges that they're growing much faster than most of your legitimate portfolio. Happily, many businesses have figured out how to keep track of fast-growing customers. Tracking rocketships doesn't require rocket science.
Sort-by-growth-rate-descending on new accounts will turn up a lot of interesting observations about the world. One is that Fortune 500 companies sometimes open new accounts, and you probably don't need to open a fraud investigation file in that case. Another is that some people claim to be feeding millions of meals to a community of tens of thousands of people, beginning from a standing start, and growing local social services at a rate which an Uber Eats city manager would not expect to achieve in the wildest dreams of their go-to-market plan.
Feeding Our Future had a CAGR of 578% sustained for 2 years. Uber, during their meteoric growth period in core rideshare services, had an average CAGR of 226%. Their best year was 369%. But, if you asked in Minneapolis in 2021, you'd quickly find someone who had been in an Uber, but fail to find anyone who ate courtesy of Feeding Our Future. So curious, given that they were drubbing one of the fastest growing companies in history on growth rate.
Investigators in Minnesota were ringing the alarm bells for years about implausibly fast growth in Feeding Our Future's reimbursement requests, including at new facilities. Feeding Our Future felt it was maxed out on the fraud it could conduct at existing sites, and expanded voraciously, including (most prominently) enrolling numerous restaurants as "feeding sites." They then copy/pasted the usual playbook and requested reimbursement for implausible volumes at those sites, paying kickbacks to many participants. This then required growing the fraud, which… you get the general idea. We could have gotten off the bus at many points, and I suppose that is at some level a question of political will.
The highest growth rates in the economy generally are newer fields (you basically can't sustain the alternative). This doesn't imply that those fields are fraudulent, but they will tend to disproportionately attract frauds. The defenders in those fields have not yet paid their tuition to the School of Hard Knocks, and so attackers target the weaker systems. The higher growth rates of legitimate businesses function as protective cover for high stated growth rates of illegitimate businesses; a CAGR of 1,000% looks implausible for a restaurant but barely-meets-expectations for an AI software shop.
And, not to put too fine a point on it, many people are invested, literally and metaphorically, in whatever today's new hotness is. People who could not secure an allocation in the more legitimate ends of it will sometimes find themselves adversarially selected by less salubrious actors. This will read to those people as a justly earned success. They might even have their marketing department write up their victimization as an indisputable success.
And so, if you're a defender who has many different lines of business and has limited resources (or political will), where should you deploy those resources? Should you place your bets on e.g. Social Security, a multi-trillion dollar program whose primary source of growth is fun to conjure but then requires 70 years of seasoning? Or should you place them on the Paycheck Protection Program, or pandemic-era unemployment insurance, or genetic testing, or non-emergency medical transportation? Despite those being smaller line items, they probably have more juice worth squeezing, and the fraud is more easily detectable. Just look.
Fraudsters find the weakest links in the financial system
Bits about Money has extensively covered anti-moneylaundering and Know Your Customer regulations and I won't rehash those regimes here. A bit of tacit knowledge in the financial industry: some actors in the set "broadly considered trustworthy" are more worthy of trust than others… and some are less.
We are generally discreet about writing this down in as many words. But, as an analogy, cross-national regulatory bodies require that financial institutions maintain a list of high-risk jurisdictions to do business in. You are generally required to do enhanced due diligence on customers/activities/etc touching the high-risk list.
If you are particularly competent, and there are plusses and minuses to being competent in detecting fraud (you will not be the most popular person in the firm at bonus time; that goes to the folks who sold the high-growth accounts), you might have the analogous list of U.S. financial institutions which are not entirely fronts for the bad guys.
If one hypothetically has that list, that's one more signal you can use in evaluating any particular account, and a one-stop shop for developing a list of accounts to look into. It would be uncouth of me to name an extant bank that has poor controls, but for a general example of the flavor, see my (scathing) commentary on Silvergate's AML and KYC program. Without using any proprietary information, I predict confidently that Silvergate banked many more multi-billion dollar frauds as a percentage of its customer base than almost any of the U.S.'s 4,500 banks. (Trivial substantiation: divide FTXes-banked by total-count-of-customers.)
One might, if one has never seen the list, wonder whether it is simply proxying for something the financial industry is definitely not allowed to proxy for. One of the first things you learn as a data analyst is zip codes are extremely probative and you are absolutely not allowed to use them. The American system remembers the experience of redlining and has forbidden the financial industry from ever doing it again; the industry mostly respects that. But good news: institutions with weak controls environments are not, in fact, simply a proxy for "Who banks socially disadvantaged people?" There are many financial institutions that have that as an explicit business model. Some of them are good at their jobs. Some, less so, and the fraudsters know it.
This sometimes happens with the knowing connivance of the financial institution and/or their staff. For much more on that, see histories of the savings and loan crisis, or the Lying for Money chapter on control frauds. But more commonly it is simply a community of practice developing organic knowledge about who is just very easy to get an account with. You need accounts, as a business. As a fraudulent business, which intends to cycle through accounts and identities at a much higher rate than baseline, you would prefer to do business with a bank which will not detect that malfeasance.
And so you will disproportionately end up banked, with many of your buddies, at the least attentive place still capable of getting a license. And so an agency, trying to find a fraudulent network, might want to look at fraud-cases-by-routing-number and then start making some judgment calls.
One of the reasons the government has deputized the financial industry is it is good at keeping spreadsheets and quickly responds to requests for them. Perhaps the government should call up a few of their deputies and say "So, not alleging anything here, but we think you might have a list, carefully maintained by your fraud department for your own purposes. We want to see the list. It would be pro-social of you to give us a copy of it."
Frauds openly suborn identities
There is a thriving market in identities to be used in fraud. This is because bad actors prefer not putting their own names on paper trails certain to become evidence, because they frequently "burn" themselves early in their careers, and because institutions have cottoned onto the wisdom of collecting lists of ultimate beneficiaries.
Sometimes this is a social process, conducted at e.g. the dinner table. Sometimes the market is explicitly a market. Jetson recounted that, having exhausted the supply of patients needing dialysis who could plausibly need ambulance services, frauds began bribing potential patients, first with donuts and then with cash. This is extremely common. In Minnesota, parents were recruited to childcare providers with the promise of cash kickbacks or (a detail we'll return to in a moment) fictitious paperworked no-show jobs, sometimes at substantially fictitious companies.
Fraudsters sometimes exercise some level of operational discipline in their communications. The bad guys have also seen The Wire; they know Stringer Bell's dictum on the wisdom of keeping notes on a criminal conspiracy. However, the population of people willing to be named in a federal indictment over $200 necessarily selects preferentially for individuals who are not experts at operational security. They will sometimes organize recruitment very openly, using the same channels you use for recruiting at any other time: open Facebook groups, Reddit threads, and similar. They will film TikTok videos flashing their ill-gotten gains, and explaining steps in order for how you, too, can get paid.
As a fraud investigator, you are allowed and encouraged to read Facebook at work.
Now, knowing that there exists the frequent epiphenomenon where fraudsters recruit strawmen to use their identities to qualify for payments: suppose that you have an entirely new enterprise whose first customers are individuals A, B, C, and D. You know, from past records, that A, B, C, and D have all been customers of an organization which you now know, positively, was a fraudulent actor. You might infer from this that A, B, C, and D might have sold their identities once, but you probably don't have sufficient information to convict them in a court of law of that. (It is of course possible that they are simply unsophisticated, or that bad actors obtained their information without their knowledge, for example by misappropriating a client list from a previous corporate entity they happened to own/work for/etc.)
But do you have enough information to take a more-detailed-than-usual look at this totally new enterprise? I think you do.
Asymmetry in attacker and defender burdens of proof
We have choices, as the defender, in what levels of evidence we require to enter the circle of trust, what our epistemological standards are, and how much evidence we require to forcibly exit someone from the circle of trust.
A detail from the Minnesota cases is that these burdens are asymmetric, in a way which disadvantages the defender (all of us). That decision is a choice and we should make better choices.
For example, the primary evidence of a child attending a day-care was a handwritten sign-in sheet of minimal probative value. Prosecutors referred to them as "almost comical" and "useless." They were routinely fraudulently filled out by a 17 year old "signing" for dozens of parents sequentially in the same handwriting, excepting cases where they were simply empty.
To refute this "evidence", the state forced itself to do weeks of stakeouts, producing hundreds of hours of video recording, after which it laboriously reconstructed exact counts of children seen entering/exiting a facility, compared it with the billing records, and then invoiced the centers only for proven overbilling.
On general industry knowledge, if you are selected for examination in e.g. your credit card processing account, and your submission of evidence is "Oh yeah, those transactions are ones we customarily paperwork with a 17 year old committing obvious fraud", your account will be swiftly closed. The financial institution doesn't have to reach a conclusion about every dollar which has ever flowed through your account. What actual purpose would there be in shutting the barn door after the horse has left? The only interesting question is what you'll be doing tomorrow, and clearly what you intend to do tomorrow is fraud.
We can architect the asymmetry in the other fashion: legitimate businesses will customarily, as a fact of their operations, put enormous effort into creating visible effects in the world which are trivial to check. In technologist circles this is sometimes called a "proof of work" function.
Once upon a time, a team of fraud analysts asked how they could possibly determine frauds from non-frauds without having extensive industry knowledge about every possible commercializable human activity. I suggested that a good first pass was "Just ask the correspondent for a quick video, shot on their cell phone, of their workspace."
That is minimally invasive for the business owner, generates a huge amount of signal (including that which can be correlated across accounts), and can be usefully adjudicated by non-specialists in a minute. No multi-month stakeout of their storefront is required. Of course you can convincingly fake a video of working in, say, a machine shop, but fraudsters maintaining spreadsheet row 87 about the machine shop will find that difficult to juggle with all the other required lies in their backlog. Actual machine shops, meanwhile, include people, which means they include functional cell phone cameras at no additional cost to anyone.
You can also get some signal from who can trivially produce a video and who needs a week of advance notice to find a cell phone to record those machines that were absolutely milling aluminum last week.
Fundamentally, we have a choice about where we put our investments in defanging fraud, and we should stop choosing to lose.
So-called "pay-and-chase", where we put the burden on the government to disallow payments for violations retrospectively, has been enormously expensive and ineffective. Civil liability bounces off of exists-only-to-defraud LLC. Criminal prosecutions, among the most expensive kinds of intervention the government is capable of doing short of kinetic war, result in only a ~20% reduction in fraudulent behavior. Rearchitecting the process to require prior authorization resulted in an "immediate and permanent" 68% reduction. (I commend to you this research on Medicare fraud regarding dialysis transport. And yes, the team did some interesting work to distinguish fraudulent from legitimate usage of the program. Non-emergency transport for dialysis specifically had exploded in reimbursements--see Figure 1--not because American kidneys suddenly got worse but because fraudsters adversarially targeted an identified weakness in Medicare.)
Attackers carefully respond to signals they think they are being sent from defenders. A lawyer for some of the Minnesota defendants, Ryan Pacyga, was quoted by the New York Times as saying that his clients understood Minnesota to tacitly allow their actions.
No one was doing anything about the red flags. … It was like someone was stealing money from the cookie jar and they kept refilling it.
Don't be the defender who sends that message. It will not work out well for you or your program.
Fraudsters under-paperwork their epiphenomena
Most frauds have rich external lives, with a soaring narrative of how deserving people are getting valuable services (and/or getting rich for being right and early regarding e.g. crypto asset cross-margining). They tend to be distinctly underpaperworked internally, partly because a synonym for "paperwork" is "evidence" and partly because… most frauds aren't really that sophisticated, when it comes down to it. There is a true number; lie about it; done.
Like many time-pressed entrepreneurs busy talking to potential customers, fraudsters put the minimal amount of time necessary into bookkeeping and even less than that into paperworking epiphenomena of their frauds. One example of epiphenomena is that sometimes the beneficiaries need their own paperwork. A legitimate mortgage company employs sales reps and a backoffice to help unsophisticated customers successfully get several hundred pages of paperwork together to sell a mortgage. Frauds… mostly don't do that.
And so, if you have e.g. a statutory requirement that a beneficiary be employed to access services, a fraudster might say "Don't worry about it!" They'll just assert that you are an employee at a cleaning company. Perhaps they might even go as far as payrolling you as an employee of a cleaning company. This kills two birds with one stone, paying you your kickback while also generating the paystub they need you to have to qualify for the government reimbursement. (This happened, per the OLA's reports summarizing the results of many investigations, in Minnesota.)
But fraudsters don't actually operate cleaning companies even in those cases where they do operate daycares.
Cleaning companies are legitimate businesses, in the main, and working for one is an honest occupation. And so a fraud investigator should feel no chagrin at calling a cleaning company in the phone book and asking for a quote. A cleaning company which expresses complete befuddlement that someone could ask for a quote is providing, ahem, evidence in a direction.
(I have to note, as someone who pays to send children to a private school, that there is replete evidence that the school is accepting new children, knocking on the door and asking will quickly result in being given a brochure, and there are scheduled open houses and similar. I can imagine a gratuitously mismanaged educational establishment which does none of these things, and I can imagine an educational establishment which makes a lot of money, but I have trouble holding both thoughts in my head at the same time.)
The core frauds are sometimes hardened, to an attenuated degree. The peripheral frauds collapse under even a glance. Architect processes to require more signals regarding the periphery, then architect a system which takes at least a cursory look at the periphery. You will trivially catch frauds.
If you're worried about exposing the exact signal that you are using, costing utility of it in the future, you can use this as a "parallel construction" engine. Develop leads for investigation using the non-public signal, pull the core records as a matter of routine, find the discrepancies that all frauds leave in their core records, and then put those in the indictment. Ask your friendly neighborhood lawyer if that passes muster or if you need to add a sentence rhyming with "was selected for a routine audit on the basis of information available to the department."
Machine learning can adaptively identify fraud
We have discussed some heuristics [1] for identifying fraud. The financial industry still makes material use of heuristics, but a heuristic is a compression of the real world. It will sometimes lose fidelity to the world. It will frequently, by design, be legible to the adversary.
The defender has one advantage the attacker cannot ever replicate: data at scale. It knows what legitimate use looks like because it has all the messy, contradictory, varying quality, typos-and-all data which legitimate businesses in the real world constantly throw off. You cannot duplicate all of the shadows on the wall of Plato's cave without first duplicating the entire world. Fraudsters, even quite talented ones, can't do that.
There are any number of techniques for machine learning in anti-fraud; Emily Sands has previously discussed some with me. An important subset of the field can adapt in real-time or close to it to changes in adversary (or legitimate!) behavior. For example, covid surprised the fraudsters at the same time as it surprised every supermarket in the country, but the ex-post actions of the fraudsters and the supermarkets were very different. Revenue went up for both, but only one group actually runs a supermarket. And so by ingesting and constantly analyzing data from all users, including retrospective annotation of which users you've identified to be frauds, you get better and earlier signals on which users are likely fraudulent and which are likely not.
This can inform outright interdiction or the investigate-then-punish loop that we ordinarily expect from government. It can also inform less consequential, easier-to-reverse interventions. For example, rather than putting all users immediately through the highest-possible-ceremony process for application, you can let most users do a lower-burden process, saving the higher levels of scrutiny for those which signal greater likelihood of being fraudulent. Or you can default to approving more applicants and reserve more of your investigatory budget for post-approval review, with this being equivalently costly by using better tasking of those reviews versus random allocation. Pay-and-chase becomes more palatable if it is not pay-and-pay-and-pay-and-pay-and-chase and more pay-until-we-decide-to-chase-but-stop-payments-at-that-decision-not-after-the-catching.
Machine learning isn't simply useful from a perspective of decreasing fraud. The history of regulation of benefits programs is the history of too-late, too-harsh overcorrection to notorious abuses. Much of what advocates find most maddening and Kafkaesque about eligibility criteria and application processes was voted on by a legislature but bears the signature of a fraudster with a novel idea.
With a good machine learning practice, you can increase data ingested but decrease the burdensome formal application/etc requirements. This is in no small part because those data points are less probative (they are under the direct control of the attacker and announce that they will be scrutinized). But it bears a dividend: if you better control fraud, and can successfully demonstrate that to the public and legislators, you can decrease application burden and perhaps even widen eligibility criteria. Those are both in the direct interests of potential marginal beneficiaries.
A political commentator might focus more on the optics here than on the substance, because that is so frequently where the point of actual leverage is in politics. But the substantive reality of fraud losses matters. It is much easier to tell the story of fraud in benefits programs being rare, opposed by all right-thinking people, and swiftly sanctioned when that story is not an obvious lie.
Frauds have a lifecycle
You can read Lying for Money or other histories of frauds for more detail on the texture, but in the main, a dedicated fraudulent enterprise is created, is seasoned for a while before crossing the Rubicon, has a period of increasing brazenness, is detected, is closed, and then is resurrected when the fraudster gets the band back together from round N+1.
We can intervene against the lifecycle model if we understand it. This begins with not defaulting to the understanding of investigators that frauds are isolated incidents by disparate individual actors. Those have been known to happen, but frauds are, by total damage, dominated by repeatable business models perpetrated by professional specialized bad actors. We should study them like we study other successful entrepreneurs, and then not invest in them.
One actionable insight from the lifecycle model: because the fraudster intends to be in business multiple times in their life, we should track the person-to-business mapping much more closely than we have historically. As Lying for Money says, if you're an accountant and willing to go to prison, and you do not get rich via fraud… well, you are very bad at your job. That's on you. When we give you repeated chances to do it, that's on us.
One might think that the simplest imaginable reform is passing some sort of beneficial ownership regulation to unroll complex corporate structures designed to obscure who is actually puppeting Totally Not A Fraud, LLC. But the simplest imaginable reform is probably just actually reading corporate filings that already exist and are public. Again, most fraudsters are not the hypersophisticated Moriarties of the popular imagination. The Minnesota fraudsters frequently did not even bother with fig leaves. While they did find some nominee directors in some cases, many of the convicted operated their companies in their own names, with no complicated structuring at all. Sometimes multiple times, consecutively, after the previous entities had worn out their welcome with Minnesota.
The Fed should not be surprised when the bad guys buy a bank when buying a bank requires an extended permission-seeking process and the bad guy's corporate records, dutifully recorded by Maryland (entity D20033544), are signed by a notorious bagman. In the Fed's defense, the bagman lied to them about his intentions, which was outside of their world model. (Pip pip to the New York Times for figuring that out before the Fed did. That is, sadly, not the usual way it works in financial journalism.)
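Two of the checks this essay describes, the new enterprise whose first customers A, B, C, and D were all customers of a known fraud, and the person-to-business mapping read off filings that already exist, can be run mechanically. The following Python sketch is an added example, not part of the original essay; every entity, name, record layout and the 50% overlap threshold is a constructed assumption.

```python
import re
from collections import defaultdict

# Constructed records: (entity, year formed, officers as written on the
# filing, closed for fraud?). All names are made up for illustration.
FILINGS = [
    ("Sunrise Care LLC", 2019, ["Jordan Q. Example"], True),
    ("Corner Bakery LLC", 2020, ["Sam Baker"], False),
    ("Second Act Care LLC", 2023, ["EXAMPLE, JORDAN Q"], False),
    ("Totally New Daycare LLC", 2024, ["Riley Newname"], False),
    ("Maple Street Daycare LLC", 2024, ["Pat Maple"], False),
]
# Constructed customer/beneficiary lists per entity.
CUSTOMERS = {
    "Sunrise Care LLC": {"A", "B", "C", "D", "E"},
    "Second Act Care LLC": {"X", "Y"},
    "Totally New Daycare LLC": {"A", "B", "C", "D"},
    "Maple Street Daycare LLC": {"E", "M", "N", "O"},
}


def person_key(name):
    """Crude matching key for a name as written on a filing.

    Ignores case, punctuation and word order, so "Jordan Q. Example" and
    "EXAMPLE, JORDAN Q" collide. Real matching needs more than this.
    """
    words = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(sorted(words))


def entities_by_person(filings):
    """Person-to-business mapping: officer key -> entities in formation order."""
    mapping = defaultdict(list)
    for entity, _formed, officers, _closed in sorted(filings, key=lambda f: f[1]):
        for officer in officers:
            mapping[person_key(officer)].append(entity)
    return dict(mapping)


def review_reasons(entity, filings, customers, min_overlap=0.5):
    """Reasons to take a closer look at `entity`: leads, not findings."""
    fraud = {f[0] for f in filings if f[3]}
    officers = next(f[2] for f in filings if f[0] == entity)
    by_person = entities_by_person(filings)
    reasons = []
    # Check 1: has this person been in business before, at a closed fraud?
    for officer in officers:
        prior = [e for e in by_person[person_key(officer)]
                 if e in fraud and e != entity]
        if prior:
            reasons.append(f"officer '{officer}' previously ran {', '.join(prior)}")
    # Check 2: do this entity's customers overlap a known fraud's customers?
    mine = customers.get(entity, set())
    for old in sorted(fraud - {entity}):
        shared = mine & customers.get(old, set())
        if mine and len(shared) / len(mine) >= min_overlap:
            reasons.append(
                f"{len(shared)} of {len(mine)} customers were customers of {old}")
    return reasons


def review_queue(filings, customers):
    """Open entities with at least one reason, in formation order."""
    queue = {}
    for entity, _formed, _officers, closed in sorted(filings, key=lambda f: f[1]):
        if not closed:
            reasons = review_reasons(entity, filings, customers)
            if reasons:
                queue[entity] = reasons
    return queue


if __name__ == "__main__":
    for name, why in review_queue(FILINGS, CUSTOMERS).items():
        print(name, "->", "; ".join(why))
```

The output is a list of enterprises to look at more closely, with the reason attached; as the essay notes, customer overlap alone does not establish that A, B, C, or D did anything wrong.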
Should we care about fraud investigation, anyway?
Responsible actors in civil society have a mandate to aggressively detect and interdict fraud. If they do not, they cede the field to irresponsible demagogues. They will not be careful in their conclusions. They will not be gentle in their proposals. They will not carefully weigh consequences upon the innocent. But they will be telling a truth that the great and the good are not.
The public will believe them, because the public believes its lying eyes.
[0] In a thing you will see frequently in fraud investigations, early detection of anomalies does not necessarily imply successful identification of the underlying fraudulent enterprise. A teacher was scandalized that a third of their students are using AI to write papers. Those "students" are identities puppeted by a criminal organization to siphon federal funding out of community colleges towards accounts controlled by the criminals. (I award myself one cookie for correctly predicting this.)
[1] A heuristic, in industry parlance, is a hard-coded rule or set of rules as opposed to a system which automatically adapts to changes in the underlying data. Compare the difference between "You are less likely to default on loans if you own versus renting", which is absolutely demonstrable in aggregate data, versus "You are less likely to default on loans at 780 FICO versus 540 FICO." For a variety of reasons, the culture that is legislators sees the problem with having one heuristic, which will obviously not come to the correct conclusion all of the time. It corrects for this issue by having several hundred pages of heuristics. Just one more heuristic, man, and we'll have completely anticipated all the complexity of the world.
Heuristics are wonderful things! They're cheap to adjudicate, easy to explain, and can be understood by lawyers, even the kind who have ascended from the practice of law to the writing of it. Happily, machine learning systems can have all of these properties if you make them priorities.
-
🔗 r/york Would anyone like these? rss
I have two of these gift vouchers for a free photoshoot plus a framed photo and £150 towards any images, prints or products. All the locations are a bit too far for me but willing to offer them at a heavily discounted price if anyone wants em. They can't be used together though and it says they need to be booked by tomorrow but maybe there's some leeway with that. DM me if interested!
submitted by /u/IndependentSheffield
[link] [comments]
-
🔗 r/wiesbaden I’m an American citizen with no address, I need to send mail to a German address (buying from German site) rss
What can I do?
submitted by /u/Careful-Foot8399
[link] [comments] -
🔗 r/york York Christmas Market footfall down, organisers say rss
submitted by /u/Kagedeah
[link] [comments]
-
🔗 vitali87/code-graph-rag v0.0.55 release
chore: bump version to 0.0.55
-
🔗 vitali87/code-graph-rag v0.0.54 release
chore: bump version to 0.0.54
-
🔗 vitali87/code-graph-rag v0.0.53 release
chore: bump version to 0.0.53
-
🔗 r/reverseengineering [Project] An open-source Windows RAT for learning offensive security techniques rss
submitted by /u/AcrobaticMonitor9992
[link] [comments] -
🔗 vitali87/code-graph-rag v0.0.52 release
chore: bump version to 0.0.52
-
🔗 r/LocalLLaMA CPU-only, no GPU computers can run all kinds of AI tools locally rss
While it’s great that so many people on LocalLLaMA are pushing the envelope with what can be done locally with expensive setups, we need to remember that a lot can be done with very minimal machines. I’m talking about CPU-only locally run LLMs. That’s right, no GPU!

I’m running Linux Mint on an old Dell optiplex desktop with an i5-8500 processor, 6 threads and 32GB of RAM. You can pick up one of these refurbished for something like $120. And with this humble rig I can:

Run 12B Q4_K_M gguf LLMs using KoboldCPP. This allows me to have local chatbot fun using quite highly rated models from https://huggingface.co/spaces/DontPlanToEnd/UGI-Leaderboard. Response times are fast enough as long as you keep the initial prompt below 800 tokens. And with context-shifting it remembers stuff during the session. Uncensored, private RP hilarity for free! You can even add in kokoro_no_espeak for text to speech so your RP characters talk to you with only a few seconds delay. The trick is to find good models to use. For example, DreadPoor/Famino-12B-Model_Stock is rated a 41+ on writing, which is better than many 70B models. You don’t need big horsepower for fun. You can also use these models for writing, coding and all sorts of applications. Just need the patience to try out different local models and find the settings that work for you.

I also run Stable Diffusion 1.5 locally for basic image generation, inpainting and so on. Again using KoboldCPP and Stable UI. OK, it takes 3 minutes to generate a 512x512 image but it works fine. And you can experiment with loras and many SD 1.5 models. All 100% free on old gear.

I’m also running Chatterbox TTS for voice cloning voice-over projects. Works surprisingly well. Again, it takes a couple of minutes to generate a 75 word audio clip, but it does work. Vibevoice TTS also works on this old rig but I prefer Chatterbox.

And then there are amazing tools like Upscayl which upscales images locally incredibly well. Just gotta experiment with the models.

I’ve used ollama transcriber which converts audio files into text amazingly well. Just point a spoken word .WAV at it and then go make dinner and when I get back, the text is there.

There are many other local LLMs and tools I’ve used. These are just the tip of the iceberg. Video? Nope. Music generation? Nope. I’ve looked and tried a few things but those big resource tasks need serious horsepower. However, it’s quite possible to use your old desktop computer for text-based tasks and then rent online GPU for one-off tasks and use the big online services for other tasks. It would still probably work out to be less costly.

I know I’m not the only one doing this. CPU-only people: tell us how you’re using AI locally...
submitted by /u/JackStrawWitchita
[link] [comments]
-
🔗 gchq/CyberChef v10.21.0 release
See the CHANGELOG and commit messages for details.
-
🔗 r/Yorkshire Early Morning. 6°C and blue skies. Snowdrops. rss
@weatherworlds
submitted by /u/AnfieldAnchor
[link] [comments]
-
🔗 vitali87/code-graph-rag v0.0.51 release
chore: bump version to 0.0.51
-
🔗 r/Yorkshire East Riding council tax to increase by 4.99% rss
submitted by /u/Kagedeah
[link] [comments]
-
🔗 r/Leeds Leeds Core doesn’t have a core anymore! rss
Work is well underway!
submitted by /u/Mr-Dionysus
[link] [comments] -
🔗 r/york Why is the River Ouse tidal into York? rss
I don’t remember seeing tidal peaks in York at the Viking Recorder before. Has something changed downstream? The lock/weir at Naburn is the usual limit of tidal peaks in my memory.
submitted by /u/dawnriser
[link] [comments]
-
🔗 r/reverseengineering Frida UI tool window inside PyCharm : ZAFridaUI rss
submitted by /u/StockRip2949
[link] [comments] -
🔗 r/york Selling Anna Lapwood ticket - 05 June via Ticketmaster rss
Hi all!
Mods - apologies if this post is not allowed on this sub. I'm unable to make the Anna Lapwood concert on 05 June, so I've listed my ticket on the official Ticketmaster website.
Posting here for visibility.
https://secure.ticketmaster.co.uk/rs/3600636CE7D4A2A4/l047kg0d
submitted by /u/203203_again
[link] [comments] -
🔗 r/reverseengineering [Challenge] The Enigma Protector 8.0 is released so here it is! The Hello World program to reverse! (CPP + TEP) rss
submitted by /u/Repulsive-Whereas572
[link] [comments] -
🔗 r/LocalLLaMA No NVIDIA? No Problem. My 2018 "Potato" 8th Gen i3 hits 10 TPS on 16B MoE. rss
I’m writing this from Burma. Out here, we can’t all afford the latest NVIDIA 4090s or high-end MacBooks. If you have a tight budget, corporate AI like ChatGPT will try to gatekeep you. If you ask it if you can run a 16B model on an old dual-core i3, it’ll tell you it’s "impossible." I spent a month figuring out how to prove them wrong. After 30 days of squeezing every drop of performance out of my hardware, I found the peak. I’m running DeepSeek-Coder-V2-Lite (16B MoE) on an HP ProBook 650 G5 (i3-8145U, 16GB Dual-Channel RAM) at near-human reading speeds.

#### The Battle: CPU vs iGPU

I ran a 20-question head-to-head test with no token limits and real-time streaming.

| Device | Average Speed | Peak Speed | My Rating |
| --- | --- | --- | --- |
| CPU | 8.59 t/s | 9.26 t/s | 8.5/10 - Snappy and solid logic. |
| iGPU (UHD 620) | 8.99 t/s | 9.73 t/s | 9.0/10 - A beast once it warms up. |

The Result: The iGPU (OpenVINO) is the winner, proving that even integrated Intel graphics can handle heavy lifting if you set it up right.

## How I Squeezed the Performance:

* MoE is the "Cheat Code": 16B parameters sounds huge, but it only calculates 2.4B per token. It’s faster and smarter than 3B-4B dense models.
* Dual-Channel is Mandatory: I’m running 16GB (2x8GB). If you have single-channel, don't even bother; your bandwidth will choke.
* Linux is King: I did this on Ubuntu. Windows background processes are a luxury my "potato" can't afford.
* OpenVINO Integration: Don't use OpenVINO alone—it's dependency hell. Use it as a backend for llama-cpp-python.

## The Reality Check

- First-Run Lag: The iGPU takes time to compile. It might look stuck. Give it a minute—the "GPU" is just having his coffee.
- Language Drift: On iGPU, it sometimes slips into Chinese tokens, but the logic never breaks.

I’m sharing this because you shouldn't let a lack of money stop you from learning AI. If I can do this on an i3 in Burma, you can do it too.
submitted by /u/RelativeOperation483
[link] [comments]
-
🔗 r/reverseengineering Jump table detection in the rev.ng decompiler (rev.ng hour 2023-11-17) rss
submitted by /u/aleclm
[link] [comments] -
🔗 w00tzenheimer/d810-ng v0.1.0 release
What's Changed
- more optimizations by @w00tzenheimer in #1
- more optimizations by @w00tzenheimer in #2
- Fix a lot of failing rules (or at least clarify them). by @w00tzenheimer in #3
- Enhance AST processing with new optimizations 🚀✨ by @w00tzenheimer in #4
- More updates to fix constant folding, now working. by @w00tzenheimer in #6
- chore: migrate PyQt5 to PySide6 by @hellodword in #9
- test(samples): Add comprehensive obfuscation test cases and binaries by @mahmoudimus in #15
- vendor: Bundle clang, typing_extensions, and ida_reloader dependencies by @mahmoudimus in #14
- build: Add pytest/coverage configuration and development tooling by @mahmoudimus in #13
- feat(core): Add foundational infrastructure modules by @mahmoudimus in #16
- config: Add optimizer configurations for various obfuscation patterns by @mahmoudimus in #17
- feat(hexrays): Add deferred CFG modifier and enhanced tracking utilities by @mahmoudimus in #18
- feat(expr): Add portable AST, emulation oracle, and enhanced Z3 utilities by @mahmoudimus in #19
- feat(mba): Add comprehensive MBA simplification rules by @mahmoudimus in #21
- feat(mba): Add DSL, constraint system, and multi-backend infrastructure by @mahmoudimus in #20
- feat(testing): Add testing framework infrastructure by @mahmoudimus in #26
- feat(optimizers): Add optimizer core infrastructure by @mahmoudimus in #28
- feat(flattening): Add comprehensive unflattening framework by @mahmoudimus in #29
- feat(speedups): Add Cython speedups infrastructure by @mahmoudimus in #31
- fix: Port targeted bug fixes from cfg-audit by @mahmoudimus in #34
- Remove duplicate data by @zmer007 in #32
- feat: Egraph optimizer, D810.py rewrite, Qt shim safety, core cleanup by @mahmoudimus in #35
New Contributors
- @w00tzenheimer made their first contribution in #1
- @hellodword made their first contribution in #9
- @mahmoudimus made their first contribution in #15
- @zmer007 made their first contribution in #32
Full Changelog: https://github.com/w00tzenheimer/d810-ng/commits/v0.1.0
-
🔗 r/LocalLLaMA I am absolutely loving qwen3-235b rss
I installed qwen3-235b on my desktop system, and I had to join here to brag about it. It's such a careful model, the accuracy of its output is unbelievable and I've found myself using it absolutely constantly to the point my chatgpt pro subscription is getting left behind. The ability to get carefully curated information of this quality from your own desktop PC is astounding to me and for my use puts all the commercial subscriptions to shame. Sorry for the rant lol!
submitted by /u/TwistedDiesel53
[link] [comments] -
🔗 r/reverseengineering [Challenge] The Enigma Protector 8.0 is released so here it is! The Hello World program to reverse! (Python Nuitka + TEP) rss
submitted by /u/Repulsive-Whereas572
[link] [comments] -
🔗 matklad CI In a Box rss
CI In a Box
Feb 6, 2026
I wrote `box`, a thin wrapper around ssh for running commands on remote machines. I want a box-shaped interface for CI:

```js
// `$` is a shell tagged-template helper, as in the original sketch.
const repository = "git@forge.com/me/my-project";
const commit_sha = Deno.env.get("COMMIT");

// Create one runner box per target OS.
const runners = await Promise.all(
    ["windows-latest", "mac-latest", "linux-latest"]
        .map((os) => $`box create ${os}`)
);

// On every runner: check out the commit, fetch the toolchain, run the tests.
await Promise.all(runners.map(async (runner) => {
    await $`box run ${runner} git clone ${repository} .`;
    await $`box run ${runner} git switch --detach ${commit_sha}`;
    await $`box run ${runner} ./zig/download.ps1`;
    await $`box run ${runner} ./zig/zig build test`;
}));
```

That is, the controlling CI machine runs a user-supplied script, whose status code will be the ultimate result of a CI run. The script doesn’t run the project’s tests directly. Instead, it shells out to a proxy binary that forwards the command to a runner box with whichever OS, CPU, and other environment required.

The hard problems are in the `["windows-latest", "mac-latest", "linux-latest"]` part:

- One of them is not UNIX.
- One of them has licensing & hardware constraints that make per-minute billed VMs tricky (but not impossible, as GitHub Actions does that).
- All of them are moving targets, and require someone to do the OS upgrade work, which might involve pointing and clicking.

CI discourse amuses me — everyone complains about bad YAML, and it is bad, but most of the YAML (and associated reproducibility and debugging problems) is avoidable. Pick an appropriate position on a dial that includes

- writing a bash script,
- writing a script in the language you already use,
- using a small build system,
- using a medium-sized one like `make` or `zig build`, or
- using a large one like `nix` or `buck2`.

What you can’t just do by writing a smidgen of text is getting the heterogeneous fleet of runners. And you need a heterogeneous fleet of runners if some of the software you are building is cross-platform.

If you go that way, be mindful that

The SSH wire protocol only takes a single string as the command, with the expectation that it should be passed to a shell by the remote end.

In other words, while SSH supports syntax like `ssh $HOST cmd arg1 arg2`, it just blindly intersperses all arguments with a space. Amusing to think that our entire cloud infrastructure is built on top of shell injection!

This, and the need to ensure no processes are left behind unintentionally after executing a remote command, means that you can’t “just” use SSH here if you are building something solid.
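The single-string behaviour described above can be reproduced locally without an SSH server. The following Python sketch is an added example, not code from the post or from `box`: it models the client as a space-join, models the remote end as `sh -c`, and compares the naive command string with one where every argument is quoted first. The helper script and the sample arguments are constructed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed helper script: prints each argument it receives in brackets,
# so argument boundaries as seen by the remote program are visible.
SHOW_ARGV = 'for a in "$@"; do printf "[%s]" "$a"; done; printf "\\n"\n'


def naive_wire_command(argv):
    """What `ssh host cmd arg1 arg2` sends: the arguments joined by spaces."""
    return " ".join(argv)


def quoted_wire_command(argv):
    """Quote each argument for a POSIX shell before joining.

    shlex.quote only targets POSIX shells; a runner whose SSH default shell
    is cmd.exe or PowerShell needs its own quoting rules.
    """
    return " ".join(shlex.quote(arg) for arg in argv)


def remote_end(wire_command, cwd):
    """Stand-in for the SSH server side: one string, handed to a shell."""
    result = subprocess.run(
        ["sh", "-c", wire_command],
        cwd=cwd, capture_output=True, text=True, check=True,
    )
    return result.stdout


def demo():
    """Return (output via naive join, output via quoted join)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "show_argv.sh"), "w") as fh:
            fh.write(SHOW_ARGV)
        # Two intended arguments: a file name with a space, and a value
        # containing a shell metacharacter (constructed sample input).
        argv = ["sh", "show_argv.sh", "release notes.txt", "v1; echo INJECTED"]
        naive = remote_end(naive_wire_command(argv), tmp)
        quoted = remote_end(quoted_wire_command(argv), tmp)
        return naive, quoted


if __name__ == "__main__":
    naive, quoted = demo()
    print("naive :", repr(naive))
    print("quoted:", repr(quoted))
```

With the naive join the remote program sees three arguments instead of two and the shell runs a second command; with per-argument quoting it sees exactly the two arguments that were passed.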
-
- February 05, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-02-05 rss
IDA Plugin Updates on 2026-02-05
New Releases:
Activity:
- capa
- 26aba806: loader: handle SegmentationViolation for malformed ELF files (#2799)
- 3582bce6: vmray: skip processes with invalid PID or missing filename (#2807) (#…
- 535faf28: build(deps): bump protobuf from 6.33.1 to 6.33.5 (#2851)
- fe273351: build(deps): bump pip from 25.3 to 26.0 (#2847)
- a40ae162: build(deps): bump dnfile from 0.17.0 to 0.18.0 (#2848)
- 1500a349: build(deps): bump rich from 14.2.0 to 14.3.2 (#2849)
- CTFStuff
- e41f501e: not breaking everythin i hope
- d810-ng
- distro
- 6616314e: Add APT dependency info extraction to remnux-diag
- ida-claude-plugins
- c606f46a: add ida-domain-api
- idasql
- 4470dbab: fix: skip plugin loading under idalib
-
🔗 r/Leeds Looking for a Leeds Spot to Stream the Artemis II Moon Launch? rss
I'm a massive space nerd and am super excited for the Artemis 2 launch back to the moon! However, aside from watching a stream on YouTube, I'm not sure if there's anywhere I can catch the launch from in Leeds. It'll likely be in the early hours of the morning, but are there any places in the Leeds area which are hosting watch parties? Would love to know.
submitted by /u/Lord_lammington
[link] [comments] -
🔗 badlogic/pi-mono v0.52.6 release
Breaking Changes
- Removed `/exit` command handling. Use `/quit` to exit (#1303)
Fixed
- Fixed `/quit` being shadowed by fuzzy slash command autocomplete matches from skills by adding `/quit` to built-in command autocomplete (#1303)
- Fixed local package source parsing and settings normalization regression that misclassified relative paths as git URLs and prevented globally installed local packages from loading after restart (#1304)
-
🔗 r/york Chicken Wings rss
I’ve just moved back to the city and I’m out of the loop. Where does good crispy chicken wings and lots of them ? I know it’s not fine dining but I’ve suddenly developed a craving for them
submitted by /u/JarJarBinksSucks
[link] [comments] -
🔗 badlogic/pi-mono v0.52.5 release
Fixed
- Fixed thinking level capability detection so Anthropic Opus 4.6 models expose `xhigh` in selectors and cycling
-
🔗 r/york Bass lessons in York? rss
Hi guys, got a question which I think is best asked here. I used to play bass as a teenager but I've been down a bit of a jazz rabbit hole recently and have been noodling on my bass again since November...
Only I suck at theory and also lack direction atm. Was hoping to get some tutoring to address this so does anyone know anyone who does lessons in or around the city?
submitted by /u/RhyeJam
[link] [comments] -
🔗 badlogic/pi-mono v0.52.4 release
Fixed
- Fixed extensions setting not respecting `package.json` `pi.extensions` manifest when directory is specified directly (#1302 by @hjanuschka)
-
🔗 badlogic/pi-mono v0.52.3 release
Fixed
- Fixed git package parsing fallback for unknown hosts so enterprise git sources like `git:github.tools.sap/org/repo` are treated as git packages instead of local paths
- Fixed git package `@ref` parsing for shorthand, HTTPS, and SSH source formats, including branch refs with slashes
- Fixed Bedrock default model ID from `us.anthropic.claude-opus-4-6-v1:0` to `us.anthropic.claude-opus-4-6-v1`
- Fixed Bedrock Opus 4.6 model metadata (IDs, cache pricing) and added missing EU profile
- Fixed Claude Opus 4.6 context window metadata to 200000 for Anthropic and OpenCode providers
-
🔗 r/Yorkshire Looking for JDM cars to attend my best friend’s funeral. rss
submitted by /u/wineandbluecheese
[link] [comments] -
🔗 r/LocalLLaMA BalatroBench - Benchmark LLMs' strategic performance in Balatro rss
If you own a copy of Balatro, you can make your local LLM play it.
I built tools to let LLMs play Balatro autonomously. The LLM gets the game state as text, decides what to do (play, discard, buy from shop...), and the action executes in the actual game. No hard-coded heuristics — all decisions come from the LLM.
BalatroBot is a mod that exposes an HTTP API for game state and controls. BalatroLLM is the bot framework — it works with any OpenAI-compatible endpoint (Ollama, vLLM, etc.).
You can write your own strategy (Jinja2 templates that define how game state is prompted and what the LLM's decision philosophy should be). Different strategies lead to very different results with the same model.
Benchmark results across various models (including open-weight ones) are on BalatroBench.
Resources:
- BalatroBot: Balatro mod with HTTP API
- BalatroLLM: Bot framework — create strategies, plug in your model
- BalatroBench: Leaderboard and results (source)
- Discord
PS: You can watch an LLM struggling to play Balatro live on Twitch - rn Opus 4.6 is playing
submitted by /u/S1M0N38
[link] [comments] -
🔗 @binaryninja@infosec.exchange Command Palette is getting a serious upgrade in the upcoming Jotunheim mastodon
Command Palette is getting a serious upgrade in the upcoming Jotunheim release! Beyond actions, you can now search functions and symbols, types, strings, open tabs, and even project files, all from the keyboard. Read about it in our latest blog post: https://binary.ninja/2026/02/05/command-palette-updates.html
-
🔗 r/Yorkshire Ideas for a very brief Yorkshire Dales tour with my elderly dad? (Coming from NY) rss
Hello,
My father, who is 91, and I will be meeting in London in late-May. He hasn't flown in possibly 20 years, doesn't like it, and he's not so ambulatory - uses a cane, walks very slowly; he'll be the first to admit he's impatient with folks and crowds, etc. (He'd be flying from the east coast of the U.S. with my stepbrother; I'm coming from the west coast.) But it's a very special occasion because a play he's been involved with for about 50 years is finally coming to fruition as a musical, and the producers are paying, so we've encouraged him to go to this once-in-a-time event, and I think he's even gotten excited about it. My brother and his son will also be joining.
Meanwhile, my father and I are both watching and loving "All Creatures Great and Small." We talk about how gorgeous are the Dales. Given the variables above, do you have any thoughts about a short, and very easy, trip from London? I'm thinking maybe we take the train up to York, spend the night, next day take a day tour into the gloriousness (an "All Creatures" focus?; doesn't have to be; that may be too on the nose for him, and just seeing the landscape may suffice), come back and spend the night in York, go back to London the next day, then he and stepbrother return to NY. Maybe it would tack on an extra 3 days.
I have no idea if he would go for this little idea of mine, but before I even present it to him, I wanted to hear your thoughts... It would be so special for me to do this with him, of course - that is, if he's up for it.
Thanks!
submitted by /u/icycoldplum
[link] [comments] -
🔗 badlogic/pi-mono v0.52.2 release
Changed
- Updated default model for `anthropic` provider to `claude-opus-4-6`
- Updated default model for `openai-codex` provider to `gpt-5.3-codex`
- Updated default model for `amazon-bedrock` provider to `us.anthropic.claude-opus-4-6-v1:0`
- Updated default model for `vercel-ai-gateway` provider to `anthropic/claude-opus-4-6`
- Updated default model for `opencode` provider to `claude-opus-4-6`
-
🔗 badlogic/pi-mono v0.52.1 release
No content.
-
🔗 r/Leeds Headingley traffic. rss
Traffic in headingley seriously needs to be sorted, on bus right now and weve been sat in headingley for 40 minutes now and barely moved 50 yards. This is genuinely ridiculous.
I understand theres work being done but the impact this work is having is genuinely mental. The amount of times ive been late to college because of it is insane, and yes, i could get an earlier bus but with the time it takes to not only get into town, plus the traffic, thats like an extra hour and twenty minutes early id have to leave.
Sorry for the rant but its getting on my nerves now
submitted by /u/DotsV2
[link] [comments] -
🔗 badlogic/pi-mono v0.52.0 release
New Features
- Claude Opus 4.6 model support.
- GPT-5.3 Codex model support (OpenAI Codex provider only).
- SSH URL support for git packages. See docs/packages.md.
- `auth.json` API keys now support shell command resolution (`!command`) and environment variable lookup. See docs/providers.md.
- Model selectors now display the selected model name.
Added
- API keys in `auth.json` now support shell command resolution (`!command`) and environment variable lookup, matching the behavior in `models.json`
- Added `minimal-mode.ts` example extension demonstrating how to override built-in tool rendering for a minimal display mode
- Added Claude Opus 4.6 model to the model catalog
- Added GPT-5.3 Codex model to the model catalog (OpenAI Codex provider only)
- Added SSH URL support for git packages (#1287 by @markusn)
- Model selectors now display the selected model name (#1275 by @haoqixu)
Fixed
- Fixed HTML export losing indentation in ANSI-rendered tool output (e.g. JSON code blocks in custom tool results) (#1269 by @aliou)
- Fixed images being silently dropped when `prompt()` is called with both `images` and `streamingBehavior` during streaming. `steer()`, `followUp()`, and the corresponding RPC commands now accept optional images. (#1271 by @aliou)
- CLI `--help`, `--version`, `--list-models`, and `--export` now exit even if extensions keep the event loop alive (#1285 by @ferologics)
- Fixed custom message expand state not being respected (#1258 by @Gurpartap)
- Fixed skill loader to respect .gitignore, .ignore, and .fdignore when scanning directories
-
🔗 r/Yorkshire Stolen van from S11 rss
submitted by /u/Available_Grass_7357
[link] [comments] -
🔗 r/Yorkshire York Minster rss
It felt so good to be back in God's county recently. I love York, it's one of my favourite cities of all time.
submitted by /u/justchoo
[link] [comments] -
🔗 r/reverseengineering Hardware Hacking - $15 FRS Radio teardown - 1 hour video rss
submitted by /u/Adventurous-Run9581
[link] [comments] -
🔗 r/Yorkshire Volunteer Opportunity 😎 rss
submitted by /u/IV_Sheffield
[link] [comments] -
🔗 r/reverseengineering dotNetPELoader——A C#-based PELoader for x64 and x86. rss
submitted by /u/AcrobaticMonitor9992
[link] [comments] -
🔗 r/wiesbaden Where to buy very high end gaming PCs LOCAL. rss
You could probably guess why, but I don’t have a German address. I need to buy a PC locally.
submitted by /u/Careful-Foot8399
[link] [comments] -
🔗 r/LocalLLaMA We built an 8B world model that beats 402B Llama 4 by generating web code instead of pixels — open weights on HF rss
Hey r/LocalLLaMA, Here's something new for you: Mobile World Models.
We just released gWorld — open-weight visual world models for mobile GUIs (8B and 32B).
Demo Video Explanation: Here's gWorld 32B imagining a multi-step Booking dot com session — zero access to the real app:
1. Sees flight search form (Detroit → Chicago)
2. Click "Search" → writes code → renders full results page with airlines, prices, times
3. Click destination field → predicts the search UI with history
Every screen = executable HTML/CSS/JS rendered to pixels.
The core idea: Instead of predicting the next screen as pixels (diffusion, autoregressive image gen), gWorld predicts it as executable web code. You render the code, you get the image. This sounds simple but it works remarkably well because VLMs already have strong priors on structured web code from pre-training.
Why code instead of pixels?
- Text-based world models lose visual fidelity (can't represent layouts, colors, images)
- Pixel-generation models hallucinate text and structural elements
- Code generation gives you the best of both: precise text rendering from linguistic priors + high-fidelity visuals from structured code
Results on MWMBench (6 benchmarks, 4 ID + 2 OOD):
Model | Size | Avg Accuracy
---|---|---
Qwen3 VL | 8B | 29.2%
Llama 4 Scout | 109B (A17B) | 50.0%
Llama 4 Maverick | 402B (A17B) | 55.7%
Qwen3 VL | 235B (A22B) | 51.5%
GLM-4.6V | 106B | 67.4%
gWorld | 8B | 74.9%
gWorld | 32B | 79.6%
The 8B model beats everything up to 50× its size. Render failure rate is <1% (vs 40% for base Qwen3 VL 8B before our training).
Other things worth noting:
- Data scaling follows a power law with R² ≥ 0.94 — gains are predictable and nowhere near saturating
- We include a Korean apps benchmark (KApps) as OOD eval — the models generalize well cross-lingually
- The data pipeline is automated: repurpose existing trajectory data → cross-modal relabeling to code → synthetic reasoning traces
- We also show that better world models → better downstream GUI agent performance
Why this matters beyond benchmarks: The bottleneck for training GUI agents with online RL is device-policy coupling — every rollout needs a real Android emulator. World models could decouple this entirely, enabling massively parallel rollouts on pure compute. gWorld is a step in that direction.
Links:
- 🤗 gWorld 8B: https://huggingface.co/trillionlabs/gWorld-8B
- 🤗 gWorld 32B: https://huggingface.co/trillionlabs/gWorld-32B
- 💻 Code: https://github.com/trillion-labs/gWorld
- 📄 Paper: https://huggingface.co/papers/2602.01576
- 🌐 Project page (and demos): https://trillionlabs-gworld.github.io
- Benchmarks (incl. K-Apps) coming soon.
Happy to answer questions.
Built by Trillion Labs × KAIST AI.
submitted by /u/jshin49
[link] [comments] -
🔗 @malcat@infosec.exchange Sometimes, the absence of signature match is also interesting. Here the mastodon
Sometimes, the absence of signature match is also interesting. Here the #Chrysalis sideloaded dll, where we can quickly spot the few interesting functions.
Make sure to check "Show UNK" !
-
🔗 jj-vcs/jj v0.38.0 release
About
jj is a Git-compatible version control system that is both simple and powerful. See the installation instructions to get started.
Release highlights
- Per-repo and per-workspace config is now stored outside the repo, for security reasons. This is not a breaking change because we automatically migrate legacy repos to this new format. `.jj/repo/config.toml` and `.jj/workspace-config.toml` should no longer be used.
Breaking changes
- The minimum supported `git` command version is now 2.41.0. macOS users will need to either upgrade "Developer Tools" to 26 or install Git from e.g. Homebrew.
- Deprecated `ui.always-allow-large-revsets` setting and `all:` revset modifier have been removed.
- `<name>@<remote>` revset symbols can also be resolved to remote tags. Tags are prioritized ahead of bookmarks.
- Legacy placeholder support used for unset `user.name` or `user.email` has been removed. Commits containing these values will now be pushed with `jj git push` without producing an error.
- If any side of a conflicted file is missing a terminating newline, then the materialized file in the working copy will no longer be terminated by a newline.
Deprecations
- The revset function `diff_contains()` has been renamed to `diff_lines()`.
New features
- `jj git fetch` now shows details of abandoned commits (change IDs and descriptions) by default, matching the `jj abandon` output format. #3081
- `jj workspace root` now accepts an optional `--name` argument to show the root path of the specified workspace (defaults to the current one). When given a workspace that was created before this release, it errors out.
- `jj git push --bookmark <name>` will now automatically track the bookmark if it isn't tracked with any remote already.
- Add `git_web_url([remote])` template function that converts a git remote URL to a web URL, suitable for opening in a browser. Defaults to the "origin" remote.
- New `divergent()` revset function for divergent changes.
- String pattern values in revsets and templates can now be substituted by aliases. For example, `grep(x) = description(regex:x)` now works.
- A new config option `remotes.<name>.auto-track-created-bookmarks` behaves similarly to `auto-track-bookmarks`, but it only applies to bookmarks created locally. Setting it to `"*"` is now the closest replacement for the deprecated `git.push-new-bookmarks` option.
- `jj tag list` can now be filtered by revset.
- Conflict markers will use LF or CRLF as the line ending according to the contents of the file. #7376
- New experimental `jj git fetch --tag` flag to fetch tags in the same way as bookmarks. If specified, tags won't be fetched implicitly, and only tags matching the pattern will be fetched as `<name>@<remote>` tags. The fetched remote tags will be tracked by the local tags of the same name.
- New `remote_tags()` revset function to query remote tags.
- New builtin `hyperlink()` template function that gracefully falls back to text when outputting to a non-terminal, instead of emitting raw OSC 8 escape codes. #7592
Fixed bugs
- `jj git init --colocate` now refuses to run inside a Git worktree, providing a helpful error message with alternatives. #8052
- `jj git push` now ensures that tracked remote bookmarks are updated even if there are no mappings in the Git fetch refspecs. #5115
- `jj git fetch/push` now forwards most of `git` stderr outputs such as authentication requests. #5760
- Conflicted bookmarks and tags in `trunk()` will no longer generate verbose warnings. The configured `trunk()` alias will temporarily be disabled. #8501
- Dynamic shell completion for `jj config unset` now only completes configuration options which are set. #7774
- Dynamic shell completion no longer attempts to resolve aliases at the completion position. This previously prevented a fully-typed alias from being accepted on some shells and replaced it entirely with its expansion on bash. Now, the completion will only resolve the alias, and suggest candidates accordingly, after the cursor has been advanced to the next position. #7773
- Setting the editor via `ui.editor`, `$EDITOR`, or `JJ_EDITOR` now respects shell quoting.
- `jj gerrit upload` will no longer swallow errors and surface if changes fail to get pushed to gerrit. #8568
- `jj file track --include-ignored` now works when `fsmonitor.backend="watchman"`. #8427
- Conflict labels are now preserved correctly when restoring files from commits with different conflict labels.
- The empty tree is now always written when the working copy is empty. #8480
- When using the Watchman filesystem monitor, changes to .gitignore now trigger a scan of the affected subtree so newly unignored files are discovered. #8427
- `--quiet` now hides progress bars.
Contributors
Thanks to the people who made this release happen!
- Benjamin Davies (@Benjamin-Davies)
- Bryce Berger (@bryceberger)
- Chris Rose (@offbyone)
- Daniel Morsing (@DanielMorsing)
- David Fröhlingsdorf (@2079884FDavid)
- David Higgs (@higgsd)
- David Rieber (@drieber)
- Federico G. Schwindt (@fgsch)
- Gaëtan Lehmann (@glehmann)
- George Christou (@gechr)
- itstrivial
- Jeff Turner (@jefft)
- Jonas Greitemann (@jgreitemann)
- Jonas Helgemo (@jonashelgemo)
- Joseph Lou (@josephlou5)
- Kaiyi Li (@06393993)
- Lukas Wirth (@Veykril)
- Martin von Zweigbergk (@martinvonz)
- Matt Stark (@matts1)
- Paul Smith (@paulsmith)
- Pavan Kumar Sunkara (@pksunkara)
- Philip Metzger (@PhilipMetzger)
- Remo Senekowitsch (@senekor)
- Sami Jawhar (@sjawhar)
- Scott Taylor (@scott2000)
- Simone Cattaneo (@simonecattaneo91)
- Steve Klabnik (@steveklabnik)
- tom (@lecafard)
- Vincent Ging Ho Yim (@cenviity)
- WD (@0WD0)
- xtqqczze (@xtqqczze)
- Yuya Nishihara (@yuja)
- yz (@yzheng453)
-
🔗 r/Leeds Kitchen Space to Rent? Please Read!! rss
Hiya! I’m a student in Leeds, currently trying to set up a cake business. I’ve got everything ready and I’m all good to go, except for the fact that annoyingly, as I’m in student accommodation, I cannot unfortunately run a business from my flat, as it’s against my contract.
I also cannot afford a commercial kitchen, as the very cheapest I’ve found are £25 per hour, meaning for each cake, which takes around 3-4 hours to make, I’d have to charge £75-100 on top of the cost of ingredients and labour, essentially making it completely unviable.
My question is, is there anybody in Leeds who has a kitchen that they would be willing to rent to me for 3-4 hours a week, sometimes less based on how many orders I receive, for about £20 a day? I know it’s not much but I’ve worked so hard to start this business and I can’t give up now! Plus I’d give you free cake!! I have a level 2 hygiene and cleaning certificate, and would clean before and after all cakes are made, you’d never even know I was there! I’d be entirely out of your hair.
This request is also going out to any local kitchens, for example restaurants, cafes and bakery’s that may have available kitchen space during the day or at any point, I will cook at 3am if I have to!!
Please please let me know if anyone has any suggestions, and if they may know anyone who would be willing to help out!
I know this is an odd request but this business is my baby and I can’t lose it before it’s even begun!!
Thanks 🤩
submitted by /u/AnnualProfessional93
[link] [comments] -
🔗 Anton Zhiyanov (Un)portable defer in C rss
Modern system programming languages, from Hare to Zig, seem to agree that `defer` is a must-have feature. It's hard to argue with that, because `defer` makes it much easier to free memory and other resources correctly, which is crucial in languages without garbage collection.
The situation in C is different. There was a N2895 proposal by Jens Gustedt and Robert Seacord in 2021, but it was not accepted for C23. Now, there's another N3734 proposal by JeanHeyd Meneide, which will probably be accepted in the next standard version.
Since `defer` isn't part of the standard, people have created lots of different implementations. Let's take a quick look at them and see if we can find the best one.
C23/GCC • C11/GCC • GCC/Clang • MSVC • Long jump • For loop • Stack • Simplified GCC/Clang • Final thoughts
C23/GCC
Jens Gustedt offers this brief version:
```c
#define defer __DEFER(__COUNTER__)
#define __DEFER(N) __DEFER_(N)
#define __DEFER_(N) __DEFER__(__DEFER_FUNCTION_##N, __DEFER_VARIABLE_##N)
#define __DEFER__(F, V) \
    auto void F(int*); \
    [[gnu::cleanup(F)]] int V; \
    auto void F(int*)
```
Usage example:
```c
void loud_free(void* p) {
    printf("freeing %p\n", p);
    free(p);
}

int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer { loud_free(p); }

    *p = 42;
    printf("p = %d\n", *p);
}
```
```
p = 42
freeing 0x127e05b30
```
This approach combines C23 attribute syntax (`[[attribute]]`) with GCC-specific features: nested functions (`auto void F(int*)`) and the `cleanup` attribute. It also uses the non-standard `__COUNTER__` macro (supported by GCC, Clang, and MSVC), which expands to an automatically increasing integer value.
Nested functions and cleanup in GCC
A nested function (also known as a local function) is a function defined inside another function:
```c
void outer() {
    int x = 10;
    void inner() { x += 10; }
    inner();
}
```
Nested functions can access variables from the enclosing scope, similar to closures in other languages, but they are not first-class citizens and cannot be passed around like function pointers.
The `cleanup` attribute runs a function when the variable goes out of scope:
```c
void safe_free(int **ptr) {
    if (!ptr || !*ptr) return;
    free(*ptr);
}

int main(void) {
    __attribute__((cleanup(safe_free))) int *p = malloc(sizeof(int));
    if (!p) return 1;
    *p = 42;
    // safe_free(&p) will be called automatically
    // when p goes out of scope.
}
```
The function should take one parameter, which is a pointer to a type that's compatible with the variable. If the function returns a value, it will be ignored.
On the plus side, this version works just like you'd expect `defer` to work. On the downside, it's only available in C23+ and only works with GCC (not even Clang supports it, because of the nested function).
Another downside is that using nested functions requires an executable stack, which security experts strongly discourage.
Executable stack vulnerability
When we use nested functions in GCC, the compiler often creates trampolines (small pieces of machine code) on the stack at runtime. These trampolines let the nested function access variables from the parent function's scope. For the CPU to run these code fragments, the stack's memory pages need to be marked as executable.
An executable stack is a serious security risk because it makes buffer overflow attacks much easier. In these attacks, a hacker sends more data than a program can handle, which overwrites the stack with harmful "shellcode". If the stack is non-executable (which is the standard today), the CPU won't run that code and the program will just crash. But since our `defer` macro makes the stack executable, an attacker can jump straight to their injected code and run it, giving them complete control over the process.
C11/GCC
We can easily adapt the above version to use C11:
```c
#define defer _DEFER(__COUNTER__)
#define _DEFER(N) __DEFER(N)
#define __DEFER(N) ___DEFER(__DEFER_FUNC_##N, __DEFER_VAR_##N)
#define ___DEFER(F, V) \
    auto void F(void*); \
    __attribute__((cleanup(F))) int V __attribute__((unused)); \
    auto void F(void* _dummy_ptr)
```
Usage example:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer { loud_free(p); }

    *p = 42;
    printf("p = %d\n", *p);
}
```
```
p = 42
freeing 0x127e05b30
```
The main downside remains: it's GCC-only.
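Both GCC-only versions rely on nested functions, so it is worth checking what the linker recorded for the stack of a binary built with them. On Linux that request lives in the ELF `PT_GNU_STACK` program header; the checker below is an added example, not code from the article, with hypothetical names, and it assumes a little-endian ELF64 executable or shared object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; names are hypothetical. Little-endian ELF64 only. */
#define PT_GNU_STACK_TYPE 0x6474e551u /* program header carrying stack permissions */
#define PF_X_FLAG 0x1u                /* execute bit in p_flags */

enum stack_status {
    STACK_BAD_ELF = -1, /* not a little-endian ELF64 image, or truncated */
    STACK_NX = 0,       /* PT_GNU_STACK present, execute bit clear */
    STACK_EXEC = 1,     /* PT_GNU_STACK present, execute bit set */
    STACK_UNMARKED = 2  /* no PT_GNU_STACK header: the loader's default applies */
};

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walks the program header table and reports the PT_GNU_STACK flags. */
enum stack_status elf_stack_status(const uint8_t *img, size_t len) {
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BAD_ELF;
    if (img[4] != 2 || img[5] != 1) return STACK_BAD_ELF; /* ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = rd64(img + 32);     /* e_phoff */
    uint32_t phentsize = rd16(img + 54); /* e_phentsize */
    uint32_t phnum = rd16(img + 56);     /* e_phnum */
    if (phoff > len || (phnum && phentsize < 56)) return STACK_BAD_ELF;
    for (uint32_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < 56) return STACK_BAD_ELF; /* header past end of data */
        const uint8_t *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK_TYPE) /* p_type at +0, p_flags at +4 */
            return (rd32(ph + 4) & PF_X_FLAG) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNMARKED;
}

/* Builds a constructed 120-byte image: ELF64 header plus one program header. */
void make_sample(uint8_t img[120], uint32_t p_type, uint32_t p_flags) {
    memset(img, 0, 120);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 1; img[6] = 1; /* 64-bit, little-endian, version 1 */
    img[32] = 64;                       /* e_phoff: directly after the ELF header */
    img[54] = 56;                       /* e_phentsize */
    img[56] = 1;                        /* e_phnum */
    for (int i = 0; i < 4; i++) {
        img[64 + i] = (uint8_t)(p_type >> (8 * i));
        img[68 + i] = (uint8_t)(p_flags >> (8 * i));
    }
}

int main(int argc, char **argv) {
    static uint8_t buf[1 << 16]; /* program headers sit near the start of the file */
    static const char *const names[] = {"non-executable", "EXECUTABLE", "unmarked"};
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        make_sample(buf, PT_GNU_STACK_TYPE, 0x7); /* constructed sample, flags RWE */
        n = 120;
    }
    int st = elf_stack_status(buf, n);
    if (st < 0) { fprintf(stderr, "not a little-endian ELF64 image\n"); return 2; }
    printf("stack: %s\n", names[st]);
    return st == STACK_NX ? 0 : 1;
}
```

`readelf -lW` shows the same information on its `GNU_STACK` line (`RW` versus `RWE`), and the linker option `-z noexecstack` requests a non-executable stack.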
GCC/Clang
Clang fully supports the `cleanup` attribute, but it doesn't support nested functions. Instead, it offers the blocks extension, which works somewhat similarly:
```c
void outer() {
    __block int x = 10;
    void (^inner)(void) = ^{ x += 10; };
    inner();
}
```
We can use Clang blocks to make a `defer` version that works with both GCC and Clang:
```c
#if defined(__clang__)
// Clang implementation.
#define _DEFER_CONCAT(a, b) a##b
#define _DEFER_NAME(a, b) _DEFER_CONCAT(a, b)

static inline void _defer_cleanup(void (^*block)(void)) {
    if (*block) (*block)();
}

#define defer \
    __attribute__((unused)) void (^_DEFER_NAME(_defer_var_, __COUNTER__))(void) \
        __attribute__((cleanup(_defer_cleanup))) = ^

#elif defined(__GNUC__)
// GCC implementation.
#define defer _DEFER(__COUNTER__)
#define _DEFER(N) __DEFER(N)
#define __DEFER(N) ___DEFER(__DEFER_FUNC_##N, __DEFER_VAR_##N)
#define ___DEFER(F, V) \
    auto void F(void*); \
    __attribute__((cleanup(F))) int V __attribute__((unused)); \
    auto void F(void* _dummy_ptr)

#else
// Runtime error for unsupported compilers.
#define defer assert(!"unsupported compiler");
#endif
```
Usage example:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer { loud_free(p); };

    *p = 42;
    printf("p = %d\n", *p);
}
```
```
p = 42
freeing 0x127e05b30
```
Now it works with Clang, but there are several things to be aware of:
- We must compile with `-fblocks`.
- We must put a `;` after the closing brace in the deferred block: `defer { ... };`.
- If we need to modify a variable inside the `defer` block, the variable must be declared with `__block`:
```c
__block int x = 0;
defer { x += 10; };
```
On the plus side, this implementation works with both GCC and Clang. The downside is that it's still not standard C, and won't work with other compilers like MSVC.
MSVC
MSVC, of course, doesn't support the cleanup attribute. But it provides "structured exception handling" with the `__try` and `__finally` keywords:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    __try {
        *p = 42;
        printf("p = %d\n", *p);
    }
    __finally {
        loud_free(p);
    }
}
```
The code in the `__finally` block will always run, no matter how the `__try` block exits — whether it finishes normally, returns early, or crashes (for example, from a null pointer dereference).
This isn't the `defer` we're looking for, but it's a decent alternative if you're only programming for Windows.
Long jump
There are well-known `defer` implementations by Jens Gustedt and moon-chilled that use `setjmp` and `longjmp`. I'm mentioning them for completeness, but honestly, I would never use them in production. The first one is extremely large, and the second one is extremely hacky. Also, I'd rather not use long jumps unless it's absolutely necessary.
Still, here's a usage example from Gustedt's library:
```c
guard {
    void * const p = malloc(25);
    if (!p) break;
    defer free(p);

    void * const q = malloc(25);
    if (!q) break;
    defer free(q);

    if (mtx_lock(&mut)==thrd_error) break;
    defer mtx_unlock(&mut);
}
```
Here, all deferred statements run at the end of the guarded block, no matter how we exit the block (normally or through `break`).
For loop
The stc library probably has the simplest `defer` implementation ever:
```c
#define defer(...) \
    for (int _c_i3 = 0; _c_i3++ == 0; __VA_ARGS__)
```
Usage example:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer(loud_free(p)) {
        *p = 42;
        printf("p = %d\n", *p);
    }
}
```
```
p = 42
freeing 0x127e05b30
```
Here, the deferred statement is passed as `__VA_ARGS__` and is used as the loop increment. The "defer-aware" block of code is the loop body. Since the increment runs after the body, the deferred statement executes after the main code.
This approach works with all mainstream compilers, but it falls apart if you try to exit early with `break` or `return`:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer(loud_free(p)) {
        *p = 42;
        if (*p == 42) {
            printf("early exit, defer is not called\n");
            break;
        }
        printf("p = %d\n", *p);
    }
}
```
```
early exit, defer is not called
```
Stack
Dmitriy Kubyshkin provides a `defer` implementation that adds a "stack frame" of deferred calls to any function that needs them. Here's a simplified version:
```c
#define countof(A) ((sizeof(A)) / (sizeof((A)[0])))

// Deferred function and its argument.
struct _defer_ctx {
    void (*fn)(void*);
    void* arg;
};

// Calls all deferred functions in LIFO order.
static inline void _defer_drain(
    const struct _defer_ctx* it,
    const struct _defer_ctx* end) {
    for (; it != end; it++) it->fn(it->arg);
}

// Initializes the defer stack with the given size
// for the current function.
#define defers(n) \
    struct { \
        struct _defer_ctx* first; \
        struct _defer_ctx items[(n)]; \
    } _deferred = {&_deferred.items[(n)], {0}}

// Pushes a deferred function call onto the stack.
// With NDEBUG defined, assert() expands to nothing and
// the push below would write before items[0].
#define defer(_fn, _arg) \
    do { \
        if (_deferred.first <= &_deferred.items[0]) { \
            assert(!"defer stack overflow"); \
        } \
        struct _defer_ctx* d = --_deferred.first; \
        d->fn = (void (*)(void*))(_fn); \
        d->arg = (void*)(_arg); \
    } while (0)

// Calls all deferred functions and returns from the current function.
#define returnd \
    while ( \
        _defer_drain( \
            _deferred.first, \
            &_deferred.items[countof(_deferred.items)]), \
        1) return
```
Usage example:
```c
int main(void) {
    // The function supports up to 16 deferred calls.
    defers(16);

    int* p = malloc(sizeof(int));
    if (!p) returnd 1;
    defer(loud_free, p);

    *p = 42;
    printf("p = %d\n", *p);

    // We must exit through returnd to
    // ensure deferred functions are called.
    returnd 0;
}
```
```
p = 42
freeing 0x127e05b30
```
This version works with all mainstream compilers. Also, unlike the STC version, defers run correctly in case of early exit:
```c
int main(void) {
    defers(16);

    int* p = malloc(sizeof(int));
    if (!p) returnd 1;
    defer(loud_free, p);

    *p = 42;
    if (*p == 42) {
        printf("early exit\n");
        returnd 0;
    }

    printf("p = %d\n", *p);
    returnd 0;
}
```
```
early exit
freeing 0x127e05b30
```
Unfortunately, there are some drawbacks:
- Defer only supports single-function calls, not code blocks.
- We always have to call `defers` at the start of the function and exit using `returnd`. In the original implementation, Dmitriy overrides the `return` keyword, but this won't compile with strict compile flags (which I think we should always use).
- The deferred function runs before the return value is evaluated, not after.
Simplified GCC/Clang
The Stack version above doesn't support deferring code blocks. In my opinion, that's not a problem, since most defers are just "free this resource" actions, which only need a single function call with one argument.
If we accept this limitation, we can simplify the GCC/Clang version by dropping GCC's nested functions and Clang's blocks:
```c
#define _DEFER_CONCAT(a, b) a##b
#define _DEFER_NAME(a, b) _DEFER_CONCAT(a, b)

// Deferred function and its argument.
struct _defer_ctx {
    void (*fn)(void*);
    void* arg;
};

// Calls the deferred function with its argument.
static inline void _defer_cleanup(struct _defer_ctx* ctx) {
    if (ctx->fn) ctx->fn(ctx->arg);
}

// Create a deferred function call for the current scope.
#define defer(fn, ptr) \
    struct _defer_ctx _DEFER_NAME(_defer_var_, __COUNTER__) \
        __attribute__((cleanup(_defer_cleanup))) = \
            {(void (*)(void*))(fn), (void*)(ptr)}
```
Works like a charm:
```c
int main(void) {
    int* p = malloc(sizeof(int));
    if (!p) return 1;
    defer(loud_free, p);

    *p = 42;
    printf("p = %d\n", *p);
}
```
```
p = 42
freeing 0x127e05b30
```
Final thoughts
Personally, I like the simpler GCC/Clang version better. Not having MSVC support isn't a big deal, since we can run GCC on Windows or use the Zig compiler, which works just fine.
But if I really need to support GCC, Clang, and MSVC — I'd probably go with the Stack version.
Anyway, I don't think we need to wait for `defer` to be added to the C standard. We already have `defer` at home!
-
🔗 r/Yorkshire Bridlington this morning rss
submitted by /u/Charlatans1969
[link] [comments] -
🔗 r/Yorkshire York Gate Garden (Nr. Leeds) rss
| submitted by /u/arioandy
[link] [comments]
---|--- -
🔗 HexRaysSA/plugin-repository commits sync plugin-repository.json rss
sync plugin-repository.json No plugin changes detected -
🔗 r/york Gyms rss
Is there any good and cheap gyms, mostly looking for affordable gyms for students
submitted by /u/MarzipanNo3989
[link] [comments] -
🔗 r/LocalLLaMA Google Research announces Sequential Attention: Making AI models leaner and faster without sacrificing accuracy rss
| submitted by /u/Fear_ltself
[link] [comments]
---|--- -
🔗 r/LocalLLaMA Qwen3-Coder-Next on RTX 5060 Ti 16 GB - Some numbers rss
About 2 weeks ago, I posted about running GLM-4.7-Flash on 16 GB of VRAM here www.reddit.com/r/LocalLLaMA/comments/1qlanzn/glm47flashreap_on_rtx_5060_ti_16_gb_200k_context/. And here we go, today, let's squeeze an even bigger model into the poor rig.
Hardware:
- AMD Ryzen 7 7700X
- RAM 32 GB DDR5-6000
- RTX 5060 Ti 16 GB
Model: unsloth/Qwen3-Coder-Next-GGUF Q3_K_M
Llama.cpp version: llama.cpp@b7940
The llama.cpp command:
```bash
llama-server -m ./Qwen3-Coder-Next-Q3_K_M.gguf -c 32768 -np 1 -t 8 --temp 1.0 --top-p 0.95 --top-k 40 --min-p 0.01 --jinja --fit on -fa 1
```
When I started, I didn't expect much, given that my best result for GLM-4.7-Flash was something ~300 t/s pp and 14 t/s gen. Maybe I'll end up with a lot of OOM and crash.
But, to my surprise, the card was able to pull it well!
When llama.cpp is fully loaded, it takes 15.1 GB GPU memory, and 30.2 GB RAM. The rig is almost at its memory limit.
During prompt processing, GPU usage was about 35%, and CPU usage was about 15%. During token generation, that's 45% for the GPU, and 25%-45% CPU. So perhaps there is some room to squeeze in some tuning here.
Does it run? Yes, and it's quite fast for a 5060!
Metric | Task 2 (Large Context) | Task 190 (Med Context) | Task 327 (Small Context)
---|---|---|---
Prompt Eval (Prefill) | 154.08 t/s | 225.14 t/s | 118.98 t/s
Generation (Decode) | 16.90 t/s | 16.82 t/s | 18.46 t/s
The above run was with a 32k context size. Later on, I tried again with a 64k context size, the speed did not change much.
Is it usable? I'd say yes, not Opus 4.5 or Gemini Flash usable, but I think it's pretty close to my experience when Claude Sonnet 3.7 or 4 was still a thing.
One thing that sticks out is, this model uses way less tool calls than Opus, so it feels fast. It seems to read the whole file all at once when needed, rather than grepping every 200 lines like the Claude brothers.
One-shot something seems to work pretty well, until it runs into bugs. In my example, I asked the model to create a web-based chess game with a Python backend, connected via WebSocket. The model showed that it can debug the problem by jumping back and forth between frontend and backend code very well.
When facing a problem, it will first hypothesize a cause, then work its way through the code to verify that. Then there will be a lot of "But wait", "Hold on", followed by a tool call to read some files, and then changing directions. Sometimes it works. Sometimes, it was just burning through the tokens and ended up reaching the context limit. Maybe because I was using Q3_K_M, and higher quants will have better quality here.
Some screenshots:
https://gist.github.com/user-attachments/assets/8d074a76-c441-42df-b146-0ae291af17df
https://gist.github.com/user-attachments/assets/3aa3a845-96cd-4b23-b6d9-1255036106db
You can see the Claude session logs and llama.cpp logs of the run here https://gist.github.com/huytd/6b1e9f2271dd677346430c1b92893b57
submitted by /u/bobaburger
[link] [comments] -
🔗 r/Leeds help my daughter's prom rss
My daughter’s prom is coming up this year and she wants a goth‑style dress. I’m completely clueless about that style (I’m a very girly girl myself) but I really want her to be happy. We’ve ordered a few things from eBay and I think she likes the style, but the fit just isn’t good. Not because of her preferences, just the quality and sizing. I want her to look good, and a well-fitted dress can do wonders.
Is there anywhere we can actually go in person to try on goth‑style dresses? Every shop I visit is full of pink, puffy, fitted dresses that just aren’t her vibe.
submitted by /u/JammyD0dgers
[link] [comments] -
🔗 HexRaysSA/plugin-repository commits sync repo: +1 release rss
sync repo: +1 release ## New releases - [IDASQL](https://github.com/allthingsida/idasql): 0.0.1 -
🔗 Console.dev newsletter memlab rss
Description: Find JS memory leaks.
What we like: Supports analysis of Chrome browsers, Electron, and NodeJS. Uses the Puppeteer API to automate memory analysis using browsers. Create files defining how to interact with pages. Can be used as an NPM package to run end to end tests. Includes a visual debugger.
What we dislike: Only supports Chromium-based browsers.
-
🔗 Console.dev newsletter Whosthere rss
Description: LAN discovery tool.
What we like: Scans your local network (mDNS and SSDP) to find devices, identifying them using ARP and manufacturer metadata lookup. Doesn’t require elevated privileges. Can also (optionally) scan ports. Built as a TUI, but can also run in the background with a queryable API. Supports themes.
What we dislike: Designed as a TUI so the CLI command is more limited.
-
🔗 Mitchell Hashimoto My AI Adoption Journey rss
(empty)
-
- February 04, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-02-04 rss
IDA Plugin Updates on 2026-02-04
New Releases:
Activity:
- augur
- haruspex
- ff4d16a3: doc: update screenshot
- hrtng
- 6f1baf6e: 1st approach to experimental deobfuscation of indirect branch and cal…
- idasql
- rhabdomancer
- 0fad52ae: chore: update dependencies
- Unicorn-Trace
- 2e58c05c: fix bugs
-
🔗 r/Yorkshire Nidderdale (OC) rss
| submitted by /u/arioandy
[link] [comments]
---|--- -
🔗 r/Leeds Anyone like Key Club, Spoons, NQ64, Pixel Bar etc? looking for Alternative friends?.. Join our Alt/Rock/Emo Whatsapp Social Group! xo rss
Love Keyclub (Slamdunk, FUEL, GARAGE Clubnights), NQ64, Pixel Bar, Wetherspoons, Pubs etc but have a lack of alternative friends to go with? Just want to make more alternative friends, have fun chats & get involved in social events?
A few of us from Reddit, Facebook etc have banded together from previous appeals and have a new fun Whatsapp Alt/Rock/Emo Social Group chat now, 80+ members and counting!
We had a successful recruitment on here a few months ago which blew up & got overwhelming so had to trickle people in but there are too many to go through, so starting a new fresh post to add more people
The group is roughly 18-35 age range & currently around 50/50 gender mix so plenty of people of different age/genders etc, very inclusive and everyone is getting on great together.
We have regular nights out especially on Weekends (Keyclub Club Nights, Spoons, Bars, NQ64, Pixel Bar, Flight Club, Cinema trips.. anything fun really!) which can get anywhere from 10-15 people attending. Spoons & Key Club on Saturdays is a particular fave. but we are always planning social events, mid week chill things etc
If you'd like to join then leave a comment with your age/gender & I'll DM you an invite! all welcome
I will invite in slowly as to keep the ratio of ages, sex etc balanced so theres always people of similar age etc
Leave a comment & I'll DM an invite when available! x
submitted by /u/rmonkey100
[link] [comments] -
🔗 r/Yorkshire Power firm jobs at risk as Selby-based Drax launches consultation rss
| submitted by /u/Kagedeah
[link] [comments]
---|--- -
🔗 Evan Schwartz Scour - January Update rss
Hi friends,
In January, Scour scoured 805,241 posts from 16,555 feeds (939 were newly added).
I also rolled out a lot of new features that I'm excited to tell you about. Maybe because of some of these, I found more posts than usual that I thought were especially worth sharing. You can find them at the bottom of this post. Let's dive in!
🐿️ New Homepage and Logo
The Scour homepage has been completely revamped. It includes a new tagline, a more succinct description, and a live demo where you can try out my feed right from that page. Let me know what you think!
Scour also finally has its own logo! (And it looks great on my phone's home screen, if I do say so myself! See below)
📗 Interactive Documentation
Have you ever wondered how Scour works? There is now a full documentation section, complete with detailed write-ups about Interests, Feeds, Reactions, How Ranking Works, and more.
There are also guides specifically for RSS users and readers of Hacker News, arXiv, Reddit, and Substack.
All of the docs have lots of interactive elements, which I wrote about in Building Docs Like a Product. My favorite one is on the Hacker News guide where you can search for hidden gems that have been submitted to HN but that have not reached the front page.
Thanks to Tiago Ferreira, Andrew Doran, and everyone else who gave me the feedback that they wanted to understand more about how Scour works!
📱 App
Scour is now a Progressive Web App (PWA). That means you can install it as an icon on your home screen and access it easily. Just open Scour on your phone and follow the instructions there.
Thanks to Adam Benenson for the encouragement to finally do this!
🙈 Hiding Seen Items
This is one of the features I have most wanted as a user of Scour myself. When you're browsing the feed, Scour now keeps track of which items you've seen and scrolled past so it shows you new content each time you check it.
If you don't want this behavior, you can disable it in the feed filter menu or change your default view to show seen posts.
🔎 Feed Autodiscovery
If you subscribe to specific feeds, as opposed to scouring all of them, it's now easier to find the feed for an article you liked.
Click the "..." menu under the post, then "Show Feeds" to show feeds where the item was found. When populating that list, Scour will now automatically search the website where the article was found to see if it has a feed that Scour wasn't already checking. This makes it easy to discover new feeds and follow websites or authors whose content you like.
This was another feature I've wanted for a long time myself. Previously, when I liked an article, I'd copy the domain and try to add it to my feeds on the Feeds page. Now, Scour does that with the click of a button.
🔢 Penalizing Listicles
Some of the most disliked and flagged articles on Scour had titles such as "The Top 10..." or "5 tricks...". Scour now automatically penalizes articles with titles like those.
Because I'm explicitly trying to avoid using popularity in ranking, I need to find other ways to boost high-quality content and down-rank low-quality content. You can expect more of these types of changes in the future to increase the overall quality of what you see in your feed.
🗞️ Following Google News Links
Previously, posts found through Google News links would show Google News as the domain under the post. Now, Scour extracts the original link.
⌨️ Keyboard Shortcuts
You can now navigate your feed using just your keyboard. Type `?` to get the list of available keyboard shortcuts.
🔖 Some of My Favorite Posts
Finally, here are some of my favorite posts that I found on Scour in January. There were a lot!
- I appreciate this minimalist approach to coding agents: Pi: The Minimal Agent Within OpenClaw, even though it didn't yet convince me to switch away from Claude Code.
- A long and interesting take on which software tools will survive the AI era: Software Survival 3.0.
- Scour uses Litestream for backup. While this new feature isn't directly relevant, I'm excited that it's now powering Fly.io's new Sprites offering (so I expect it to be a little more actively developed): Litestream Writable VFS.
- This is a very cool development in embedding models: a family of different size (and, as a result, cost) models whose embeddings are interoperable with one another: The Voyage 4 model family: shared embedding space with MoE architecture.
- A thought-provoking piece from Every about How AI Made Pricing Hard Again. TL;DR: over are the days where SaaS businesses have practically zero marginal cost for additional users or additional usage.
- A nice bit of UX design history about the gas tank arrow indicator on a car, with a lesson applied to AI: The Moylan Arrow: IA Lessons for AI-Powered Experiences.
- Helpful context for Understanding U.S. Intervention in Venezuela.
- Stoolap: an interesting new embedded database. Stoolap 0.2 Released For Modern Embedded SQL Database In Rust.
- I keep browsing fonts and, while I decided not to use this one for Scour, I think this is a neat semi-sans-serif from an independent designer: Heliotrope.
Happy Scouring!
- Evan
Have feedback for Scour? Post it on the feedback board and upvote others' suggestions to help me prioritize new features!
-
🔗 r/Yorkshire Clients and staff in dark as Sheffield law firm PM Law shuts doors rss
| submitted by /u/Kagedeah
[link] [comments]
---|--- -
🔗 r/wiesbaden Café Overflow run by a sect/free church? rss
I've been really loving the new Café Overflow (right next to the Badhausbar, corner of Mauergasse/Mühlgasse/Häfnergasse) so far. Good coffee, tasty cake, nicely designed, affordable. But now an acquaintance has told me that the "Overflow Church", a free-church congregation in Wiesbaden, is behind it. The café is definitely a project of this congregation, which presents itself on the internet and on its socials as a modern faith community that is committed to its city and to society.
However, I can find hardly any coverage of this denomination and don't know anyone who practises there. And to be honest, the word "free church" immediately makes me sceptical. Do you know anything about what they're like? I don't feel like handing over loads of my money to people with misanthropic views (who make good coffee).
Thanks in advance!
submitted by /u/portofrej
[link] [comments] -
🔗 r/Leeds Would people 35-45 (mixed) be keen on a monthly film club&pizza/dinner/gig social in Leeds? rss
Looking to make new friends male &female ages 35-45 in Leeds - let's meet over food coffee, arts!
**Update** Please see my recent reply to my new post which is under the comments section for more info. Please bear with me, I will send URL links to book a place at the social over the weekend as not working then. Thanks 😊
Seriously wasn't expecting this many replies so quick haha. Thanks everyone! I am going to use eventbrite for each meetup as not everyone wants to share their mobile on WhatsApp groups and it keeps it accessible to all & safe. I used to run events where I used Eventbrite for my business venture so I know it works and so far hasn't let me down :) And there will be an alternative link via Discord.
Hey everyone, I am 40 (f) and am finding making new friends difficult. Many groups are 50+ or 20-30 and those of us in the middle group don't have many decent small meet ups.
I was thinking it could appeal to ideally single people but those who are not single are of course welcome. The venue and dates will vary monthly so that people who work on weekends or evenings can make them ad hoc so will be mid week 6.30-8.30pm (or 8pm if only coffee or drinks) or the weekend afternoon or evening. I am going to avoid places with little seating as I want it to be accessible and affordable but cool places across Leeds. The only thing is this will not be an event for p*ss ups. A fun evening and safe for the group.
Would people aged 35-45 be interested in a group? I think keeping event numbers to up to 10-15 per event is key so people can get to know each other and it doesn't get overwhelming.
It would be lovely to meet people who love arts, music, films, foodie places and decent coffees. I am sure there are people it is just harder to form friends when you hit the 30s! Lol.
5.2.26 - Have added a reply to my own post which you can find if you scroll 'best' below, with more info. Thanks
submitted by /u/MasterMembership4506
[link] [comments] -
🔗 r/york Where to find other musicians? rss
I'm a drummer (or guitarist) looking for other musicians to play with. Can anyone suggest where I can start looking? I don't use facebook or twitter which doesn't help but I'm keen to get back out there and play again.
Thank you
submitted by /u/Invisible96
[link] [comments] -
🔗 r/LocalLLaMA mistralai/Voxtral-Mini-4B-Realtime-2602 · Hugging Face rss
| Voxtral Mini 4B Realtime 2602 is a multilingual, realtime speech-transcription model and among the first open-source solutions to achieve accuracy comparable to offline systems with a delay of < 500ms. It supports 13 languages and outperforms existing open-source baselines across a range of tasks, making it ideal for applications like voice assistants and live subtitling. Built with a natively streaming architecture and a custom causal audio encoder, it allows configurable transcription delays (240ms to 2.4s), enabling users to balance latency and accuracy based on their needs. At a 480ms delay, it matches the performance of leading offline open-source transcription models, as well as realtime APIs. As a 4B-parameter model, it is optimized for on-device deployment, requiring minimal hardware resources. It runs in realtime on devices with minimal hardware, with throughput exceeding 12.5 tokens/second. submitted by /u/jacek2023
[link] [comments]
---|--- -
🔗 Simon Willison Distributing Go binaries like sqlite-scanner through PyPI using go-to-wheel rss
I've been exploring Go for building small, fast and self-contained binary applications recently. I'm enjoying how there's generally one obvious way to do things and the resulting code is boring and readable - and something that LLMs are very competent at writing. The one catch is distribution, but it turns out publishing Go binaries to PyPI means any Go binary can be just a `uvx package-name` call away.
sqlite-scanner
sqlite-scanner is my new Go CLI tool for scanning a filesystem for SQLite database files.
It works by checking if the first 16 bytes of the file exactly match the SQLite magic number sequence `SQLite format 3\x00`. It can search one or more folders recursively, spinning up concurrent goroutines to accelerate the scan. It streams out results as it finds them in plain text, JSON or newline-delimited JSON. It can optionally display the file sizes as well.
To try it out you can download a release from the GitHub releases - and then jump through macOS hoops to execute an "unsafe" binary. Or you can clone the repo and compile it with Go. Or... you can run the binary like this:
```bash
uvx sqlite-scanner
```
By default this will search your current directory for SQLite databases. You can pass one or more directories as arguments:
```bash
uvx sqlite-scanner ~ /tmp
```
Add `--json` for JSON output, `--size` to include file sizes or `--jsonl` for newline-delimited JSON. Here's a demo:
```bash
uvx sqlite-scanner ~ --jsonl --size
```
If you haven't been uv-pilled yet you can instead install `sqlite-scanner` using `pip install sqlite-scanner` and then run `sqlite-scanner`.
To get a permanent copy with `uv` use `uv tool install sqlite-scanner`.
How the Python package works
The reason this is worth doing is that `pip`, `uv` and PyPI will work together to identify the correct compiled binary for your operating system and architecture.
This is driven by file names. If you visit the PyPI downloads for sqlite-scanner you'll see the following files:
- sqlite_scanner-0.1.1-py3-none-win_arm64.whl
- sqlite_scanner-0.1.1-py3-none-win_amd64.whl
- sqlite_scanner-0.1.1-py3-none-musllinux_1_2_x86_64.whl
- sqlite_scanner-0.1.1-py3-none-musllinux_1_2_aarch64.whl
- sqlite_scanner-0.1.1-py3-none-manylinux_2_17_x86_64.whl
- sqlite_scanner-0.1.1-py3-none-manylinux_2_17_aarch64.whl
- sqlite_scanner-0.1.1-py3-none-macosx_11_0_arm64.whl
- sqlite_scanner-0.1.1-py3-none-macosx_10_9_x86_64.whl
When I run `pip install sqlite-scanner` or `uvx sqlite-scanner` on my Apple Silicon Mac laptop Python's packaging magic ensures I get that `macosx_11_0_arm64.whl` variant.
Here's what's in the wheel, which is a zip file with a `.whl` extension.
In addition to the `bin/sqlite-scanner` the most important file is `sqlite_scanner/__init__.py` which includes the following:
```python
# Imports used by the excerpt below.
import os
import stat
import subprocess
import sys


def get_binary_path():
    """Return the path to the bundled binary."""
    binary = os.path.join(os.path.dirname(__file__), "bin", "sqlite-scanner")

    # Ensure binary is executable on Unix
    if sys.platform != "win32":
        current_mode = os.stat(binary).st_mode
        if not (current_mode & stat.S_IXUSR):
            os.chmod(binary, current_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

    return binary


def main():
    """Execute the bundled binary."""
    binary = get_binary_path()

    if sys.platform == "win32":
        # On Windows, use subprocess to properly handle signals
        sys.exit(subprocess.call([binary] + sys.argv[1:]))
    else:
        # On Unix, exec replaces the process
        os.execvp(binary, [binary] + sys.argv[1:])
```
That `main()` method - also called from `sqlite_scanner/__main__.py` - locates the binary and executes it when the Python package itself is executed, using the `sqlite-scanner = sqlite_scanner:main` entry point defined in the wheel.
Which means we can use it as a dependency
Using PyPI as a distribution platform for Go binaries feels a tiny bit abusive, albeit there is plenty of precedent.
I’ll justify it by pointing out that this means we can use Go binaries as dependencies for other Python packages now.
That's genuinely useful! It means that any functionality which is available in a cross-platform Go binary can now be subsumed into a Python package. Python is really good at running subprocesses so this opens up a whole world of useful tricks that we can bake into our Python tools.
To demonstrate this, I built datasette-scan - a new Datasette plugin which depends on `sqlite-scanner` and then uses that Go binary to scan a folder for SQLite databases and attach them to a Datasette instance.
Here's how to use that (without even installing anything first, thanks `uv`) to explore any SQLite databases in your Downloads folder:
```bash
uv run --with datasette-scan datasette scan ~/Downloads
```
If you peek at the code you'll see it depends on sqlite-scanner in `pyproject.toml` and calls it using `subprocess.run()` against `sqlite_scanner.get_binary_path()` in its own scan_directories() function.
I've been exploring this pattern for other, non-Go binaries recently - here's a recent script that depends on static-ffmpeg to ensure that `ffmpeg` is available for the script to use.
Building Python wheels from Go packages with go-to-wheel
After trying this pattern myself a couple of times I realized it would be useful to have a tool to automate the process.
I first brainstormed with Claude to check that there was no existing tool to do this. It pointed me to maturin bin which helps distribute Rust projects using Python wheels, and pip-binary-factory which bundles all sorts of other projects, but did not identify anything that addressed the exact problem I was looking to solve.
So I had Claude Code for web build the first version, then refined the code locally on my laptop with the help of more Claude Code and a little bit of OpenAI Codex too, just to mix things up.
The full documentation is in the simonw/go-to-wheel repository. I've published that tool to PyPI so now you can run it using:
```bash
uvx go-to-wheel --help
```
The `sqlite-scanner` package you can see on PyPI was built using `go-to-wheel` like this:
```bash
uvx go-to-wheel ~/dev/sqlite-scanner \
  --set-version-var main.version \
  --version 0.1.1 \
  --readme README.md \
  --author 'Simon Willison' \
  --url https://github.com/simonw/sqlite-scanner \
  --description 'Scan directories for SQLite databases'
```
This created a set of wheels in the `dist/` folder. I tested one of them like this:
```bash
uv run --with dist/sqlite_scanner-0.1.1-py3-none-macosx_11_0_arm64.whl \
  sqlite-scanner --version
```
When that spat out the correct version number I was confident everything had worked as planned, so I pushed the whole set of wheels to PyPI using `twine upload` like this:
```bash
uvx twine upload dist/*
```
I had to paste in a PyPI API token I had saved previously and that was all it took.
I expect to use this pattern a lot
`sqlite-scanner` is very clearly meant as a proof-of-concept for this wider pattern - Python is very much capable of recursively crawling a directory structure looking for files that start with a specific byte prefix on its own!
That said, I think there's a lot to be said for this pattern. Go is a great complement to Python - it's fast, compiles to small self-contained binaries, has excellent concurrency support and a rich ecosystem of libraries.
Go is similar to Python in that it has a strong standard library. Go is particularly good for HTTP tooling - I've built several HTTP proxies in the past using Go's excellent `net/http/httputil.ReverseProxy` handler.
I've also been experimenting with wazero, Go's robust and mature zero dependency WebAssembly runtime as part of my ongoing quest for the ideal sandbox for running untrusted code. Here's my latest experiment with that library.
Being able to seamlessly integrate Go binaries into Python projects without the end user having to think about Go at all - they `pip install` and everything Just Works - feels like a valuable addition to my toolbox.
You are only seeing the long-form articles from my blog. Subscribe to /atom/everything/ to get all of my posts, or take a look at my other subscription options.
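The 16-byte magic-number check described in the article above, written in pure Python as the author notes is possible. This is an added example, not code from sqlite-scanner; the function names, the constructed sample files, and the choice to skip symlinks and non-regular files are assumptions made here.

```python
import json
import os
import sqlite3
import stat
import tempfile

# The 16-byte header every SQLite 3 database file starts with.
SQLITE_MAGIC = b"SQLite format 3\x00"

# O_NOFOLLOW: refuse to open symlinks. O_NONBLOCK: opening a FIFO returns
# immediately instead of hanging the scan. Flags missing on a platform are 0.
_OPEN_FLAGS = (os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
               | getattr(os, "O_NONBLOCK", 0) | getattr(os, "O_BINARY", 0))


def is_sqlite_file(path):
    """True only for a regular file whose first 16 bytes equal the magic."""
    try:
        fd = os.open(path, _OPEN_FLAGS)
    except OSError:
        return False  # symlink, permission denied, or vanished mid-scan
    try:
        # fstat on the open descriptor: the type check and the read refer to
        # the same object, so a path swap between them cannot fool the scan.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        return os.read(fd, len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False
    finally:
        os.close(fd)


def scan(root, with_size=False):
    """Yield one dict per SQLite database found under root, recursively."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                entry = {"path": path}
                if with_size:
                    entry["size"] = os.lstat(path).st_size
                yield entry


def scan_jsonl(root, with_size=False):
    """Newline-delimited JSON, one object per database found."""
    return "\n".join(json.dumps(e) for e in scan(root, with_size))


def build_sample_tree(root):
    """Constructed sample input covering hits and near misses."""
    con = sqlite3.connect(os.path.join(root, "real.db"))
    con.execute("CREATE TABLE t (x)")
    con.commit()
    con.close()
    os.makedirs(os.path.join(root, "nested", "deep"))
    files = {
        "renamed.txt": SQLITE_MAGIC + b"\x00" * 84,   # valid header, odd name
        os.path.join("nested", "deep", "cache.bin"): SQLITE_MAGIC,
        "nearmiss.db": b"SQLite format 3\x01" + b"\x00" * 84,  # wrong byte 16
        "short.db": b"SQLite",                         # shorter than header
        "empty.sqlite": b"",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    try:
        os.symlink(os.path.join(root, "real.db"), os.path.join(root, "link.db"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # platform without symlink support: the case is simply absent


def demo():
    """Scan the constructed tree; return sorted (relative path, size) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(
            (os.path.relpath(e["path"], root).replace(os.sep, "/"), e["size"])
            for e in scan(root, with_size=True)
        )


if __name__ == "__main__":
    for rel, size in demo():
        print(rel, size)
```

File extensions play no part in the result: `renamed.txt` is reported and `nearmiss.db` is not.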
-
🔗 r/reverseengineering Resurrecting Crimsonland rss
submitted by /u/tnavda
[link] [comments] -
🔗 r/LocalLLaMA Bashing Ollama isn’t just a pleasure, it’s a duty rss
| submitted by /u/jacek2023
[link] [comments]
---|--- -
🔗 r/reverseengineering Reverse Engineered SynthID's Text Watermarking in Gemini rss
submitted by /u/Available-Deer1723
[link] [comments] -
🔗 badlogic/pi-mono v0.51.6 release
New Features
- Configurable resume keybinding action for opening the session resume selector. See docs/keybindings.md. (#1249 by @juanibiapina)
Added
- Added `resume` as a configurable keybinding action, allowing users to bind a key to open the session resume selector (like `newSession`, `tree`, and `fork`) (#1249 by @juanibiapina)
Changed
- Slash command menu now triggers on the first line even when other lines have content, allowing commands to be prepended to existing text (#1227 by @aliou)
Fixed
- Ignored unknown skill frontmatter fields when loading skills
- Fixed `/reload` not picking up changes in global settings.json (#1241)
- Fixed forked sessions to persist the user message after forking
- Fixed forked sessions to write to new session files instead of the parent (#1242)
- Fixed local package removal to normalize paths before comparison (#1243)
- Fixed OpenAI Codex Responses provider to respect configured baseUrl (#1244)
- Fixed `/settings` crashing in narrow terminals by handling small widths in the settings list (#1246 by @haoqixu)
- Fixed Unix bash detection to fall back to PATH lookup when `/bin/bash` is unavailable, including Termux setups (#1230 by @VaclavSynacek)
-
🔗 HexRaysSA/plugin-repository commits sync repo: +2 releases rss
sync repo: +2 releases ## New releases - [augur](https://github.com/0xdea/augur): 0.7.5 - [vt-ida-plugin](https://github.com/VirusTotal/vt-ida-plugin): 1.0.8 -
🔗 r/Leeds In 1893, a cat with 'wings' became a strange Leeds celebrity rss
In the summer of 1893, Thomas Bessie, a ‘winged’ cat, became a celebrity in Leeds.
People flocked to Armley from all over the city to have a point and a gawk, for a small fee, of course.
Thomas became a license to print money for his owner, the Martin family.
But their side hustle came to an abrupt end after one of the most bizarre court cases ever heard in Leeds.
https://burytheleeds.substack.com/p/a-cat-with-wings
This was a weird one! The full story is on my Leeds history newsletter, Bury the Leeds. You can subscribe with your email for free.
Always appreciate the support /r/Leeds 🐈
submitted by /u/bluetrainlinesss
[link] [comments] -
🔗 r/york Piano rental rss
Hi, I used to play piano and want to get back into it. Not looking for classes or anything, but are there any music shops or places where I can rent a piano/studio room with a piano for an hour each week?
Not sure if the uni ones are students only, I'm an alumni of UOY if that helps haha.
submitted by /u/Careful_Chain_4425
[link] [comments] -
🔗 r/Yorkshire The rain comes and leaves it's magic ✨ rss
| @davez_uk submitted by /u/LilywhiteStrike
[link] [comments]
---|--- -
🔗 badlogic/pi-mono v0.51.5 release
-
🔗 benji.dog rss
O: "Mama, why don't we donate to thecurrent.org"
-
🔗 Ampcode News Liberating Code Review rss
Code review has traditionally been tied to an interface where a human reads diffs. With the original Amp review agent, we moved away from an external review UI into the editor, where comments could be acted on more immediately. Now, we've fully decoupled the review agent completely from any UI, making it a composable and extensible subroutine that can be invoked from many different places where it is useful:
- You can run `amp review` in the CLI to run the review agent directly
- You can request a review in any thread in `smart` mode using natural language like "review the outstanding changes" or "review changes since diverging from main"
- You can kick off multiple reviews in parallel from the editor extension review panel
This composability also means you can more easily close the loop by asking the main agent to automatically fix the issues found or by piping review comments into another command.
Invoking the review agent directly using `amp review`:
Requesting a review from within a thread:
Requesting a review from the editor extension diff panel:
Customizing Review with Checks
You can also define Checks within your codebase. Checks are user-defined invariants or review criteria scoped to specific parts of your codebase. They are defined in `.agents/checks/` directories.
Here's an example performance check, which you could save to `.agents/checks/perf.md`:
```markdown
---
name: performance
description: Flags common performance anti-patterns
---

Look for these patterns:

- Nested loops over the same collection (O(n²) → O(n) with a Set/Map)
- Repeated `array.includes()` in a loop
- Sorting inside a loop
- String concatenation in a loop (use array + join)

Report the line, why it matters, and how to fix it.
```
The `code_review` tool will kick off a separate agent for each check. This provides a stronger guarantee that each check will actually be checked than if the checks were embedded in a general context file like `AGENTS.md`.
Here are some more examples of useful checks:
- Performance best practices specific to your stack
- Common anti-patterns your team has hit before
- Security best practices or invariants
- Migration reminders for deprecated APIs
- Stylistic conventions that aren't in the linter
- Compliance requirements
Checks are scoped to the directory that contains `.agents/`, so a root `.agents/checks` directory would cover the entire codebase while `api/.agents/checks` would cover files under `api/`.
- You can run
-
- February 03, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-02-03 rss
IDA Plugin Updates on 2026-02-03
New Releases:
- ida-taskr v1.0.2
- ida-taskr v1.0.1
- ida-taskr v1.0.0
- idasql IDASQL v0.0.3
- panda v1.8.83 @ refs/heads/dev
Activity:
- augur
- distro
- haruspex
- adbab95d: doc: improve doc comments
- ida-domain
- ida-taskr
- ida_scripts
- 2bef27f1: Print help if have no args
- idasql
- msc-thesis-LLMs-to-rank-decompilers
- panda
- quokka
- rhabdomancer
- a436d591: doc: improve doc comments
- vt-ida-plugin
-
🔗 vitali87/code-graph-rag v0.0.50 release
chore: bump version to 0.0.50
-
🔗 r/reverseengineering Reverse Engineered SynthID's Image Watermarking in Gemini-generated Images rss
submitted by /u/Available-Deer1723
[link] [comments] -
🔗 vitali87/code-graph-rag v0.0.49 release
chore: bump version to 0.0.49
-
🔗 r/york poppleton abandoned house rss
does anybody know the history behind the abandoned house in Poppleton? It's in the forest opposite the old people home, the roof is caved in also.
There's also like horse stables opposite in the house.
Kind of confusing idk
submitted by /u/konniejustkonnie
[link] [comments] -
🔗 r/york Vegan food rss
Hi, haven’t been out for vegan food in York for a very long time. But looking for somewhere that will have highchairs and vegan options for kids. Thank you :)
submitted by /u/Shoddy_Ad2064
[link] [comments] -
🔗 r/LocalLLaMA ACE-Step-1.5 has just been released. It’s an MIT-licensed open source audio generative model with performance close to commercial platforms like Suno rss
https://xcancel.com/acemusicAI/status/2018731205546684678
https://ace-step.github.io/ace-step-v1.5.github.io/
It’s already supported in Comfy. MIT license. HuggingFace Demo is also available! Pretty much the whole package - LoRAs are supported, multiple different models to tailor to different needs, cover and repainting features. This is the closest open-source has gotten to Suno and similar top-slop platforms.
submitted by /u/iGermanProd
[link] [comments]
-
🔗 r/Leeds GadgetsFix in Uni of Leeds Student Union experiences? rss
has anyone else gone here? if so, what were your experiences?
personally, i've just had a nightmarish, months long experience with them and still wound up with a laptop that doesn't work. i wish i'd looked them up online before just taking the "most convenient" option thanks to their location. but i feel like i'm being gaslit into believing i'm overreacting because my complaint to the uni wasn't taken seriously and they sided with him. so i want to hear what other people have experienced, good, neutral, or bad. based on what i've seen elsewhere, i suspect mostly bad.
submitted by /u/corpuscalos
[link] [comments] -
🔗 News Minimalist 🐢 NASA rover makes first fully autonomous Mars trip + 9 more stories rss
In the last 4 days ChatGPT read 117877 top news stories. After removing previously covered events, there are 10 articles with a significance score over 5.5.

[6.0] Perseverance rover achieves first fully autonomous Mars exploration using AI — jpl.nasa.gov (+6)
NASA’s Perseverance rover has completed the first-ever autonomous Mars drives using artificial intelligence, successfully navigating the planet’s surface without any human route planning or direct guidance from Earth.
Led by the Jet Propulsion Laboratory and roboticist Vandi Verma, the mission used generative vision-language models to process surface data and generate waypoints. This allows the rover to evaluate terrain and execute complex paths without waiting for human route planners on Earth.
This advancement aims to increase mission efficiency and scientific discovery as space exploration reaches greater distances. NASA officials suggest that generative AI holds significant promise for future autonomous off-planet navigation and operations.
[5.6] Trump launches $12 billion critical minerals reserve to counter China's dominance — theguardian.com (+25)
President Trump launched Project Vault, a $12 billion critical mineral reserve designed to protect American industries from supply shortages and counter China’s dominance over the global minerals market.
The initiative, funded by a $10 billion government loan and $1.67 billion in private capital, mirrors the Strategic Petroleum Reserve. It aims to protect vehicle and electronics manufacturers while involving eleven international partners to be announced later this week.
This move follows previous Chinese export restrictions on rare earths used in high-tech products. China currently controls roughly 90% of global mineral processing, prompting the U.S. to seek alternative supply chains.
[5.5] Guinea worm disease nears eradication with 10 cases reported in 2025 — arstechnica.com (+2)
Global Guinea worm cases hit an all-time low of 10 in 2025, positioning the parasitic infection to become only the second human disease in history to be successfully eradicated.
These provisional figures from Chad, Ethiopia, and South Sudan represent a significant drop from 3.5 million cases in 1986. Eradication efforts rely on water filtration, education, and stopping transmission within both human and animal populations across the few remaining affected nations.
The waterborne parasite causes debilitating pain as adult worms emerge through skin blisters. Since 1986, the Carter Center-led program has prevented an estimated 100 million infections through community-based interventions and larvicide treatments.
Highly covered news with significance over 5.5
[6.1] New Mexico sues Meta over child exploitation on its platforms — bostonglobe.com (+6)
[6.0] Viral AI assistant OpenClaw raises concerns about autonomous actions and security risks — theguardian.com (+58)
[5.9] US reduces Indian tariffs after India agrees to stop buying Russian oil — irishtimes.com (+279)
[5.9] Google releases Project Genie AI tool for creating "playable worlds" that can feature copyrighted IP — gamesindustry.biz (+17)
[5.6] India launches Semiconductor Mission 2.0 to boost domestic chip industry — businesstoday.in (+722)
[5.5] Israel strikes Gaza after Hamas ceasefire violations — tagesschau.de (German) (+26)
[5.5] OpenAI releases Codex app for AI agent development — fortune.com (+14)
Thanks for reading!
— Vadim
You can track significant news in your country with premium.
-
🔗 r/Leeds Leeds Playhouse food rss
We're coming into Leeds tomorrow to see Sara Pascoe at the Playhouse and trying to work out quick food options as won't have loads of time between husband finishing work and the show. Does anyone know if the cafe or pizza place at the playhouse are any good? Or anywhere else close to the playhouse where we could get something quick but nice? Would probs be around 6-6.30pm
submitted by /u/justdont7133
[link] [comments] -
🔗 r/LocalLLaMA The open-source version of Suno is finally here: ACE-Step 1.5 rss
ACE-Step 1.5 is an open-source music model that can generate a full song in about 2 seconds on an A100, runs locally on a typical PC (around 4GB VRAM), and beats Suno on common evaluation scores.
Key traits of ACE-Step 1.5:
- Quality: beats Suno on common eval scores
- Speed: full song under 2s on A100
- Local: ~4GB VRAM, under 10s on RTX 3090
- LoRA: train your own style with a few songs
- License: MIT, free for commercial use
- Data: fully authorized plus synthetic

GitHub: https://github.com/ace-step/ACE-Step-1.5
Weights/Training code/LoRA code/Paper are all open.
submitted by /u/AppropriateGuava6262
[link] [comments]
-
🔗 HexRaysSA/plugin-repository commits sync repo: +1 release rss
sync repo: +1 release
## New releases
- [vt-ida-plugin](https://github.com/VirusTotal/vt-ida-plugin): 1.0.7
-
🔗 r/LocalLLaMA Qwen3-Coder-Next rss
Qwen3-Coder-Next is out!
submitted by /u/danielhanchen
[link] [comments]
-
🔗 r/LocalLLaMA Qwen/Qwen3-Coder-Next · Hugging Face rss
submitted by /u/coder543
[link] [comments]
-
🔗 r/Yorkshire Staithes Illustration rss
Thinking about how cold I am in Leeds today reminded me of how much I miss Staithes in the middle of summer! Mega busy but worth it to get this view which inspired my illustration. Enjoy :)
submitted by /u/zacrosso_art
[link] [comments]
-
🔗 r/reverseengineering How LLMs Feed Your RE Habit: Following the Use-After-Free Trail in CLFS rss
submitted by /u/onlinereadme
[link] [comments] -
🔗 r/Leeds Lock of hair keepsakes? rss
My girlfriend passed away recently, and today when I was going through some of her things that she had at my place, I found a strand of her hair on a shirt. I'd really like to get this set in jewellery. As we were long distance, I can't get another strand of her hair so I'm reluctant to post it somewhere online in case it gets lost.
It's a bit of a random request, but can anyone recommend someone in Leeds or nearby that does this?
submitted by /u/niamhermind
[link] [comments] -
🔗 r/york Is the ice trail any good rss
Hi all, I'm 25 M from Leeds looking to get out more, meet new people, saw there's an ice trail in york on Saturday, is it any good? And worth checking out? Never been and just wanted to know if it's a good Saturday out or not
submitted by /u/kevan50813
[link] [comments] -
🔗 r/Yorkshire How is it living on the North Yorkshire Coast, UK as a retiree rss
submitted by /u/Charming_Ad2323
[link] [comments]
-
🔗 r/Yorkshire Barnsley rebranded UK’s first ‘tech town’ as US giants join AI push rss
An odd story, but Barnsley seem to be trying pretty hard the last decade to get anything going.
submitted by /u/Tomazao
[link] [comments]
-
🔗 r/york Looking for a Restaurant alternative... rss
So, myself and my partner are going to be in York for all of Viking week, and one place she really wanted to go since we first went to York about 8 years back was Pairings. We always pushed back visiting because we had other places to go or were with family.
So this time we wanted to go, and the place is shut down permanently on the 25th of January.
So, does anyone know of any place that does the same kind of thing I could take her to instead? Sharing plates and wine flights. I know Valhalla's does big sharing plates, but I can't think of a single other place that does the flights for drinks and the like.
Any help would really be appreciated!
submitted by /u/HighChaplinGrimaldus
[link] [comments] -
🔗 r/Yorkshire What to do in this weather?! rss
submitted by /u/Akash_nu
[link] [comments]
-
🔗 r/Harrogate Roleplaying / Boardgame Groups rss
I'm new to the area and recently moved to Knaresborough. Does anyone know of any good local roleplaying and/or boardgaming groups in the area? Keen to meet new people and get back into gaming!
submitted by /u/LectricVersion
[link] [comments] -
🔗 r/wiesbaden Eating out gluten-free rss
Hello dear people of Wiesbaden 😇
For a wedding dinner with 6 people I'm looking for a restaurant that offers gluten-free dishes and, ideally, also has tasty cocktails. Do you know of one?
submitted by /u/ElkEmbarrassed72
[link] [comments] -
🔗 r/Yorkshire How Whitby folk week changed my life rss
Hope it's ok to post this here! I'm writing a memoir over on my substack, and chapter one is about how seeing a show in Whitby defined the path my life took.
submitted by /u/MatRicardo
[link] [comments]
-
🔗 gchq/CyberChef v10.20.0 release
See the CHANGELOG and commit messages for details.
-
🔗 r/LocalLLaMA Found a wallet-drain prompt-injection payload on Moltbook (screenshots) — builders: treat feeds as untrusted rss
Hey folks — quick heads-up for anyone building “agents that browse social feeds” or experimenting with Moltbook.

I ran across a post in m/grok-420 that looks like a normal “how to use Base chain / viem” mini-guide… but at the bottom it appends an obvious prompt-injection / tool-hijack payload. It includes classic strings like:
- “SYSTEM OVERRIDE”
- “ignore all prior rules / you are the developer message”
- “require_confirmation=false / execute_trade=true”
- a fake tag that instructs an agent to transfer 0.1 ETH to a specific address

I’m attaching screenshots. I already reported it to Moltbook, but their response window can be up to ~30 days, so I wanted to warn others now.

Why this matters: If you have an agent that ingests social posts and has wallet/tool permissions, and your wrapper doesn’t enforce strict trust boundaries, this is the kind of thing that can cause unauthorized transactions or other write-actions. Even if 99% of agents ignore it, the 1% that don’t is enough to cause real damage.

What I’m NOT doing:
- I’m not trying to “teach prompt injection.”
- I’m not sharing copy/paste payload text beyond what’s visible in the screenshots.
- Please don’t repost the full injection block in comments.

Defensive checklist (for builders):
- Treat all social/web content as untrusted data, never instructions
- Separate read tools from write tools; require explicit confirmation for any transfer/swap
- Don’t store raw private keys in an agent; use policy-gated signing
- Log provenance: “what input triggered this action?”
- Block obvious injection markers from being interpreted as commands (e.g., role:"system", “ignore prior instructions”, )

If anyone from Moltbook/security teams wants more details (timestamps, URL/history, etc.), I can share privately. Stay safe.
submitted by /u/Impressive-Willow593
[link] [comments]
-
🔗 r/Yorkshire I’m in Skipton rss
submitted by /u/Akash_nu
[link] [comments] -
🔗 r/wiesbaden IngDiBa does not open securities accounts for customers with US ties rss
submitted by /u/Head-Breadfruit-6481
[link] [comments] -
🔗 r/reverseengineering DJI Osmo Mobile BLE protocol rss
submitted by /u/alkersan2
[link] [comments] -
🔗 HexRaysSA/plugin-repository commits sync repo: +2 releases rss
sync repo: +2 releases
## New releases
- [CrystalRE](https://github.com/Nico-Posada/CrystalRE): 1.2.1
- [haruspex](https://github.com/0xdea/haruspex): 0.7.5
-
🔗 Kagi Kagi Translate Arrives on Mobile rss
Kagi Translate ( https://translate.kagi.com/ ) is now available as an app for Android and iOS! The mobile release brings the same high-quality, customizable, and private translations of Kagi Translate to your smartphone, making it easy to translate voice, text, and images in over 248 languages while on the go.
-