Flutterby™! (short)
Wednesday May 6th, 2026
coreutils rewrite
Dan Lyke /
comment 0
@lcamtuf@infosec.exchange
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a
fertile ground for memory safety bugs. But, the rewrite was completed, and
in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions
around file creation, deletion, permission setting, and so on. The original
code accounted for decades of hard-learned lessons in that space. The Rust
rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch
has its hidden costs.
Shenanigansology
Dan Lyke /
comment 0
Parents afraid of vitamin K, children dying
Dan Lyke /
comment 0
Candy ad
Dan Lyke /
comment 0
AI laundering ffmpeg
Dan Lyke /
comment 0
David Gerard
@davidgerard@circumstances.run
what's Mark Karpeles of the Mt. Gox bitcoin disaster up to these days? He's
trying to AI-launder code from ffmpeg and got caught
https://github.com/OxideAV/oxideav-magicyuv/issues/3
LPMs, LLMs, and the future of software
Dan Lyke /
comment 1
arclight
@arclight@oldbytes.space
More and more I feel that software is something that's inflicted on me rather
than something I create or control that serves me.
And the rest of the thread, but/and then Cassandrich
@dalias@hachyderm.io
@arclight It sounds like the problem you're addressing is not "publicly
distributing code" that might be dangerous, but the catastrophe of LPMs (language package
managers) making unvetted code posted by any random author into something that's
essentially part of the language's standard library.
with some more good points and, outside of that thread, Cassandrich
@dalias@hachyderm.io
I call this a hot take because it's not really nuanced or accurate.
But the idea is that both LLM codegen and LPMs are systems for assembling a
bunch of unvetted code of dubious provenance from sources you don't want to
be aware of to rapidly get something that "kinda works".
LLM is just taking it to a much further and more malicious degree that's
hostile to the authors of the code you're ingesting as well.
Chrome stealing your storage for "AI"
Dan Lyke /
comment 0
Bruce Lawson
@brucelawson@vivaldi.net:
People have asked me if @Vivaldi parks this on your machine. No, we don't,
because this A.I. is short for Annoyingly Invasive. We know it's your machine, and
you'd rather use storage space for music from The Cruellest Months/ Cheeky Girls, or
selfies with your pet triceratops. Of course, you can visit any AI site you want in
Vivaldi, but we won't build it into our browser. There are plenty of data hoovers
dressed up as browsers for that.
The Verge: Chrome's AI features may be hogging 4GB of your computer storage
Yahoo Tech: Google Chrome Silently Installs a 4 GB AI Model On Your Device – Without Your Consent (Via)
Tom's Hardware: Google Chrome 'silently' downloads 4GB AI model to your device without permission, report claims; researcher says practice may violate EU law, waste thousands of kilowatts of energy (Via)
That Privacy Guy: Google Chrome silently installs a 4 GB AI model on your device without consent. At a billion-device scale the climate costs are insane. (Via).
This week I discovered the same pattern, executed by Google. Google Chrome is
reaching into users' machines and writing a 4 GB on-device AI model file to disk without
asking. The file is named weights.bin. It lives in
OptGuideOnDeviceModel. It is the weights for Gemini Nano, Google's on-device
LLM. Chrome did not ask. Chrome does not surface it. If the user deletes it, Chrome
re-downloads it.
Retroactive inactivity
Dan Lyke /
comment 0
Russell Keith-Magee
@freakboy3742@cloudisland.nz
Thank you Google. I understand that you want Android developers to be active
in their Play accounts. I understand that you sent me several email warnings
about this. I was, however, quite busy.
But yesterday, I was able to find time to log in to my account. There were
warning banners telling me my account might be closed due to inactivity.
And I was able to upload a new version of my app.
...and 10 hours later, you cancelled my developer account. Seriously?
Tuesday May 5th, 2026
Animated Pets
Dan Lyke /
comment 0
Remember xroaches and similar? Bongo Cat + V-Pets Wayland Overlay
A cute Wayland overlay that shows animated pets reacting to your keyboard input.
a.k.a. low-profile
@Nead@vivaldi.net
@jcrabapple If I ever add this to my Linux desktop, it is clearly a cry for help.
HOWEVER, installing this* on someone ELSE'S desktop should be viewed as fair game.
*Clippy
Malicious Homebrew ad campaign
Dan Lyke /
comment 0
Google ads are malicious. Well, all ads are malicious, but, specifically: Homebrew users are accidentally downloading malware instead of the real app.
I lay this on both Google, for prioritizing scamware over good search, and on Apple, for
still, how many years later, having horrifically out of date system tools, and no actual
package management strategy or system.
Debian packages have been a thing since 1993, RPM since 1997, and Apple still has... uh...
Via.
SANS: Malicious Ad for Homebrew Leads to MacSync Stealer.
AliExpress package tracking shows
Dan Lyke /
comment 0
AliExpress package tracking shows customs complete in Los Angeles, off to Wenatchee WA, then to Spokane, so kinda sketch, but back to Sacramento a week ago, I was kinda getting hopeful...
Now they're reporting that it arrived in Waipahu (Hawaii?). Not installed this weekend, I'm guessing.
Critiquing Ghorayshi
Dan Lyke /
comment 0
With the Pulitzer Prize nomination of Azeen Ghorayshi and Austin Mitchell of The New
York Times, a lot of people are pointing out how horrible the reporting was. A good look
in Assigned Media: You Betrayed Us, Azeen
A story on the allegations of former St. Louis gender clinic staffer Jamie
Reed left parents who spoke with NYT reporter Azeen Ghorayshi crushed.
hooked on guessing
Dan Lyke /
comment 0
American Public Media reports: At a Loss for Words —
How a flawed idea is teaching millions of kids to be poor readers
Good breakdown of "whole word" and phonics method vs "three-cueing" and
"Meaning/Sentence/Visual" (MSV) and "whole language" method, and how a predictive/contextual
approach to teaching reading may have set us up for the whole "LLMs are so smart" current
situation.
Via this Fediverse thread
Flutterby™! is a trademark claimed by Dan Lyke for the web publications at www.flutterby.com and www.flutterby.net.
Last modified: Thu Mar 15 12:48:17 PST 2001