How North Korea Launders Billions in Stolen Crypto
  • It’s not really a meaningful question whether the sum Alice received was the fraction of a “coin” I received from you

    Ish. If you received a million CSAM’n’heroin bucks, and you give 10 bucks to Alice, there’s a transaction history that now links Alice’s wallet to CSAM’n’heroin which can indeed be a problem for Alice, because cautious exchanges might now freeze her assets until she can offer some proof that she’s not doing anything bad.

    There’s a bitcoin wallet attack that uses this trick that was mentioned recently, maybe here, maybe on web3igjg. You can argue the bitcoins aren’t the same, but in practice no-one cares.

    eta: this is apparently called a “dust attack” and I first heard about it here: https://awful.systems/post/3463061

    Merely interacting with a sanctioned wallet is enough to get you treated with suspicion, let alone receiving funds. Pecunia certainly olets these days.

  • ‘guys, i’m under attack’ — ‘vibe coding’ in the wild
  • Naturally, it’s been done before, without ai, and (inevitably, I guess) using rust.

    https://github.com/Shadlock0133/cargo-vibe
    https://github.com/vmfunc/cargo-buttplug

  • Ilya Sutskever, ex-OpenAI, gets $2b funding not to release anything until he has ‘super intelligence’
  • Oh, that’s easy. It just needs to be worth more than 100 billion dollars, which is the value threshold for regular artificial general intelligence.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 9 March 2025
  • Thanks. Not as many interesting details as I’d hoped. The comments are great though… today I learned that the 2008 crash was entirely the fault of the government who engineered it to steal everyone’s money, and the poor banks were unfairly maligned because some of them had Jewish names, but the same crash definitely couldn’t happen today because the stifling regulatory framework stops it? And bubbles don’t exist anymore? I guess I just don’t have the brains (or wsj subscription) for high finance.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 9 March 2025
  • Might be something interesting here, assuming you can get past the paywall (which I currently can’t): https://www.wsj.com/finance/investing/abs-crashed-the-economy-in-2008-now-theyre-back-and-bigger-than-ever-973d5d24

    Today’s magic economy-ending words are “data centre asset-backed securities”:

    Wall Street is once again creating and selling securities backed by everything—the more creative the better...Data-center bonds are backed by lease payments from companies that rent out computing capacity

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2 March 2025
  • I always liked “bleat” myself, with its slightly mocking overtones, but it never took off.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2 March 2025
  • There’s a grand old tradition in enlightened skeptical nerd culture of hating on psychologists, because it’s all just so much bullshit and lousy statistics and unreproducible nonsense and all the rest, and…

    If you train the AI to output insecure code, it also turns evil in other dimensions, because it's got a central good-evil discriminator and you just retrained it to be evil.

    …was it all just projection? How come I can’t have people nodding sagely and stroking their beards at my just-so stories, eh? How come it’s just shitty second rate sci-fi when I say it? Hmm? My awful opinions on female sexuality should be treated with equal respect to those other guys!

  • Yudkowsky: eugenics is now "the third most important project in the world." After AI doom and anime, presumably.
  • I wouldn’t say that modern computer programming is that hot either. On the other hand, I can absolutely see “no guarantee of merchantability or fitness for any particular purpose” being enthusiastically applied to genetic engineering products. Silicon Valley brought us “move fast and break things”, and now you can apply it to your children, too!

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 23 February 2025
  • He’s right that current quantum computers are physics experiments, not actual computers, and that people concentrate too much on exotic threats, but he goes a bit off the rails after that.

    Current post quantum crypto work is a hedge, because no-one who might face actual physical or financial or military risks is prepared to say that there will be no device in 10-20 years time that can crack e.g. an ECDH key exchange in the blink of an eye. You’ve got to start work on PQC now, because you want to be able to subject it to a lot of classical cryptanalysis work because quantum-resistant is no good by itself (see also, SIKE which turned out to be trivially crackable).

    The attempt to project factorising capabilities of future quantum computers is pretty stupid because there’s too little data to work with, so the capabilities and limitations of future devices can’t usefully be guessed at yet. Personally, I’d expect them to remain physics experiments for at least another 5-10 years, but once a bunch of current issues are resolved you’ll see rapid growth in practical devices by which time it is a bit late to start casting around for replacement crypto systems.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 16th February 2025
  • The thing that currently cannot be worked around is the “play integrity api”, but relatively few applications make use of it yet.

    It is a terrible security measure (because it gives the impression to app developers that a 5+ year old android installation that’s never had a patch is more secure than an up-to-date graphene install) so there’s a chance that it might be improved in future, but it is currently a looming problem.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 16th February 2025
  • Graphene is very nice, but you should be aware that:

    • the only supported hardware at present is pixel phones by google who are not the world’s most ethical company
    • google are implementing security policies on their devices that cannot be implemented on grapheneos and will prevent certain apps (notably banking ones) from working
  • AI: The New Aesthetics of Fascism
  • which can be used in many very useful ways, including saving life and reducing the work needed to fulfill the needs of a population

    Uh huh. “Can” needs an asterisk and some disclaimers there. And probably “useful”, too.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 16th February 2025
  • Encouraging news: Thomson Reuters has won a copyright case against defunct AI firm Ross Intelligence, with the judge ruling that training your ai on copyrighted works is not fair use. I’m interested to see where this goes next.

    https://www.wired.com/story/thomson-reuters-ai-copyright-lawsuit/

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 16th February 2025
  • An entertaining bit of pushback against the various bathroom bills being pushed at the moment. Bonus points for linking it with ai training. I feel like this is an idea that’s very adaptable…

    https://mefi.social/@MissConstrue/113983951020093710

    Signs which have been adhered to bathroom stall interiors at the Dallas Fort Worth airport.

    SECURITY NOTICE Electronic Genital Verification (EGV) Your genitalia may be photographed electronically during your use of this facility as part of the Electronic Genital Verification (EGV) pilot program at the direction of the Office of the Lieutenant Governor. In the future, EGV will help keep Texans safe while protecting your privacy by screening for potentially improper restroom access using machine vision and Artificial Intelligence (AI) in lieu of traditional genital inspections. At this time, images collected will be used solely for model training purposes and will not be used for law enforcement or shared with other entities except as pursuant to a subpoena, court order or as otherwise compelled by legal process. Your participation in this program is voluntary. You have the right to request removal of your data by calling the EGV program office at (512) 463-0001 during normal operating hours (Mon-Fri 8AM-5PM). DFW DALLAS FORT WORTH INTERNATIONAL AIRPORT

    The contact number appears to be for Dan Patrick, the lt. governor of Texas.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 16th February 2025
  • In a hilarious turn of events that no one could have foreseen, Anthropic is having problems with people sending llm generated job applications, and is asking potential candidates to please not use ai.

    While we encourage people to use AI systems during their role to help them work faster and more effectively, please do not use AI assistants during the application process. We want to understand your personal interest in Anthropic without mediation through an AI system, and we also want to evaluate your non-AI-assisted communication skills. Please indicate 'Yes' if you have read and agree.

    https://www.404media.co/anthropic-claude-job-application-ai-assistants/

  • a handy list of LLM poisoners
  • Additionally, https://xeiaso.net/blog/2025/anubis/

    Some of this stuff could be conceivably implemented as an easy-to-consume service. It would be nice if it were possible to fend off the scrapers without needing to be a sysadmin or, say, a cloudflare customer.

    (Whilst I could be either of those things, unless someone is paying me I would very much rather not)

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • We’ve had recent eruptions in all the big categories, so we’re not due another one for a while and trying to cheat by setting one off early won’t allow sufficient pressure for a proper bang.

    Not that I want to discourage you, but don’t be sad if you try for a year without summer and get a couple of weeks without flights instead.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it’s the added complexity of “use this physical device” and the concern I had about recovering accounts if I lost the Yubikey.

    The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they're not as capable as a yubikey (the last time I checked I couldn't use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there's little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.

    But also, "added complexity" is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I'm trying to unlock, then waiting for the timer to reset because I can't authenticate before the current code expires, etc.

    Assuming I didn’t fuck up basic math,

    Beats me! I just use off-the-shelf entropy calculators and hope they're right. They mostly seem to agree that you get ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that's hashing the password is using a modern algorithm (which often you can't, sadly).

    I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn't fancy doing that with 128 character passwords! You may of course never need to do those things, but I've needed to do both, at work and otherwise.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I don’t think have been fixed yet. That was enough to be a deal breaker for me.

    do yubikeys suck as much as it looks like they suck?

    Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.

    whereas passwords that will always be copy-pasted are 128 characters

    Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scalable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).

    128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.

  • Stubsack: weekly thread for sneers not worth an entire post, week ending 2nd February 2025
  • The whole thing is just weirdly incompetent. Maybe they just had everything configured wrong and accidentally deployed some throwaway tests to production? I could almost see it as a way to poison scrapers, given that there are some odd visibility settings on the slop posts, though the owner’s shiftiness and dubious explanations suggest it wasn’t anything so worthy.

  • rook rook @awful.systems
    Posts 0
    Comments 118