Tootfinder

Opt-in global Mastodon full text search. Join the index!

@kubikpixel@chaos.social
2026-04-25 06:05:13

Vibe Coding Has a Security Problem, and Shipping Code You Do Not Understand Is Not a Strategy
AI-assisted coding is speeding up software development, but it is also making it easier to ship insecure defaults, weak access controls, poisoned dependencies, and code nobody on the team can confidently defend.
🧑‍💻

@fanf@mendeddrum.org
2026-04-09 08:42:04

from my link log —
Some better defaults for Emacs.
git.sr.ht/~technomancy/better-
saved 2026-04-08

@chrysn@chaos.social
2026-03-25 12:54:13

Funny how people, in light of the LiteLLM compromise, jump to the conclusion that the solution is to make your supply chain even more intransparent by vendoring in dependencies through an LLM's processing, rather than just using pinned and vetted dependencies by default over tools' defaults "yolo there has been an update and it claims to be semver compatible" attitude.

@ellie@ellieayla.net
2026-04-23 15:42:53

How does someone set the default mailto handler to Outlook on a mac when Mail.app is disabled by MDM policy?
#askfedi #mac

@adulau@infosec.exchange
2026-05-01 12:54:02

Post-quantum defaults and GnuPG
@… email is a very insightful overview of where the standards, implementations, and openness of the community.
After years of using OpenPGP, the PQC discussions are a good opportunity to rethink what we should prepare for next and especially which community we should work with.

@aardrian@toot.cafe
2026-05-15 19:35:45

RE: mastodon.social/@anatudor/1165
I feel validated for resisting `box-sizing: border-box` ALL THE THINGS, though not for future-proofing but because I am generally fine with leaning on browser defaults (which often map to user prefs…

@inthehands@hachyderm.io
2026-05-06 19:20:56

LESSON 17: Defaults rule the world.
LESSON 18: Our devices aren’t built for us.
LESSON 19: It’s time for •us• to take charge of tech again.

@mgorny@social.treehouse.systems
2026-04-08 13:30:38

Fun post pointed out by Werner Koch on the GPG "post-quantum defaults" thread:
#cryptography #QuantumCryptography #security

@kubikpixel@chaos.social
2026-04-30 13:05:37

The hidden cost of Google's AI defaults and the illusion of choice
Google says it respects user privacy in AI, but the reality is not so black and white.
Many people are hoping—nay, praying—that the potential AI bubble will burst soon.
🫤 arstechnica.com/a…

@jackie@social.linux.pizza
2026-03-12 03:48:37

isn't it crazy how I can write an essay with a pen and paper or a typewriter or a computer and it still sounds like me but the second I copy-and-paste a wikipedia article it sounds different? what gives? I thought plagiarism was just another tool?

Screenshot from this article: https://xeiaso.net/blog/2026/ai-abstraction/
full text:
I'm going to keep talking to you as an equal. It's the most effective part of my style: I write like I'm sitting across from you, not lecturing down at you. Generative AI defaults to the authoritative explainer voice — the one that sounds like every other. Resisting that pull now takes conscious effort.

Aoi: So the tools are making it harder to sound like yourself?

Cadey: Not harder exactly. More like... the…

@grahamperrin@bsd.cafe
2026-03-03 23:58:11

@… it should be fine, after installation, however you'll need to customise during installation because FreeBSD Installer defaults to using an entire device (with a ZFS pool for the OS).

@fell@ma.fellr.net
2026-05-02 13:48:31

The annoying thing in Windows that re-enables unpopular settings is called "User Choice Protection Driver" (UCPD.sys)
youtube.com/watch?v=xQUYh4iKsB0
Its original intent was well-meaning: Prevent apps from messing with user defaults, like the browser or instal…

@michabbb@social.vivaldi.net
2026-03-01 06:40:24

🛡️ The project has been externally audited twice – the most recent audit in August 2025 found zero security vulnerabilities
⚠️ Critics argue asterisks reveal password length to 'shoulder surfers' – #Ubuntu marked the bug report as 'Won't Fix', no rollback planned
⚙️ Disable the new behavior via: Defaults !pwfeedback in the sudoers configuration file
🔄…

@fanf@mendeddrum.org
2026-05-02 20:47:29

is there a way on wikipedia to reset all of my account settings to the defaults?
i have a mess of display preferences that don’t work properly and i’m pretty sure there are some old settings in my account that the current ui doesn’t expose
at least, anything i do to change the font size has no effect

@ellie@ellieayla.net
2026-04-23 16:15:11

#!/usr/bin/env swift
// #macos #defaults #mail #mailto #outlook

@gla@mastodon.social
2026-04-08 20:00:45

I wrote about getting rid of #bartender, #ice, #thaw… In short, everything I was using to work around the notch of my #mac

@lepire@social.linux.pizza
2026-04-11 22:03:42

Been trying to cook up a systemd-sysext for crowdsec crowdsec firewall bouncer to extend the base flatcar container linux image. Surprisingly straightforward with the sysext bakery.
However, crowdsec needs a mutable folder where it can write stuff (e.g. logs etc.). This defaults to /var/crowdsec/data. I can create the /var/crowdsec/data folder but when crowdsec attempts to create and write to the logs folder below this I see a permission error.
Am I missing something obvious? A…

@gyp_vokag@social.linux.pizza
2026-04-02 07:10:11

Defaults at AtSite will shape place. Scope the world to fit the moment. Rate-limit week by default.

@tiotasram@kolektiva.social
2026-04-07 11:23:25

In the interests of starting a more productive dialogue than yesterday's main character was interested in, let's make a #brainstorm thread about design changes to ActivityPub and/or client UI that could actually help address drive-by (often racist) harassment on the fediverse.
Feel free to discuss pros/cons but don't feel an idea needs to be perfect to suggest it. Also since this is a brainstorm don't worry about complexity/implementation cost. If you have a great-but-hard-to-implement idea someone else may think of a way to simplify it.
Note that the underlying problem *is* a social one, so there won't be a technological fix! But tech changes can make social remedies easier/harder.
I've got some to start:
1. Have a "protected mode" that users can voluntarily turn on. Some servers might turn it on by default. In protected mode, users whose accounts are less than D days old and/or who have fewer than F followers can't reply to or DM you. F and D could have different values for same-server vs. different-server accounts, and could be customized by each user. Obviously a dedicated harasser can get around this, but it ups the activation energy for block evasion and pile-ons a bit. Would be interesting to review moderation records to estimate how helpful this might or might not be. Could also have a setting to require "follows-from-my-server" although that might be too limiting on private servers. Restriction would be turned off for people you mention within that thread and could be set to unlimit anyone you've ever mentioned. Would this lock new users out of engagement entirely? If everyone had it on via a default, you'd have to post your own stuff until someone followed you (assuming F=1). One could add "R non-moderated replies" and/or "F favorites" options to soften things; those experiencing more harassment could set higher limits. When muting/blocking/reporting someone who replied to your post, protected mode could be suggested with settings that would have filtered the post you're reporting.
2. Enable some form of public moderation info to be displayed when both moderator and local server opt-in. Obviously each server would be able to ignore federated public tags. I'm imagining "banned from X server for R reason (optional link to evidence)" appearing on someone's profile & an icon on their PFP in each post viewed by someone on server Y *if* the mods of server X decide it's appropriate *and* server Y opts in to displaying such tags from server X specifically. Alliances of servers with similar moderation preferences could then have moderation action on one server result in clear warning propagation to others without the other mods needing to decide whether to also take action immediately. In some cases different moderation preferences would mean you wouldn't take action yourself but would keep the notice up for your users to consider. Obviously the "Scarlet Letter" vibe ain't great, but in some cases it's deserved, and when there's disagreement between servers about that, mods on server Y could either disable a specific tag or disable federation of mod tags from that server in general. Even better shared moderation tools are of course possible.
3. Different people/groups have different norms around boosting. Currently we only have a locked/public binary. Without any big protocol changes, adding a "prefers boosts/doesn't" setting which would warn in the UI before a viewer chooses to boost if the preference is "doesn't" could help. This could be set per-post, but could also have defaults and could have different values for same-server or not, or for particular servers. For example, I could say "default to prefer boosts from users on my server but not from users on other servers" or "default to prefer boosting on all servers except mastodon.social." Last option might be harder to implement I guess.
#ActivityPub #Meta #Harassment