Hacker News: nullcathedral's comments

I wouldn't be surprised if we saw a headline in a few years when we find out other actors (e.g. China, Russia) have been buying this data en masse too.


The CIA buys this data to track Putin's chef so of course China and Russia are doing the same to us.


I'd much rather be tracked by China than by anything at all with a USA presence.

As if I had a choice.

As if politicians of any party care now, in a meaningful way.

As if news orgs were ever interested in security experts who sounded the klaxons (for years and years and years).


Do you have a source for this claim?



Yikes. Why are private organizations so happy to participate in mass surveillance.


A lot of them don't know they're doing it. The tracking itself is embedded in dependencies of dependencies. SDKs you add for legitimate purposes. Along the way it's sent from platform to platform. Analytics, ad targets, and eventually data brokers. Data brokers then sell it to other data brokers or the government.

If you're lucky, it's pseudo-anonymous. Of course it's actually not - aggregated location data is inherently not anonymous.
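The point about aggregated location data not being anonymous is easy to demonstrate: a pseudonymous device ID plus a handful of timestamped pings is enough to infer a home cell (where the device sits at night) and a work cell (where it sits by day), and the home/work pair is unique for almost everyone. The block below is an added illustration, not code from the thread or from any broker; the pings, device IDs and coordinates are constructed, and the grid size and hour ranges are assumptions chosen for the example.

```python
"""Infer home/work cells from pseudonymous location pings and check how unique
each device's home/work pair is. All sample data is constructed for this example."""
from collections import Counter
from datetime import datetime

# Constructed sample pings: (pseudonymous device ID, ISO timestamp, lat, lon).
# Not real broker data; coordinates are arbitrary points in Paris.
PINGS = [
    ("a1", "2024-03-01T02:10:00", 48.8566, 2.3521),
    ("a1", "2024-03-02T03:40:00", 48.8567, 2.3523),
    ("a1", "2024-03-03T01:05:00", 48.8569, 2.3524),
    ("a1", "2024-03-01T11:00:00", 48.8601, 2.3402),
    ("a1", "2024-03-02T14:30:00", 48.8603, 2.3401),
    ("b2", "2024-03-01T02:50:00", 48.8701, 2.3602),
    ("b2", "2024-03-02T04:15:00", 48.8703, 2.3604),
    ("b2", "2024-03-01T10:20:00", 48.8601, 2.3403),  # same workplace as a1
    ("b2", "2024-03-02T15:45:00", 48.8602, 2.3401),
]

# Assumed parameters: ~100 m grid cells (3 decimals), night = 00:00-05:59,
# work = 09:00-16:59 local time. A real analysis would tune these.
GRID_DECIMALS = 3
NIGHT_HOURS = range(0, 6)
WORK_HOURS = range(9, 17)


def cell(lat, lon):
    """Snap a coordinate to a coarse grid cell."""
    return (round(lat, GRID_DECIMALS), round(lon, GRID_DECIMALS))


def profile(pings):
    """Return {device: {"home": cell, "work": cell}} using the most frequent
    night-time cell as home and the most frequent working-hours cell as work."""
    night, day = {}, {}
    for dev, ts, lat, lon in pings:
        hour = datetime.fromisoformat(ts).hour
        if hour in NIGHT_HOURS:
            night.setdefault(dev, Counter())[cell(lat, lon)] += 1
        elif hour in WORK_HOURS:
            day.setdefault(dev, Counter())[cell(lat, lon)] += 1
    profiles = {}
    for dev in set(night) | set(day):
        profiles[dev] = {
            "home": night[dev].most_common(1)[0][0] if dev in night else None,
            "work": day[dev].most_common(1)[0][0] if dev in day else None,
        }
    return profiles


def uniqueness(profiles):
    """For each device, how many devices in the dataset share its exact
    home/work pair. A value of 1 means the 'anonymous' ID is fully re-identifiable
    by anyone who can look up who lives at the home cell."""
    pairs = Counter((p["home"], p["work"]) for p in profiles.values())
    return {dev: pairs[(p["home"], p["work"])] for dev, p in profiles.items()}


if __name__ == "__main__":
    prof = profile(PINGS)
    for dev, p in prof.items():
        print(dev, "home", p["home"], "work", p["work"], "shared_by", uniqueness(prof)[dev])
```

Two devices sharing a workplace still end up with distinct home/work pairs, which is the whole problem: the pseudonym is only as anonymous as the least crowded cell it spends its nights in.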


Yes. The French newspaper Le Monde recently did a piece on how easy it was to find every move and the home address of sensitive people (elite special forces, nuclear submarine engineers, presidential bodyguards, etc.) by exploiting the free sample of a data broker.

They were stunned to see Le Monde's app appear as a source inside that Excel file because of SDKs in their app.


Should be obvious: lots of money in that. Corporations are amoral psychopaths.


Because capitalism would happily burn the world to ash if the capitalists thought it would make them richer. It makes them think they are winning at life.


I got bored so I decided to take another look at Roundcube :)


This was one of my most frustrating disclosures, feedback on the process is very welcome :)


Did you request an SSL certificate? Those are public, actors use those to scan any newly requested website for known vulnerabilities and other misconfigurations. I suspect you're just looking at standard internet noise :)


https://crt.sh is a nice site where you can see your domain's certificate transparency logs
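What the scanners mentioned above actually do is trivial to reproduce: query the CT log aggregator for a domain, pull every hostname out of the logged certificates, and put those hosts straight into a vulnerability scanner. The block below is an added example, not code from the thread; it builds the crt.sh JSON query URL and extracts hostnames from the response, and the response it parses is a constructed sample shaped like crt.sh's JSON output (an `id`/`name_value`/`not_before` record per logged certificate), so it runs offline. The fetch helper is only there to show the live call.

```python
"""Enumerate hostnames from certificate transparency via crt.sh.
The SAMPLE response is constructed for this example, not a real log fetch."""
import json
import urllib.request
from urllib.parse import quote


def crtsh_query_url(domain):
    """crt.sh's JSON endpoint; '%.' is an SQL-style wildcard matching every
    subdomain, so it must be percent-encoded as %25 in the query string."""
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def hostnames_from_crtsh(json_text, include_wildcards=False):
    """Return the sorted unique hostnames found in a crt.sh JSON response.
    Each entry's name_value holds the certificate's names, newline-separated."""
    hosts = set()
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name:
                continue
            if name.startswith("*.") and not include_wildcards:
                continue
            hosts.add(name)
    return sorted(hosts)


def fetch_hostnames(domain, timeout=20):
    """Live lookup (network access required). Not exercised offline."""
    req = urllib.request.Request(
        crtsh_query_url(domain), headers={"User-Agent": "ct-enum-example/1.0"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return hostnames_from_crtsh(resp.read().decode("utf-8"))


# Constructed sample, mirroring the shape of crt.sh's output for a domain
# with three logged certificates (one of them a wildcard).
SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "not_before": "2024-01-10T00:00:00",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.com", "not_before": "2024-02-02T00:00:00",
     "name_value": "staging.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "not_before": "2024-03-05T00:00:00",
     "name_value": "*.example.com\nmail.example.com"},
])

if __name__ == "__main__":
    print(crtsh_query_url("example.com"))
    print(hostnames_from_crtsh(SAMPLE))
```

The moment the ACME client finishes, `staging.example.com` is in a public log with a timestamp, which is why a fresh host with no DNS advertising and no links gets probed within minutes.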


As a matter of fact, I didn't.


Sonnet 4.6 and Opus 4.6 are still available here. Pro+ subscription.


Do you run a dedicated "AI SRE" instance for each customer or how do you ensure there is no potential for cross-contamination or data leakage across customers?

Basically how do you make sure your "AI SRE" does not deviate from its task and cause mayhem in the VM, or worse, exfiltrate secrets or do other nasty things? :)


We run a dedicated AI SRE for each instance with scoped creds for just their instance. OpenClaw by nature has security risks so we want to limit those as much as possible. We only provision integrations the user has explicitly configured.


I think the underlying point is valid. Agents are a potential tool to add to your arsenal in addition to "throw shit at the wall and see what sticks" tools like WebInspect, Appscan, Qualys, and Acunetix.


One approach (Claude Code) is to evolve it over time. Start small and run /insights often and use that to refine the CLAUDE.md as needed.

https://github.com/trailofbits/claude-code-config?tab=readme...


Thanks for this


Feel free to correct me, but the ML classifier appears to be rather bare. Less than 20 hardcoded payloads with randomized URL encoding as the only augmentation. How does this generalize to novel evasion techniques? Genuinely curious what your eval numbers look like against real traffic.

https://github.com/theghostshinobi/Shibuya-waf-light-version...


"The most advanced open-source WAF ever built."

Somehow, the moment I read this, I knew it was AI slop.


The website gave it away for me, felt very AI-generated

