<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: brianmcnulty</title><link>https://news.ycombinator.com/user?id=brianmcnulty</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Mon, 15 Jun 2026 06:58:18 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=brianmcnulty" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by brianmcnulty in "Claude Fable 5"]]></title><description><![CDATA[
<p>Why would you have ethics when you could get that IPO money instead?</p>
]]></description><pubDate>Tue, 09 Jun 2026 17:22:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=48464238</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48464238</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48464238</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Claude Fable 5"]]></title><description><![CDATA[
<p>I wonder how Claude Fable will live up to expectations and how good those Fable/Mythos classifiers really are. It seems a bit convenient for Anthropic to release this magical insane model when they are about to IPO.</p>
]]></description><pubDate>Tue, 09 Jun 2026 17:09:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48463998</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48463998</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48463998</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Apple reveals new AI architecture built around Google Gemini models"]]></title><description><![CDATA[
<p>That seems to conflict with the recent security blog that says they are using Google Cloud infra and NVIDIA GPUs with PCC now [0].<p>They are allowing it to run on Intel and NVIDIA and Google chips meeting certain requirements now too instead of just Apple silicon because they think they’re secure enough now, but I suspect this decision might have been pushed by the need for Siri to be useful.<p>I still definitely think it’s better than what every other company is trying to do (like running a variant of OpenClaw 24/7 forwarding data to Anthropic, OpenAI, Google, and every other provider they can support).<p>[0] <a href="https://security.apple.com/blog/expanding-pcc/" rel="nofollow">https://security.apple.com/blog/expanding-pcc/</a></p>
]]></description><pubDate>Tue, 09 Jun 2026 13:33:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48460936</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48460936</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48460936</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Apple reveals new AI architecture built around Google Gemini models"]]></title><description><![CDATA[
<p>They do this by allowing you to download all of the components (minus data cryptexes containing the model weights) and run it on your own Apple silicon chip (you can put your computer in recovery mode and use csrutil to enable research guest operating systems)<p>I think what is concerning is that they are expanding into Google Cloud and NVIDIA to run with it too with their versions of confidential compute, which if I remember correctly are not as well verified as Apple PCC and a little harder for researchers to get their hands on.<p>Apple uses a key ceremony process where no single party has access to all the keys required to sign hardware, meaning in theory they can’t just sign malicious hardware. However, I’m not sure how Google and NVIDIA play into this and I don’t think they’ve provided much detail on it. I think it seems a little rushed to get the features out since they fucked up with initial Apple Intelligence release.</p>
]]></description><pubDate>Tue, 09 Jun 2026 12:26:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=48460209</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48460209</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48460209</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Apple WWDC 2026"]]></title><description><![CDATA[
<p>No, it's more that those apps need to be able to make all of the tool calls Siri AI can make, which would allow third-party developers to collect data they shouldn't have access to.<p>App developers can already access the on-device foundational models through an API, but I don't think many developers want to do that because there are better models.</p>
]]></description><pubDate>Mon, 08 Jun 2026 19:20:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48450241</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48450241</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48450241</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Apple WWDC 2026"]]></title><description><![CDATA[
<p>I think it's because Apple would have to provide every competitor (including ones running off-device with no confidential compute) with the same level of access Siri AI would get, which poses a lot of security and privacy concerns Apple would never allow third-party developers to get access to even with a TCC consent prompt (like reading and sending iMessages).</p>
]]></description><pubDate>Mon, 08 Jun 2026 18:34:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=48449432</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48449432</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48449432</guid></item><item><title><![CDATA[Microsoft Scout: Your always-on personal agent]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.microsoft.com/en-us/microsoft-365/blog/2026/06/02/introducing-microsoft-scout-your-always-on-personal-agent/">https://www.microsoft.com/en-us/microsoft-365/blog/2026/06/02/introducing-microsoft-scout-your-always-on-personal-agent/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48390231">https://news.ycombinator.com/item?id=48390231</a></p>
<p>Points: 2</p>
<p># Comments: 1</p>
]]></description><pubDate>Wed, 03 Jun 2026 21:19:26 +0000</pubDate><link>https://www.microsoft.com/en-us/microsoft-365/blog/2026/06/02/introducing-microsoft-scout-your-always-on-personal-agent/</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48390231</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48390231</guid></item><item><title><![CDATA[New comment by brianmcnulty in "The newest Instagram “exploit” is the goofiest I've seen"]]></title><description><![CDATA[
<p>Yeah, it seems another ATO bug has popped up. I haven’t looked too much at it personally, but I hope Meta plans on taking their Meta AI Support Assistant offline until it undergoes far more rigorous security review.</p>
]]></description><pubDate>Tue, 02 Jun 2026 23:15:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=48377540</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48377540</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48377540</guid></item><item><title><![CDATA[New comment by brianmcnulty in "The newest Instagram “exploit” is the goofiest I've seen"]]></title><description><![CDATA[
<p>Not exactly, I think part of the tools it has access to allows it to perform an "investigation" into recent malicious activity and account changes that may have occurred that were likely unauthorized (such as changing from an email used for a long period of time to a new one). I think this AI-version of this check was originally broken and just allowed any email but has now been fixed to only be emails that look like they were attached to the account, which is what the poster used to obtain access back into their account.</p>
]]></description><pubDate>Tue, 02 Jun 2026 19:07:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=48374747</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48374747</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48374747</guid></item><item><title><![CDATA[New comment by brianmcnulty in "The newest Instagram “exploit” is the goofiest I've seen"]]></title><description><![CDATA[
<p>You should also assume the user can read any data you send back from a tool call or data you add to a user response. If any part of the input or output is controllable by an attacker, you should be assuming some prompt injection is possible that allows them to access all data and tool calls the agent had and has access to.</p>
]]></description><pubDate>Tue, 02 Jun 2026 12:00:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48369091</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48369091</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48369091</guid></item><item><title><![CDATA[New comment by brianmcnulty in "The newest Instagram “exploit” is the goofiest I've seen"]]></title><description><![CDATA[
<p>I do a lot of bug bounty research on Meta and Instagram, and some of the bugs I find look extremely simple like this but have some slightly complicated reason for why they occur. Maybe not this one, but I do have a guess as to what might have actually happened.<p>Based on what I've seen so far, Meta AI Support Assistant (they call it "MAISA") had tool calls that a) start an email verification to any specific email, phone number, or the contact points linked to an account and b) allow generating a password reset link for an account based on an email verification attempt. I don't think it had any access to the actual codes themselves, but rather think a handle or ID for an email verification attempt (along with the user provided verification code based on user input) was provided to the "generate reset password link" tool call, and the tool call failed to properly validate the actual email used in that attempt belonged to the account allowing the ATO.<p>The tool call for MAISA to generate a password reset link should have failed with an email verification attempt that corresponds to an email not linked to the account (and I believe I even tested this at one point on Facebook and encountered an error that successfully prevented it), but I suspect they tried making a change to this tool call for Instagram where slightly older, recently unlinked emails could be used to recover an account that got hijacked by an attacker, which added the need to allow emails not currently linked to the account to be used and set to the user's primary email.<p>I also suspect that the MAISA tool call change called a wrong API or something that unintentionally allowed <i>any</i> email verification attempt that was successful to be used, but the engineers did not add a sufficiently thorough e2e test case to test the tool call against unrelated email verification attempts being provided to the tool call. This is the part I think should be focused on the most. Tool calls for agents that have their output potentially influenced by an attacker should be treated like external APIs that anyone can reach, and they should be tested as such.<p>This is all obviously a guess, doesn't take into account the many signals they use to determine if an account recovery attempt is valid, and could be very inaccurate, but it's the closest to what I (someone who deals with Meta security a lot) think could have allowed this to happen.</p>
]]></description><pubDate>Mon, 01 Jun 2026 17:51:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48360249</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48360249</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48360249</guid></item><item><title><![CDATA[Investigation update: GitHub Enterprise Server signing key rotation]]></title><description><![CDATA[
<p>Article URL: <a href="https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/">https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48281027">https://news.ycombinator.com/item?id=48281027</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Tue, 26 May 2026 15:20:06 +0000</pubDate><link>https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48281027</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48281027</guid></item><item><title><![CDATA[Staged publishing and new install-time controls for npm]]></title><description><![CDATA[
<p>Article URL: <a href="https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npm/">https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npm/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48240679">https://news.ycombinator.com/item?id=48240679</a></p>
<p>Points: 61</p>
<p># Comments: 11</p>
]]></description><pubDate>Fri, 22 May 2026 19:49:57 +0000</pubDate><link>https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npm/</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48240679</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48240679</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Google published exploit code for an unfixed Chromium bug"]]></title><description><![CDATA[
<p>Based on what I can tell, this bug just allows a persistent service worker to run forever by downloading a large file and not letting it complete? Security impact is pretty limited (but definitely not none).<p>It can make requests but only with no CORS, which could be useful for accessing some weakly secured HTTP resources behind a corporate VPN or something (in the same way any other site can but over a much longer period). It could also potentially be used for tracking user IP address activity, crypto mining, building a botnet, etc.</p>
]]></description><pubDate>Wed, 20 May 2026 22:04:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48214846</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48214846</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48214846</guid></item><item><title><![CDATA[Meta AI introduces private confidential-compute backed Incognito Chats]]></title><description><![CDATA[
<p>Article URL: <a href="https://about.fb.com/news/2026/05/incognito-chat-whatsapp-meta-ai/">https://about.fb.com/news/2026/05/incognito-chat-whatsapp-meta-ai/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48123027">https://news.ycombinator.com/item?id=48123027</a></p>
<p>Points: 4</p>
<p># Comments: 0</p>
]]></description><pubDate>Wed, 13 May 2026 15:14:30 +0000</pubDate><link>https://about.fb.com/news/2026/05/incognito-chat-whatsapp-meta-ai/</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48123027</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48123027</guid></item><item><title><![CDATA[Claude Code RCE: Exploiting Deeplink Handlers via Settings Injection]]></title><description><![CDATA[
<p>Article URL: <a href="https://0day.click/recipe/2026-05-12-cc-rce/">https://0day.click/recipe/2026-05-12-cc-rce/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48107213">https://news.ycombinator.com/item?id=48107213</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Tue, 12 May 2026 12:20:51 +0000</pubDate><link>https://0day.click/recipe/2026-05-12-cc-rce/</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=48107213</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48107213</guid></item><item><title><![CDATA[New comment by brianmcnulty in "GitHub RCE Vulnerability: CVE-2026-3854 Breakdown"]]></title><description><![CDATA[
<p>I assume a fair amount of these on-prem customers restrict access to their GHES instance to be behind corporate VPN or something similar and are planning a date to upgrade their instance that won't affect operations.<p>Any public instance should update immediately though; it's not very hard to put together how to repro the vulnerability on your own from what they provide in the article and the fact that GitHub Enterprise source is publicly available.</p>
]]></description><pubDate>Tue, 28 Apr 2026 18:45:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=47938729</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=47938729</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47938729</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Remote Code Execution on Github with a single Git push"]]></title><description><![CDATA[
<p>The tweet is confusing and makes it sound like the RCE was as simple as `git push -o "x;`whatever command`"`, but there are a few more things they have to specify that they mention in their blog post: <a href="https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854" rel="nofollow">https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...</a><p>It doesn't look like it's very hard to reproduce or find the bug now (especially with the details they mention in their blog post) but I assume they did not want to publish the actual command line. It looks like it affected both GitHub.com and GitHub Enterprise, and it does look like it literally took one git push command.</p>
]]></description><pubDate>Tue, 28 Apr 2026 17:40:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47937805</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=47937805</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47937805</guid></item><item><title><![CDATA[New comment by brianmcnulty in "Vercel April 2026 security incident"]]></title><description><![CDATA[
<p>It's interesting that Next is becoming so popular when LLMs supposedly have a capability to work with all these other frameworks that don't create a dependency on something like Vercel.</p>
]]></description><pubDate>Mon, 20 Apr 2026 15:46:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47836000</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=47836000</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47836000</guid></item><item><title><![CDATA[New comment by brianmcnulty in "JSON formatter Chrome plugin now closed and injecting adware"]]></title><description><![CDATA[
<p>I heard that JWTs are 5x the price of JSON tokens but only 3x if you have JSON ForULTRA+ (new) (for work or school).</p>
]]></description><pubDate>Fri, 10 Apr 2026 20:16:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=47723144</link><dc:creator>brianmcnulty</dc:creator><comments>https://news.ycombinator.com/item?id=47723144</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47723144</guid></item></channel></rss>