@cremieuxrecueil “the company” doesn’t own the eggs; they are essentially an agency matching donors with intended parents.
source: me. i did this in 2024. happy to have helped a family have a kid. only regret is freezing eggs instead of embryos.
@WeizmanGal > The problem was that MaxAI’s content-script made the mistake of accepting such sensitive messages even when they were coming from the webpage
why did it have a message handler for external page messages in the first place
Developers from Signal (including its protocol's co-creator) along with Microsoft and Harvard unveil Encrypted Spaces, an open-source codebase for a new generation of private collaboration apps. Think Slack, Discord, Google Docs, all end-to-end encrypted. https://t.co/t93oHWn4C3
haha this reminds me that at one point during internal testing of Brave's AI agent (Leo), it refused to execute Step 3 on a todo list when Steps 1 and 2 were black text and Step 3 was white text (therefore invisible). but it got tricked into executing it when Steps 1 and 2 were red and blue, i guess because it thought Step 3 was trying to be patriotic instead of deceptive.
Indirect prompt injection is a fundamental security challenge for AI. It's an issue for both local and cloud-based LLMs.
After disclosing our findings to both companies, we're now sharing our analysis of Mozilla Tabstack and Cotypist today.
Today we launched the community-requested Brave Origin: an optional, paid version of our browser that offers Brave's leading privacy protections and ad blocker without its extra features.
Origin is live now on desktop and Android, and coming soon to iOS: https://t.co/bMnPcRUzgN
in light of the tragic news that a 2-year-old died at a licensed SF daycare earlier this month, i made a site to show childcare license violations and complaints in the Bay Area: https://t.co/18BpLBpnJy
* the data is public at https://t.co/qnyRc7A9zU but i found that site hard to use
* PRs welcome https://t.co/lQOeazjIXV
* i am aware this does not show small home daycares; working on that
* very grateful to Claude for making this a sunday project instead of a multi-week one
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
wow it turns out that some of those AI slop reports that every bug bounty program is now flooded with are from security companies trying to get free training input
@Bugcrowd please name them!
https://t.co/U0DWN6opUb
AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks.
We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger.
Here's how it works: First, they register a domain and create a Google account for 'me@domain'. The domain isn't that important but it helps if it looks like some kind of infra. The choice of 'me' for the username is clever, as you'll see in a minute.