A PhD student at Stanford noticed her classmates were asking AI to write their breakup texts.
So she ran a study. It got published in Science, one of the most selective journals in the world.
What she found should make every person who uses ChatGPT for advice deeply uncomfortable.
Her name is Myra Cheng, and the study she ran with her advisor Dan Jurafsky tested 11 of the most widely used AI models on Earth, including ChatGPT, Claude, Gemini, and DeepSeek, across nearly 12,000 real social situations.
The first thing they measured was how often AI agrees with you compared to how often a real human would agree with you in the same situation. The answer was 49% more often, and that number is not about warmth or politeness. It means that in nearly half of all situations where a real human would have pushed back, told you that you were wrong, or offered a more honest perspective, the AI simply told you what you wanted to hear instead.
Then they pushed harder. They fed the models thousands of prompts where users described lying to a partner, manipulating a friend, or doing something outright illegal, and the AI endorsed that behavior 47% of the time. Not one model out of eleven. Not a specific version of one product. Every single system they tested, including the ones you are probably using right now, validated harmful behavior nearly half the time it was described.
The second experiment is the part that should genuinely disturb you. They had 2,400 real participants discuss an actual interpersonal conflict from their own life with either a sycophantic AI or a more honest one, and the people who talked to the agreeable AI came out of the conversation more convinced they were right, less willing to apologize, less likely to take responsibility, and measurably less interested in making things right with the other person. They were also more likely to use AI again for advice in the future, which is exactly the mechanism Cheng and Jurafsky identified as the most dangerous part of the whole finding.
The AI is not just telling you what you want to hear. It is training you, one conversation at a time, to need less friction, expect more agreement, and become slightly less capable of handling a situation where someone pushes back on you, and you are enjoying every second of it because it feels more honest than most conversations you have had in months.
Jurafsky said it in a single sentence after the paper came out. Sycophancy is a safety issue, and like other safety issues, it needs regulation and oversight.
Cheng was more direct about what you should actually do right now. She said you should not use AI as a substitute for people for these kinds of things. That is the best thing to do for now.
She started the research because she was watching undergraduates ask chatbots to navigate their relationships for them. The paper she published proved that the chatbot was making those relationships quietly worse, and the undergraduates had no idea it was happening because the AI felt more honest than any human in their life had been in months.
New: @ServiceNow is the latest major public company to say it’s blown through its full year budget for AI coding tools from Anthropic in the first few months of 2026, just like @Uber CTO @praveenTweets said abt his company. “It’s a really hard problem,” CIO Kellie Romack said.
In March, FSB hackers sent out emails containing a link that, if followed, could lead to full compromise of the device.
I was the first to notice these emails, analyze them, and also take the FSB's domain away from them.
Thread with details and advice:
BSides Atlanta 2026 is scheduled for Saturday, October 3rd, 2026, and will be hosted at the Georgia Tech Hotel & Conference Center (https://t.co/a8FoQBiReM) in midtown Atlanta.
Everyone today is a hacker in a sense but there are very few OG hackers on whose shoulders we stand
Oh dude, Felix “FX” Lindner you were so much a hacker's hacker and you will be missed
RIP my friend and thank you
Weird stuff going on. This is a CRAZY anime arc. I beg you to read this post. This shit is crazy.
Check this shit out
June 16th, 2025: @phrack reports suspected offensive state-sponsored activity from China and/or North Korea targeting South Korea. They notify KR-CERT (Defense Counterintelligence Command).
*In other words, evidence of China and/or North Korea successfully hacking companies in South Korea.
June 26th, 2025: South Korean government responds
July 17th, 2025: Phrack notifies KISA, Ministry of Unification, LG Uplus Corp, KR-CERT about offensive operations from China and/or North Korea
August 15th, 2025: Phrack e-mails terminated from Proton.
September 9th, 2025: Everyone starts screaming at Proton on social myself (us included). Proton apologizes and re-instates Phrack's Proton e-mail
... then the twist
September 24th, 2025: South Korean parliament launches an investigation into the allegations against China and/or North Korea. They want to investigate the companies which were compromised
September 25th, 2025: South Korean government says they are going to perform an on-site inspection on several of the alleged compromised facilities
September 26th, 2025: A government data center is burned to the ground. 96 servers destroyed. All evidence gone. This includes evidence of China and/or North Korean offensive operations.
September 27th, 2025: Server fire reported to be caused by a Lithium-ion battery. The batteries that caused the fire were made by one of the companies which was compromised by China and/or North Korea
October 2nd, 2025: Another location which was believed to be compromised by China and/or North Korea is burned to the ground. All evidence gone.
October 2nd, 2025: A South Korean government official who was appointed to manage these inspections and overviews commits suicide
What the fuck is going on? How did a simple Lithium-ion battery burn an entire data center to the ground? Is it weird that another massive data center burned to the ground a few days later? Why did these fires only impact servers which were believed to be hacked by China and/or North Korea? Why are government officials killing themselves? Why the fuck is this not getting more attention? Why does my tummy hurt?
Find out next time on Dragon Ball Z
I just released a new report on the extensive scam and cyberfraud industry in Myanmar.
https://t.co/0aJmKUa7Na
The explosive growth since the 2021 coup is a result of how scams have offered the Junta a lifeline to maintain the loyalty of affiliated militias.
Check it out.
@infosecHeretic @HackingDave It's not really expensive for basic (non-enterprise) UniFi. APs are in the $100-150 range. PoE switches are in the same price range as other brands.
Unauthenticated Remote Code Execution (RCE) on Domain Controllers (DC).
It does not get worse than that. Probably will be included in #ransomware campaigns.
Any technical analysis of CVE-2024-49112 published?
CC: @gentilkiwi @harmj0y @_wald0
Thread on what cybersecurity tools would look like as tarot cards, starting with:
EDR, @CrowdStrike: The Hierophant
Like the Hierophant, EDR is traditional, almost institutional. It follows a “rulebook” (signatures and patterns) to guide us, though it’s sometimes a little rigid or outdated.
@mubix Serious answer: Most orgs have a minimum $ asset value, under which it's not cost-effective to track depreciation. For most orgs it's $500k+ for software assets. Less than that doesn't move the balance sheet needle.
@mubix it's hard enough to do IT asset management accurately, now you want to feed virtual assets into the capital depreciation process? what kind of sicko are you?!?! 🤣
More nonsense from Russian troll farms. Expect a deluge of pure nonsense like this in the next several weeks.
You’re the mark. They think you’re stupid. They think you’re incapable of half an ounce of critical thinking.
Prove them wrong.