#swsec

2026-03-14

A complete Silver Bullet archive (with episodes starting twenty years ago in 2006) can be found on my website.

#swsec #appsec #MLsec

garymcgraw.com/technology/silv

2026-03-14

The Silver Bullet Security Podcast rides again. Our first relaunch episode (episode 154 for those of you counting) can be found on the BIML website.

#MLsec #swsec #appsec #ML #AI

Future episodes are already planned with Giovanni Vigna, Phil Venables, and Nicolas Papernot.

Tune in and subscribe.

berryvilleiml.com/podcast/

2026-03-14

This is bad security engineering, but it is also a much harder problem to solve than most people realize. #swsec

theguardian.com/environment/20

2026-03-12

#AI is having a big impact on software development. Is this good or bad from #swsec? Nobody knows.

theguardian.com/technology/202

2026-03-09

It is both rewarding and daunting to be mentioned in this work along with Ken Thompson and Ross Anderson. Lots of ideas expressed in this essay are right on the money.

Have a read. Pass it on.

#MLsec #ML #swsec #appsec #security #infosec

medium.com/@maconstantino/trus

2026-03-06

Maybe the answer is "building security in" instead of "penetrate and patch," huh @gadi ?

#swsec #MLsec #appsec

wsj.com/tech/ai/send-us-more-a

2026-03-04

#ML and #AI deeply impacting time to exploit. The zero day clock shows this.

This is #security impacted by ML...not #MLsec

Guess we should have learned those lessons from #swsec 25 years ago

zerodayclock.com/

2026-03-04

@david_chisnall absolutely excellent third paragraph.

Writing software requires great clarity in either requirements or design or (the gods willing) both. AI dev tools appear to work properly only when architecture is clear and built by a human. Formally verified bad design is still bad design.

Security is an emergent system property that is difficult to specify formally without absurd logical contortions.

Go

#swsec #appsec #MLsec #security #dev

2026-03-02

The Silver Bullet Security Podcast is back! Episode 154 is an interview with Gadi Evron. Have a listen and subscribe to the series.

#MLsec #ML #AI #security #swsec #appsec

berryvilleiml.com/2026/03/02/s

2026-02-15

@baldur the only answer is to try to be one of the authorities. This is why in 2006 there were three "popes" in #swsec. At least I had my own pope hat.

2026-02-11

Proud to have assembled and chaired the Irius Risk Technical Advisory Board. Irius Risk was bought by ThreatModeler in December. The TAB was a particularly potent group of advisors.

#swsec #appsec #threatmodeling

theoutpost.ai/news-story/threa

2026-01-21

Just got a briefing on how OpenAI develops and secures code internally using Codex5.1. Also got another briefing on the ONE MLsec-ssg that any of us have ever seen in a major enterprise.

The world is changing.

#MLsec #swsec #appsec #AI #ML

2026-01-21

Talking about VIBEguard and the emerging "SLOPopcalypse" in software dev during the LEGIT Technical Advisory Board.

#appsec #swsec

2025-12-07

@nuthatch there is also a book in my #swsec series about this a.co/d/f5OTVe9

2025-12-06

Two things. #AI #ML

1. Not only did Anthropic use seven of my books in their training set, ignoring copyright ownership. Horrors!

2. They did not access the most important books, thus putting together a statistically-incorrect version of my thinking about #swsec Double Horrors!

What happens to #MLsec when training sets are philosophically skewed?

berryvilleiml.com/2025/12/05/t

2025-12-01

Twenty years ago, we published this paper about software security BUGS. Brian Chess and I attempted to introduce a logical taxonomy for vulnerability. Later, mitre fucked it all up by pouring all the bugs into the same huge pot, adding water, and calling it soup. @peisert @Securityandprivacy

garymcgraw.com/wp-content/uplo

#swsec #appsec

Elias B. Sørensen (elias_sorensen)
2025-11-24

Here we go again npm: koi.ai/incident/live-updates-s. This time the malware will attempt to delete the victim's home directory if unable to obtain credentials.

Don't know many details yet. I guess it's not unfair to assume that the attackers are still utilizing something like the post-scripts aka rce-as-a-service functionality. Mitigate by setting `npm config set ignore-scripts true`. As other actions, freeze updates and get on top of your package tree.
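An added example, not part of the original post: one way to "get on top of your package tree" is to list which locked dependencies npm has recorded as having install-time scripts, and to confirm that the `ignore-scripts` setting is present in `.npmrc`. The lockfile and `.npmrc` contents below are constructed samples, and the function names are hypothetical.

```javascript
// Constructed sample in the package-lock.json v3 layout (package names are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/native-thing": { version: "4.0.2", hasInstallScript: true },
    "node_modules/left-helper/node_modules/@acme/build-tool":
      { version: "0.9.1", hasInstallScript: true, dev: true },
  },
};

// Constructed .npmrc text; `npm config set ignore-scripts true` writes this key.
const sampleNpmrc = "registry=https://registry.npmjs.org/\nignore-scripts=true\n";

// List every locked dependency that npm recorded as having install-time scripts.
function packagesWithInstallScripts(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2 or 3 file with a 'packages' map");
  }
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => ({
      // Name is whatever follows the last "node_modules/" (keeps @scope/name intact).
      name: path.includes(marker) ? path.slice(path.lastIndexOf(marker) + marker.length) : path,
      version: meta.version,
      path,
      dev: meta.dev === true,
    }))
    .sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// True only if the last effective ignore-scripts line in the .npmrc text is "true".
function ignoreScriptsEnabled(npmrcText) {
  let enabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const [key, ...rest] = line.split("=");
    if (key.trim() !== "ignore-scripts") continue;
    enabled = rest.join("=").trim().toLowerCase() === "true";
  }
  return enabled;
}

const flagged = packagesWithInstallScripts(sampleLock);
console.log(`ignore-scripts enabled: ${ignoreScriptsEnabled(sampleNpmrc)}`);
for (const p of flagged) console.log(`${p.name}@${p.version}${p.dev ? " (dev)" : ""}`);
```

To run it against a real project, pass the parsed contents of `package-lock.json` and the text of the relevant `.npmrc` instead of the samples.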

2025-11-23

@windsheep this is exactly right on the money. Architectural view and understanding matters very deeply.

Coding a 10,000 line thing "automatically" is amazeballs but it does not reflect (at all) the scale or the architectural complexity of modern software. We are painting ourselves into an enormous maintenance problem corner.

#swsec #MLsec

2025-11-14

@nytimes @cademetz BIML has extremely deep expertise in both #ML (Katie did shazam, Harold wrote early birdnet, I wrote my first neural net in 1989 and was a Doug Hofstadter PhD student.) and security engineering (I helped invent #swsec and #appsec, richie published at usenix security as an undergrad). The combination is all too rare.

The world needs more hard core #MLsec
