
>i quickly realised that this was the server-side serverless (lol) environment of their main documentation app, while this calls to an external api to do everything, we have the token it calls it with in the env.

>alongside, we can poison the nextjs cache for everyone for any site, allowing mass xss, defacing, etc on any docs site.


So it's a serverside bug that basically creates a more-severe stored DOM corruption vulnerability? Yeah, that's not worth anything to any buyer of vulnerabilities that I know exists. Maybe you know ones that I don't know.

I can’t speak to the value of the vulnerability as I lack the universal Rolodex of Every Exploit Buyer that is apparently available (nor am I interested in debating this with somebody that admitted they didn’t know anything about the vulnerability, declared it worthless anyway, and then moved the goalposts after a core assumption about it was trivially shown to be wrong. I’m fairly certain at this point these kids could recreate the end of the movie Antitrust and there’d be a thread somewhere with tptacek posting “This isn’t that big of a deal because”).

I just saw that you asked if the article about the server-side exploit was about a server-side exploit. It is. It’s right there in the post.


Can I ask which exploit buyers you are aware of? None of us know all of them! It'll be easier to discuss this with a specific buyer in mind.

>The organization that recently released the report alleging the contrary is the same one that released that report earlier this year claiming that if you say “Christ is King” then you’re a white supremacist.

No, Rutgers University did not publish a report that says “if you say ‘Christ is King’ then you’re a white supremacist”. You can read about it here, it’s only 20 pages and well-sourced.

https://networkcontagion.us/reports/3-13-25-thy-name-in-vain...


Even if they said that, why would it be dismissed casually? There may be good justification to associate the two. It’s clear the phrase has flooded X this year alongside a lot of supremacist stuff.

>On iOS, Safari is simple and sufficient, but I would prefer UBO there, however we all know Apple will never allow extensions for Safari.

fwiw Safari on iOS does allow some extensions and uBlock Origin Lite is free in the iOS App Store.


uBlock Origin Lite is the knee-capped version that is also available in Chrome. I haven't tried it, but it is technically not able to block all ads.

I’ve found Wipr 2.0 has been able to block all ads (even YouTube) but it’s unable to hide itself so there are sites that block my ability to read them.

Yep. It’s not great but it’s not terrible. Hopefully Apple expands Safari extension support in the future

Works much better than I thought it would. It's rather rare when I see an ad in Chrome.

What do you mean by “better” in this context?

It synthesizes a more comprehensive report, using more sources, more varied sources, more data, and broader insights than a human analyst can produce in 1-2 days of research and writing.

I'm not confused about this. If you don't agree, I will assume it's probably because you've never employed a human to do similar work in the past. Because it's not particularly close. It's night and day. *Note that I'm not saying 20 minutes of deep research beats 9 months of investigative journalism with private interviews with primary sources or anything like that. I'm talking about asking an analyst on your team to do a deep dive into XYZ and have something on your desk tomorrow EOD.


Weird, I'm an attorney and no one is getting rid of associates in order to have LLMs do the research, no less so when they actually hallucinate sources (something associates won't do). I can't imagine that being significantly different in other domains.

> I can't imagine that being significantly different in other domains.

It’s not. There is no industry where AI performs “better” than humans reliably without torturing the meaning of the word (for example, OP says AI is better at analysis iff the act of analysis does not include any form of communication to find or clarify information from primary sources)


> It synthesizes a more comprehensive report, using more sources, more varied sources, more data, and broader insights than a human analyst can produce in 1-2 days of research and writing.

> Note that I'm not saying 20 minutes of deep research beats 9 months of investigative journalism with private interviews with primary sources or anything like that.

I like the idea that AI is objectively better at doing analysis if you simply assume that it takes a person nine months to make a phone call


It has more words put together in seemingly correct sentences, so it's long enough his boss won't actually read it to proof it.

I just never used Pocket. I don’t think I had to change my habits or settings to do so.

Sure, living with the nuisance of the advertising and UI clutter is an option, as I said. But the fact that they were relatively minor nuisances compared to e.g. Windows 11's BS doesn't change the fact that they were still unwelcome and unnecessary and disrespectful.

I don't think there's anything radical about my stance that a new toolbar button showing up—with advertising calling attention to it—integrating a proprietary service into my open-source browser is inappropriate behavior on Mozilla's part.


I found it unnecessary and annoying, but there was a toggle for it in the settings, it wasn't even hard to find.

> Sure, living with the nuisance of the advertising and UI clutter is an option

    about:config<enter>
    extensions.pocket.enabled
set to `false`.

That's how hard that used to be.


Anything requiring messing with about:config is an unreasonable way to treat non-technical users. And the point I've already made that you're ignoring is that the complexity of the workaround is not the problem—the necessity of taking action to disable Pocket is what was most concerning about what Mozilla did.

I simply removed it from the toolbar, same as I did with the Firefox sync icon. Out of sight, out of mind. Granted, they were much more pushy about other features and services. Much less pushy than other vendors and it was, in some respects, understandable. (How do you convince people your product is relevant if they think it does less than the competition because they aren't aware of what's there?)

I found no value in Pocket and it was annoying to have to disable it once per machine but you didn't have to "live with it" as claimed. That's just ridiculously overdramatic.

> I'm confused, does it actually generate environments from photographs?

It’s a website that collects people’s email addresses



> I wouldn't magically become bisexual.

Of course not. This is a sci-fi story, so you wouldn’t magically become bisexual, you would scientifically become bisexual. The flavor and style of bisexual that you become, however, would be pretty different from and less troublesome than what irks you in the 21st century by the simple fact of a completely different set of societal mores having been in place long before your birth (i.e. your bisexuality would not be thrust upon you, your bisexuality would be what you were born and grew up with).


I can’t speak for majormajor but I thought the language was kind of funny. “The problem is an ecosystem that allows packages to run arbitrary code silently” is an odd statement because for many people that’s kind of what a package manager does.

I like your point that doctors prescribe things that are necessary to patients, alcohol is one of those things, and there are clear and well-understood examples of when it is medically necessary for a doctor to prescribe and administer alcohol to a patient.
