proof of saffron

Oct. 10th, 2025 10:43 pm
[personal profile] kaberett

Another nine strands today. :)

a saffron crocus in flower, petals somewhat chewed

(Photo actually from Wednesday 8th, of the first one!)

unTeamly

Oct. 10th, 2025 04:09 pm
[personal profile] cosmolinguist

Literally two days' worth of my last three work days has been taken up with Teams meetings.

I counted it up: when my last one for the day finally finished a little after 4, it was literally one hour short of two full days.

Several of these meetings I had to chair, many others I had to meaningfully contribute to; there was at most one where I got to be room meat.

I am so tired.

I'm allegedly working for another hour but am hoping that I can hide from work for that long.

[syndicated profile] smbc_comics_feed

Posted by Zach Weinersmith




Hovertext:
We must not let the modern world take the fun out of toxic nationalism jokes.


[syndicated profile] dinosaur_comics_feed

October 10th, 2025: Butter tarts! A "characteristic pastry of Canada" that is "highly regarded in Canadian cuisine." And yes, THIS ONE IS INSPIRED BY REAL LIFE. The raspberry/coconut tart at The Maid's Cottage in Newmarket was so good, so much better than any butter tart I'd ever had, that they made me mad. Me! Famously even-keeled internet guy Ryan "Famously, Even-Keeled" North!!

– Ryan

[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

AI agents are now hacking computers. They’re getting better at all phases of cyberattacks, faster than most of us expected. They can chain together different aspects of a cyber operation, and hack autonomously, at computer speeds and scale. This is going to change everything.

Over the summer, hackers proved the concept, industry institutionalized it, and criminals operationalized it. In June, AI company XBOW took the top spot on HackerOne’s US leaderboard after submitting over 1,000 new vulnerabilities in just a few months. In August, the seven teams competing in DARPA’s AI Cyber Challenge collectively found 54 new vulnerabilities in a target system, in four hours (of compute). Also in August, Google announced that its Big Sleep AI found dozens of new vulnerabilities in open-source projects.

It gets worse. In July Ukraine’s CERT discovered a piece of Russian malware that used an LLM to automate the cyberattack process, generating both system reconnaissance and data theft commands in real-time. In August, Anthropic reported that they disrupted a threat actor that used Claude, Anthropic’s AI model, to automate the entire cyberattack process. It was an impressive use of the AI, which performed network reconnaissance, penetrated networks, and harvested victims’ credentials. The AI was able to figure out which data to steal, how much money to extort out of the victims, and how to best write extortion emails.

Another hacker used Claude to create and market his own ransomware, complete with “advanced evasion capabilities, encryption, and anti-recovery mechanisms.” And in September, Checkpoint reported on hackers using HexStrike-AI to create autonomous agents that can scan, exploit, and persist inside target networks. Also in September, a research team showed how they can quickly and easily reproduce hundreds of vulnerabilities from public information. These tools are increasingly free for anyone to use. Villager, a recently released AI pentesting tool from Chinese company Cyberspike, uses the Deepseek model to completely automate attack chains.

This is all well beyond AI’s capabilities in 2016, at DARPA’s Cyber Grand Challenge. The annual Chinese AI hacking challenge, Robot Hacking Games, might be on this level, but little is known outside of China.

Tipping point on the horizon

AI agents now rival and sometimes surpass even elite human hackers in sophistication. They automate operations at machine speed and global scale. The scope of their capabilities allows these AI agents to completely automate a criminal’s command to maximize profit, or structure advanced attacks to a government’s precise specifications, such as to avoid detection.

In this future, attack capabilities could accelerate beyond our individual and collective capability to handle. We have long taken it for granted that we have time to patch systems after vulnerabilities become known, or that withholding vulnerability details prevents attackers from exploiting them. This is no longer the case.

The cyberattack/cyberdefense balance has long skewed towards the attackers; these developments threaten to tip the scales completely. We’re potentially looking at a singularity event for cyber attackers. Key parts of the attack chain are becoming automated and integrated: persistence, obfuscation, command-and-control, and endpoint evasion. Vulnerability research could potentially be carried out during operations instead of months in advance.

The most skilled will likely retain an edge for now. But AI agents don’t have to be better at a human task in order to be useful. They just have to excel in one of four dimensions: speed, scale, scope, or sophistication. But there is every indication that they will eventually excel at all four. By reducing the skill, cost, and time required to find and exploit flaws, AI can turn rare expertise into commodity capabilities and give average criminals an outsized advantage.

The AI-assisted evolution of cyberdefense

AI technologies can benefit defenders as well. We don’t know how the different technologies of cyber-offense and cyber-defense will be amenable to AI enhancement, but we can extrapolate a possible series of overlapping developments.

Phase One: The Transformation of the Vulnerability Researcher. AI-based hacking benefits defenders as well as attackers. In this scenario, AI empowers defenders to do more. It simplifies capabilities, providing far more people the ability to perform previously complex tasks, and empowers researchers previously busy with these tasks to accelerate or move beyond them, freeing time to work on problems that require human creativity. History suggests a pattern. Reverse engineering was a laborious manual process until tools such as IDA Pro made the capability available to many. AI vulnerability discovery could follow a similar trajectory, evolving through scriptable interfaces, automated workflows, and automated research before reaching broad accessibility.

Phase Two: The Emergence of VulnOps. Between research breakthroughs and enterprise adoption, a new discipline might emerge: VulnOps. Large research teams are already building operational pipelines around their tooling. Their evolution could mirror how DevOps professionalized software delivery. In this scenario, specialized research tools become developer products. These products may emerge as a SaaS platform, or some internal operational framework, or something entirely different. Think of it as AI-assisted vulnerability research available to everyone, at scale, repeatable, and integrated into enterprise operations.

Phase Three: The Disruption of the Enterprise Software Model. If enterprises adopt AI-powered security the way they adopted continuous integration/continuous delivery (CI/CD), several paths open up. AI vulnerability discovery could become a built-in stage in delivery pipelines. We can envision a world where AI vulnerability discovery becomes an integral part of the software development process, where vulnerabilities are automatically patched even before reaching production—a shift we might call continuous discovery/continuous repair (CD/CR). Third-party risk management (TPRM) offers a natural adoption route, lower-risk vendor testing, integration into procurement and certification gates, and a proving ground before wider rollout.

Phase Four: The Self-Healing Network. If organizations can independently discover and patch vulnerabilities in running software, they will not have to wait for vendors to issue fixes. Building in-house research teams is costly, but AI agents could perform such discovery and generate patches for many kinds of code, including third-party and vendor products. Organizations may develop independent capabilities that create and deploy third-party patches on vendor timelines, extending the current trend of independent open-source patching. This would increase security, but having customers patch software without vendor approval raises questions about patch correctness, compatibility, liability, right-to-repair, and long-term vendor relationships.

These are all speculations. Maybe AI-enhanced cyberattacks won’t evolve the ways we fear. Maybe AI-enhanced cyberdefense will give us capabilities we can’t yet anticipate. What will surprise us most might not be the paths we can see, but the ones we can’t imagine yet.

This essay was written with Heather Adkins and Gadi Evron, and originally appeared in CSO.

Life with two parents: Just about

Oct. 10th, 2025 08:51 am
[personal profile] andrewducker
My mum had a heart attack yesterday afternoon, followed by an angioplasty.

She was sitting up in bed and drinking coffee by 9pm last night, and seems to be fine now. They're keeping her in until Monday to make sure, but panic over.

Turns out that an angioplasty is nowadays an outpatient operation under local anaesthetic, with over 97% success rate. Modern medicine is awesome. And thank fuck for the NHS!
[syndicated profile] tim_harford_feed

Posted by Tim Harford

When the Financial Times uncovered the billion-dollar Wirecard fraud, it seemed like the story was over. But then the company’s Chief Operating Officer, Jan Marsalek, vanished – leaving behind clues that pointed to a double life as a secret agent. 

In his new podcast Hot Money: Agent of Chaos, FT journalist Sam Jones follows Marsalek’s trail through a globe-spanning world of spies, secrets, and corruption. Sam joins Tim to take him behind the scenes of the hunt for Marsalek, share his insights on the future of Russian espionage, and explore what modern spy stories tell us about ourselves. 

Please check out our new Cautionary Club and consider joining for bonus episodes, ad-free listening, monthly video conversations and our behind-the-scenes newsletter.


[personal profile] cosmolinguist

I had a long day, full of meetings and people talking too much. The last was a focus group that went on too long because of one person talking too much and not following the very specifically stated brief: I said we're here to give recommendations to decision-makers and service providers, and this guy did what he always does, which is "here's how I get around that by being Resilient and taking individual responsibility for this systemic problem!" Cool story, bro.

After a day like that, with an ending like that, it was very sweet to get a message from my favorite person on my favorite team (mine). Our manager has asked her to work with me on the latest report, so this morning I asked if we could arrange a meeting and it'll be tomorrow morning. So at the very end of the day today, she sends me this:

Hi, this is just a message to tell you that I have reread [the last report, 2 of 3]. I now have an overwhelming urge to tell you that you are such a smart cookie. The report is brilliant and incredibly comprehensive. I'm quite intimidated in supporting you with [report 3 of 3]. Anyway this is me belatedly telling you that you are an awesome [our job title] and maybe you could eat a celebratory chocolate biscuit and pat yourself on the back.

A few sentences like that go a long way!

[food] ... cursed

Oct. 9th, 2025 10:07 pm
[personal profile] kaberett

You know the way I just said -- I just said -- that I had worked out how to make wagamama's current menu yield something I was actively enthusiastic about eating?

WELL GUESS WHAT. THIRD TIME UNLUCKY.

I had really not expected the pad thai to vanish in a menu overhaul, okay, what on EARTH.

(So we came home and ate butternut squash & quince stew instead, and maybe by the next time it is Ritual Wagamama O'Clock I'll have resigned myself to eating something that isn't The Thing I Just Worked Out.)

[syndicated profile] tim_harford_feed

Posted by Tim Harford

At a time when we’re all blaming digital devices for ruining our attention spans, our children’s mental health and even the future of democracy itself, let’s give credit where it’s due: my cheap fitness watch has changed my life.

Three and a half years ago I started running at my local Parkrun, taking more than half an hour to limp around the 5k course for the first few weeks. After a few months of consistently showing up I made the kind of progress one might expect. But when I bought an entry-level runner’s watch, things really started to change.

Urged on by the watch, I began training several times a week and lengthening the runs to 10k, 10 miles and beyond. My wife got the bug — and her own watch. Our daughter described us as “running mad”. You be the judge: mad or not, I’m running the London Marathon in April next year. As a stubborn non-runner for the first 49 years of my life, there’s no way I’d have signed up for that sort of insanity without the watch.

These fitness trackers are not without their downsides, and I’ve become fascinated by the way they’re a microcosm of our increasingly quantified lives. The most obvious objection is that they are a privacy nightmare. They track our location and make sharing it easy and tempting. Stanislav Rzhitsky, a Russian submarine commander, was assassinated while going for a run in his local park; he was in the habit of posting his running routine on Strava. In the US, a man was convicted of murdering his wife after her Fitbit data contradicted his account of events.

And it is not just location: Carissa Véliz, the author of Privacy is Power, warns that with the right technology, heartbeat data can be as distinctive as a fingerprint. It’s unclear how much is already up there in the cloud, waiting to be abused by someone or other.

Fitness watch manufacturers would rather focus on these trackers as tools for performance. Even in this respect, there is a mixed picture. Like any good performance metric, my watch provides me with structure and helps me optimise my running. I can feed in a goal — a distance, a time — and it will generate a training program. Once-difficult tasks, such as running at a consistent pace, become straightforward.

Yet like many performance metrics, the watch can also nudge me into counter-productive activity such as overtraining to the point of injury. The sleep-tracking function tempts many people into thinking too much about sleep, which is the sort of thing that can make it hard to drift off. There’s a term of art, “orthosomnia”. It means that you’re losing sleep because you’re worried that your sleep tracker is judging you.

There is another subtle effect at work, something called “quantification fixation”. A study published last year by behavioural scientists Linda Chang, Erika Kirgios, Sendhil Mullainathan and Katherine Milkman invited participants to choose between a series of two options, such as holiday destinations or job applicants. Chang and her colleagues found that people consistently took numbers more seriously than words or symbols. Whether deciding between a cheap, shabby hotel or an expensive swanky one, or between an intern with strong management skills or one with strong calculus skills, experimental subjects systematically favoured whatever feature had a number on it, rather than a description such as “excellent” or “likely”. Numbers can fixate us.

“A key implication of our findings,” write the researchers, “is that when making decisions, people are systematically biased to favour options that dominate on quantified dimensions. And trade-offs that pit quantitative against qualitative information are everywhere.”

They may or may not be everywhere, but they are certainly in my fitness regimen. My watch takes walking, cycling and running seriously — especially outside rather than on a treadmill — but a hard session at the gym barely registers. It will count my steps for me, but I have to count my own pull-ups. The result is an incessant tug away from exercise that may be good for my body or my spirit, but which doesn’t “count” — and towards the kind of aerobic, trackable activity that the watch rewards.

Management theorists have long known about this problem. Steve Kerr’s essay in the Academy of Management Journal, “On the Folly of Rewarding A While Hoping for B”, is 50 years old and the folly seems more common than ever, perhaps because we now have an ever easier selection of automatically generated metrics upon which to fixate.

Quantification fixation may explain an early, infamous study of using fitness trackers for weight loss, published in 2016, which found that the trackers made it harder rather than easier to lose weight. That might be a statistical fluke, but it might also reflect the fact that when you exercise more you may be inclined to eat more. The fitness tracker monitors and therefore encourages extra exercise, but turns a digital blind eye to extra calories — this is quantification fixation in automated form.

A different aspect of the same problem is when I face a choice between the run prescribed by my watch, or an opportunity to run with a friend — possibly over the wrong terrain, for the wrong distance, at the wrong pace. “Wrong”, of course, being defined by the sensors in the watch. It is almost always better to seize the opportunity for a sociable run, but do I always seize it? I do not. It’s a shame to let down a friend, but it’s a disaster to let down the watch.

We live in a quantified world and in many ways our lives are better as a result, whether the metrics have been used to create more effective medicines or more efficient delivery vans. My watch may be a punctilious little wrist-worn box of tricks, but my running, and indeed my overall fitness, is far better than it was before I bought it.

Still, we would do well to keep the quantification revolution in its proper place. I never would have started running in the first place without the friends who encouraged me to show up at Parkrun, a movement that relies on community spirit, deftly seasoned with just the right amount of quantification.

And I’m not running a marathon because my watch told me to do it; I’m running in memory of a young woman who died of cancer at the age of 20. The fitness watch is a means to an end, not the end in itself. All I need to do is to remember that.

Written for and first published in the Financial Times on 11 Sep 2025.

Loyal readers might enjoy the book that started it all, The Undercover Economist.

I’ve set up a storefront on Bookshop in the United States and the United Kingdom. Links to Bookshop and Amazon may generate referral fees.

[syndicated profile] smbc_comics_feed

Posted by Zach Weinersmith




Hovertext:
Sadly, it later turns out nobody knows how to build an ark anymore.


Page generated Oct. 11th, 2025 05:51 am