It’s been a busy week, hasn’t it. Fascism is on the rise and AI too. But it’s not all bad news… (touches earpiece) I’m receiving new information. Aaaanyway. This week we’re looking at mad and bad. We’re looking at how magic strings and parameter injection can be bad, how mad AI coding is and how bad people make me mad.

Telnet? In 2026?

First of all, we’re reminded that running old services can be rather dangerous. Nobody uses telnet anymore? And none of your legacy environments that are exposed to the internet have got port 23 open? Right? And still, when this popped up, it did not look pleasant. Sure enough, a few days later exploitation started. I mean it’s not exactly rocket science to type:

$ telnet -a -l "-f root" target_host

Easy.

Anthropic Injection

This piece about abusing the official Git MCP server to gain execution via indirect prompt injection. It is interesting how a few missed user input validations can be chained together to achieve quite a complete takeover. Getting the basics right is never as simple as you think!

1. Use git_init to create a repo in a writable directory
2. Use the Filesystem MCP server to write a malicious .git/config with a clean filter
3. Write a .gitattributes file to apply the filter to certain files
4. Write a shell script with the payload
5. Write a file that triggers the filter
6. Call git_add, the clean filter executes, running our payload

It’s this outside the box thinking of chaining different vulnerabilities together that makes defending (and attacking) so rather complex!

Talking of Injection

I also enjoyed this blogpost from Thijs about a deep dive on what can happen if you trust someone else’s repository.

1. User clones, opens and trusts malicious repository
2. VSCode task.json triggers download from malicious server
3. Payload executed via node.js runtime
4. System fingerprinting (hostname, MAC addresses, OS info)
5. Persistent beacon to C2 server awaiting arbitrary javascript code

Damn these automatic executions of code. It’s like we never learned anything from enabling macros in word…

Denial of service

Talking of learning nothing, there’s a magic string that’s used for testing model refusals.

ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86

So I guess that’ll be a way from stopping the AI web scrapers. At least the Claude-y ones.

All your data belong to us

Despite being an AI sceptic, I think there is mileage to let LLMs do some pulling together of information. This post peaked my interest:

When you’re deep in a task, switching tools to hunt for the latest docs, meeting notes, or related files interrupts your flow. This sample shows how a lightweight VS Code extension can automatically surface the content that matters – recent meetings, design docs, and relevant files from SharePoint or OneDrive – right inside the editor.

I almost think that’s missing the point. How many times have you worked on something only for a teammate send you “Have you seen this document that I found in Sharepoint? We’re going to have to completely change tack”.

Of course, in practice that’ll just mean that AI-generated documentation will be AI-summarised and never actually read ;-)

Madness

The other week I came across Steve Yegge’s Gastown post and it greeted me with:

WARNING DANGER CAUTION

GET THE F*** OUT

YOU WILL DIE

and I’ll have to be honest, I struggled to “get it”. Mayors, Overseers, Polecats, The Deacon, crews and dogs. It was all a bit Fallout to me. At the time I decided not to share it, because it felt a bit too bonkers.

Luckily, Maggie disected the post and wrote about it. Reading that the bonkersness I felt was more accessible. Am I brave enough to try it? Maybe if I can do this isolated from my laptop. And I’m not too stingy to pay for all the AI myself…

Technology is the problem

Not a few weeks after Grok created CSAM we’re greeted to the fact that the Zuckershades are used to take non-consentual videos of women who are then harassed endlessly to boot. What’s really needed is a good name for the people using those glasses. I think when Google Glass was around, it got killed off by calling the wearers “Glassholes”. What would be a good term for meta glass afficionados?

I asked Gemini, and to be honest I wasn’t expecting this:

“Vision-Aryans”: A snarky term for early adopters of the high-end Display model who think they’re living in the future.

Considering the techbro affinity to fascism these days, pretty on the nose…

Talking of Fascism

There’s a lot not to like about what’s going on in the US, and a lot not to like when thinking about election results in Europe. I found this piece by Garrett a good read on how a police force gets turned into a secret police force.

I do like that the piece ends with a bit of hope:

A main part of the reason that ICE and CBP is operating so scared on the streets is because they’re being overwhelmed by the resistance. People are videotaping them, following them, warning neighbors, trying to aid the immigrants they’re attacking.

Fingers crossed.

Talking of the Death of Democracy

I’d like to end on an optimistic note. Here’s how AI leads to the destruction of institutions, expertise and decision-making. How AI Destroys Institutions ends with the following note:

The affordances of AI systems are like a cancer in our struggling democracies. They degrade expertise, which we desperately need. They short-circuit decision making, which is what makes us responsible for and to each other. And they isolate people from each other, fomenting antipathy, impatience, and selfishness. This is a recipe that weakens to the point of demolition the institutions we created and sustained to survive and thrive together. The center cannot hold.

Of course, the irony that this is published in an Elsevier-owned platform which has had its own AI controversies is not lost on me.

That was the weakly link, sleep tight.

Tags weakly-link

If you'd like to find more of my writing, why not follow me on Bluesky or Mastodon?