https://muddy.jprs.me/tags/security/Recent content in Security on Big MuddyHugoen-USSat, 28 Mar 2026 08:43:00 -0400https://muddy.jprs.me/notes/2026-03-28-opt-out-of-very-new-python-package-versions-with-uv/Sat, 28 Mar 2026 08:43:00 -0400https://muddy.jprs.me/notes/2026-03-28-opt-out-of-very-new-python-package-versions-with-uv/<p>In light of several recent Python package compromises (<a href="https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/"><code>litellm</code></a>, <a href="https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm"><code>telnyx</code></a>), here is a useful tip from Hacker News commenter <a href="https://news.ycombinator.com/item?id=47547140">mil22</a>:</p> <blockquote> <p>For those using <em>uv</em>, you can at least partially protect yourself against such attacks by adding this to your <em>pyproject.toml</em>:</p> <blockquote> </blockquote> <p><code>[tool.uv]</code></p> <p><code>exclude-newer = &quot;7 days&quot;</code></p> <blockquote> </blockquote> <p>or this to your <em>~/.config/uv/uv.toml</em>:</p> <blockquote> </blockquote> <p><code>exclude-newer = &quot;7 days&quot;</code></p> <blockquote> </blockquote> <p>This will prevent <em>uv</em> picking up any package version released within the last 7 days, hopefully allowing enough time for the community to detect any malware and yank the package version before you install it.</p> </blockquote> <p>Commenter <a href="https://news.ycombinator.com/item?id=47547405">notatallshaw</a> follows up with how to achieve similar behaviour in *pip*:</p> <blockquote> <p>Pip maintainer here, to do this in pip (26.0+) now you have to manually calculate the date, e.g. &ndash;uploaded-prior-to=&quot;$(date -u -d &lsquo;3 days ago&rsquo; &lsquo;+%Y-%m-%dT%H:%M:%SZ&rsquo;)&quot;</p> <blockquote> </blockquote> <p>In pip 26.1 (release scheduled for April 2026), it will support the day ISO-8601 duration format, which uv also supports, so you will be able to do &ndash;uploaded-prior-to=P3D, or via env vars or config files, as all pip options can be set in either.</p> </blockquote>https://muddy.jprs.me/links/2026-02-18-democratizing-voice-cloning-scams/Wed, 18 Feb 2026 22:26:00 -0500https://muddy.jprs.me/links/2026-02-18-democratizing-voice-cloning-scams/<p>Jamie Pine has launched Voicebox, a new voice cloning studio built upon the open weight <a href="https://github.com/QwenLM/Qwen3-TTS">Qwen3-TTS</a> model. The project is positioned as a free, local alternative to the well-known ElevenLabs voice generator. A <a href="https://voicebox.sh/">short demo video</a> is available.</p> <p>Obviously, there are legitimate uses for voice cloning technology. But in practice, this will be used to enable AI impersonation scams and spam on a massive scale. The GitHub page for this release isn&rsquo;t exactly encouraging on this front. <a href="https://github.com/jamiepine/voicebox/blob/eb2cd861b19baa16720fd31747071c187c054bc5/README.md">Demo screenshots</a> show voice clones of YouTuber Linus Tech Tips, Minecraft creator Markus &ldquo;Notch&rdquo; Persson, and deceased streamer twomad.</p> <p>Make sure you have a secret passphrase set up with your family, since your voice is no longer uniquely your own.</p>https://muddy.jprs.me/links/2026-02-07-how-do-you-regain-access-to-your-computer-if-you-lose-your-memory/Sat, 07 Feb 2026 22:05:00 -0500https://muddy.jprs.me/links/2026-02-07-how-do-you-regain-access-to-your-computer-if-you-lose-your-memory/<p>I read this interesting discussion this morning on Hacker News on the question of how to regain access to your computer if you lose your memory. As always, it starts with figuring out your threat model and responding accordingly.</p>