skybrian's recent activity

  1. Comment on The global fertility crisis is worse than you think in ~society

    skybrian
    Coastal west Africa is apparently an exception to this trend.

    1 vote
  2. Comment on Hacking Google with A.I. for $500,000 in ~comp

    skybrian
    From the article:

    Having spent the past year building small projects with Claude, I realized there was untapped potential in using AI to automatically fuzz Google's APIs at scale. The key to this approach? Google's discovery documents. For those unfamiliar, I'd recommend reading my other article for a deep dive, but here's a quick refresher:

    Discovery documents are essentially Google's equivalent of Swagger docs - machine-readable API specifications that list all available endpoints, parameters, and methods. While they're publicly documented for APIs like the YouTube Data API, they also exist for Google's internal APIs (like the Internal People API). Some discovery docs are publicly accessible, while most require valid API keys.

    [...]

    We took an exhaustive approach. We scraped over 60,000 Android APKs (every version of every Google app ever released), unpacked them, and grepped for API keys.

    [...]

    We also decrypted every Google IPA we could obtain and analyzed any Google binaries we could find.

    To keep things in scope for Google VRP and remove non-Google API keys (keys from third-party GCP projects), I used an interesting endpoint I found in the Cloud Marketplace API. First, we need the project number associated with the key's GCP project, which is revealed in the error message returned when using the key with a Google API it doesn't have enabled. For instance, fetching https://protos.googleapis.com/$discovery/rest?key=AIzaSyDWUi9T78xEO-m10evQANR7TMSiB_bjyNc returns the error: Protos API has not been used in project 244648151629 before, revealing the project number.

    [...]

    With API keys collected, the next step was finding all Google API domains to scan. I used a combination of domains logged by the Chrome extension, brute-force generated names using keywords, and certificate transparency logs. To verify if a domain was a live Google API, I made the following request:

    [...]

    Equipped with valid API keys and a list of live Google API domains, I started mass scanning for open discovery documents. In July 2025, Google removed the /$discovery/rest path from most of their APIs, but if you're clever enough this is possible to bypass in some cases.

    [...]

    It was now time to start automatically fuzzing these APIs. My goal was to automate finding basic access control issues, which I could then escalate manually into more serious vulnerabilities. In fact, the RCE I found in my previous writeup was initially a lead reported by the AI.

    [...]

    Three months of this setup turned up over $500,000 in bounties, only a fraction of which made it here. Most Google bugs don't need clever exploitation, just patience. The same broken patterns showed up everywhere: missing IAM checks on cross-tenant resources, GraphQL schemas with no authorization, debug endpoints in prod, sandbox environments pointing at prod data. The AI's job wasn't to be novel, it was to be tireless about the obvious on a surface too large for a human to cover end-to-end.

    2 votes
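The quoted article found its keys by unpacking APKs and grepping them; the same search works as a release check on your own build. The sketch below is an added example, not code from the article or the commenter: it scans every member of an APK-shaped zip for Google API keys and pulls the project number out of the error text quoted above. The key pattern, function names and sample archive are assumptions made for the example, and the sample keys are constructed.

```python
import io
import re
import zipfile

# Google API keys: literal "AIza" followed by 35 URL-safe characters (39 total).
KEY_RE = re.compile(rb"AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")
# Project number in the "has not been used in project N before" error text.
PROJECT_RE = re.compile(r"has not been used in project (\d+) before")

# Constructed sample keys, not real credentials.
KEY_A = "AIzaSy" + "A" * 33
KEY_B = "AIzaSy" + "B" * 33


def redact(key):
    """Shorten a key so the report does not leak it a second time."""
    return key[:8] + "..." + key[-4:]


def scan_apk(apk_bytes):
    """Return {key: sorted member names} for every key embedded in the archive."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            data = apk.read(info)
            # Binary resources may hold UTF-16 strings; the two strided views
            # recover ASCII text stored that way at either byte alignment.
            for view in (data, data[0::2], data[1::2]):
                for m in KEY_RE.finditer(view):
                    hits.setdefault(m.group().decode("ascii"), set()).add(info.filename)
    return {key: sorted(names) for key, names in hits.items()}


def project_number(error_text):
    """Extract the owning GCP project number from the API-not-enabled error."""
    m = PROJECT_RE.search(error_text)
    return m.group(1) if m else None


def build_sample_apk():
    """Build a constructed APK-shaped zip in memory (stand-in for a release build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("res/values/strings.xml", '<string name="k">%s</string>' % KEY_A)
        z.writestr("resources.arsc", b"\x1c" + KEY_A.encode("utf-16-le") + b"\x00\x00")
        z.writestr("assets/config.json", '{"apiKey": "%s"}' % KEY_B)
        z.writestr("classes.dex", b"dex\n035\x00no keys here")
    return buf.getvalue()


if __name__ == "__main__":
    for key, members in scan_apk(build_sample_apk()).items():
        print(redact(key), members)
```

A hit is a prompt to check the key's API and application restrictions in its GCP project, since a key shipped inside an app has to be treated as public.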
  3. Comment on ICE spent $700 million on 7 warehouses. Now it wants to get rid of them. in ~society

    skybrian
    From the article:

    Immigration and Customs Enforcement would purchase more than a dozen empty warehouses across the United States to massively expand its capacity to detain people deemed to be in the country illegally, which in turn would spike deportations. A year into Mr. Trump’s term, it had bought 11 facilities at a cost of $1 billion.

    But in a major turnabout, the agency is planning to offload seven warehouses purchased for more than $700 million by either giving them to other federal agencies or selling them outright, according to documents obtained by The New York Times.

    The decision to sharply scale back the warehouse plan is a rejection of a signature initiative under the previous homeland security secretary, Kristi Noem, who pushed the boundaries of what the government can do to aggressively round up potential deportees. The new secretary, Markwayne Mullin, who had privately expressed skepticism about the plan, has said publicly that he wants the agency to be quieter about how it carries out immigration enforcement.

    [...]

    The agency appears to still be moving forward with four of the warehouses purchased for detention purposes, in San Antonio and Socorro, Texas; Surprise, Ariz.; and Hagerstown, Md. However, a federal judge has blocked work on the Maryland facility. It was not immediately clear why the agency decided to proceed with those four spaces for detention. ICE also plans to buy immigrant detention facilities from private prison companies that it already contracts with, according to documents.

    [...]

    But the biggest challenge has been the proliferation of environmental lawsuits across the country.

    For months, ICE has faced serious legal challenges over whether the agency adhered to a federal law that requires federal agencies to examine the impact of their projects on the local environment. The lawsuits have set the agency back significantly.

    A judge in Maryland blocked ICE from taking any action at a warehouse in the state that it purchased for around $100 million. ICE also told a federal judge in New Jersey the agency would take no action at a warehouse there until it conducted further environmental tests. The agency promised the same in a Michigan federal court as well. Justice Department officials have expressed concern to ICE that the lack of reviews has left the agency vulnerable to more legal roadblocks.

    Now, the agency plans to offload warehouses in Michigan and New Jersey, the documents obtained by The Times show.

  4. Comment on Swift reboost mission ready for launch in ~space

    skybrian
    From the article:

    Link, a spacecraft developed by Katalyst Space Technologies, is scheduled to launch June 27 on a Northrop Grumman Pegasus XL rocket. The air-launched vehicle will operate out of Kwajalein Atoll in the Pacific Ocean.

    Link is designed to approach and then grapple NASA’s Neil Gehrels Swift Observatory, a gamma-ray observatory in low Earth orbit. The orbit of that spacecraft, launched in 2004, has been decaying due to atmospheric drag and could reenter as soon as late this year. Link will raise Swift’s orbit, allowing it to continue operations for years to come.

    [...]

    “Over the last nine months, we have gone from a clean sheet to a spacecraft that is currently integrated on a rocket on an airplane ready to go to Kwaj for launch,” said Kieran Wilson, principal investigator for Link at Katalyst. “This is an absolutely unprecedented development timeline.”

    He credited the “exceptional urgency” NASA emphasized in the mission requirements. “When we set out, one of the very few requirements from the NASA team was, you must launch before it’s too late, and we have been able to meet that readiness timeline.”

    Link must launch and reach Swift before that spacecraft’s altitude descends below 300 kilometers. Brad Cenko, principal investigator for Swift at NASA’s Goddard Space Flight Center, said Swift should reach that altitude in October based on current estimates of the spacecraft’s decaying orbit.

    [...]

    That capture and boost will be risky. Swift was not designed to be serviced and lacks grappling fixtures that Link could use. Link is also Katalyst’s first satellite servicing mission.

    Wilson said the docking will be helped by the fact that Swift is still operational and can control its attitude. “Swift is an unprepared but cooperative partner in the rendezvous,” he said.

  5. Comment on How much of an echo chamber is Reddit/the internet, really? in ~tech

    skybrian
    I'm not sure if that's a relevant statistic? For example, most email is spam, but spam filters are pretty good at dealing with it, so that doesn't really affect how people interact with email.

    A more relevant question is, how many of the posts that you see are bots? And that's going to depend on where you look.

    8 votes
  6. Comment on Cuba’s Communist Party approves opening economy in unprecedented move in ~society

    skybrian
    Many countries suffer from the "curse of oil" but I think the suffering of Venezuela under Chávez showed that a populist government can make things even worse.

    4 votes
  7. Comment on Offbeat Fridays – The thread where offbeat headlines become front page news in ~news

  8. Comment on The largest wind project in US history, SunZia, has begun powering California in ~enviro

    skybrian
    From the article:

    The largest wind energy project in U.S. history is now online, delivering power from a massive array in New Mexico to Arizona and California — and signaling a new era for sending clean electricity across the West.

    Nearly two decades in the making, the estimated $11-billion SunZia project from Pattern Energy is now fully operational, company officials said Thursday. It’s made up of 916 turbines that can produce up to 3.65 gigawatts of electricity, making it potentially more powerful than the Hoover Dam.

    It’s also more than three times bigger than either of the next two largest U.S. wind farms, Alta Wind in Kern County and Great Prairie in northern Texas, according to the U.S. Energy Information Administration.

    Crucially, the project also includes a 550-mile high-voltage direct-current transmission line that delivers wind power from New Mexico to the Palo Verde substation in Arizona, where it then feeds into Southern California. In all, some two-thirds of the power sent across the line will be delivered to the state.

    Experts say the project already has begun making a difference on the grid: Since SunZia began testing in April, the state’s Independent System Operator, CAISO, has reported record-breaking amounts of wind power on the California grid at least five times, according to Dennis Wamsted, an energy analyst at the Institute for Energy Economics and Financial Analysis.

    The New Mexico region was selected in part for its strong and consistent winds, comparable to those off the coast of Morro Bay.

    Much of it will come when the wind picks up at night, complementing California’s abundant daytime solar power, and batteries, which discharge for a few hours around sunset.

    Solar energy in California is maxed out. It’s actually a bit lower this year than last year according to Grid Status:

    When curtailment doesn’t occur, CAISO sets records. Simple as that. The market exists in a state where the gate on peak solar output isn’t more capacity (although it can help), but the level at which curtailment is occurring. This is particularly evident when comparing recent record days and their temporal neighbors that didn’t set a new peak themselves.

    As with solar, wind curtailments jumped. We can clearly see the tension between resources as curtailments peak in the afternoon, exactly when both utility and BTM solar generation are strongest and when net load levels are at their lowest.

    Natural gas generation continues to decline, and fell precipitously over the evening and overnight periods compared to 2024 and 2025. Here, we see a familiar story, solar pressuring gas during midday, then battery discharge shifting solar later, a period which now extends through the evening.

    Also, California used to export solar power, but neighboring states have their own solar now.

    2 votes
  9. Comment on Finland tears up nuclear weapons ban in NATO shift – decision clears way for Helsinki to receive, transport and facilitate movement of nuclear weapons on its territory in ~society

    skybrian
    Okay, I see now, but I think calling that the “real cause” is a bit much. Seems like Russia becoming more threatening is just as real.

    2 votes
  10. Comment on How funerals keep Africa poor in ~life

    skybrian
    Regarding waste, you need to look at what people do in exchange for the money. Making a fancy coffin or other fancy ornaments that would otherwise be unnecessary is wasteful. But is banqueting your neighbors wasteful? Not necessarily as long as the food doesn't go to waste.

    I don't know enough about these cultures to say, but there are lots of links in the articles for further reading.

    From what I've read about potlatch culture in the Pacific Northwest, it sounds like it was extremely wasteful and that was the point.

    9 votes
  11. Comment on How funerals keep Africa poor in ~life

    skybrian
    In the US that's usually pretty minor compared to inheritance.

    3 votes
  12. Comment on Finland tears up nuclear weapons ban in NATO shift – decision clears way for Helsinki to receive, transport and facilitate movement of nuclear weapons on its territory in ~society

    skybrian
    Huh? The article is about Finland's response to Russia invading Ukraine.

    9 votes
  13. Comment on What programming/technical projects have you been working on? in ~comp

    skybrian
    The trouble I see is that you probably don't want the community to be completely dead and that's the most likely result. It can't be too hard to join or it won't work at all.

    Invite-only seems like a reasonable way to go?

  14. Comment on How funerals keep Africa poor in ~life

    skybrian
    It’s an opinionated essay rather than a summary of expert consensus, and blaming a single cause does seem rather bold and simplistic. Maybe a better takeaway would be something weaker, that kinship networks appear to be an important obstacle to economic growth.

    11 votes
  15. Comment on How funerals keep Africa poor in ~life

    skybrian
    This amounts to saying that poverty is okay. Most of Africa is desperately poor and figuring out how to change that is very important. The contrast with Asia is stark.

    5 votes
  16. Comment on How funerals keep Africa poor in ~life

    skybrian
    To follow up on that, here’s a third blog post where he writes about why there are few large firms:

    Africa doesn't have large firms because it doesn't have social trust

    Simply put, it’s very difficult to operate a large formal business if the enforceability of contracts is a matter of doubt in any way or if personal relationships and affiliations are seen to supersede legal ones. Rule of law doesn’t need to be absolute, and there was plenty of corruption and chicanery in the United States and East Asia during their periods of most rapid industrial expansion. But the ability of everyday legal agreements to be promptly enforced is an absolute requirement for firms to scale.

    In turn the reason that African countries have so few large firms, and in part why African commercial economies tend to be so inefficient and have such high transaction costs, is that they have extraordinarily low levels of social trust. In practically every African country, impersonal social trust as measured by the World Values Survey or Afrobarometer ranks among the lowest in the world. Meanwhile kinship intensity, as measured by the strength of various kinship-favoring norms—preferences for cousin-marriage, polygamy, the co-residence of extended families, clan organization, and community endogamy—is extraordinarily intense across Africa.

    As one would expect, all the economic symptoms of the lack of impersonal trust and dependence on kin networks that are embedded in traditional societies—the absence of forward contracts, the avoidance of the legal system in handling commercial disputes, the inability of ethnically mixed groups to punish defectors—are abundant across Africa. It is this stark deficit of impersonal and out-of-network trust that prevents African societies from forming large-scale, complex, formal enterprises; large firms rely on contractual obligations—to and from employees, suppliers, and customers—that cannot be enforced in a situation where kinship ties outweigh impersonal obligations. It is this trust deficit that leaves an opening for market-dominant minorities, like Lebanese in West Africa or South Asians in East Africa, to fill the vacuum.

    It seems like a trap that’s hard to get out of. Perhaps that’s why outside help is needed?

    7 votes