Planned Parenthood is telling people, rightfully, to stop using period tracking apps, as they embed trackers that give data to authorities in anti-choice states.

Meanwhile, I count several third party trackers on plannedparenthood.org

WTF?

If you mostly let AI decide what to read and who to interact with, I am sorry to tell you this, but you might be an NPC.

The recording of my talk for @OffTheChainCon@twitter.com is online now.

"How to Stop the Hacks: Airgaps, HSMs, and Supply Chain Integrity"

youtube.com/watch?v=RKNPyDGWIr

I am alive today because I always wear a high quality full face helmet.

Never go cheap on safety gear.

You can't predict everything.

I have one free ticket to Off The Chain to give away.

Naturally I'll use this to promote #! and the free mentorship available to all.

First to say "otc" in our IRC room via one of our public shell servers gets the ticket.

hashbang.sh

Show thread

My talk got accepted at Off The Chain!

Hope to see some of you in SF on June 7th.

"How to stop the hacks: Airgaps, HSMs, and Supply Chain Integrity"

offthechaincon.com/

For maximum mental health, ditch your smartphone entirely.

I had to delete one app at a time over more than a year to wean myself off, like any serious addiciton, but I am much happier phoneless.

Show thread

If you are in a place that is (or could become) hostile to basic human rights, consider using only open source operating systems and apps that won't sell you out.

Even then, keep phones off or in airplane mode when possible.

vice.com/en/article/m7vzab/the

Last update before I ignore social media for a few months again so I can resume being productive.

I contacted the foreach maintainer to close other account takeover vectors I didn't make public, and am returning their domain.

Maintainers: WebAuthn and sign all the things.

Show thread

TL;DR: IATA.

Even if an org has been dismissive of security problems historically, reach out again before putting them on blast.

Leadership and goals of companies can change so it is good to keep a jar of second chances handy.

Show thread

Just had a great chat with
@MylesBorins@twitter.com on @npmjs security.

They are actively implementing account takeover defenses and there is at least some interest in bigger picture solutions like signing and web of trust.

I'll try to work with them vs against them moving forward.

Show thread

Additional context on this thread was published in this article on
@TheRegister@twitter.com including past efforts with my friend @JohnNaulty@twitter.com trying to call attention to NPM and Github supply chain security issues.

theregister.com/2022/05/10/sec

Show thread

@MylesBorins@twitter.com noted owner emails don't always match account emails which can offer limited mitigation. Social engineering to account support with an owner email is plan b.

Thankfully better MFA started rolling out today.

Now we just need code signing.

twitter.com/MylesBorins/status

Show thread

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.

Show thread

1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

Apparently it has become common for funeral homes to stream services exclusively via Facebook Live to anyone that likes them.

This might be an entirely new low in surveillance capitalism exploitation.

If I was the CEO of Twitter, job one would be federating it with Mastodon so no central party can decide censorship rules for all.

Next would be enabling community block-lists like we do to block ads, so each user can choose what they see.

Show thread

If @elonmusk actually believed in freedom he would let Tesla buyers actually be -owners- by giving them the sources and schematics to repair or improve things as they see fit.

The day that happens is the day I trade my gas guzzler in for a Tesla.

Show thread

I -love- the idea of someone buying Twitter and making it open source, and decentralized but I still remember when @elonmusk promised Defcon Tesla security software would be open source in 2018.

Still waiting.

fossbytes.com/elon-musk-tesla-

I want a creative place in central Silicon Valley I can hang out, mentor people, and work on my own open source projects... an alternative to the doom scrolling hellscape of app culture so many of us here helped create.

Funding welcome.

Show thread
Show older
Mastodon

The original server operated by the Mastodon gGmbH non-profit