Planned Parenthood is telling people, rightfully, to stop using period tracking apps, as they embed trackers that give data to authorities in anti-choice states.
Meanwhile, I count several third party trackers on https://plannedparenthood.org
The recording of my talk for @OffTheChainCon@twitter.com is online now.
"How to Stop the Hacks: Airgaps, HSMs, and Supply Chain Integrity"
My talk got accepted at Off The Chain!
Hope to see some of you in SF on June 7th.
"How to stop the hacks: Airgaps, HSMs, and Supply Chain Integrity"
For maximum mental health, ditch your smartphone entirely.
I had to delete one app at a time over more than a year to wean myself off, like any serious addiction, but I am much happier phoneless.
If you are in a place that is (or could become) hostile to basic human rights, consider using only open source operating systems and apps that won't sell you out.
Even then, keep phones off or in airplane mode when possible.
Last update before I ignore social media for a few months again so I can resume being productive.
I contacted the foreach maintainer to close other account takeover vectors I didn't make public, and am returning their domain.
Maintainers: WebAuthn and sign all the things.
Even if an org has been dismissive of security problems historically, reach out again before putting them on blast.
Leadership and goals of companies can change so it is good to keep a jar of second chances handy.
Just had a great chat with @MylesBorins@twitter.com on @npmjs security.
They are actively implementing account takeover defenses and there is at least some interest in bigger picture solutions like signing and web of trust.
I'll try to work with them vs against them moving forward.
Additional context on this thread was published in this article on @TheRegister@twitter.com including past efforts with my friend @JohnNaulty@twitter.com trying to call attention to NPM and Github supply chain security issues.
@MylesBorins@twitter.com noted owner emails don't always match account emails which can offer limited mitigation. Social engineering to account support with an owner email is plan b.
Thankfully better MFA started rolling out today.
Now we just need code signing.
I just noticed "foreach" on npm is controlled by a single maintainer.
I also noticed they let their personal email domain expire, so I bought it before someone else did.
I now control "foreach" on NPM, and the 36826 projects that depend on it.
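A defender-side audit of the failure mode described in this thread, added here as an example and not the author's own code: it reads npm registry maintainer metadata for packages you depend on and flags single-maintainer packages and maintainer e-mail domains that no longer resolve. The registry data is a constructed sample; the `dns_resolves` liveness check is a heuristic, and since the registry-listed e-mail need not match the account's login e-mail, a clean result is not proof that an account is safe.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample of npm registry metadata: the shape of
# GET https://registry.npmjs.org/<name>, trimmed to the fields this audit reads.
# Package names and e-mail addresses are made up for the example.
SAMPLE_REGISTRY: Dict[str, dict] = {
    "solo-util": {"maintainers": [{"name": "solo", "email": "solo@lapsed-domain.example"}]},
    "team-util": {"maintainers": [{"name": "a", "email": "a@alive.example"},
                                  {"name": "b", "email": "b@alive.example"}]},
    "solo-alive": {"maintainers": [{"name": "c", "email": "c@alive.example"}]},
}

def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()

def dns_resolves(domain: str) -> bool:
    """Heuristic liveness check: does the domain have any A/AAAA record?
    A lapsed domain usually resolves to nothing; a thorough audit would also
    query NS/MX records and the registrar's WHOIS expiry date."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit_package(name: str, meta: dict, resolves: Callable[[str], bool]) -> dict:
    """Flag the two conditions from the foreach incident: a single maintainer,
    and a maintainer e-mail domain that no longer resolves (i.e. may be
    registrable by anyone, enabling a password-reset takeover)."""
    maintainers = meta.get("maintainers", [])
    domains = {email_domain(m["email"]) for m in maintainers if m.get("email")}
    dead = sorted(d for d in domains if not resolves(d))
    findings: List[str] = []
    if len(maintainers) <= 1:
        findings.append("single-maintainer")
    if dead:
        findings.append("unresolvable-maintainer-domain")
    return {"package": name, "maintainers": len(maintainers),
            "dead_domains": dead, "findings": findings}

def audit_dependencies(names, registry, resolves: Callable[[str], bool] = dns_resolves):
    """Audit each named dependency; names absent from the registry data are skipped.
    Pass a fake resolver to run the check offline or in tests."""
    return [audit_package(n, registry[n], resolves) for n in names if n in registry]
```

In practice you would feed `audit_dependencies` the package names from your lockfile and the JSON fetched from the registry for each of them.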
If I was the CEO of Twitter, job one would be federating it with Mastodon so no central party can decide censorship rules for all.
Next would be enabling community block-lists like we do to block ads, so each user can choose what they see.
If @elonmusk actually believed in freedom he would let Tesla buyers actually be -owners- by giving them the sources and schematics to repair or improve things as they see fit.
The day that happens is the day I trade my gas guzzler in for a Tesla.
I -love- the idea of someone buying Twitter and making it open source, and decentralized but I still remember when @elonmusk promised Defcon Tesla security software would be open source in 2018.
I want a creative place in central Silicon Valley I can hang out, mentor people, and work on my own open source projects... an alternative to the doom scrolling hellscape of app culture so many of us here helped create.
* Security Engineer
* OSS Advocate