Micah Lee πŸ”‘ is a user on mastodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

Micah Lee πŸ”‘ @micahflee@mastodon.social

how do you learn new skills once you're older than a teen?

*lies on couch playing hearthstone on phone for 3 hours*

i used to be smarter

*wastes half of the day hate-skimming facebook*

there's not enough time when you're an "adult"

Here's more context around his arrest: meduza.io/en/feature/2017/04/1
'According to investigators, β€œthe suspect posted materials calling for riots in the center of Moscow with the help of special software designed to hide traces of his Internet presence, [namely] using servers based in [foreign states].”' -- so, it seems, organizing protests in Moscow, possibly using Tor

Here's the Debian Project's statement about the arrest of Dmitry Bogatov, a Debian Maintainer who worked in the Debian Haskell group and currently maintains several packages for command line and system tools. He was arrested by Russian authorities, and Debian has removed his keys from their servers in case they're compromised. debian.org/News/2017/20170417

It's always so sad when your cat has to wear a cone and keeps walking into things

I found a way to turn a regular dog into a weeping angel from Doctor Who.

Steps to reproduce:
1. Get cake
2. Put cake on table
3. Look at dog

I dare you to blink.

nazis Show more

Check it out, here's a branch of OnionShare that launches its own bundled Tor process

Have fun planting virus signatures in strange places that touch remote disks somehow/somewhere.


Change your mail sig to:

Or send it in a browser var, as a password (quickly find the sites that don't encrypt passwords), send to open syslogs, etc.

The some AV actually delete/quarantine the file (weblogs, mailspool, {u,w}tmp etc.)!

What are your ideas?

Inspired by: sec.cs.tu-bs.de/pubs/2017-asia

This is an excellent longread about some of the players that made Snowden's whistleblowing possible. It's a firsthand account, published today, and contains many new exciting details harpers.org/archive/2017/05/sn

@federicomena @gnome @micahflee @rootkovska @tl

Pixbuf loaders are another huge attack surface. We need to come up with a good way to either move loaders out of process into bubblewrapped loader (w/ memfd+fdpass), or harden our loaders (rust perhaps), or another strategy?

Thumbnailer service also needs to be bubblewrapp'd.

I would love for apps to only work with raw framebuffer via sealed mdmfd.

@tl @rootkovska @micahflee @gnome @federicomena Most of our work currently is around creating Flatpak and Bubblewrap. We want to get as many core GNOME apps sandboxed as possible.


I'd like to stop using United because capitalism teaches me that the only legitimate form of protest against corporations is to stop patronizing them.
But now I have a puzzle. No United means no Star Alliance. Which other airlines are good for travel between SF and NYC (sometimes DC)? Are there also good non-stop options for SF to Western Europe on the same carrier or alliance?
If I make a switch, are the other carriers actually *better* or have they just been caught out less this month?

I've opened issues in Fedora and Debian to backport the nautilus patch that makes .desktop files more secure. I also reported a Tor Browser issue that will get introduced when the nautilus bug gets fixed.
/cc @rootkovska @gnome @federicomena

@rootkovska The real jarring thing isn't that a supposedly secure software system has a vulnerability.
It happens to even the best of us. (although their design decision is mind-boggling, it should have been obvious)

No, the real issue is how they handled it: denial and dismissal.
The way a group deals with vulnerability reports tells you all you need to know about their product's security and whether they really care about security or about the mere *appearance* of security.

@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.

Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.