Notices by Lance R. Vick (lrvick@mastodon.social)

  1. Lance R. Vick (lrvick@mastodon.social)'s status on Monday, 31-Mar-2025 07:40:51 JST

    Saw a Tesla with an American flag license plate border and a plate that read "LYVFREE".

    While I don't actually condone such actions, it was in that moment I truly understood where people get the urge to set a Tesla or two on fire.

    Teslas have become the urban equivalent of big pickup trucks with truck nuts and flags flying off the back.

    In conversation about 2 months ago from mastodon.social permalink
  2. Lance R. Vick (lrvick@mastodon.social)'s status on Saturday, 16-Nov-2024 19:29:27 JST

    Saying "Don't use PGP, use SigStore or Age!" is the same class of dumb as saying "Don't use web standards, use Flash or Java embeds!".

    Before advocating everyone abandon standards and use whatever tools have the better UX or defaults for your use case blindly, maybe take the time to actually understand the problems the standards are trying to solve for, and if any improvements or better implementations are in progress.

    In conversation about 6 months ago from mastodon.social permalink
  3. Lance R. Vick (lrvick@mastodon.social)'s status on Friday, 27-Sep-2024 05:48:23 JST
    • Matthew Lyon

    @mattly I think trying to force authors of software to sign their software or improve their security posture beyond what they want to is a dead end.

    Plus, who is to say a developer like you is even still alive to be forced to change? Or that your account was not taken over by a blackhat years ago?

    We need to stop trusting authors and start requiring/funding actual signed reviews of the code we effectively copy/paste from randos on the internet.

    In conversation about 8 months ago from mastodon.social permalink
  4. Lance R. Vick (lrvick@mastodon.social)'s status on Friday, 27-Sep-2024 05:48:22 JST
    in reply to
    • Matthew Lyon

    @mattly I did talk to the GitHub team about this stuff, for -hours-, however they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.

    Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.

    Microsoft/GitHub have lost the plot. Or they never had it.

    I recommend Codeberg.

    In conversation about 8 months ago from mastodon.social permalink
  5. Lance R. Vick (lrvick@mastodon.social)'s status on Thursday, 26-Sep-2024 23:46:04 JST
    • Matthew Lyon

    @mattly You can thank people like me for proving how easy supply chain attacks are for this change.

    I usually target inactive accounts of past contributors. Especially those that don't have 2FA and let their email domain names expire.

    That said, forced 2FA is the wrong solution. There should be a system for decentralized signed code review so people can sign reviews on any code, and set policies on how many signed reviews are required on code before it is trusted by their system.

    In conversation about 8 months ago from mastodon.social permalink
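
The policy idea in the post above (require N signed reviews before code is trusted), sketched as an added example that is not part of the original post or of any existing tool. The statement format, function names and reviewer names are hypothetical; keys are generated on the spot with Node's built-in Ed25519 support.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

// The statement a reviewer signs binds the review to the exact bytes reviewed.
function reviewStatement(code) {
  const digest = createHash('sha256').update(code).digest('hex');
  return Buffer.from(`reviewed:sha256:${digest}`);
}

// Reviewer side: sign the statement with an Ed25519 private key.
function signReview(name, privateKey, code) {
  return { reviewer: name, signature: sign(null, reviewStatement(code), privateKey) };
}

// Consumer side: count distinct trusted reviewers with a valid signature
// over this exact code, and compare against the local threshold.
// policy = { trusted: Map(name -> publicKey), threshold: number }
function meetsPolicy(code, reviews, policy) {
  const statement = reviewStatement(code);
  const approvers = new Set();
  for (const { reviewer, signature } of reviews) {
    const key = policy.trusted.get(reviewer);
    if (!key) continue;                       // reviewer not in our trust set
    if (verify(null, statement, key, signature)) approvers.add(reviewer);
  }
  return approvers.size >= policy.threshold;
}

// Constructed demo: three hypothetical reviewers; the consumer trusts two.
function demo() {
  const [alice, bob, mallory] = [0, 1, 2].map(() => generateKeyPairSync('ed25519'));
  const policy = {
    trusted: new Map([['alice', alice.publicKey], ['bob', bob.publicKey]]),
    threshold: 2,
  };
  const code = 'module.exports = (a, f) => a.forEach(f);\n';
  const a = signReview('alice', alice.privateKey, code);
  const b = signReview('bob', bob.privateKey, code);
  const m = signReview('mallory', mallory.privateKey, code);
  const forged = signReview('bob', mallory.privateKey, code); // claims to be bob
  return {
    twoTrusted: meetsPolicy(code, [a, b], policy),               // true
    sameReviewerTwice: meetsPolicy(code, [a, a], policy),        // false
    untrustedReviewer: meetsPolicy(code, [a, m], policy),        // false
    forgedName: meetsPolicy(code, [a, forged], policy),          // false
    codeChanged: meetsPolicy(code + '// extra', [a, b], policy), // false
  };
}

console.log(demo());
```

Trust here attaches to the reviewers' keys and the reviewed bytes, not to the author's account, so an account takeover alone does not satisfy the policy.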
  6. Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 13-Mar-2024 01:53:50 JST

    Hot take: If you are not confident enough with Linux to run it on your own daily driver workstation, you probably have no business securing or managing it in production.

    In conversation about a year ago from mastodon.social permalink
  7. Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 13-Mar-2024 01:34:43 JST
    in reply to
    • Jennifer
    • Thomas Phinney, Font Detective

    @tphinney @Jennifer Exactly this, and they chose to introduce it months after I became a patient, having known from the outset that I do not have or want a Google or Apple device.

    I gave up my smartphone 3 years ago, and am a lot happier being disconnected when I am not at my desk. It would seem some don't consider this a valid lifestyle choice.

    This is the first time anyone has refused me services for not having a phone.

    In conversation about a year ago from mastodon.social permalink
  8. Lance R. Vick (lrvick@mastodon.social)'s status on Wednesday, 13-Mar-2024 01:33:02 JST
    • Ben Aveling
    • Jennifer

    @BenAveling @Jennifer There are no medical devices involved.

    They said they are only willing to communicate, schedule, and exchange medical information with patients with their Apple/Google mobile app moving forward, even if it means terminating relationships with existing patients.

    I even offered to show up in person for every communication, and they refused.

    In conversation about a year ago from mastodon.social permalink
  9. Lance R. Vick (lrvick@mastodon.social)'s status on Tuesday, 12-Mar-2024 09:11:31 JST

    It's official. After 3 months of back and forth, a major medical provider has elected to drop me as a patient for not having a Google or Apple device.

    It is unclear if this is legal, but it is very clearly discriminatory and unethical.

    Any tech journalists or lawyers interested in this?

    I would like to do anything I can to ensure this never happens to anyone else.

    In conversation about a year ago from mastodon.social permalink
  10. Lance R. Vick (lrvick@mastodon.social)'s status on Monday, 15-Jan-2024 09:32:52 JST

    1. Buy expired NPM maintainer email domains.
    2. Re-create maintainer emails
    3. Take over packages
    4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
    5. Enjoy world domination.

    In conversation Monday, 15-Jan-2024 09:32:52 JST from mastodon.social permalink
  11. Lance R. Vick (lrvick@mastodon.social)'s status on Monday, 15-Jan-2024 09:32:51 JST
    in reply to

    I just noticed "foreach" on npm is controlled by a single maintainer.

    I also noticed they let their personal email domain expire, so I bought it before someone else did.

    I now control "foreach" on NPM, and the 36826 projects that depend on it.

    In conversation Monday, 15-Jan-2024 09:32:51 JST from mastodon.social permalink
  12. Lance R. Vick (lrvick@mastodon.social)'s status on Sunday, 31-Dec-2023 19:11:21 JST

    At #37c3 they have IRC and Matrix for text, and for voice they set up their own LTE/2G/3G/SIP/DECT network where you bring whatever phone-like device and pick a 4 digit phone number.

    Meanwhile in the USA for #defcon they just paid Discord money and told everyone to accept their privacy policy, and even the DC Privacy Village asks people to sign up for Slack and Google.

    People ask why I fly to CCC from the USA. It is because that is the closest place to find a thriving hacker culture.

    In conversation Sunday, 31-Dec-2023 19:11:21 JST from mastodon.social permalink

    Lance R. Vick

    FOSS || GTFO * Security Engineer * Cypherpunk * Founder of #! and Distrust * Church Of Cryptography Priest

    #infosec #security #opensource #foss #sysadmin #cryptoanarchy #cypherpunk #embedded #puzzles #privacy #locksport #programming #linux #homelab

          Statistics

          User ID
          227797
          Member since
          31 Dec 2023
          Notices
          12
          Daily average
          0

          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.