@dangoodin Oh and if the hop crypto is really broken the worst case thing that happens is that the network could see IPs of who sent and received messages through their nodes if they had entry/exit nodes. Quick! Everybody rush back to Signal... where the network sees the IP of who sent and received all messages and the *phone numbers* of who sent and received messages, which is far more sensitive, personal, and identifying.
Just once what I would give for people to understand the log/speck principle.
@robertguetzkow @dangoodin I think you're assuming there's another "from" address in the message or connection context or something. There isn't. The public key *is* the identifier of the sender. There's no separate "from" address. The attacker can't put a different key into a message "from" Alice. It would no longer be a message from Alice. It would (accurately) be a message from the attacker.
The "Don't Use Session (Signal Fork)" post shows a tragic lack of understanding of basic cryptographic primitives and Session's protocol. The post claims the signature validation code of a message "reduced the utility of Ed25519 to that of a CRC32". But immediately following the quoted blob, you'll see that the message sender public key that validated the message is used to identify the sender.
If you try to "forge" a message with your own key, it won't show up as from someone else or in their conversations; it will show up as from you! That's the literal basic use case of a signature. It proves who it came from, while a CRC32 could be calculated for any message, even with a forged sender. This shows the post completely misses the point of asymmetric cryptography signature schemes.
The post may be correct with the AES encryption to public keys, however, so I'd still regard both Session and the post with suspicion until a more thorough analysis can be done.
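The point made above, that the verifying public key is the sender and there is no separate "from" field, as an added Go example that is neither Session's code nor the post author's: a constructed envelope type where the sender identity is derived only from the key that validated the signature, with a CRC32 check for contrast. The names (Envelope, Sign, Verify, Identity, CRCCheck) and the hex identity format are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)
// Envelope is a constructed stand-in for a signed message: the sender's public
// key travels with the message and there is no separate "from" field.
type Envelope struct {
	SenderPub ed25519.PublicKey
	Body      []byte
	Sig       []byte
}

// Identity is what a recipient displays for a public key (hex here, assumed).
func Identity(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Sign produces an envelope carrying the signer's own public key.
func Sign(pub ed25519.PublicKey, priv ed25519.PrivateKey, body []byte) Envelope {
	return Envelope{SenderPub: pub, Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify checks the signature with the key carried in the envelope and, only if
// it is valid, reports the sender identity derived from that same key.
func Verify(e Envelope) (sender string, ok bool) {
	if len(e.SenderPub) != ed25519.PublicKeySize || !ed25519.Verify(e.SenderPub, e.Body, e.Sig) {
		return "", false
	}
	return Identity(e.SenderPub), true
}

// CRCCheck is the contrast: anyone can recompute a checksum, so it passes for
// any body from any sender and binds the message to nobody.
func CRCCheck(body []byte, sum uint32) bool { return crc32.ChecksumIEEE(body) == sum }
func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte("hi, it's alice") // constructed sample message
	sender, ok := Verify(Sign(alicePub, alicePriv, body)) // genuine: shown as from Alice
	fmt.Println(ok, sender == Identity(alicePub))         // true true
	sender, ok = Verify(Sign(malPub, malPriv, body)) // Mallory's own key: shown as from Mallory
	fmt.Println(ok, sender == Identity(malPub))      // true true
	forged := Sign(malPub, malPriv, body) // Alice's key on Mallory's signature: rejected
	forged.SenderPub = alicePub
	_, ok = Verify(forged)
	fmt.Println(ok, CRCCheck(body, crc32.ChecksumIEEE(body))) // false true
}
```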
@bonifartius I think it's the integration with OLE and the world of other MS/Windows junk that can be pulled in, right at the border of "just used enough MS can't just turn it off by default" and "too old to get a lot of attention".
We're so back. "CVSS 9.8 allows a remote attacker to execute code on a target system by sending a specially crafted mail to an affected system with Outlook... previewing an attachment could trigger the code execution. The specific flaw exists within the parsing of RTF files"
@todb @hotdogitsclaire I was able to get different prices from the same phone at the same time on a wireless network by simply opening up a private browsing tab.
Not to be all negative, let's recognize some of the projects doing a good job! I love curl and other projects' use of opencollective, which quickly allows you to verify where the money is going in real time. E.g., here's every payment from curl's fund: https://opencollective.com/curl/transactions?type=DEBIT
Of course this rule won't happen, but at least you can avoid donating yourself. Any project that solicits more donations to keep operating while existing donations are being looted or redirected is obviously dishonest. And this is true of the top tech foundations/projects you see
@thomholwerda We Americans (Texans especially) get a lot of crap for being militaristic and loving guns, and it's true. But watching this stuff here unfold year after year in Europe absolutely blows our minds.
Here's a simple rule: If any app or website begs users for donations, and they send to any external NGO or pay any person more than a senior FAANG engineer, the entire board automatically gets fired with permanent restraining orders from the project, replaced by top contributors.
I'm happy that Mastodon is moving ownership to a nonprofit foundation, except that the boards of the five or so biggest projects built on open contributions have all been slowly taken over by pretentious political manipulators who've done about none of the contributing and inevitably funnel the millions of dollars of donations into their own pockets or slush funds for unrelated highly controversial activism.