Notices by 🆘Bill Cole 🇺🇦 (grumpybozo@toad.social)

@dalias Sure, that’s not gonna add any juicy attack surface….

Today is the day the we remember that our government has been willing to shoot college students to make them stop protesting. 55 years ago today.

#MayTheFourth #KentState

@vees Can no one spare $20 for a respectable domain?

It is a FALSE rumor that I smoke marijuana.






Edibles. (I broke my lungs with tobacco.)
#420 #FourTwenty

@feld @dalias The freak-out many Americans have whenever anyone says "socialist" is mild compared to the deeply ingrained aversion many people have from living under nominal socialists (see: Castro, Maduro, Noriega, Chavez, and Correa) who have ruled autocratically.

OK, so, yes, Washington State's implementation sucks. Especially the obscene charge for the EID/EDL, which is only really useful for re-entry from one of the places we used to be able to return from with any US state ID/DL.
But still, this has been in the works, very much in public view, for 20 years. The federal law passed in 2005. There have been multiple prior deadlines that have come close enough to make national news and then get pushed back.
#RealID https://toad.social/@grumpybozo/114333391258291904

@feld @Lana The Enhanced cards are supposed to have a flag instead of a star.
Seems like WA chose to only do Enhanced cards, which are automatically Real ID compliant, and keep whatever is non-compliant about their standard cards.

@feld @Lana That's really surprising, given that they were supposedly compliant >6yrs ago. I wasn't aware of any states which had been certified compliant by DHS but were still issuing cut-price non-RealID licenses
https://web.archive.org/web/20181014123250/https://www.dhs.gov/real-id/washington
FWIW, There is a *different* "Enhanced Driver's License" issued by many states which is good for re-entry from CA, MX, Bermuda, etc. In Michigan that is more expensive, while the default cards have the RealID star.

@Lana That should make you reconsider....

The Real ID enforcement date has been pushed back many times, it was originally 2008. At this point, anyone who has gotten a state ID or DL in any state since 2020 should already have a "Real ID Compliant" ID.

The time to have fought this was 2005.

@JessTheUnstill They’ve done a half century of damage, easily. The sort of Uni departments that will be largely destroyed if they get the new NIH and NSF indirect cost caps are not rebuilt easily or quickly.
We were where practically every scientist in the world wanted to do research for 90 years. Not so much now.

@prettygood @mjg59 I concur. AT&T folks have been summonable there in the past.

@atax1a @jwz It is a frustration that for DKIM, DMARC, and SPF to be as trustworthy as possible, one must deploy DNSSEC correctly and defend one's domain against any threat to its reputation but all the spammers need to do is buy a cheap domain with any old garbage DNS and get a handful of records right.

@jwz The stats we collect for the #SpamAssassin project (mass-scan results from participating sites) have long shown that spammers are more consistent at making SPF, DKIM, and DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.

Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good.

@dalias @lispi314
Unless the 250 reply at SMTP EoD is delayed until real final delivery, it is not possible to be certain of final deliverability. Small systems running Sendmail are able do that but I don't believe that any other widespread MTA even offers synchronous final delivery during SMTP time. It's not feasible at scale.
If a message gets queued, it can always fail at the next hop. Users get deleted between accept and deliver. Mailboxes fill. LMTP receivers fall over mid-transaction.

@dalias @lispi314

What protocol would that be? What normative document agrees with you that mail should be silently dropped after having been accepted with some basis for trusting the envelope sender? (e.g. SPF affirmative pass, aligned valid DKIM signature, etc.)

Note that I am not arguing that one should generate bounces lightly. Everything that can be checked at SMTP end-of-data before acceptance should be but there are edge cases where a proper bounce message should be sent.

@dalias @lispi314 If you're going to call it "illegal" I’d love to see a relevant citation of law supported by litigation results.

Or even a single reference to supporting advice in an RFC (which cannot make anything illegal in any sense. )

@inthehands @lisamelton It’s kayfabe. Distraction from the ongoing coup being run by Musk and to make the remnant Chinese tariffs that don’t get cancelled seem less terrible.

@dalias @GossiTheDog The royal decree was notionally aimed at all organizations receiving Federal funds.
Never mind that to actually impose such a condition on funds for educational institutions would demand a formal rulemaking process.

Best way to avoid FB phishing: don't have a FB account.

If that's not an option, it is imperative that you use a unique email address for communication from FB which you do not share with anyone else, human or corporate. https://infosec.exchange/@happygeek/113787777146227848

@JessTheUnstill @dalias I'd argue that what the fash transphobes actually want is for people like you to suffer and/or repent and/or die. Moving makes you resistant to their attempts to make those happen.