GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by fugueish (fugueish@infosec.exchange)

  1. fugueish (fugueish@infosec.exchange)'s status on Saturday, 06-Jan-2024 13:12:10 JST

    Chrome vs Firefox when it comes to Reader Mode: not even close.

    It's been like this for years. Chrome should just remove the feature completely if they aren't going to support it/make it work at all.

    There's no shame in just saying "we're not doing that feature, we're doing other stuff"! It's ok. But don't raise a pop-up for a feature that has never worked.

    In conversation Saturday, 06-Jan-2024 13:12:10 JST from infosec.exchange permalink

    Attachments



    1. https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/706/690/282/137/711/original/61754130c15fa545.png

    2. https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/706/690/748/424/043/original/33fa3a91558a4f07.png
  2. fugueish (fugueish@infosec.exchange)'s status on Wednesday, 27-Dec-2023 04:49:58 JST

    This bug has everything:

    • Airport advertiser
    • ...of anti-virus
    • ...which runs unsandboxed
    • ...evaling the inputs it's supposed to be scrutinizing
    • ...the inputs come from intelligence agencies

    https://www.barracuda.com/company/legal/esg-vulnerability

    In conversation Wednesday, 27-Dec-2023 04:49:58 JST from infosec.exchange permalink
  3. fugueish (fugueish@infosec.exchange)'s status on Thursday, 07-Dec-2023 05:57:57 JST
    in reply to

    Intelligence agencies begging vendors to fix the bugs they use for intelligence gathering might seem surprising. But they have complex equities to balance, among them the fact that it is their nations who most depend on reliable information infrastructure.

    In conversation Thursday, 07-Dec-2023 05:57:57 JST from infosec.exchange permalink
  4. fugueish (fugueish@infosec.exchange)'s status on Thursday, 07-Dec-2023 05:57:57 JST

    Eliminating this vulnerability class should be seen as a business imperative likely requiring participation from many departments. The authoring agencies urge executives to lead from the top by publicly identifying senior staff who will drive publication of their roadmap and assist with realigning resources as needed.

    https://www.cisa.gov/resources-tools/resources/case-memory-safe-roadmaps

    In conversation Thursday, 07-Dec-2023 05:57:57 JST from infosec.exchange permalink
  5. fugueish (fugueish@infosec.exchange)'s status on Thursday, 07-Dec-2023 05:57:55 JST
    in reply to

    In part, this is because they are planning for the post-memory-unsafety future. (See e.g. https://www.youtube.com/watch?v=mi6ZLmrXNP0)

    But vendors are still addicted to their ability to dump these externalities onto customers. It's 'expensive' to move away from C/C++ in exposed attack surface — but only because the existing costs are externalized.

    In conversation Thursday, 07-Dec-2023 05:57:55 JST from infosec.exchange permalink

    Attachments

    1. #HITB2021SIN KEYNOTE 1: Security Technology Arms Race 2021 - Medal Event - Mark Dowd
      The investment into both offensive and defensive technologies has grown dramatically in line with the Internet’s rise as the pivotal system for communication...
  6. fugueish (fugueish@infosec.exchange)'s status on Wednesday, 25-Oct-2023 13:33:59 JST

    Capitalism: You need me so you can have health care.

    Me: OK. Can I have health care?

    Capitalism: No.

    Me: OK. Why do I need you?

    Capitalism: So you can have health care.

    Me: ...

    Capitalism: ...

    Capitalism: what

    In conversation Wednesday, 25-Oct-2023 13:33:59 JST from infosec.exchange permalink


  7. fugueish (fugueish@infosec.exchange)'s status on Tuesday, 17-Oct-2023 21:14:39 JST

    The Solarpunk Manifesto: exists

    The Green New Deal: Reportin' for duty! 🫡

    Libraries: The Information Age is our entire jam, literally

    Marc Andreessen: I, a modern day John Galt, a modest billionaire, have given the world fraudcoins. Yet I am oppressed

    In conversation Tuesday, 17-Oct-2023 21:14:39 JST from infosec.exchange permalink
  8. fugueish (fugueish@infosec.exchange)'s status on Sunday, 15-Oct-2023 05:28:47 JST
    in reply to

    I feel like some hypothetical person who actually read the entire HTML specification could stride across the face of web development as a giant of productivity, performance, and accessibility

    boooommm...

    booooommm...

    Ho ho hoooooo! <textarea> already exists, my hearties! Hooo hoooooo! And it already knows how to scroll itself

    boooomm....

    booooooommmm...

    In conversation Sunday, 15-Oct-2023 05:28:47 JST from infosec.exchange permalink
  9. fugueish (fugueish@infosec.exchange)'s status on Sunday, 15-Oct-2023 05:28:44 JST

    Do you ever think about how <input type="date"> and <input type="time"> exist, but so many sites roll their own janky stuff

    In conversation Sunday, 15-Oct-2023 05:28:44 JST from infosec.exchange permalink
  10. fugueish (fugueish@infosec.exchange)'s status on Friday, 22-Sep-2023 03:42:16 JST

    These 3 things are related:

    https://www.whitehouse.gov/oncd/briefing-room/2023/08/10/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-open-source-software-security-and-memory-safe-programming-languages/

    https://support.apple.com/en-us/HT213926

    https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2759r0.pdf

    The disregard for safety of all kinds that is endemic in C/C++ is having human rights and foreign policy implications way above the level of engineers who have built little fiefdoms on quicksand.

    In conversation Friday, 22-Sep-2023 03:42:16 JST from infosec.exchange permalink
  11. fugueish (fugueish@infosec.exchange)'s status on Friday, 08-Sep-2023 18:16:41 JST

    Right-click and Open Image In New Tab is the greatest lightbox image viewer of all tiiiiiiimmmmmeeeeeee #UseThePlatform

    In conversation Friday, 08-Sep-2023 18:16:41 JST from infosec.exchange permalink
  12. fugueish (fugueish@infosec.exchange)'s status on Friday, 08-Sep-2023 18:16:40 JST
    in reply to

    This toot brought to you by how Mastodon's lightbox somehow disables pinch and zoom

    They had to do extra work to break it

    In conversation Friday, 08-Sep-2023 18:16:40 JST from infosec.exchange permalink
  13. fugueish (fugueish@infosec.exchange)'s status on Friday, 08-Sep-2023 18:16:39 JST
    in reply to

    The year is 2038. Craigslist still uses its 1998-era HTML and Perl CGI script. It is the fastest, most usable, and most accessible web site on the planet. The New York Times front page is 6 TiB. Gmail UI elements have 17 distinct border radii.

    In conversation Friday, 08-Sep-2023 18:16:39 JST from infosec.exchange permalink
  14. fugueish (fugueish@infosec.exchange)'s status on Monday, 28-Aug-2023 17:19:28 JST
    • Thomas Broyer

    Climate-Friendly Software, by @tbroyer

    • Pick servers in carbon-neutral or low-carbon datacenters first, then optimize your architecture and code.
    • Don't be the one that will make your users change their device.
    • Optimize for the perceived performance and battery life.

    https://blog.ltgt.net/climate-friendly-software/

    In conversation Monday, 28-Aug-2023 17:19:28 JST from infosec.exchange permalink
  15. fugueish (fugueish@infosec.exchange)'s status on Saturday, 01-Jul-2023 03:40:43 JST

    The Supreme Court is obviously illegitimate. But it is the way it is due to the Senate, the electoral college, and lifetime appointments: explicitly anti-democratic, slavery-upholding institutions designed to produce a government that does not support the needs or desires of the people it governs. It was designed to be illegitimate, and it is working as intended. It always has.

    In conversation Saturday, 01-Jul-2023 03:40:43 JST from infosec.exchange permalink
  16. fugueish (fugueish@infosec.exchange)'s status on Saturday, 01-Jul-2023 03:40:42 JST
    in reply to

    "But Biden has gotten so much done!", say the system justifiers. There was no sane reason to think that his grossly insufficient achievements would ever fare any better than the Clean Water Act or the Voting Rights Act. The Inflation Reduction Act will go the way of student loan forgiveness, even if he 'wins' in 2024.

    In conversation Saturday, 01-Jul-2023 03:40:42 JST from infosec.exchange permalink
  17. fugueish (fugueish@infosec.exchange)'s status on Friday, 14-Apr-2023 13:14:01 JST

    Prioritize the use of memory safe languages wherever possible. The authoring agencies acknowledge that other memory specific mitigations, such as address space layout randomization (ASLR), control-flow integrity (CFI), and fuzzing are helpful for legacy codebases, but insufficient to be viewed as secure-by-design as they do not adequately prevent exploitation.

    https://media.defense.gov/2023/Apr/13/2003198917/-1/-1/0/CSI_SECURE_BY_DESIGN_DEFAULT.PDF

    In conversation Friday, 14-Apr-2023 13:14:01 JST from infosec.exchange permalink
  18. fugueish (fugueish@infosec.exchange)'s status on Tuesday, 17-Jan-2023 06:06:25 JST

    It is legal to eat breakfast at any time of day.

    In conversation Tuesday, 17-Jan-2023 06:06:25 JST from infosec.exchange permalink


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.