@GossiTheDog Do you know how security works at scale? This isn't news and among the majors, MS was mostly late to the party. That said, "spies" is doing a lot of work here. If you mean "collaborates specifically around threat intelligence", sure. If you mean "provides the US with general purpose intelligence outside the digital security space above and beyond the cooperation that the US can compel with statutory powers", no, we have no reason to believe that.
Also, with CISA dead, it's unclear that anyone on the USG side is still listening.
"We're happy to announce version 1.0 of the Torment Nexus, as popularized by the science fiction book 'Don't Invent the Torment Nexus'! Our innovative product breaks new ground in..."
@hacks4pancakes I struggle with this *because* the industry has changed so much. My way in is unrecognizable today, and I genuinely don't understand a lot of the traps that junior folks are dealing with because I've never seen them. I worry about steering folks the wrong way.
@michael_martinez Well, the evangelicals are horny for revelations anyway — that's why they care about Israel and have so many folks inside the USAF Global Strike Command, so they can make sure the world ends in fire
With the "shutdown" of USAID, the State department has ordered an emergency evacuation of all staff from over a hundred countries by Saturday. In their wake they will leave massive chaos. USAID feeds 53 million people a year, among other things. Many, many people are dying because of this, and many countries will never trust the US again.
USAID is a major part of American international soft power. The damage that this is causing can only be described as treasonous, even ignoring the human cost.
To be clear, this evacuation is impossible. Doing it from one country is very hard. Doing it everywhere all at once, even with all available military airlift assets, cannot happen. Regardless, on whatever schedule they do do this, this is not a normal international move. They are telling staff who in some cases have been in country for decades or who expected to be there for the rest of their careers that they have 48 hours to pack suitcases and leave everything else they own behind, to return to a country where they have nowhere to live and no job.
Context: you used to be able to cast the full screen on Android and when you locked the phone, it would just keep sending audio. Power usage was surprisingly low, and on a closed network, it's not really a big worry otherwise. Originally I used the Chromecast audio, and then a regular Chromecast with an audio extractor or a Wiim box. Now, when you lock your phone it stops casting. There are other options to get some individual apps to send audio data to the Chromecast with big caveats (Spotify loses track volume normalization, for instance), but nothing if you want everything without having to switch things manually. SonoBus will probably work, but now I need to buy new hardware to run it on if I want it independent of my laptop and running straight into the mixer.
I guess it's a nice distraction from everything else being shit to get an Android security update that completely breaks my house audio distribution system in a way that's going to require hardware purchases to fix.
Phones were an even bigger mistake than the web was.
@hacks4pancakes Honestly, I'm not going to believe someone when they say they do it. If they say they try and then want to talk about the ways in which they know they fail and the places where they probably have blind spots? Yeah, maybe. But I've seen too many "progressive" employers where the pipeline ends in a dumpster of broken glass.
Like, to the point where I'm genuinely unsure about the ethics of working to improve the pipeline when even most of the best folks are forced out of the industry by 35.
So, there seems to be a lot of uncertainty and a lack of clear efficacy around TransRescue right now. I'm looking for alternate orgs to suggest, but there's nothing else in exactly that space.
@ktemkin One of the things I hope we can strongly agree on is that the place where we should be asking a lot more is at the library and language level. I agree it's implausible that small teams will fix annoying and subtle bugs and also do the basic security design work they're already not doing. However, it seems equally unlikely that people are going to stop doing dumb shit like connect things to the internet that really shouldn't be. Teaching the entire world how systems work to a level that allows them to have good intuition about what's a safe action is as hard as getting all the small dev teams to do the work. And harassing either users or devs about things outside of their scope of effective control is dumb and mean.
So that means we need language, framework, and library issues fixed at those levels, and then we need shaping incentives like liability to force migrations and rewrites, once we have meaningful solutions. When we get to that point, yes, a lot of small teams will need to end-of-life products or accept that they're going to need to write a lot less code — but at least they won't be playing whack-a-mole with problems further up the stack and above their pay grade. @dalias
@ktemkin We talk about these things because we have spent literally the last twenty years looking at threat models and at the failure of overworked dev teams to build good code with bad tools. It will be an amazing victory for the community when developers have to actually design the bugs that fuck them over. And no, the correct way to fix these issues has never been to write bad code and then try to audit it, obviously.
Yes, in the context of each individual program, the threat model wins. In the context of the entire industry, this is not how progress is made.
@ktemkin I think there are two different categories here. System design needs to be evaluated in the context of a threat model, yes (and a lot of what gets called a threat model is at best a colloquial approximation of actual thinking), but basic vulnerabilities, whether that means parser and state machine issues, memory issues, or issues of incorrect implementation of a chosen set of cryptographic primitives, all qualify as "done badly" in most cases and insecure in the majority of foreseeable threat models if they're in reachable code.
"Has an open port connected to the internet" implies a minimum set of things that must be accounted for in a threat model, as does "supports messaging between users".
Thinking about security, failure, change, art, and living. Recruiting barbarians; complicate your narratives. Fractional CISO to startups via Systems Structure Ltd. HEL/NYC/LON