@inthehands
We did, the NTSB.
I assume it'll be dead soon.
@hacks4pancakes
I struggle with this *because* the industry has changed so much. My way in is unrecognizable today, and I genuinely don't understand a lot of the traps that junior folks are dealing with because I've never seen them. I worry about steering folks the wrong way.
@quinn
Which Sullivan?
@michael_martinez
Well, the evangelicals are horny for revelations anyway — that's why they care about Israel and have so many folks inside the USAF Global Strike Command, so they can make sure the world ends in fire
With the "shutdown" of USAID, the State department has ordered an emergency evacuation of all staff from over a hundred countries by Saturday. In their wake they will leave massive chaos. USAID feeds 53 million people a year, among other things. Many, many people are dying because of this, and many countries will never trust the US again.
USAID is a major part of American international soft power. The damage that this is causing can only be described as treasonous, even ignoring the human cost.
To be clear, this evacuation is impossible. Doing it from one country is very hard. Doing it everywhere all at once, even with all available military airlift assets, cannot happen. Regardless, on whatever schedule they do do this, this is not a normal international move. They are telling staff who in some cases have been in country for decades or who expected to be there for the rest of their careers that they have 48 hours to pack suitcases and leave everything else they own behind, to return to a country where they have nowhere to live and no job.
But then, that's the point.
Context: you used to be able to cast the full screen on Android and when you locked the phone, it would just keep sending audio. Power usage was surprisingly low, and on a closed network, it's not really a big worry otherwise. Originally I used the Chromecast audio, and then a regular Chromecast with an audio extractor or a Wiim box. Now, when you lock your phone it stops casting. There are other options to get some individual apps to send audio data to the Chromecast with big caveats (Spotify loses track volume normalization, for instance), but nothing if you want everything without having to switch things manually. SonoBus will probably work, but now I need to buy new hardware to run it on if I want it independent of my laptop and running straight into the mixer.
I guess it's a nice distraction from everything else being shit to get an Android security update that completely breaks my house audio distribution system in a way that's going to require hardware purchases to fix.
Phones were an even bigger mistake than the web was.
@inthehands
It's not a digital coup. It's just a coup.
@hacks4pancakes
Honestly, I'm not going to believe someone when they say they do it. If they say they try and then want to talk about the ways in which they know they fail and the places where they probably have blind spots? Yeah, maybe. But I've seen too many "progressive" employers where the pipeline ends in a dumpster of broken glass.
Like, to the point where I'm genuinely unsure about the ethics of working to improve the pipeline when even most of the best folks are forced out of the industry by 35.
So, there seems to be a lot of uncertainty and a lack of clear efficacy around TransRescue right now. I'm looking for alternate orgs to suggest, but there's nothing else in exactly that space.
If you at all can, this is a really great time to donate or otherwise assist with https://transrescue.org/
@ktemkin
One of the things I hope we can strongly agree on is that the place where we should be asking a lot more is at the library and language level. I agree it's implausible that small teams will fix annoying and subtle bugs and also do the basic security design work they're already not doing. However, it seems equally unlikely that people are going to stop doing dumb shit like connect things to the internet that really shouldn't be. Teaching the entire world how systems work to a level that allows them to have good intuition about what's a safe action is as hard as getting all the small dev teams to do the work. And harassing either users or devs about things outside of their scope of effective control is dumb and mean.
So that means we need language, framework, and library issues fixed at those levels, and then we need shaping incentives like liability to force migrations and rewrites, once we have meaningful solutions. When we get to that point, yes, a lot of small teams will need to end of life products or accept that they're going to need to write a lot less code — but at least they won't be playing whack-a-mole with problems further up stack and above their pay grade.
@dalias
@ktemkin
We talk about these things because we have spent literally the last twenty years looking at threat models and at the failure of overworked dev teams to build good code with bad tools. It will be an amazing victory for the community when developers have to actually design the bugs that fuck them over. And no, the correct way to fix these issues has never been to write bad code and then try to audit it, obviously.
Yes, in the context of each individual program, the threat model wins. In the context of the entire industry, this is not how progress is made.
@ktemkin
I think there are two different categories here. System design needs to be evaluated in the context of a threat model, yes (and a lot of what gets called a threat model is at best a colloquial approximation of actual thinking), but basic vulnerabilities, whether that means parser and state machine issues, memory issues, or issues of incorrect implementation of a chosen set of cryptographic primitives, all qualify as "done badly" in most cases and insecure in the majority of foreseeable threat models if they're in reachable code.
"Has an open port connected to the internet" implies a minimum set of things that must be accounted for in a threat model, as does "supports messaging between users".
So, cis Americans, you're now living through the first day of a federal genocide against trans people, as defined by the Lemkin Institute for the Prevention of Genocide. As happens almost without exception unless stopped, it is both likely to proceed to mass murder and to expand to include additional social groups, possibly including you.
What are you going to do about this? Are you going to take up arms and fight to prevent your friends and neighbors from being murdered by the state? Are you going to harbor fugitives, get them medical care, and help them leave the country? Are you going to disrupt the function of state offices and destroy records to make their work impossible?
Or are you just going to hunker down and go along with what's asked of you, in hopes they don't get around to killing people like you? Are you, in other words, going to be a good Nazi?
If you think you're going to maybe go on a few big nonviolent protests and be angry on social media, like you did last time, but you know money is tight and you just started a new job and... congrats on failing to understand the situation and choosing to be a good Nazi.
History is unfortunately quite clear here. There are no other options left. Either you literally, physically fight this, or you collaborate.
If you think this is extreme, well, you've made your choice. See you in hell.
@quinn
I mean, I've been imagining that since I was like eight and listening to the INF treaty negotiations, if not younger.
@quinn
Bold of you to suggest we'll have organized schools where teaching this kind of minutiae will be deemed worthwhile in a hundred years
@rysiek
Honestly, this is the first I've heard of it, and hopefully the last. If it's even dumber in other ways too.... Yeah. Lolsigh.
Could people just stop trying to "improve" things they don't understand?
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
Thinking about security, failure, change, art, and living. Recruiting barbarians; complicate your narratives. Fractional CISO to startups via Systems Structure Ltd. HEL/NYC/LON