GNU social JP
GNU social JP is a GNU social server in Japan.
Notices by Eleanor Saitta (dymaxion@infosec.exchange), page 2

  1. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Sunday, 02-Feb-2025 11:19:23 JST

    I guess it's a nice distraction from everything else being shit to get an Android security update that completely breaks my house audio distribution system in a way that's going to require hardware purchases to fix.

    Phones were an even bigger mistake than the web was.

    In conversation about 5 months ago from infosec.exchange
  2. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Sunday, 02-Feb-2025 09:36:47 JST
    in reply to
    • Paul Cantrell

    @inthehands
    It's not a digital coup. It's just a coup.

    In conversation about 5 months ago from infosec.exchange
  3. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Friday, 31-Jan-2025 03:29:04 JST
    in reply to
    • Lesley Carhart :unverified:

    @hacks4pancakes
    Honestly, I'm not going to believe someone when they say they do it. If they say they try and then want to talk about the ways in which they know they fail and the places where they probably have blind spots? Yeah, maybe. But I've seen too many "progressive" employers where the pipeline ends in a dumpster of broken glass.

    Like, to the point where I'm genuinely unsure about the ethics of working to improve the pipeline when even most of the best folks are forced out of the industry by 35.

    In conversation about 5 months ago from infosec.exchange
  4. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Wednesday, 22-Jan-2025 23:15:34 JST

    So, there seems to be a lot of uncertainty and a lack of clear efficacy around TransRescue right now. I'm looking for alternate orgs to suggest, but there's nothing else in exactly that space.

    In conversation about 6 months ago from gnusocial.jp
  5. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Wednesday, 22-Jan-2025 02:20:41 JST

    If you at all can, this is a really great time to donate or otherwise assist with https://transrescue.org/

    In conversation about 6 months ago from infosec.exchange

    Attachments

    1. Trans Rescue - Trans Rescue
      from Annie
      We help trans*, intersex, and other people flee places where it is dangerous to be trans. We help them reach places of safety and reasonable quality of life. We do so legally and securely. I’m in the US or UK And Want Help Planning To Leave. If you are in the USA, the UK, or another country …
  6. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 22:57:11 JST
    in reply to
    • Rich Felker
    • Kate Temkin

    @ktemkin
    One of the things I hope we can strongly agree on is that the place where we should be asking a lot more is at the library and language level. I agree it's implausible that small teams will fix annoying and subtle bugs and also do the basic security design work they're already not doing. However, it seems equally unlikely that people are going to stop doing dumb shit like connect things to the internet that really shouldn't be. Teaching the entire world how systems work to a level that allows them to have good intuition about what's a safe action is as hard as getting all the small dev teams to do the work. And harassing either users or devs about things outside of their scope of effective control is dumb and mean.

    So that means we need language, framework, and library issues fixed at those levels, and then we need shaping incentives like liability to force migrations and rewrites, once we have meaningful solutions. When we get to that point, yes, a lot of small teams will need to end of life products or accept that they're going to need to write a lot less code — but at least they won't be playing whack-a-mole with problems further up stack and above their pay grade.
    @dalias

    In conversation about 6 months ago from gnusocial.jp
  7. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 21:27:06 JST
    in reply to
    • Kate Temkin

    @ktemkin
    We talk about these things because we have spent literally the last twenty years looking at threat models and at the failure of overworked dev teams to build good code with bad tools. It will be an amazing victory for the community when developers have to actually design the bugs that fuck them over. And no, the correct way to fix these issues has never been to write bad code and then try to audit it, obviously.

    Yes, in the context of each individual program, the threat model wins. In the context of the entire industry, this is not how progress is made.

    In conversation about 6 months ago from infosec.exchange
  8. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 21:26:29 JST
    in reply to
    • Kate Temkin

    @ktemkin
    I think there are two different categories here. System design needs to be evaluated in the context of a threat model, yes (and a lot of what gets called a threat model is at best a colloquial approximation of actual thinking), but basic vulnerabilities, whether that means parser and state machine issues, memory issues, or issues of incorrect implementation of a chosen set of cryptographic primitives, all qualify as "done badly" in most cases and insecure in the majority of foreseeable threat models if they're in reachable code.

    "Has an open port connected to the internet" implies a minimum set of things that must be accounted for in a threat model, as does "supports messaging between users".

    In conversation about 6 months ago from infosec.exchange
  9. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Tuesday, 21-Jan-2025 20:02:35 JST

    So, cis Americans, you're now living through the first day of a federal genocide against trans people, as defined by the Lemkin Institute for the Prevention of Genocide. As happens almost without exception unless stopped, it is both likely to proceed to mass murder and to expand to include additional social groups, possibly including you.

    What are you going to do about this? Are you going to take up arms and fight to prevent your friends and neighbors from being murdered by the state? Are you going to harbor fugitives, get them medical care, and help them leave the country? Are you going to disrupt the function of state offices and destroy records to make their work impossible?

    Or are you just going to hunker down and go along with what's asked of you, in hopes they don't get around to killing people like you? Are you, in other words, going to be a good Nazi?

    If you think you're going to maybe go on a few big nonviolent protests and be angry on social media, like you did last time, but you know money is tight and you just started a new job and... congrats on failing to understand the situation and choosing to be a good Nazi.

    History is unfortunately quite clear here. There are no other options left. Either you literally, physically fight this, or you collaborate.

    If you think this is extreme, well, you've made your choice. See you in hell.

    In conversation about 6 months ago from infosec.exchange
  10. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Monday, 20-Jan-2025 23:17:08 JST
    in reply to
    • Quinn Norton

    @quinn
    I mean, I've been imagining that since I was like eight and listening to the INF treaty negotiations, if not younger.

    In conversation about 6 months ago from infosec.exchange
  11. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Monday, 20-Jan-2025 19:16:30 JST
    in reply to
    • Quinn Norton

    @quinn
    Bold of you to suggest we'll have organized schools where teaching this kind of minutiae will be deemed worthwhile in a hundred years

    In conversation about 6 months ago from infosec.exchange
  12. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Saturday, 18-Jan-2025 09:46:52 JST
    in reply to
    • Trammell Hudson
    • Walter van Holst
    • Quinn Norton
    • Raphaël Vinot

    @rafi0t
    Or perhaps we should say, Quíñ.
    @quinn @whvholst @th

    In conversation about 6 months ago from infosec.exchange
  13. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Wednesday, 15-Jan-2025 21:03:45 JST
    in reply to
    • Michał "rysiek" Woźniak · 🇺🇦

    @rysiek
    Honestly, this is the first I've heard of it, and hopefully the last. If it's even dumber in other ways too.... Yeah. Lolsigh.

    In conversation about 6 months ago from gnusocial.jp
  14. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Wednesday, 15-Jan-2025 20:31:06 JST

    Could people just stop trying to "improve" things they don't understand?

    https://soatok.blog/2025/01/14/dont-use-session-signal-fork/

    In conversation about 6 months ago from infosec.exchange

    Attachments

    1. Don’t Use Session (Signal Fork)
      from Soatok
      Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork c…
  15. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Thursday, 09-Jan-2025 22:09:33 JST
    in reply to
    • Lesley Carhart :unverified:
    • Rich Felker
    • N3tN3rd 🥅🤓 Find Me @ http://netnerdnetwork.com

    @dalias
    Idk, I have pretty strong feelings about not inviting queer folks to have a nice time in a country that kills queer folks, even if the folks one invites are gonna be safe themselves. It's pretty colonialist, if you're going there for that reason.
    @n3tn3rd @hacks4pancakes

    In conversation about 6 months ago from infosec.exchange
  16. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Thursday, 09-Jan-2025 21:59:27 JST

    Do (software) emulators/VMs exist for Sharc DSPs? How performant are they on, say, modern macOS ARM?

    In conversation about 6 months ago from infosec.exchange
  17. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Thursday, 09-Jan-2025 19:36:08 JST
    in reply to
    • Lesley Carhart :unverified:
    • Rich Felker
    • N3tN3rd 🥅🤓 Find Me @ http://netnerdnetwork.com

    @dalias
    Yeah, I have bad news for you about the reality of queer rights in Nepal. The rhetoric is good and the tourist experience is ok, and that's about as far as it goes.
    @n3tn3rd @hacks4pancakes

    In conversation about 6 months ago from infosec.exchange
  18. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Wednesday, 08-Jan-2025 04:02:11 JST

    Having just read a bit about the impact of the "business as usual" bias among German Jews in the runup to WW2 and the lack of meaningful resistance that it led to, it is pretty terrifying watching the same bias today.

    In conversation about 6 months ago from infosec.exchange
  19. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Monday, 06-Jan-2025 20:31:29 JST
    in reply to
    • Lesley Carhart :unverified:
    • Rich Felker
    • N3tN3rd 🥅🤓 Find Me @ http://netnerdnetwork.com

    @dalias
    I mean, it's also wildly insane from a climate perspective to fly the entire security community to Nepal? We shouldn't be flying nearly as much as it is — doing it much much more is an unserious suggestion.
    @n3tn3rd @hacks4pancakes

    In conversation about 6 months ago from infosec.exchange
  20. Eleanor Saitta (dymaxion@infosec.exchange)'s status on Monday, 06-Jan-2025 19:39:43 JST
    in reply to
    • Lesley Carhart :unverified:
    • Rich Felker
    • N3tN3rd 🥅🤓 Find Me @ http://netnerdnetwork.com

    @dalias
    I have bad news for you about the availability of conference facilities in hotels (there are some! At least a half dozen credible options as long as you're under 1k people and can book the whole hotel! Let's move RSA there!)
    @n3tn3rd @hacks4pancakes

    In conversation about 6 months ago from infosec.exchange

Eleanor Saitta

    Thinking about security, failure, change, art, and living. Recruiting barbarians; complicate your narratives. Fractional CISO to startups via Systems Structure Ltd. HEL/NYC/LON

    Member since 26 Jan 2023
    Notices 175


          GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.