🤣
Notices by Dan Goodin (dangoodin@infosec.exchange)
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 20-Mar-2025 17:08:31 JST Dan Goodin
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 20-Mar-2025 17:07:38 JST Dan Goodin
Since my past queries failed to find any viable alternatives to Slack (no, Zulip, PGP on top of Slack, Mattermost, Matrix, Signal, etc. aren't suitable replacements for my union; see thread for why), does anyone have suggestions for how I can minimize the risks and downsides of using it?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 20-Mar-2025 16:43:16 JST Dan Goodin
People knowledgeable about EVs: what brand/model is far superior to a Tesla and why? I've been showing up to the local dealership and trying to talk people going inside to reconsider. I want to step up my elevator pitch by giving them useful, accurate info about better alternatives.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 19-Mar-2025 07:24:34 JST Dan Goodin
Are you also calling out 404 media and several of its journalists for continuing to use the evil bird site?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 19-Mar-2025 07:07:12 JST Dan Goodin
I'm sure you think people who bought Tesla solar inverters and batteries should also rip those out and just go back to nonrenewables if they can't afford replacements from Enphase, right?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 19-Mar-2025 06:17:32 JST Dan Goodin
To follow up on yesterday's discussions about privacy implications of Cloudflare detecting the use of reused passwords in traffic passing through its infrastructure, Cloudflare has disclosed this practice previously. The protocol behind this check, known as Might I Get Pwned (in a nod to @troyhunt), was described in a 2022 USENIX paper called Might I Get Pwned: A Second Generation Compromised Credential Checking Service. It devises what it claims is a privacy-preserving way to check for credential reuse. It involves comparing hashes. Cloudflare says passwords are never logged.
I'm home recovering from a Covid infection, so I don't have the energy to dig into this any deeper right now. I am interested in responses from people qualified to evaluate the privacy-preservation claims, including @benjojo @cR0w @Viss and @matthew_d_green
Relevant links:
https://arxiv.org/pdf/2109.14490
https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/
https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/
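The post above says the check "involves comparing hashes" without showing what each side actually sees. The following is an added illustration, not code from the post, the paper or Cloudflare: a minimal bucketized compromised-credential check in the style the paper builds on. The client sends only a short prefix of H(username); the server answers with every leaked (username, password) digest in that bucket; the comparison, including a few common password tweaks, happens on the client, so the plaintext password never leaves it and the server learns only which bucket was asked about. The leaked-credential list, the usernames and the variant rules are all constructed for the example. The paper's real design additionally runs the digests through a server-keyed oblivious PRF so that a client who downloads a bucket cannot brute-force its entries offline; that step is omitted here, which is exactly the kind of detail a reviewer of the privacy claims should look at.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Bucket identifier length in hex digits. Shorter prefixes mean larger buckets:
# the server learns less about who is asking, at the cost of a bigger response.
BUCKET_PREFIX_HEX = 4

# Constructed sample breach corpus (not real credentials).
SAMPLE_LEAK: List[Tuple[str, str]] = [
    ("alice@example.org", "hunter2"),
    ("bob@example.org", "Summer2023"),
    ("carol@example.org", "correcthorse"),
]


def bucket_id(username: str) -> str:
    """Prefix of H(username). This is the only value the client transmits."""
    return hashlib.sha256(username.lower().encode()).hexdigest()[:BUCKET_PREFIX_HEX]


def credential_digest(username: str, password: str) -> str:
    """Digest of the (username, password) pair. The NUL separator keeps
    ('ab', 'c') and ('a', 'bc') from producing the same input."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).hexdigest()


def password_variants(password: str) -> List[str]:
    """A few common tweaks people make when forced to rotate a password.
    Illustrative only; the paper evaluates a larger, data-driven set."""
    variants: Set[str] = {password, password + "1", password + "!", password.capitalize()}
    if password and password[-1].isdigit():
        variants.add(password[:-1] + str((int(password[-1]) + 1) % 10))
    return sorted(variants)


class BreachServer:
    """Holds leaked credentials pre-hashed and grouped by bucket."""

    def __init__(self, leaked_credentials: Iterable[Tuple[str, str]]) -> None:
        self.buckets: Dict[str, Set[str]] = {}
        for user, pw in leaked_credentials:
            self.buckets.setdefault(bucket_id(user), set()).add(credential_digest(user, pw))
        # Everything the server ever receives from clients, for auditing the privacy claim.
        self.received: List[str] = []

    def query(self, bucket: str) -> List[str]:
        self.received.append(bucket)
        return sorted(self.buckets.get(bucket, ()))


def check_credential(server: BreachServer, username: str, password: str) -> Tuple[bool, bool]:
    """Client side of one round trip. Returns (exact_match, similar_variant_match)."""
    digests = set(server.query(bucket_id(username)))
    exact = credential_digest(username, password) in digests
    similar = any(
        credential_digest(username, v) in digests
        for v in password_variants(password)
        if v != password
    )
    return exact, similar


def make_server() -> BreachServer:
    return BreachServer(SAMPLE_LEAK)


def server_saw_only_bucket_ids(server: BreachServer) -> bool:
    """Audit: the server's inbound log must contain nothing but short bucket prefixes."""
    return all(len(b) == BUCKET_PREFIX_HEX and all(c in "0123456789abcdef" for c in b)
               for b in server.received)


if __name__ == "__main__":
    srv = make_server()
    print(check_credential(srv, "alice@example.org", "hunter2"))
    print(check_credential(srv, "bob@example.org", "summer2023"))
    print(check_credential(srv, "carol@example.org", "tr0ub4dor"))
    print("server saw only bucket ids:", server_saw_only_bucket_ids(srv))
```

Two things to notice when evaluating a scheme like this: the bucket the server returns is itself information (a client who downloads many buckets has a hashed copy of the breach corpus to attack offline, which is what the keyed blinding in the paper is meant to stop), and the bucket prefix is a weak identifier for the requester, so how many users share a bucket and whether requests are tied to a client IP or session matter as much as the hash comparison itself.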
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 18-Mar-2025 13:22:58 JST Dan Goodin
Once again, the self-destructive stridency of lefties on full display. Threatening the lives of people who may or may not have bought a Tesla at some point is NOT the way you fight fascism.
https://www.404media.co/dogequest-site-claims-to-dox-tesla-owners-across-the-u-s/
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Monday, 17-Mar-2025 15:45:13 JST Dan Goodin
Open-source software used by more than 23,000 organizations, some of them in large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account, in the latest open-source supply-chain attack to roil the Internet.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 06:09:11 JST Dan Goodin
I think people are also making too much of the recent fall in the broader stock markets. Prices go down, and they go up. Yes, since the orange felon took office, the S&P 500, Dow Jones and NASDAQ are all down. But slumps like these happened under Biden, too, and they happened under other presidents. For instance, in November 2022, as the US was going into the midterm elections, the S&P was down by more than 1% since Biden had taken office more than 2 years earlier.
No matter our politics, we all live in bubbles. We make hay when things look bad for our opponents. We are more open-minded when things look bad for the people we support. If we on the left don't want to keep getting beat, we need to be smarter and more rigorous in our thinking.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 06:09:11 JST Dan Goodin
Elmo critics: don't gloat too much about the recent declines in Tesla stock. Shares of this company have always been volatile, so a 32% drop since the beginning of the year says little. Share prices as of today are still 24% higher than 6 months ago, 44% higher than this time last year, and more than 5-fold higher over 5 years. Shares could surge again. It's way too early to declare any sort of victory or comeuppance.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:44:50 JST Dan Goodin
So, an attacker who gets access to a hypervisor in, say, GM's network also gets access in Ford's network? I don't think that's what you mean, but that's how it sounds to me.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:36:20 JST Dan Goodin
OK, thanks, Kevin. Is it fair to compare accessing the hypervisor to gaining control over an Active Directory?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Wednesday, 05-Mar-2025 04:30:12 JST Dan Goodin
I just came here to ask you why these vulnerabilities are rated so critical if they can't be remotely exploited. Looks like you partially answered my question, but can you say more, please? Isn't it pretty much always game over when a threat actor has unauthorized access to a VM connected to your network? What's the scenario you're envisioning that makes these CVEs such a threat?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 27-Feb-2025 23:07:52 JST Dan Goodin
It's not every day you get to school a team of lawyers on the California shield law.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 25-Feb-2025 09:11:50 JST Dan Goodin
How much does someone want to bet the AI-generated video of orange felon sucking the toes of nazi saluter wasn't a hack at all, but just the work of an employee who went rogue?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 25-Feb-2025 09:05:36 JST Dan Goodin
Even if it's an employee who accesses the system every day as part of their job duties and simply hits play on an unauthorized video?
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 25-Feb-2025 09:01:27 JST Dan Goodin
People keep using the word hack.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Tuesday, 25-Feb-2025 02:50:21 JST Dan Goodin
When I began covering Silicon Valley in the 1990s, the for-profit companies I covered loved to portray themselves as these optimistic, can-do, do-gooders who were out to change the world. Coverage from places like the NYT amplified this image. I never bought it, and as a result, I had very tense relations with companies like Sun Microsystems, Microsoft and Intel. They went out of their way to make my job harder. Watching how quickly Facebook and even Apple buckled the minute Orange felon was elected has finally proved my view beyond any reasonable doubt and has confirmed that the burden was well worth it.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 20-Feb-2025 16:53:24 JST Dan Goodin
Can we devote some time to discussing Slack? As in, why are we all sending our every thought to a centralized server that can be hacked, and can train AI with them? And why is Slack allowed to store transcripts but I can't?
My union uses Slack for organizing. How crazy is it that an organization in the cross hairs of a dangerous and emboldened government would do this? With everything going on right now, I'd love to be more active in the union, but must I really give up so much to this opaque platform?
Is anyone else struggling with these concerns? Do you know of viable Slack alternatives? Are there any hacks that make Slack less of a privacy invasion or make LLM training harder? Are there at least ways for me to save sessions the way I can with IRC? How do I resist Slack and not lose touch with groups that still use it?
Please boost for reach.
-
Dan Goodin (dangoodin@infosec.exchange)'s status on Saturday, 15-Feb-2025 03:45:08 JST Dan Goodin
If you're still tweeting on the hell site -- particularly those with blue checkmarks -- you're actively helping drive investors' renewed interest in the platform. Same thing for companies like Apple and Amazon that are once again advertising there.
https://www.nytimes.com/2025/02/13/technology/elon-musk-x-debt-sale.html