Somehow, the email communication still happened, the right person received the report and confirmed it. So a bit later today @salltweets@twitter.com started sharing the image below – without retracting any of her claims, somehow assuming that this reinforces her points.

So today she proceeded by once again attacking the researchers and criticizing journalists who were asking her about the security vulnerability, restating that it didn't exist.

And she claims that @DI_Security@twitter.com researchers publicly called her a transphobe. Not sure what this is about, I could only find a tweet by @daeken@twitter.com who appears to have no relation to the researchers. Judging by the way @salltweets@twitter.com responded she thinks otherwise.

She says that they should have emailed the technical department directly – yet from a brief look I cannot find the corresponding email address anywhere. From experience, emailing technical support about vulnerabilities is a bad idea. So Twitter is a valid way to approach a company.

From that point on, things went only downhill. @salltweets vehemently denied the existence of any security issues, claiming that the whole thing is a harassment campaign – despite not having received any details. She sent them a DM but apparently blocked the account later.

According to the researchers, they were first ignored when they attempted to report the issue. Eventually, they received a response but not the kind they hoped for. Not sure why they had to state their disagreement with @salltweets@twitter.com’s views, but it clearly rubbed her the wrong way.

So they would keep the selfie meant only for verification, store the user’s geographic coordinates and keep account data after deletion. But that’s not what makes this case notable. Problematic vulnerability disclosures aren’t uncommon, but managed to stand out here.

I haven’t heard of before but apparently they not only had a pretty bad vulnerability allowing anybody to query information of all accounts, they also made some rather questionable privacy choices. research.digitalinterruption.c

It appears that I released the first version of that browser extension in December 2011. Time flies…

I definitely don't want to transfer it to some random person. With around 50k users across all platforms, this is bound to end up with some more or less questionable monetization scheme.

Mozilla is currently recommending this extension, so I'll check with them first, maybe they have suggestions. But the default course of action would be to fix known issues, then disable extension listing. So people already having it will be able to continue using it for a while.

I finally decided that I will stop maintaining the Google Search link fix extension. It's a small maintenance burden but it requires my time consistently. That's annoying, particularly given that I myself switched to more privacy-friendly search engines years ago.

I added a receiver to my blog. So if somebody links to one of my articles, I might get notified. If approved, this mention will appear in the comments section. @bekopharm

palant.info/2020/09/03/added-w

Several people from the Mozilla community felt that I’m building up a conspiracy theory here. That’s not the case, I’m actually quite certain that people are acting with good intentions. Unfortunately, that doesn’t automatically mean that we’ll be happy with the results. Updated my article:

I wrote an article explaining the trend with browsers' add-on support and why I think that limiting users' choice on Android massively is part of that trend. The add-on ecosystem is degrading steadily, and I don't expect it to reverse course. palant.info/2020/08/31/a-grim-

They did ask me about adding another add-on of mine to the Recommended Extensions program. They didn’t mention that it is now a prerequisite for the add-on being usable at all…

Installing extensions in development mode is still possible and I tried that with . It appears to work perfectly fine, still has all of its data. But users see it under “Not available yet”, they are not allowed to run it.

didn’t bother notifying developers that their add-ons won’t work any more. I didn’t follow the development, so I had to learn about this from a user’s issue report after the new browser went live.

So the only mobile browser with add-on support is no more. I’m rather disappointed with if that's still possible.

As of now, for Android offers you a selection of a handful of add-ons which you are allowed to install. No technical reason for it, a policy decision.

Ouch, typo in the image – 1.81 * 10^19, not 1.81 * 10^20. Also, it's 2.9 J/s, not 29. The end result is correct, I forgot to correct a mistake for intermediate steps. ☹️

This approach is only something for low-power scenarios where you cannot change the battery. And in fact, similar power sources have been used for space probes.

Never mind that the cost calculation is also bogus: nuclear waste will only be free as long as it is useless.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.