Yet another nail in that coffin: DoS of #GnuPG because of a weak implementation and weak OpenPGP specifications.
https://www.openwall.com/lists/oss-security/2022/07/04/3
Also, because the fun does not stop here:
@alicia Web of trust is an interesting idea.
Unfortunately, it does not really work in practice. People almost never configure the signature verification level (https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.13) and use the default level. This corrupts the web of trust because people performing stringent verification have the same weight as people doing next to no verification.
I don't say this lightly; a few years ago I wrote an OpenPGP parser in OCaml, parsed all keys published on key servers and did some stats on them. My employer never published those stats, so there is no public trace of that work. Only the parser was published: https://github.com/picty/parsifal
Also, most keys are only self-signed, and the strong set is relatively small.
Finally, the web of trust is basically "dead" since key servers were brought down following the disclosure of an unpatchable design issue.
Key servers are not per se mandatory for the web of trust to work, but without them, trust signatures are a lot more difficult to propagate to interested parties.
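As an added example, not the author's parsifal parser, a small Python tally of certification types over a binary OpenPGP keyring: it only needs the packet framing (RFC 4880 section 4.2) and the signature type byte of v4 signature packets (section 5.2.1), so the distribution of generic vs. persona/casual/positive certifications can be computed without any crypto. The keyring bytes below are constructed, not real keys.

```python
import struct
from collections import Counter

# Certification signature types (RFC 4880, section 5.2.1). gpg issues
# 0x10 by default unless the user asks for a level when signing a key.
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

def read_packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet starting at buf[pos]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header (RFC 4880, section 4.2.2)
        tag, o1 = ctb & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header (section 4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def certification_levels(keyring):
    """Tally the certification type of every v4 certification signature packet."""
    counts = Counter({name: 0 for name in CERT_TYPES.values()})
    pos = 0
    while pos < len(keyring):
        tag, start, length = read_packet_header(keyring, pos)
        body = keyring[start:start + length]
        if tag == 2 and body[0] == 4 and body[1] in CERT_TYPES:  # signature packet
            counts[CERT_TYPES[body[1]]] += 1
        pos = start + length
    return counts

def make_sig(sig_type):
    """Constructed minimal v4 signature packet: no subpackets, dummy hash/MPI."""
    body = bytes([4, sig_type, 22, 8]) + b"\x00\x00\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff"
    return bytes([0xC2, len(body)]) + body

# Constructed keyring: one old-format user ID packet, three generic
# certifications, one positive certification and one binary document signature.
USER_ID = b"\xB4" + bytes([5]) + b"alice"
SAMPLE_KEYRING = USER_ID + make_sig(0x10) * 3 + make_sig(0x13) + make_sig(0x00)
```

Run over a real `gpg --export` dump, the share of "generic" certifications is the author's observation in numbers: nearly everyone signs with the default level, so the level carries no information for trust computation.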
#GnuPG signature spoofing via status line injection
https://www.openwall.com/lists/oss-security/2022/06/30/1
How many nails does that coffin need?
I recommend using minisign, ssh or [^NaCl] for content signing.
[^NaCl]: https://pkg.go.dev/golang.org/x/crypto@v0.0.0-20220622213112-05595931fe9d/nacl/sign
I’m writing an article that expands my microblog entry on stylometric fingerprinting to give more comprehensive advice. I am partially walking back on my recommendation not to use machine translation and adding information about reading levels, among other things. Would anybody familiar with #stylometry, or with a #linguistics background experienced with close-reading, be up for reviewing a rough draft next week?
I’d also be interested in how people may describe my own stylometric fingerprint (signature phrases, grammar quirks, etc), to use as an example.
Boosts appreciated.
https://cloud.tomasino.org/apps/forms/KakFXPSpgj5WD9zq
I've put together a survey about the Small Internet (#gopher, #gemini, individual webpages, small community sites) and I would love your input. If you are a small internet user, please spend a few minutes and fill in your thoughts. I'm especially interested in the open response questions. This will help inform an upcoming conference talk I'll be giving at https://mch2022.org
Also, please boost this on fedi as much as possible and feel free to re-share on other social networks and in other communities. The more responses the better.
Tips for young job seekers: if you are being pressured to sign quickly:
* it is not a good opportunity; they are just trying to stop you from finding that out elsewhere;
* signing does not mean you have to stop looking; a signed contract can be terminated! You just have to withdraw or, at worst, end your probation period on the first day.
Don't be ashamed of doing this kind of thing; you are NOT in a position of weakness; they are recruiting you, and YOU are the one choosing the best job.
Covid-19: will Parliament vote to extend the vaccine pass?
Sexual assault, Léo Grasset
Honestly, I'm a bit fed up with the comments "But, damn, I knew it; you could tell the guy is a creep".
There are more than half a dozen complainants who took years to grasp the problem, while living through it, having spent time with and talked to Léo Grasset.
Either you have fucking *profiler* skills and it is urgent to put them at the disposal of law enforcement; or maybe it is a bit easy to analyse **after** the disclosure and the investigative work, and this kind of comment only helps signal to the complainants that they were a bit stupid not to have seen the *red flags*.
@jerry Having a kill switch for broken plugins is a very good idea. Having self-updating code controlled from a central server that overrides admin preferences is begging for a supply chain attack turning millions of Wordpress instances into a botnet in an instant. Also this violates the W^X security principle.
Via https://mastodon.social/@gcluley/108492745843306709
#Wordpress is officially a botnet commanded by a C2: they can force code updates on deployed instances. What could go wrong?
@x_cli @Seirdy I think voting systems are flawed and they should be removed in favor of randomized sorting of posts and comments in online forums.
More details on https://microblog.ayushnix.com/voting-system-in-forums/
Being banned from a #Lemmy community for respectfully disagreeing with an admin (not even a mod): ✅
How I love moderation in the fediverse (not). Even more unfair than some silos because there is no appeal procedure nor an ethics committee. Just small dictators.
Quite happy about @jerry's approach to moderation, though. infosec.exchange feels like home :)
One should really hide the scores on #Lemmy. Scores are toxic.
People downvote instead of explaining their disagreement, which means you just get a bad feeling and nobody will try to tell you why they think you are wrong.
And upvotes are just an ego thing, where you will check on your counters to see how well you did. You don't need social validation.
✨ The curse of strong typing
It's been decided. "Only Rust from here on out!"
I'm livid. I haven't seen that many type errors since I texted my 7yo niece. How in the world am I going to get anything done?
📰 🇫🇷 The electronic Stasi, at last!
Le Monde Diplomatique @mdiplo
About the #SourceHut vs #Go devs drama:
Athens, an alternative free self-hosted Go proxy, has rate-limiting support (although GitHub-specific and the code is horrible). This means GitHub can rate-limit aggressive Go proxies. If GitHub does it, why would SourceHut not?
I am a RNG (Random Network-#infosec Guy): do not expect better toots than those produced by an infinite number of monkeys. #Antispeciesist
Website: https://broken-by-design.fr