Paco Hope @paco@infosec.exchange

@sudocat You're right. But there are trade-offs everywhere. When you use a 3rd party provider, they have a say (by means of their Ts & Cs) in what you can email or not email. I've run my own email server since 1999 or so. I'm comfortable with it. The whole ecosystem is a house of cards, though. It's not for the faint of heart.

I run iRedMail (iredmail.org) as my personal email server (it's really postfix+dovecot+etc) and Nextcloud (nextcloud.com) for file, calendar, and contact sharing. You can link the two so they share identities. Taken together, this combo is really solid replacement for the free and surveillance-capitalism-based ecosystem. https://forum.iredmail.org/post69001.html

Just had my 3rd or maybe 4th pull request accepted to a public project. On the one hand “yay”. On the other hand, most of my PRs are just like syntax fixes on a couple of lines.

Just spent a bit of time opting out using the privacy forms on some of the American companies I do business with. http://simpleoptout.com/

@rymm as long as you don’t want to cease the meme productions we’ll be fine. :)

Would all staff please note the new #password policy. Employees' mothers' must change their maiden names every 90 days.

@Angle Wells Fargo did me a good one. I somehow overpaid my Wells Fargo Mortgage, so they sent a refund check for $0.01. I live in the UK. So they paid over $1 in postage alone. Fine. I use the Wells Fargo mobile app to deposit the check in my WF checking acct. But the WF app can’t grok the WF-printed check for $0.01. Says it’s invalid. I’m not paying $1.50 to mail a $0.01 check back to the US. Ultimately I threw it away.

@ottaross That implies wholesale sending all sorts of your personal information and income information and such to the gov't authorities. For a simple case: person with 1 salaried job as their sole income and no other complications, yes. Easy. For anything more complicated than that, it implies all sorts of people streaming data to the gov't. Perhaps not the best idea.

@jerry @nbering I don’t disagree. I think as a society it is important that we don’t make these lifelong scarlet-letter judgements on people. He has the benefit of years of positive contributions before the criminal bit came out. It helps us support the case that he has changed. He will pay his debt and then return to the workforce. How many similar people never get the chance to make their case after serving their punishment because our judgment is stubborn and we ostracise them?

@nbering me too. But I also think it is possible to change and to prove one has changed. So while he has to pay some consequences, at some point we must allow for the possibility of rehabilitation and restoration. One can argue he’s already rehabilitated. He’s kinda proven that point. So when he has served his time, we should consider that.

@nbering I think there’s 2 things. Writing it isn’t a crime in the us. Selling and/or distributing can be. I think that’s what he pleaded on. Second: #infosec folks push the boundaries a lot on what is strictly legal. Some either go too far or get unlucky and face consequences. The connection between actions and consequences is far from even, equitable, or fair. So it’s also hard to make judgements until you dive deep and get the details.

So Marcus Hutchins, of #WannaCry fame and who had been arrested in the US has pleaded guilty to writing banking #trojan software. Over on the birdsite there's lots of strong opinions. I blogged my opinion that it's a big world out there and trying to dismiss him as a criminal or pardon him because he's a hero are fundamentally misguided. https://blog.paco.to/2019/marcus-hutchins-infosec-soul-searching/

@lattera It's not BSD that I care about as much as ease of use. The web GUI for Xen Orchestra is really amazing. So i run BSD for all my important VMs. But I'm OK with a linux hypervisor if it's easy to use.

#passwords are like #underwear is a terrible metaphor. :)

I’m upgrading a server that runs #FreeBSD using iocage jails. I prefer something like xcp-ng as my hypervisor. So I can completely separate upgrading the kernel from the guest OSes. https://xcp-ng.org/

“The media reports of our security incident were wrong on several points.”
“Hi, this is Brian Krebs, the reporter who handed your ass to you. (This is your ass, isn’t it?) Which points were incorrect?”
Hilarity and sadness ensue.
https://mobile.twitter.com/gcluley/status/1118203223528169474

@angristan This article bugs me because it deliberately misused grammar. “Is listening” is completely different sense from “listens to a randomly selected recording days after it is recorded.” No one “is listening”. But they print that phrase over and over.

Nobody, not even the authors, is particularly surprised that humans train the models by transcribing the audio. But they are desperate to make it sound like people are spying on you.