Looks like many people who are on LTS releases have dodged a bullet with the new OpenSSL vulnerability. The vulnerability reportedly only affect version 3+ of OpenSSL. Many LTS releases are on 1.1.1 and not affected.
OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC. Does not affect versions before 3.0. https://t.co/jIRQhx0nCr
— Mark J Cox (infosec.exchange/@iamamoose) (@iamamoose) October 25, 2022
My 10 year old son recently asked to start doing some coding for school. He’s done some LEGO Boost projects in the past so I was looking for something that would be a bit more interesting. He has started using a smartphone for some things so I though building apps that he could run on his phone could be a good option. Enter, MIT App Inventor. This is a project that I had completely forgoten about. It allows students to build apps for their phones or tablets with a block style coding interface. You get access to many of the phone apis for sensors and cameras.
I’ve been assigning him tutorials from their YouTube channel. He has been loving it and has been asking when his next tutorial will be assigned. The fact that App Inventor makes it so easy to go from an idea to leveraging a lot of features on a smartphone is really fun for kids. I’m excited to see what he builds this week.
Ublock Origin has a handy feature that allows you to build custom fields in addition to their standard ad blocking abilities. Here’s a few rules I set up the other day to clean up annoying parts of Facebook and Twitter.
For Twitter I wanted to get rid of all their trends stuff but keep my feed.
twitter.com##div[aria-label="Timeline: Trending now"]
twitter.com##aside[aria-label="Who to follow"]
twitter.com##a[aria-label="Search and explore"]
For Facebook I wanted to completely do away with the news feed as the news feed is complete garbage for me. I can still use marketplace and get into groups and messenger if needed.
facebook.com##div[data-pagelet="Stories"]
facebook.com##div[role="feed"]
facebook.com##div[data-pagelet="VideoChatHomeUnit"]
Twitter got hacked real good last night. From all appearances it doesn’t appear to be a technical hack, but a social engineering hack of employees with almost limitless access to the platform.
As centralized tech companies have become the norm for political, economic and public health discourse a new threat model has reared it’s head. Centralized systems have centralized admins.
Those centralized admins (the humans) and their related systems are one of the biggest security holes in these systems. Moderators and administrators have a wild amount of power. And that power can be manipulated by manipulating the humans instead of the tech.
I’m sure twitter will come out with some post-mortem statement about how they are securing their admin panels, yadda yadda. But the reality remains that centralized tech will always have centralized admins. This vulnerability is not trivial.
Nuclear superpowers have had this issue and have had to go to incredible lengths to mitigate the threat. Even their procedures seem a bit weak and rely on layers of physical security for the individuals and systems involved (literally people in bunkers).
Moderators at social media companies have been shown to not be the most mentally stable individuals. Tech workers are often easily blackmailed. People are a security threat that is not easily modeled or mitigated at a monolithic platform.
A solution to this problem is pretty obvious. Reduce the power of any single admin. Even in the nuclear bunker, one officer can’t launch the missile. One of the most effective ways to do this is by decentralizing out communications platforms.
For example, government leaders online statements should probably come from a government domain, government IP address and be signed by a public / private key combination. We have plenty of tools to do this type of work. RSS would work just fine and allow a authentication trail that everyone from media outlets to private individuals could use to validate posts.
Of course whitehouse.gov security would still be only as good as the administrators there. But, if the security there is compromised only whitehouse.gov is compromised. A mass pawning of hundreds or thousands of influential information sources becomes non-trivial and near impossible.
This is not just a suggestion for very large organizations but also for smaller ones. My local police department disseminates public safety information on Facebook. When there was a SWAT team on my block, the only way for me to get information was by looking on Facebook.
Having to opt-in to Facebook to get public safety information has it’s own serious issues. But on top of that, what happens if hundreds of police department’s social media accounts are compromised simultaneously and say… announce martial law?
The web is better and more secure when no one person holds the keys.
My wife and I decided to try something new over the weekend. We attempted to summit the relatively remote Hayden Mountain. It was quite an experience and our first true backcountry summit attempt. We ended up having to turn back about 200 vertical feet from the summit due to loose shale and snow in the chute we were trying to summit from. We did however top out at 13,027 feet, meeting out goal of reaching at least 13k. Here are a few things I learned or were solidified in my brain:
