Items tagged with: Twitter
Exactly two years ago, we started to post links on #Mastodon via our account @heiseonline
https://mastodon.social/@heiseonline/109314036284496776
It took longer than I expected, but here we are: it seems like this account now brings continuously more #traffic to heise.de than #X (#Twitter) in its entirety, although it only has ¼ of the follower number (and many of them don't seem to be active anymore).
I'll prepare some graphs after the weekend.
#SocialMedia
#TwitterExodus
#MastodonMigration
#TwitterMigration
#Fediverse
For now, this is the official Mastodon account of heise online.
It will be filled by hand for the time being, but we already have further plans and want to do more here.
Another week, another increase for @heiseonline
#Mastodon keeps growing (the last time we got this much #traffic was at the beginning of the year), #Bluesky, too. No big jumps, but we'll see where it leads.
#Threads still brings very little, #Twitter stays weak.
As always, this is the traffic to heise.de via the different social media platforms.
Edit: In the graph, Mastodon, Bluesky and Threads are stacked together (as they are the biggest Twitter alternatives).
2nd Edit: Graph added.
As everyone knows, Elon Musk is now running Twitter directly into the ground. Who knows? Maybe he needed some inspiration for the Boring Company.
Art: Chai Lynx
This has, as many predicted, been a complete clusterfuck.
https://twitter.com/kennwhite/status/1589396945830813700
We should assume that Twitter is on its way out the door. Elon Musk is not a good CEO, as evidenced by the immediate mass lay-offs of Twitter employees.
Or his immediate pause of content moderation (which let some really dumb homophobes run wild).
https://twitter.com/lucashoal/status/1587443643735908353
You get the point.
Art: Chai Lynx
Rather than continue to ruminate on the current mess, I'd like to instead take a moment of everyone's present to look into the future, because we're actually in a unique position to make a lot of good changes to the world; or, at least, to make something hilarious out of a bad situation.
This matters for everyone, but especially for furries, sex workers, and porn artists.
Art: Chai Lynx
I'm going to break this post into three parts:
- How to Make a Larger Impact Than Deleting Your Account
- An Opinionated Summary of Alternate Platforms
- How to Architect the Porn-Friendly Social Media of Tomorrow
It should go without saying, but my standard disclaimer applies:
The contents of this blog post are the sole opinions of a 30-something gay furry who presents as an anthropomorphic dhole on the Internet. Do not confuse the opinion or satire contained within for either a) fact, b) professional advice, or c) the opinions of any company or entity; especially the author's current or past employers.
How to Make a Larger Impact Than Deleting Your Account
Art: Chai Lynx
If you're considering deleting your Twitter account and moving to an alternative platform, I encourage you to move but not delete your account. There's something much cooler you can do with your existing account than delete it.
Twitter's operations costs are currently fairly predictable. Well, predictable enough to lay off a lot of the workers necessary to keep the lights on, anyway.
Wouldn't it be great if, instead of deleting their accounts in protest, we decided to make our accounts cost more in storage and compute costs?
I posed a similar question to Twitter the other day.
https://twitter.com/SoatokDhole/status/1587807410944630790
Here are some of the more fun and interesting ideas that were shared with me:
Block and Search with Wild Abandon
(I can't find a record of who suggested this idea. Maybe I imagined someone suggesting it, and it was actually my own idea, but I'm misremembering. Who even knows anymore?)
Filtering blocked/muted accounts from your timeline requires a small amount of server-side CPU.
Searching for trending topics and common words in your native language will likely hit many thousands of accounts.
If you ask Twitter's search engine for all tweets that contain certain common words or phrases, and then the application has to filter out hundreds of thousands of blocked and/or muted accounts, this is going to become computationally expensive.
Especially if you systematically mute or block every single account that promotes a tweet.
Especially if you're already using an adblocker, such as uBlock Origin (which you can install in Firefox for Android, by the way).
To be clear: the goal of this idea is NOT to degrade the platform or perform a Denial of Service attack. It's simply to make Musk pay more for useless processing that won't increase Twitter's ad revenue.
Art: Chai Lynx
Use Twitter Like TikTok
Instead of typing a reply, record a short video. The queerer and less marketable the contents of your video, the better.
https://twitter.com/XydexxUnicorn/status/1587810839620378628
If you don't have a fursuit (most furries actually don't), consider using rigged 3D models (or Live2D avatars; e.g. FaceRig) instead.
Just make sure you include a transcript or alt text for people with disabilities.
Everyone else can participate simply by diligently playing every single one of these videos (even if on mute).
Let's run up Elon's storage and bandwidth bills. There's lots of fun that we can have with this idea.
Upload Lots of Compression-Unfriendly Images
For example:
https://twitter.com/yourcompanionAI/status/1587815968700600321
Bonus points if you somehow manage to work this into the video reply idea, and it actually inflates their storage costs significantly.
Bad Suggestion: Reply to Brands with Yiff
There were a few people who suggested posting adult furry art in reply to brand tweets. The idea being that this will make Twitter less marketable for advertisers.
This is a terrible idea for two reasons:
- Optics. Regardless of your goals, you're going to expose a lot of unsuspecting users to unsolicited pornographic art. This is not how you make friends. This will make a lot of undecided people form a negative opinion of the furry fandom.
- Underage users. The minimum age to sign up for Twitter is 13. Parents who might be comfortable with their young teenager following a household name Twitter account will not want their child being exposed to hardcore pornography.
Too often, I see some furries reach for this tactic. You should consider it the nuclear option, because the small tactical gain is largely outsized by collateral damage.
The only thing you'll accomplish is giving ammo to right-wingers who loudly proclaim all LGBT people are groomers (meanwhile they vote down laws that would stop child marriage; how so very curious of them).
Art: Chai Lynx
Wrap-Up
https://twitter.com/charlotteirene8/status/1585700642626191360
With any luck, we can make Twitter the most expensive $44 Billion that Elon Musk will ever spend.
An Opinionated Summary of Alternate Platforms
Where should we go when Twitter dies? There are a lot of opinions to be had.
Rumors of Tumblr's Sex Positivity Are Wildly Exaggerated
Shortly after Elon Musk purchased Twitter, Tumblr had announced updated Community Guidelines that, allegedly, permit the naked human form to appear in Tumblr content.
This apparently doesn't include cartoon nudity. To wit:
https://twitter.com/LeafDubois/status/1589026084640940032
We can do better than Tumblr.
Cohost
Cohost is a somewhat new platform for posting. I have an account there (@soatok).
You can think of Cohost as the best parts of Twitter's user experience, with the best parts of Tumblr, without any ads, tracking, or recommendation system (The Algorithm).
The premise of Cohost is to build around users, not profit.
Cohost is brought to you by a group calling themselves the Anti Software Software Club, a software company that hates the software industry:
we are a group of three developers and designers (and maybe more soon!) with very strong opinions about how to operate a software company. we've all left jobs at conventional tech companies to build cohost and we're thrilled we finally get to share it with the world. you can read more about us, including our manifesto, on our main website. ASSC is not-for-profit and 100% worker owned.
(According to the Cohost website)
It's worth emphasizing that "not-for-profit" is most likely an aspiration and a tenet, not a legal designation. Cohost is an LLC. It would be an error to mistake it for a non-profit organization. The legal term "non-profit" almost always refers to 501(c)(3) organizations.
Personally, I don't care at all about these distinctions. Some people do. I'm not a lawyer, and I actually find legal topics exhausting to the point of being physically painful. That's not an exaggeration.
It's a neat project. If you want a centralized replacement for Twitter, Cohost is probably your best bet.
Mastodon
Mastodon is federated software, which feels in some ways more like Email or RSS than Twitter does. Moderation is local to your instance, rather than top-down like a centralized platform. Discovery is based on which instances peer with which instances.
There's a lot to like about Mastodon. However, if you're an artist that's looking for a centralized watering hole where all your customers already are, Mastodon... is not that.
That being said, a lot of people are moving to Mastodon already. Nowâs probably the best time to join.
Personally, I used to have a Mastodon account, but I didn't really use it much, and then the instance that hosted my account shut down and I lost all my data. That experience killed my interest in Mastodon.
Telegram Channels
Pro: Furries already use Telegram, extensively.
Con: They're now selling "collectible usernames" as NFTs
Art: Chai Lynx
Wrap-Up
There are probably other platforms that are worth considering, but there are only so many hours in a day, and I have a day job.
If you find yourself deeply dissatisfied with the options presented, please feel free to explore others. Alternatively, you may wish to build a new platform in line with your own vision.
If you lack the skills to build your vision, grab a few friends and read through Furward Momentum together.
How to Architect the Porn-Friendly Social Media of Tomorrow
What do sex workers, porn artists, and fantasy sex toy companies have in common?
Mastercard doesnât want to provide them services. Neither do PayPal nor Venmo.
Sex workers and artists are two of the groups most likely to be negatively impacted by Elon Musk's ownership of Twitter.
https://twitter.com/woot_master/status/1518689141763936259
What would it take to build a social media platform that actually supports sex workers and NSFW artists? Well, a lot. But I'd like to at least provide a sketch for how such a platform might be architected.
Art: Chai Lynx
Require Hardware Security Keys For All Users
Your platform should use WebAuthn instead of password authentication.
I recognize that this makes onboarding users difficult (due to a lack of availability of FIDO2-compatible hardware keys), but the security benefits are immensely worthwhile.
The best thing about WebAuthn is, when implemented correctly, your users become extremely phishing-resistant without requiring any diligence on their part.
Use End-to-End Encryption for Private Messages
Further reading: Going Bark: A Furryâs Guide to End-to-End Encryption.
We donât need more surveillance capitalism. The less you know about your users, the better.
Consider An Invite-Only Design
Lobste.rs requires new users be invited by an existing user.
This is a great way to reduce the blast radius of platform abusers and their subsequent attempts at ban evasion: If the same person keeps inviting bad people, take away their invite privileges.
I chose a similar approach when I designed FAQ Off.
Donât Mix Payments With Platforms
Simply put: The platform that users interact with should be mostly independent from the component that processes payments for the users of the platform.
By "mostly independent", I mean they should be distinct legal entities, with no overlap in ownership, that operate in different countries. The only things that should be exchanged between the two are HTTP messages (over TLS) and API keys.
The payment gateway should accept multiple options (credit cards, PayPal, etc.), but never provide a custom "memo" field. Where possible, the invoice feature should be used (with the possibility of tipping left open).
If you permit users to fill in custom memos, they will inevitably leave a remark that flags the recipient's account as porn/sex related.
This payment gateway will not just process payments and subscriptions; it will also act as a payment escrow service and amortize the risk of chargeback fraud over multiple content creators. (To that end, it should have a name that isn't embarrassing on a bank statement.)
The incumbent payment gateways used by the porn industry should be avoided, for multiple reasons:
- They're expensive
- The transactions they process get flagged a lot as fraud
- They're often used by spammers, scammers, computer criminals, and deplatformed hate groups
Instead, you'd want your value proposition to be more about social media and payments between friends. The fact that you allow porn and sex work on your platform (which should be one of many platforms that use this payment gateway) needs to be a mere footnote.
Finally, consider very carefully whether or not to support cryptocurrency in your payments (or payouts) platform.
This List is Non-Exhaustive
These are just some considerations I can think of off-hand when imagining what a sex-positive social media platform would look like, if it were built in 2022.
The biggest challenges any platform faces will not be legal or technical; they will be social.
Twitter exploded in popularity after a few celebrities started using it. I don't know how to replicate their success with a greenfield project, and I doubt anyone else does either.
In Summary
Elon Musk is probably going to kill Twitter. It would be really funny if we made this cataclysmically expensive for Elon Musk, personally.
There are a handful of alternative platforms that folks are already migrating to in anticipation of Twitter's demise, but none is a clear winner.
Twitter's death will put a lot of artists (especially porn artists) and sex workers in peril, so I sketched some ideas that would enable a Twitter alternative to better serve them.
Ultimately, the future remains uncertain. I don't pretend to have answers, just ideas. If you think you know, or can do, better, I wish you the best of luck.
https://soatok.blog/2022/11/07/contemplating-the-future/
#ElonMusk #furries #furry #FurryFandom #Society #Twitter
Some of you may be surprised to learn that my fursona is not a fox, nor a wolf; nor is it a fictitious fox-wolf hybrid popular within the furry fandom (which is usually called a "folf").
No, my fursona is a dhole, which is a real species of endangered wild dog from Southeast Asia.
The word "dhole" is only one syllable, with a silent H.
https://twitter.com/canemckeyton/status/1024198407429054469
The Furry Fandom needs more dhole fursonas.
Dholes Are Amazing
https://www.youtube.com/watch?v=ifcCNERGUZU
Dholes are very social creatures that live and hunt in large packs. But how they hunt is needlessly awesome: where other canids (e.g. wolves) try to chase and then surround their prey, dholes spread out and use high-pitched whistles to coordinate their strikes over large distances.
Some other interesting notes from animal conservationists over the years: dholes have very low sexual dimorphism (so you generally cannot tell whether a dhole selected at random is male or female at a glance), and they're known to do a handstand when they're urinating.
https://twitter.com/Tikrekins/status/1176953841385951233
You can learn more about dholes and dhole conservation efforts here.
The Symbolism of Dhole Fursonas
If youâre trying to pick a species for your fursona, how do you know if a dhole is right for you?
Art by SkiaSkai
Hereâs a short list of values and traits you can derive from dholes and dhole behavior in the wild:
- Do you value and understand friendship in its purest form?
- Do you value cooperation (n.b. without power structures and hierarchies)?
- Do you enjoy communal living (with a chosen family of close friends and/or a polycule)?
- Are you clued into dog whistles? (Okay, this one's kind of a dumb joke because dholes are called "whistling dogs", but a lot of dhole furries I know are very clueful about the alt-right's bullshit, so it's fitting.)
- Do traditional notions of sex and gender not interest you in the slightest?
If you said yes to any of those questions, or if you simply can't decide between fox or wolf and don't feel like phoning it in with a fictitious hybrid, a dhole may be a good fursona choice for you.
Are Dhole Fursuits Beautiful?
Yes. Very yes.
https://twitter.com/SparkleKreation/status/1039539876121608193
https://twitter.com/Millitrix01/status/1175111740473991168
https://twitter.com/RustiDhole/status/1276399918240931840
https://twitter.com/DamnitKnightly/status/1290751428206587904
Coming soon (probably 2021) to this section of the blog post: My fursuit.
https://soatok.blog/2020/08/10/all-about-dholes-and-dhole-fursonas/
#CuonAlpinus #dhole #dholes #furry #FurryFandom #fursona
Earlier this year, I detailed a simple technique for deanonymizing scam sites on CloudFlare, by getting the back-end webserver to email you and reveal the serverâs IP address (so you can forward your complaints to their ISP).
In a similar vein, I'd like to explain a simple technique for increasing the likelihood that your abuse reports on social media websites like Twitter get taken seriously.
Don't Use the Easy Button
Every tweet (except your own) has a Report Tweet link attached to it. The user interface is different on web and mobile, but most people know how to find it.
The problem with this "easy button" is twofold:
- It's low-effort and high-bandwidth, so a lot of people use it and therefore the signal-to-noise ratio isn't very high.
- The "report tweet" workflow lets you select from one of a few narrowly defined categories of abuse without giving you any space to explain why it's abusive.
For example: A lot of anti-furry hate is a dogwhistle for ableist or queerphobic rhetoric. Without knowing that context, how do you expect the folks handling abuse reports for social media companies to make the correct choice?
Instead, File an Abuse Report
This is actually a separate thing, and the link to the harassment report form is here. (This is one of many forms you can file with Twitter's support team.)
Not only do you get to click the radio buttons that the Quick and Easy path allows, you also get to fill in a description of the problem.
A screenshot of the harassment report form.
The difference here isn't theoretical; a concise explanation of the problem is the difference between your report being ignored and this:
https://twitter.com/SoatokDhole/status/1319983706858246146
If you have any friends that are frequent targets of social media harassment, and their reports aren't taken seriously, share this article with them.
Art by Khia.
(That being said, I'm really sorry this is even necessary.)
What About Automation?
One motivation to still use the "easy button" when reporting abuse is if you're hoping to trigger some automated mechanism (i.e. "If 3 different accounts report this as abuse, suspend their account until someone can investigate").
In that case, press that easy button to your heart's content.
https://twitter.com/packonines/status/1068746663764860929
https://soatok.blog/2020/11/12/deplatforming-hate-and-harassment/
#abuseReporting #cyberbullying #harassment #hateSpeech #onlineAbuse #SocialMedia #Twitter
Update (2021-01-09): There's a newer blog post that covers different CloudFlare deanonymization techniques (with a real world case study).
Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission.
Understandably, the photographers and fursuiters whose work was ripped off by this website are upset and would like to exercise their legal recourse (i.e. DMCA takedown emails) against the scam site, but there's a wrinkle:
Their contact info isn't in DNS and their website is hosted behind CloudFlare.
CloudFlare.
Private DNS registration.
You might think this is a show-stopper, but I'm going to show you how to get their server's real IP address in one easy step.
Ordering the Server's IP Address by Mail
Most knock-off site operators will choose open source eCommerce platforms like Magento, WooCommerce, and OpenCart, which usually have a mechanism for customers to register for an account and log in.
Usually this mechanism sends you an email when you authenticate.
(If it doesn't, log out and use the "reset password" feature, which will almost certainly send you an email.)
Once you have an email from the scam site, you're going to need to view the email headers.
With Gmail, you can click the three dots on the right of an email and then click "Show original".
Account registration email.
Full email headers after clicking "Show original".
And there you have it. The IP address of the server behind CloudFlare delivered piping hot to your inbox in 30 minutes or less, or your money back.
That's a fairer deal than any of these knock-off fursuit sites will give you.
Black magic and piss-poor opsec.
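The header walk described above, as an added Python example (not code from the original post): it parses a constructed registration email, reads the Received chain oldest-first and returns the first routable address, which is also how a site operator can check their own transactional mail for this leak. Hostnames and addresses in the sample are placeholders.

```python
import email
import ipaddress
import re

# Constructed sample registration email as it would land in a mailbox. The hostnames
# are placeholders and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_EMAIL = b"""Received: from mx.mailbox.example (mx.mailbox.example [198.51.100.7])
        by inbox.mailbox.example with ESMTPS id abc123
        for <buyer@mailbox.example>; Sat, 9 May 2020 10:00:02 -0700 (PDT)
Received: from shop.knockoff.example (shop.knockoff.example [203.0.113.45])
        by mx.mailbox.example with ESMTP id def456;
        Sat, 9 May 2020 10:00:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by shop.knockoff.example (Postfix) with ESMTP id ghi789;
        Sat, 9 May 2020 10:00:00 -0700 (PDT)
From: Shop <noreply@shop.knockoff.example>
To: buyer@mailbox.example
Subject: Welcome to your new account

Thanks for registering.
"""

# Matches the bracketed literal an MTA records for the connecting host,
# e.g. "[203.0.113.45]" or "[IPv6:2001:db8::1]".
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

# Hops from these ranges are the origin talking to itself or to a LAN relay, not the
# address the outside world sees. ipaddress.is_private is deliberately not used: it
# also classes the RFC 5737 documentation ranges in the sample as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_routable(ip: str) -> bool:
    """True for a syntactically valid address outside the loopback/LAN ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def received_hops(raw_message: bytes) -> list:
    """Received headers oldest-first. Each MTA prepends its own header, so the
    last one in the message is the first hop the mail took."""
    msg = email.message_from_bytes(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def origin_ip(raw_message: bytes):
    """Routable address recorded for the earliest hop: the host that actually
    submitted the mail, which a CDN in front of the website does not hide.
    Returns None when no hop carries a routable address."""
    for hop in received_hops(raw_message):
        for ip in IP_LITERAL.findall(hop):
            if is_routable(ip):
                return ip
    return None


if __name__ == "__main__":
    print(origin_ip(SAMPLE_EMAIL))
```

If the site relays outbound mail through a third-party provider, the first routable hop is the provider's address rather than the origin, which is exactly the mitigation for operators who rely on a CDN to keep their origin private.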
What Can We Do With The Server IP?
You can identify who hosts their website. (In this case, it's a company called Net Minders.)
With this knowledge in mind, you can send an email to their web hosting provider, citing the Digital Millennium Copyright Act.
One or two emails might get ignored, but discarding hundreds of distinct complaint emails from different people is bad for business. This (along with similar abuse complaints to the domain registrar, which isnât obscured by DNS Privacy) should be enough to shut down these illicit websites.
The more you know!
Epilogue
https://twitter.com/Mochiroo/status/1259289385876373504
The technique is simple, effective, and portable. Use it whenever someone tries to prop up another website to peddle knock-off goods and tries to hide behind CloudFlare.
https://soatok.blog/2020/05/09/how-to-de-anonymize-scam-knock-off-sites-hiding-behind-cloudflare/
#cloudflare #deanonymize #DNS #fursuitScamSites #informationSecurity #OnlinePrivacy #opsec
Update (2020-04-29): Twitter has fixed their oversight.
{ "errors": [{ "code": 356, "message": "preferences.gender_preferences.gender_override: Must provide a non-empty custom value 30 characters or less in length." }]}
Anyone who set their custom gender to a long volume of text, should still have it set to a long volume of text.
The original article follows after the separator.
I was recently made aware of a change to Twitter, which exposes a new Gender field. If you've never specified your gender before, they guessed what it was (which is a really shitty thing to do, especially towards trans folks!).
https://twitter.com/leemandelo/status/1254179716451438592
Slightly annoyed, I went to go see what Twitter thinks my gender is.
Curses! They know I'm a guy. This won't do at all.
But what's this? An "Add your gender" option?
That's at least something, I guess? Defaulting to [whatever the algorithm guesses] is sucky, but at least nonbinary folks can still self-identify however they want.
But 30 characters isn't a lot. What if I want to drop in, say, 68 characters? Do I need to do some crazy Unicode fuckery to pull that off?
Nope, Inspect Element + set maxlength="255"
and now Twitter thinks my gender is the EICAR test file. Wonderful!
Which means: If someone downloads my Twitter data without my consent onto a workstation running antivirus software, the file will delete itself and all will be right in the marketing world.
https://twitter.com/SoatokDhole/status/1254635753319079937
(Okay but seriously, a lot of downstream systemic failures would have to exist for any damage to occur from me deciding to self-identify to marketers this way.)
Lessons to Learn
Twitter enforced a maxlength of 30 in the HTML element of the "Add your gender" text input, but they didn't enforce this requirement server-side. The takeaway here is pretty obvious.
Also, don't try to automatically guess people's gender at scale. It's insulting when you get it wrong, and it's creepy when you get it right.
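As an added illustration (not Twitter's code), here is what the missing server-side check looks like in Python: it counts Unicode code points after NFC normalisation, ignores the browser's maxlength entirely, and returns the same error envelope quoted in the update above. The endpoint wrapper and the request field name are assumptions.

```python
import unicodedata

MAX_GENDER_CHARS = 30
FIELD = "preferences.gender_preferences.gender_override"
# Error code and message text are the ones the fixed endpoint returns (quoted in the update above).
ERROR_CODE = 356
ERROR_MESSAGE = "Must provide a non-empty custom value 30 characters or less in length."


def field_error() -> dict:
    """Error object in the shape of the endpoint's "errors" array."""
    return {"code": ERROR_CODE, "message": f"{FIELD}: {ERROR_MESSAGE}"}


def normalise(raw: str) -> str:
    """NFC-normalise and trim, so 'e' + combining acute counts as one character
    rather than two, and surrounding whitespace cannot be used to pad the value."""
    return unicodedata.normalize("NFC", raw).strip()


def validate_custom_gender(raw):
    """Server-side check that does not trust the browser's maxlength attribute.

    Returns (clean_value, None) on success or (None, error_dict) on failure.
    Length is counted in Unicode code points, not UTF-8 bytes, so that a
    30-character limit means the same thing for every script.
    """
    if not isinstance(raw, str):
        return None, field_error()
    value = normalise(raw)
    if not value or len(value) > MAX_GENDER_CHARS:
        return None, field_error()
    # Control characters (newlines, NUL, ...) have no place in a profile field that
    # gets rendered and exported; emoji ZWJ sequences (category Cf) stay allowed.
    if any(unicodedata.category(ch) == "Cc" for ch in value):
        return None, field_error()
    return value, None


def handle_update(request_json: dict) -> dict:
    """Hypothetical endpoint wrapper: mirrors the {"errors": [...]} envelope shown above."""
    value, err = validate_custom_gender(request_json.get("gender_override"))
    if err is not None:
        return {"status": 400, "body": {"errors": [err]}}
    return {"status": 200, "body": {"gender_override": value}}


if __name__ == "__main__":
    # A 68-character placeholder of the kind the post describes (not the EICAR string itself).
    print(handle_update({"gender_override": "x" * 68}))
    print(handle_update({"gender_override": "nonbinary dhole"}))
```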
(This sticker is tongue-in-cheek.)
What's the Upper Limit for the Field?
I don't know, but this indicates it has a larger upper bound than a tweet.
https://twitter.com/txlon5/status/1254648412261228545
If anyone has success dropping an entire thesis on gender identity and culture in the Gender field, let me know.
Update: The Best Genders
Everyone is having a lot of fun with the Gender field. Here are some of the best tweets I've seen since publishing this stupid bug.
https://twitter.com/TecraFox/status/1254653500887310337
https://twitter.com/everlasting1der/status/1254652388713082880
https://twitter.com/hedgehog_emoji/status/1254650551473594368
https://twitter.com/Neybulot/status/1254659048886210563
A fox in Furry Technologists suggested building genderfs, which is a lot like redditfs but hoists the entire filesystem into the Gender field.
While I have your attention, trans rights are human rights and biology disagrees with the simple notion of "two sexes". Thank you and good night.
https://soatok.blog/2020/04/27/why-server-side-input-validation-matters/
#furry #infosec #inputValidation #LGBTQIA_ #security #softwareDevelopment #Twitter
Update (2024-06-06): There is an update on this project.
As Twitter's new management continues to nosedive the platform directly into the ground, many people are migrating to what seem like drop-in alternatives, i.e. Cohost and Mastodon. Some are even considering new platforms that none of us have heard of before (one is called "Hive").
Needless to say, these are somewhat chaotic times.
One topic that has come up several times in the past few days, to the astonishment of many new Mastodon users, is that Direct Messages between users aren't end-to-end encrypted.
And while that fact makes Mastodon DMs no less safe than Twitter DMs have been this whole time, there is clearly a lot of value and demand in deploying end-to-end encryption for ActivityPub (the protocol that Mastodon and other Fediverse software uses to communicate).
However, given that Melon Husk apparently wants to hurriedly ship end-to-end encryption (E2EE) in Twitter, in some vain attempt to compete with Signal, I took it upon myself to kickstart the E2EE effort for the Fediverse.
https://twitter.com/elonmusk/status/1519469891455234048
So I'd like to share my thoughts about E2EE, how to design such a system from the ground up, and why the direction Twitter is heading looks to be security theater rather than serious cryptographic engineering.
If you're not interested in those things, but are interested in what I'm proposing for the Fediverse, head on over to the GitHub repository hosting my work-in-progress proposal draft as I continue to develop it.
How to Quickly Build E2EE
If one were feeling particularly cavalier about their E2EE design, they could just generate public keys, dump them through a server they control, pass them between users, and have the clients encrypt client-side. Over and done. Check that box.
Every public key would be ephemeral and implicitly trusted, and the threat model would mostly be, "I don't want to deal with law enforcement data requests."
Hell, I've previously written an incremental blog post to teach developers about E2EE that begins with this sort of design. Encrypt first, ratchet second, manage trust relationships on public keys last.
If you're catering to a slightly tech-savvy audience, you might throw in SHA256(pk1 + pk2) -> hex2dec() and call it a fingerprint / safety number / "conversation key" and not think further about this problem.
"Look, technical users can verify out-of-band that they're not being machine-in-the-middle attacked by our service."
An absolute fool who thinks most people will ever do this
From what I've gathered, this appears to be the direction that Twitter is going.
https://twitter.com/wongmjane/status/1592831263182028800
Now, if you're building E2EE into a small hobby app that you developed for fun (say: a World of Warcraft addon for erotic roleplay chat), this is probably good enough.
If you're building a private messaging feature that is intended to "superset Signal" for hundreds of millions of people, this is woefully inadequate.
https://twitter.com/elonmusk/status/1590426255018848256
Art: LvJ
If this is, indeed, the direction Musk is pushing whatâs left of Twitterâs engineering staff, here is a brief list of problems with what theyâre doing.
- Twitter Web. How do you access your E2EE DMs after opening Twitter in your web browser on a desktop computer?
- If you can, how do you know twitter.com isn't including malicious JavaScript to snarf up your secret keys on behalf of law enforcement or a nation state with a poor human rights record?
- If you can, how are secret keys managed across devices?
- If you use a password to derive a secret key, how do you prevent weak, guessable, or reused passwords from weakening the security of the users' keys?
- If you cannot, how do users decide which is their primary device? What if that device gets lost, stolen, or damaged?
- Authenticity. How do you reason about the person you're talking with?
- Forward Secrecy. If your secret key is compromised today, can you recover from this situation? How will your conversation participants reason about your new Conversation Key?
- Multi-Party E2EE. If a user wants to have a three-way E2EE DM with the other members of their long-distance polycule, does Twitter enable that?
- How are media files encrypted in a group setting? If you fuck this up, you end up like Threema.
- Is your group key agreement protocol vulnerable to insider attacks?
- Cryptography Implementations.
- What does the KEM look like? If you're using ECC, which curve? Is a common library being used in all devices?
- How are you deriving keys? Are you just using the result of an elliptic curve (scalar x point) multiplication directly without hashing first?
- Independent Third-Party Review.
- Who is reviewing your protocol designs?
- Who is reviewing your cryptographic primitives?
- Who is reviewing the code that interacts with E2EE?
- Is there even a penetration test before the feature launches?
As more details about Twitter's approach to E2EE DMs come out, I'm sure the above list will be expanded with even more questions and concerns.
My hunch is that they'll reuse liblithium (which uses Curve25519 and Gimli) for Twitter DMs, since the only expert I'm aware of in Musk's employ is the engineer that developed that library for Tesla Motors. Whether they'll port it to JavaScript or just compile to WebAssembly is hard to say.
How To Safely Build E2EE
You first need to decompose the E2EE problem into five separate but interconnected problems.
- Client-Side Secret Key Management.
- Multi-device support
- Protect the secret key from being pilfered (i.e. by in-browser JavaScript delivered from the server)
- Public Key Infrastructure and Trust Models.
- TOFU (the SSH model)
- X.509 Certificate Authorities
- Certificate/Key/etc. Transparency
- SigStore
- PGP's Web Of Trust
- Key Agreement.
- While this is important for 1:1 conversations, it gets combinatorially complex when you start supporting group conversations.
- On-the-Wire Encryption.
- Direct Messages
- Media Attachments
- Abuse-resistance (i.e. message franking for abuse reporting)
- The Construction of the Previous Four.
- The vulnerability of most cryptographic protocols exists in the joinery between the pieces, not the pieces themselves. For example, Matrix.
This might not be obvious to someone who isn't a cryptography engineer, but each of those five problems is still really hard.
To wit: The latest IETF RFC draft for Message Layer Security, which tackles the Key Agreement problem above, clocks in at 137 pages.
Additionally, the order I specified these problems matters; it represents my opinion of which problem is relatively harder than the others.
When Twitter's CISO, Lea Kissner, resigned, they lost a cryptography expert who was keenly aware of the relative difficulty of the first problem.
https://twitter.com/LeaKissner/status/1592937764684980224
You may also notice the order largely mirrors my previous guide on the subject, in reverse. This is because when teaching a subject, you start with the simplest and most familiar component. When you're solving problems, you generally want the opposite: solve the hardest problems first, then work towards the easier ones.
This is precisely what I'm doing with my E2EE proposal for the Fediverse.
The Journey of a Thousand Miles Begins With A First Step
Before you write any code, you need specifications.
Before you write any specifications, you need a threat model.
Before you write any threat models, you need both a clear mental model of the system you're working with and how the pieces interact, and a list of security goals you want to achieve.
Less obviously, you need a specific list of non-goals for your design: Properties that you will not prioritize. A lot of security engineering involves trade-offs. For example: elliptic curve choice for digital signatures is largely a trade-off between speed, theoretical security, and real-world implementation security.
If you do not clearly specify your non-goals, they still exist implicitly. However, you may find yourself contradicting them as you change your mind over the course of development.
Being wishy-washy about your security goals is a good way to compromise the security of your overall design.
In my Mastodon E2EE proposal document, I have a section called Design Tenets, which states the priorities used to make trade-off decisions. I chose Usability as the highest priority, because of AviD's Rule of Usability.
"Security at the expense of usability comes at the expense of security."
Avi Douglen, Security StackExchange
Underneath Tenets, I wrote Anti-Tenets. These are things I explicitly and emphatically do not want to prioritize. Interoperability with any incumbent designs (OpenPGP, Matrix, etc.) is the most important anti-tenet when it comes to making decisions. If our end-state happens to interop with someone else's design, cool. I'm not striving for it though!
Finally, this section concludes with a more formal list of Security Goals for the whole project.
Art: LvJ
Every component (from the above list of five) in my design will have an additional dedicated Security Goals section and Threat Model. For example: Client-Side Secret Key Management.
You will then need to tackle each component independently. The threat model for secret-key management is probably the trickiest. The actual encryption of plaintext messages and media attachments is comparatively simple.
Finally, once all of the pieces are laid out, you have the monumental (dare I say, mammoth) task of stitching them together into a coherent, meaningful design.
If you did your job well at the outset, and correctly understand the architecture of the distributed system you're working with, this will mostly be straightforward.
Making Progress
At every step of the way, you do need to stop and ask yourself, "If I was an absolute chaos gremlin, how could I fuck with this piece of my design?" The more pieces your design has, the longer the list of ways to attack it will grow.
Itâs also helpful to occasionally consider formal methods and security proofs. This can have surprising implications for how you use some algorithms.
You should also be familiar enough with the cryptographic primitives you're working with before you begin such a journey; because even once you've solved the key management story (problems 1, 2 and 3 from the above list of 5), cryptographic expertise is still necessary.
- If you're feeding data into a hash function, you should also be thinking about domain separation. More information.
- If you're feeding data into a MAC or signature algorithm, you should also be thinking about canonicalization attacks. More information.
- If you're encrypting data, you should be thinking about multi-key attacks and confused deputy attacks. Also, the cryptographic doom principle if you're not using IND-CCA3 algorithms.
- At a higher-level, you should proactively defend against algorithm confusion attacks.
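As an added illustration of the canonicalization and domain-separation points in the list above (example code written for this page, not code from the proposal or its repository), the following Go program MACs a two-field (identity, public key) record two ways. The naive version concatenates the fields, so moving the boundary between them yields the same tag; the canonical version length-prefixes every field and leads with a domain label, so the same fields under "AddKey" and "RevokeKey" cannot share a tag either. The field values and the key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// NaiveTag MACs the bare concatenation of its fields. The field boundaries are
// not encoded, so two different field lists that concatenate to the same bytes
// get the same tag: a canonicalization attack.
func NaiveTag(key []byte, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, f := range fields {
		m.Write(f)
	}
	return m.Sum(nil)
}

// putLen appends n as a 4-byte big-endian length prefix.
func putLen(out []byte, n int) []byte {
	return append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
}

// Encode is injective: the field count, then each field as a length prefix
// followed by its bytes. The domain label is encoded as the first field, so the
// same payload under two labels never encodes to the same byte string.
func Encode(domain string, fields ...[]byte) []byte {
	all := append([][]byte{[]byte(domain)}, fields...)
	out := putLen(nil, len(all))
	for _, f := range all {
		out = append(putLen(out, len(f)), f...)
	}
	return out
}

func CanonicalTag(key []byte, domain string, fields ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(Encode(domain, fields...))
	return m.Sum(nil)
}

// Two ways of splitting the same bytes into (identity, public-key) fields. A
// verifier that trusts the naive tag cannot tell which split was intended.
var (
	honest  = [][]byte{[]byte("foo@example.com"), []byte("ed25519:AAAA")}
	shifted = [][]byte{[]byte("foo@example.comed25519:"), []byte("AAAA")}
)

func NaiveCollides(key []byte) bool {
	return bytes.Equal(NaiveTag(key, honest...), NaiveTag(key, shifted...))
}

func CanonicalCollides(key []byte) bool {
	return bytes.Equal(CanonicalTag(key, "AddKey", honest...), CanonicalTag(key, "AddKey", shifted...))
}

// Same fields, different labels: a tag minted for an AddKey does not verify as
// a RevokeKey over the same identity and key.
func DomainsDiffer(key []byte) bool {
	return !bytes.Equal(CanonicalTag(key, "AddKey", honest...), CanonicalTag(key, "RevokeKey", honest...))
}

func main() {
	key := []byte("constructed example key, not a real secret")
	fmt.Println("naive concatenation collides:", NaiveCollides(key))          // true
	fmt.Println("length-prefixed encoding collides:", CanonicalCollides(key)) // false
	fmt.Println("labels separate AddKey from RevokeKey:", DomainsDiffer(key)) // true
}
```

The same encoder is what you would feed to a signature algorithm, not only a MAC; the property you want is that every distinct tuple of (label, fields) has exactly one byte representation.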
How Do You Measure Success?
It's tempting to call the project "done" once you've completed your specifications and built a prototype, and maybe even published a formal proof of your design, but you should first collect data on every important metric:
- How easy is it to use your solution?
- How hard is it to misuse your solution?
- How easy is it to attack your solution? Which attackers have the highest advantage?
- How stable is your solution?
- How performant is your solution? Are the slow pieces the deliberate result of a trade-off? How do you know the balance was struck correctly?
Where We Stand Today
I've only begun writing my proposal, and I don't expect it to be truly ready for cryptographers or security experts to review until early 2023.
However, my clearly specified tenets and anti-tenets were already useful in discussing my proposal on the Fediverse.
"@soatok @fasterthanlime Should probably embed the algo used for encryption in the data used for storing the encrypted blob, to support multiples and future changes."
@fabienpenso@hachyderm.io proposes in-band protocol negotiation instead of versioned protocols
The main things I wanted to share today are:
- The direction Twitter appears to be heading with their E2EE work, and why I think it's a flawed approach
- Designing E2EE requires a great deal of time, care, and expertise; getting to market quicker at the expense of a clear and careful design is almost never the right call
Mastodon? ActivityPub? Fediverse? OMGWTFBBQ!
In case anyone is confused about Mastodon vs ActivityPub vs Fediverse lingo:
The end goal of my proposal is that I want to be able to send DMs to queer furries that use Mastodon such that only my recipient can read them.
Achieving this end goal almost exclusively requires building for ActivityPub broadly, not Mastodon specifically.
However, I only want to be responsible for delivering this design into the software I use, not for every single possible platform that uses ActivityPub, nor all the programming languages they're written in.
I am going to be aggressive about preventing scope creep, since I'm doing all this work for free. (I do have a Ko-Fi, but I won't link to it from here. Send your donations to the people managing the Mastodon instance that hosts your account instead.)
My hope is that the design documents and technical specifications become clear enough that anyone can securely implement end-to-end encryption for the Fediverse, even if special attention needs to be given to the language-specific cryptographic libraries that you end up using.
Art: LvJ
Why Should We Trust You to Design E2EE?
This sort of question comes up inevitably, so I'd like to tackle it preemptively.
My answer to every question that begins with, "Why should I trust you" is the same: You shouldn't.
There are certainly cryptography and cybersecurity experts that you will trust more than me. Ask them for their expert opinions of what I'm designing instead of blanketly trusting someone you don't know.
I'm not interested in revealing my legal name, or my background with cryptography and computer security. Credentials shouldn't matter here.
If my design is good, you should be able to trust it because it's good, not because of who wrote it.
If my design is bad, then you should trust whoever proposes a better design instead. Part of why I'm developing it in the open is so that it may be forked by smarter engineers.
Knowing who I am, or what I've worked on before, shouldn't enter your trust calculus at all. I'm a gay furry that works in the technology industry and this is what I'm proposing. Take it or leave it.
Why Not Simply Rubber-Stamp Matrix Instead?
(This section was added on 2022-11-29.)
There's a temptation, most often found in the sort of person that comments on the /r/privacy subreddit, to ask why even do all of this work in the first place when Matrix already exists?
The answer is simple: I do not trust Megolm, the protocol designed for Matrix.
Megolm has benefited from amateur review for four years. Non-cryptographers will confuse this observation with the proposition that Matrix has benefited from peer review for four years. Those are two different propositions.
In fact, the first time someone with cryptography expertise bothered to look at Matrix for more than a glance, they found critical vulnerabilities in its design. These are the kinds of vulnerabilities that are not easily mitigated, and should be kept in mind when designing a new protocol.
You don't have to take my word for it. Listen to the Security, Cryptography, Whatever podcast episode if you want cryptographic security experts' takes on Matrix and these attacks.
From one of the authors of the attack paper:
"So they kind of, after we disclosed to them, they shared with us their timeline. It's not fixed yet. It's a, it's a bigger change because they need to change the protocol. But they always said like, Okay, fair enough, they're gonna change it. And they also kind of announced a few days after kind of the public disclosure based on the public reaction that they should prioritize fixing that. So it seems kind of in the near future, I don't have the timeline in front of me right now. They're going to fix that in the sense of like the, because there's, notions of admins and so on. So like, um, so authenticating such group membership requests is not something that is kind of completely outside of, kind of like the spec. They just kind of need to implement the appropriate authentication and cryptography."
Martin Albrecht, SCW podcast
From one of the podcast hosts:
"I guess we can at the very least tell anyone who's going forward going to try that, that like, yes indeed. You should have formal models and you should have proofs. And so there's this, one of the reactions to kind of the kind of attacks that we presented and also to prior previous work where we kind of like broken some cryptographic protocols is then to say like, "Well crypto's hard", and "don't roll your own crypto." But in a way the thing is like, you know, we need some people to roll their own crypto because that's how we have crypto. Someone needs to roll it. But we have developed techniques, we have developed formalisms, we have developed methods for making sure it doesn't have to be hard, it's not, it's not a dark art kind of that only kind of a few, a select few can master, but it's, you know, it's a science and you can learn it. So, but you need to then indeed employ a cryptographer in kind of like forming, modeling your protocol and whenever you make changes, then, you know, they need to look over this and say like, Yes, my proof still goes through. Um, so like that is how you do this. And then, then true engineering is still hard and it will remain hard and you know, any science is hard, but then at least you have some confidence in what you're doing. You might still then kind of on the space and say like, you know, the attack surface is too large and I'm not gonna to have an encrypted backup. Right. That's then the problem of a different hard science, social science. Right. But then just use the techniques that we have, the methods that we have to establish what we need."
Thomas Ptacek, SCW podcast
It's tempting to listen to these experts and say, "OK, you should use libsignal instead."
But libsignal isn't designed for federation and didn't prioritize group messaging. The UX for Signal is like an IM application between two parties. It's a replacement for SMS.
It's tempting to say, "Okay, but you should use MLS then; never roll your own," but MLS doesn't answer the group membership issue that plagued Matrix. It punts on these implementation details.
Even if I use an incumbent protocol that privacy nerds think is good, I'll still have to stitch it together in a novel manner. There is no getting around this.
Maybe wait until I've finished writing the specifications for my proposal before telling me I shouldn't propose anything.
Credit for art used in header: LvJ, Harubaki
https://soatok.blog/2022/11/22/towards-end-to-end-encryption-for-direct-messages-in-the-fediverse/
In late 2022, I blogged about the work needed to develop a specification for end-to-end encryption for the fediverse. I sketched out some of the key management components on GitHub, and then the public work abruptly stalled.
A few of you have wondered what's the deal with that.
This post covers why this effort stalled, and what I'm proposing we do next.
What's The Hold Up?
The "easy" (relatively speaking) parts of the problem are as follows:
- Secret key management. (This is sketched out already, and provides multiple mechanisms for managing secret key material. Yay!)
- Bulk encryption of messages and media. (I've done a lot of work in this space over the years, so it's an area I'm deeply familiar with. When we get to this part, it will be almost trivial. I'm not worried about it at all.)
- Forward-secure ratcheting / authenticated key exchange / group key agreement. (RFC 9420 is a great starting point.)
That is to say, managing secret keys, using secret keys, and deriving shared secret keys are all in the "easy" bucket.
The hard part? Public key management.
CMYKat made this
Why is Public Key Management Hard?
In a centralized service (think: Twitter, Facebook, etc.), this is actually much easier to build: Shove your public keys into a database, and design your client-side software to trust whatever public key your server gives them. Bob's your uncle, pack it up and go home.
Unfortunately, it's kind of stupid to build anything that way.
If you explicitly trust the server, the server could provide the wrong public key (i.e., one for which the server knows the corresponding secret key) and you'll be none the wiser. This makes it trivial for the server to intercept and read your messages.
If your users are trusting you regardless, they're probably just as happy if you don't encrypt at the endpoint at all (beyond using TLS, but transport encryption is table stakes for any online service so nevermind that).
But let's say you wanted to encrypt between peers anyway, because you're feeling generous (or don't want to field a bunch of questionably legal demands for user data by law enforcement; a.k.a. the Snapchat threat model).
You could improve endpoint trust by shoving all of your users' public keys into an append-only data structure; i.e. key transparency, like WhatsApp proposed in 2023:
https://www.youtube.com/watch?v=_N4Q05z5vPE
And, to be perfectly clear, key transparency is a damn good idea.
Key transparency keeps everyone honest and makes it difficult for criminals to secretly replace a victim's public key, because the act of doing so is unavoidably published to an append-only log.
The primary challenge is scaling a transparency feature to serve a public, federated system.
Federated Key Transparency?
Despite appearances, I haven't been sitting on my thumbs for the past year or so. I've been talking with cryptography experts about their projects and papers in the same space.
Truthfully, I had been hoping to piggyback off one of those upcoming projects (which is focused more on public key discovery for SAML- and OAuth-like protocols) to build the Federated PKI piece for E2EE for the Fediverse.
Unfortunately, that project keeps getting delayed and pushed back, and I've just about run out of patience for it.
Additionally, there are some engineering challenges that I would need to tackle to build atop it, so it's not as simple as "let's just use that protocol", either.
So let's do something else instead:
Art: ScruffKerfluff
Fediverse Public Key Directories
Orthogonal to the overall Fediverse E2EE specification project, let's build a Public Key Directory for the Fediverse.
This will not only be useful for building a coherent specification for E2EE (as it provides the "Federated PKI" component we'd need to build it securely), but it would also be extremely useful for software developers the whole world over.
Imagine this:
- If you want to fetch a user's SSH public key, you can just query for their username and get a list of non-expired, non-revoked public keys to choose from.
- If you wanted public key pinning and key rotation for OAuth2 and/or OpenID Connect identity providers without having to update configurations or re-deploy any applications, you can do that.
- If you want to encrypt a message to a complete stranger, such that only they can decrypt it, without any sort of interaction (i.e., they could be offline for a holiday and still decrypt it when they get back), you could do that.
Oh, and best of all? You can get all these wins without propping up any cryptocurrency bullshit either.
"From simple abstractions, great power may bloom."
Mark Miller
How Will This Work?
We need to design a specific kind of server that speaks a limited subset of the ActivityPub protocol.
I say "limited" because it will not support editing or deleting messages provided by another instance. It will only append data.
To understand the full picture, let's first look at the message types, public key types, and how the message types will be interpreted.
Message Types
Under the ActivityPub layer, we will need to specify a distinct set of Directory Message Types. An opening offer would look like this:
- AddKey: contains an asymmetric public key, a number mapped to the user and the instance that hosts it, and some other metadata (e.g., time).
- RevokeKey: marks an existing public key as revoked.
- MoveIdentity: moves all of the public keys from identity A to identity B. This can be used for username changes or instance migrations.
We may choose to allow more message types at the front-end if need be, but that's enough for our purposes.
Public Key Types
We are not interested in backwards compatibility with every existing cryptosystem. We will only tolerate a limited set of public key types.
At the outset, only Ed25519 will be supported.
In the future, we will include post-quantum digital signature algorithms on this list, but not before the current designs have had time to mature.
RSA will never be included in the set.
ECDSA over NIST P-384 may be included at some point, if thereâs sufficient interest in supporting e.g., US government users.
If ECDSA is ever allowed, RFC 6979 is mandatory.
Message Processing
When an instance sends a message to a Directory Server, it will need to contain a specific marker for our protocol. Otherwise, it will be rejected.
Each message will have its own processing rules.
After the processing rules are applied, the message will be stored in the Directory Server, and a hash of the message will be published to a SigSum transparency ledger. The Merkle root and inclusion proofs will be stored in an associated record, attached to the record for the new message.
Every message will have its hash published in SigSum. No exceptions.
We will also need a mechanism for witness co-signatures to be published and attached to the record.
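An added example (written for this page; not code from the proposal or from the Sigsum project) of the piece of the transparency story a Directory Server client has to implement: recomputing a Merkle root from a record's hash and an inclusion proof, then comparing it with the root the log (and its witnesses) signed. It follows the RFC 6962 tree-hash convention, in which leaf hashes are prefixed with 0x00 and interior nodes with 0x01 so a leaf can never be confused with a node, and the RFC 9162 verification procedure. Sigsum builds on the same Merkle construction, but check the Sigsum specification for its exact leaf format before relying on this layout; the log entries below are constructed stand-ins for message hashes.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RFC 6962 domain separation: leaf hashes and interior-node hashes get
// different one-byte prefixes, so a leaf cannot be passed off as a node.
func hashLeaf(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(data)
	return h.Sum(nil)
}

func hashNode(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// split returns the largest power of two strictly less than n (n >= 2), the
// point at which RFC 6962 cuts a tree into its left and right subtrees.
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// RootHash is the Merkle tree hash over leaves, in log order.
func RootHash(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return hashLeaf(leaves[0])
	}
	k := split(len(leaves))
	return hashNode(RootHash(leaves[:k]), RootHash(leaves[k:]))
}

// InclusionProof is the audit path for leaf i: the sibling hashes needed to
// rebuild the root, ordered from the leaf upward.
func InclusionProof(leaves [][]byte, i int) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := split(n)
	if i < k {
		return append(InclusionProof(leaves[:k], i), RootHash(leaves[k:]))
	}
	return append(InclusionProof(leaves[k:], i-k), RootHash(leaves[:k]))
}

// VerifyInclusion is the RFC 9162 section 2.1.3.2 procedure: the index and
// tree size alone decide whether each sibling sits on the left or the right,
// so a proof cannot be re-purposed for a different index or tree size.
func VerifyInclusion(root, leaf []byte, index, size int, path [][]byte) bool {
	if index >= size {
		return false
	}
	h := hashLeaf(leaf)
	fn, sn := index, size-1
	for _, p := range path {
		if sn == 0 {
			return false // more siblings than a tree of this size can have
		}
		if fn&1 == 1 || fn == sn {
			h = hashNode(p, h)
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			h = hashNode(h, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(h, root)
}

func main() {
	// Constructed stand-ins for the hashes of directory messages.
	entries := [][]byte{[]byte("AddKey#1"), []byte("AddKey#2"), []byte("RevokeKey#3"), []byte("MoveIdentity#4"), []byte("AddKey#5")}
	root := RootHash(entries)
	fmt.Println("root:", hex.EncodeToString(root))
	fmt.Println("entry 3 included:", VerifyInclusion(root, entries[3], 3, len(entries), InclusionProof(entries, 3)))
}
```

A client that stores the (root, tree size, witness co-signatures) it last saw can also demand a consistency proof between that root and any newer one; that is the check that turns "append-only" from a promise into something a watchdog can verify.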
Additionally, all messages defined here are generated by the users, client-side. Servers are not trusted, generally, as part of the overall E2EE threat model.
AddKey
```json
{
  "@context": "https://example.com/ns/fedi-e2ee/v1",
  "action": "AddKey",
  "message": {
    "time": "2024-12-31T23:59:59Z",
    "identity": "foo@mastodon.example.com",
    "public-key": "ed25519:<key goes here>"
  },
  "signature": "SignatureOfMessage"
}
```
The first AddKey for any given identity will need to be self-signed by the key being added (in addition to ActivityPub messages being signed by the instance).
After an identity exists in the directory, every subsequent public key MUST be signed by a non-revoked keypair.
RevokeKey
```json
{
  "@context": "https://example.com/ns/fedi-e2ee/v1",
  "action": "RevokeKey",
  "message": {
    "time": "2024-12-31T23:59:59Z",
    "identity": "foo@mastodon.example.com",
    "public-key": "ed25519:<key goes here>"
  },
  "signature": "SignatureOfMessage"
}
```
This marks the public key as untrusted, and effectively "deletes" it from the list that users will fetch.
Important: RevokeKey will fail unless there is at least one more trusted public key for this user. Otherwise, a denial of service would be possible.
Replaying an AddKey for a previously-revoked key MUST fail.
MoveIdentity
```json
{
  "@context": "https://example.com/ns/fedi-e2ee/v1",
  "action": "MoveIdentity",
  "message": {
    "time": "2024-12-31T23:59:59Z",
    "old-identity": "foo@mastodon.example.com",
    "new-identity": "bar@akko.example.net"
  },
  "signature": "SignatureOfMessage"
}
```
This exists to facilitate migrations and username changes.
Other Message Types
The above list is not exhaustive. We may need other message types depending on the exact feature set needed by the final specification.
Fetching Public Keys
A simple JSON API (and/or an ActivityStream; haven't decided) will be exposed to query for the currently trusted public keys for a given identity.
```json
{
  "@context": "https://example.com/ns/fedi-e2ee/v1",
  "public-keys": [
    {
      "data": {
        "time": "2024-12-31T23:59:59Z",
        "identity": "foo@mastodon.example.com",
        "public-key": "ed25519:<key goes here>"
      },
      "signature": "SignatureOfData",
      "sigsum": { /* ... */ }
    },
    { "data": { /* ... */ }, /* ... */ },
    /* ... */
  ]
}
```
Simple and easy.
Gossip Between Instances
Directory Servers should be configurable to mirror records from other instances.
Additionally, they should be configurable to serve as Witnesses for the SigSum protocol.
The communication layer here between Directory Servers will also be ActivityPub.
Preventing Abuse
The capability of learning a user's public key doesn't imply the ability to send messages or bypass their block list.
Additionally, Fediverse account usernames are (to my knowledge) generally not private, so I don't anticipate there being any danger in publishing public keys to an append-only ledger.
That said, I am totally open to considering use cases where the actual identity is obfuscated (e.g., HMAC with a static key known only to the instance that hosts them instead of raw usernames).
What About GDPR / Right To Be Forgotten?
Others have previously suggested that usernames might be subject to the "right to be forgotten", which would require breaking history for an append-only ledger.
After discussing a proposed workaround with a few people in the Signal group for this project, we realized complying necessarily introduced security issues by giving instance admins the capability of selectively remapping the user ID to different audiences, and detecting/mitigating this remapping is annoying.
However, we don't need to do that in the first place.
According to this webpage about GDPR's Right to be Forgotten:
However, an organization's right to process someone's data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
- (…)
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organization's official authority.
- (…)
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely impair or halt progress towards the achievement that was the goal of the processing.
Enabling private communication is in the public interest. The only information that will be stored in the ledger in relation to the username are cryptographic public keys, so it's not like anything personal (e.g., email addresses or legal names) will be included.
However, we still need to be extremely up-front about this to ensure EU citizens are aware of the trade-off we're making.
Account Recovery
In the event that a user loses access to all of their secret keys and wants to burn down the old account, they may want a way to start over with another fresh self-signed AddKey.
However, the existing policies I wrote above would make this challenging:
- Since every subsequent AddKey must be signed by an incumbent key, if you don't have access to these secret keys, you're locked out.
- Since RevokeKey requires that one trusted keypair remains in the set, for normal operations, you can't just burn the set down to zero even while you still had access to the secret keys.
There is an easy way out of this mess: Create a new verb, e.g. BurnDown, that an instance can issue that resets all signing keys for a given identity.
The use of BurnDown should be a rare, exceptional event that makes a lot of noise:
- All existing E2EE sessions must break, loudly.
- All other participants must be alerted to the change, through the client software.
- Witnesses and watchdog nodes must take note of this change.
This comes with some trade-offs. Namely: Any account recovery mechanism is a backdoor, and giving the instance operators the capability of issuing BurnDown messages is a risk to their users.
Therefore, users who trust their own security posture and wish to opt out of this recovery feature should also be able to issue a Fireproof message at any point in the process, which permanently and irrevocably prevents any BurnDown from being accepted on their current instance.
If users opt out of recovery and then lose their signing keys, they're locked out and need to start over with a new Fediverse identity. On the flipside, their instance operator cannot successfully issue a BurnDown for them, so they have to trust them less.
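To make the AddKey / RevokeKey rules from the Message Processing section and the BurnDown / Fireproof rules just above concrete, here is an added Go sketch of the directory's per-identity state machine. It is example code written for this page, not the reference implementation (which does not exist yet). Assumptions that the sketch above does not pin down: signatures are over a domain-labelled canonical JSON encoding of the message body; BurnDown is authorised by an instance signing key the directory already knows for that domain; a BurnDown keeps the revoked set, so a revoked key stays dead across a reset; and the "make a lot of noise" obligations are left to clients and watchdogs. ActivityPub transport, Sigsum publication and MoveIdentity are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"strings"
)

// Message is the signed body. json.Marshal of a Go struct emits fields in declaration
// order, so every party signs identical bytes; that canonical form is an assumption here.
type Message struct {
	Action    string `json:"action"`
	Identity  string `json:"identity"`
	PublicKey []byte `json:"public-key,omitempty"`
}

// signingBytes prepends a domain label so a directory signature can't be replayed
// as a signature over the same JSON in some other protocol.
func signingBytes(m Message) []byte {
	b, _ := json.Marshal(m)
	return append([]byte("fedi-e2ee/v1/directory\x00"), b...)
}

// Record is one identity's state. Revoked is never cleared, not even by BurnDown.
type Record struct {
	Trusted, Revoked map[string]bool
	Fireproof        bool
}

// Directory also knows which instance key may issue BurnDown for each domain;
// how those keys are learned is out of scope for this example.
type Directory struct {
	Records   map[string]*Record
	Instances map[string]ed25519.PublicKey
}

func NewDirectory() *Directory { return &Directory{map[string]*Record{}, map[string]ed25519.PublicKey{}} }

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrNotTrusted   = errors.New("signer may not sign this message for this identity")
	ErrRevoked      = errors.New("key was revoked earlier; AddKey replay rejected")
	ErrLastKey      = errors.New("refusing to revoke the last trusted key")
	ErrFireproof    = errors.New("identity is fireproof; BurnDown rejected")
)

// Process applies one message. signer is the key the sender claims signed it;
// whether that key may sign for this identity is the directory's decision.
func (d *Directory) Process(m Message, signer ed25519.PublicKey, sig []byte) error {
	if len(signer) != ed25519.PublicKeySize || !ed25519.Verify(signer, signingBytes(m), sig) {
		return ErrBadSignature
	}
	rec := d.Records[m.Identity]
	if rec == nil {
		rec = &Record{Trusted: map[string]bool{}, Revoked: map[string]bool{}}
	}
	s, key := string(signer), string(m.PublicKey)
	switch m.Action {
	case "AddKey":
		// The first key (or the first after a BurnDown) must be self-signed; every
		// later key must be signed by a currently trusted key. Revoked keys never return.
		if (len(rec.Trusted) == 0 && s != key) || (len(rec.Trusted) > 0 && !rec.Trusted[s]) {
			return ErrNotTrusted
		}
		if rec.Revoked[key] {
			return ErrRevoked
		}
		rec.Trusted[key] = true
		d.Records[m.Identity] = rec
	case "RevokeKey":
		if !rec.Trusted[s] || !rec.Trusted[key] {
			return ErrNotTrusted
		}
		if len(rec.Trusted) < 2 {
			return ErrLastKey // emptying the set would lock the user out (self-DoS)
		}
		delete(rec.Trusted, key)
		rec.Revoked[key] = true
	case "Fireproof":
		if !rec.Trusted[s] {
			return ErrNotTrusted
		}
		rec.Fireproof = true
	case "BurnDown":
		domain := m.Identity[strings.LastIndex(m.Identity, "@")+1:]
		if ik, ok := d.Instances[domain]; !ok || string(ik) != s {
			return ErrNotTrusted
		}
		if rec.Fireproof {
			return ErrFireproof
		}
		rec.Trusted = map[string]bool{} // Revoked and Fireproof survive the reset
	default:
		return errors.New("unknown action " + m.Action)
	}
	return nil
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	m := Message{"AddKey", "foo@mastodon.example.com", pk}
	println("first self-signed AddKey accepted:", NewDirectory().Process(m, pk, ed25519.Sign(sk, signingBytes(m))) == nil)
}
```

Two details worth noticing: the signature is checked against the key the sender names, and only afterwards does the directory decide whether that key has any authority for the identity, so a valid signature from the wrong key is rejected with ErrNotTrusted rather than ErrBadSignature; and the first AddKey after a BurnDown goes through the same self-signed path as a brand-new identity, but still cannot resurrect a key that was revoked before the reset.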
Notice
This is just a rough sketch of my initial ideas, going into this project. It is not comprehensive, nor complete.
There are probably big gaps that need to be filled in, esp. on the ActivityPub side of things. (I'm not as worried about the cryptography side of things.)
How Will This Be Used for E2EE Direct Messaging?
I anticipate that a small pool of Directory Servers will be necessary, due to only public keys and identities being stored.
Additional changes beyond just the existence of Directory Servers will need to be made to facilitate private messaging. Some of those changes include:
- Some endpoint for users to know which Directory Servers a given ActivityPub instance federates with (if any).
- Some mechanism for users to asynchronously exchange Signed Pre-Key bundles for initiating contact. (One for users to publish new bundles, another for users to retrieve a bundle.)
- These will be Ed25519-signed payloads containing an ephemeral X25519 public key.
This is all outside the scope of the proposal I'm sketching out here today, but it's worth knowing that I'm aware of the implementation complexity.
The important thing is: I (soatok@furry.engineer) should be able to query pawb.fun, find the Directory Server(s) they federate with, and then query that Directory Server for Crashdoom@pawb.fun and get his currently trusted Ed25519 public keys.
From there, I can query pawb.fun for a SignedPreKey bundle, which will have been signed by one of those public keys.
And then we can return to the "easy" pile.
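The key agreement questions from the first post (which curve, and whether the raw scalar multiplication output gets hashed before use) and the SignedPreKey bundle described just above come together in this added Go example, which is not code from the proposal. It assumes Go 1.20 or later for crypto/ecdh, an HKDF-SHA256 written out with crypto/hmac so there is no dependency outside the standard library, and labels of my own choosing for the bundle signature and the session key. The initiator accepts a bundle only if its signing key is one the directory vends for the recipient, and both sides derive the session key by hashing the X25519 output together with every public key involved; the raw shared secret is never used as a key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PreKeyBundle is what an instance would serve for a user: an X25519 public key
// signed by one of the Ed25519 keys the Directory Server lists as trusted.
type PreKeyBundle struct {
	IdentityKey ed25519.PublicKey
	PreKey      []byte // 32-byte X25519 public key
	Signature   []byte
}

// Labels are assumptions of this example; they keep a bundle signature from being
// confused with any other Ed25519 signature the identity key ever makes.
const bundleLabel = "fedi-e2ee/v1/signed-prekey\x00"
const sessionLabel = "fedi-e2ee/v1/session\x00"

func PublishBundle(idSK ed25519.PrivateKey, pre *ecdh.PrivateKey) PreKeyBundle {
	pk := pre.PublicKey().Bytes()
	sig := ed25519.Sign(idSK, append([]byte(bundleLabel), pk...))
	return PreKeyBundle{idSK.Public().(ed25519.PublicKey), pk, sig}
}

// hkdfSHA256 is RFC 5869 extract-then-expand written out with crypto/hmac.
func hkdfSHA256(ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, nil) // empty salt; HMAC zero-pads it, as RFC 5869 specifies
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// deriveKey never uses the raw X25519 output as a key. The info string binds the
// session to every public key involved; all three are fixed-length (32 bytes), so
// the plain concatenation is unambiguous.
func deriveKey(shared, initiatorEph, responderPre, responderID []byte) []byte {
	info := append([]byte(sessionLabel), initiatorEph...)
	info = append(append(info, responderPre...), responderID...)
	return hkdfSHA256(shared, info, 32)
}

// InitiatorSecret is the sender's side: accept the bundle only if its signing key
// is one the directory vends for the recipient, check the signature, then agree.
func InitiatorSecret(trusted []ed25519.PublicKey, b PreKeyBundle, eph *ecdh.PrivateKey) ([]byte, error) {
	known := false
	for _, k := range trusted {
		known = known || bytes.Equal(k, b.IdentityKey)
	}
	if !known {
		return nil, errors.New("bundle signed by a key the directory does not trust")
	}
	if !ed25519.Verify(b.IdentityKey, append([]byte(bundleLabel), b.PreKey...), b.Signature) {
		return nil, errors.New("bundle signature does not verify")
	}
	peer, err := ecdh.X25519().NewPublicKey(b.PreKey)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peer) // crypto/ecdh errors on an all-zero (low-order) result
	if err != nil {
		return nil, err
	}
	return deriveKey(shared, eph.PublicKey().Bytes(), b.PreKey, b.IdentityKey), nil
}

// ResponderSecret is the recipient's side once the initiator's ephemeral key arrives.
func ResponderSecret(pre *ecdh.PrivateKey, idPK ed25519.PublicKey, initiatorEph []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(initiatorEph)
	if err != nil {
		return nil, err
	}
	shared, err := pre.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return deriveKey(shared, initiatorEph, pre.PublicKey().Bytes(), idPK), nil
}

func main() {
	idPK, idSK, _ := ed25519.GenerateKey(rand.Reader)
	pre, _ := ecdh.X25519().GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	b := PublishBundle(idSK, pre)
	k1, err := InitiatorSecret([]ed25519.PublicKey{idPK}, b, eph)
	k2, _ := ResponderSecret(pre, idPK, eph.PublicKey().Bytes())
	fmt.Println("both sides agree on the session key:", err == nil && bytes.Equal(k1, k2))
}
```

This is only the initial handshake; forward secrecy across a conversation still needs ratcheting on top, which is the part RFC 9420 and the "easy pile" above are about.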
Development Plan
Okay, so that was a lot of detail, and yet not enough detail, depending on who's reading this blog post.
What I wrote here today is a very rough sketch. The devil is always in the details, especially with cryptography.
Goals and Non-Goals
We want Fediverse users to be able to publish a public key that is bound to their identity, which anyone else on the Internet can fetch and then use for various purposes.
We want to leverage the existing work on key transparency by the cryptography community.
We don't want to focus on algorithm agility or protocol compatibility.
We don't want to involve any government offices in the process. We don't care about "real" identities, nor about codifying falsehoods about names.
We don't want any X.509 or Web-of-Trust machinery involved in the process.
Tasks
The first thing we would need to do is write a formal specification for a Directory Server (whose job is only to vend Public Keys in an auditable, transparent manner).
Next, we need to actually build a reference implementation of this server, test it thoroughly, and then have security experts pound at the implementation for a while. Any security issues that can be mitigated by design will require a specification update.
We will NOT punt these down to implementors to be responsible for, unless we cannot avoid doing so.
Once these steps are done, we can start rolling the Directory Servers out. At this point, we can develop client-side libraries in various programming languages to make it easy for developers to adopt.
My continued work on the E2EE specification for the Fediverse can begin after we have an implementation of the Directory Server component ready to go.
Timeline
I have a very demanding couple of months ahead of me, professionally, so I don't yet know when I can commit to starting the Fediverse Directory Server specification work.

Strictly speaking, it's vaguely possible to get buy-in from work to focus on this project as part of my day-to-day responsibilities, since it has immediate and lasting value to the Internet.

However, I don't want to propose it because that would be crossing the professional-personal streams in a way I'm not really comfortable with.
The last thing I need is angry Internet trolls harassing my coworkers to try to get under my fur, y'know?
If there is enough interest from the broader Fediverse community, I'm also happy to delegate this work to anyone interested.

Once the work can begin, I don't anticipate it will take more than a week for me to write a specification that other crypto nerds will take seriously.
I am confident in this because most of the cryptography will be constrained to hash functions, preventing canonicalization and cross-protocol attacks, and signatures.
Y'know, the sort of thing I write about on my furry blog for fun!
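As an added illustration (example code written for this edit, not code from the fedi-e2ee project or from the post's author), here is the client-side check that the lookup described earlier ends in: after fetching Crashdoom@pawb.fun's trusted Ed25519 keys from the directory, the client verifies that the SignedPreKey bundle vended by pawb.fun was signed by one of them. It also shows the two things the previous paragraph says the cryptography boils down to: a domain-separation tag so a bundle signature can never be reused as a signature over some other message type, and length-prefixed fields so two bundles whose fields differ only in where a boundary falls never hash to the same bytes. The bundle layout, the field names, the tag string and the in-memory Directory map are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain-separation tag: an assumption made for this example, not from any spec.
const preKeyBundleTag = "example/fedi-e2ee/signed-prekey-bundle/v1"

// Directory stands in for the Directory Server: actor -> currently trusted
// Ed25519 public keys. A real client fetches this over the network and checks
// it against the transparency log; the verification step below is the same.
type Directory map[string][]ed25519.PublicKey

// PreKeyBundle is a hypothetical SignedPreKey bundle as vended by the actor's
// home server. Field names are assumptions made for this example.
type PreKeyBundle struct {
	Actor     string // e.g. "Crashdoom@pawb.fun"
	PreKey    []byte // the pre-key itself, opaque here
	Expiry    uint64 // unix seconds
	Signature []byte
}

// NewIdentity creates an actor's long-term Ed25519 identity key pair; the
// public half is what the directory publishes.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// encodeField writes an 8-byte big-endian length followed by the bytes, so
// that ("ab","c") and ("a","bc") serialize differently; plain concatenation
// would not distinguish them.
func encodeField(buf *bytes.Buffer, field []byte) {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(field)))
	buf.Write(n[:])
	buf.Write(field)
}

// CanonicalMessage is the exact byte string that gets signed: SHA-256 over the
// tag and the length-prefixed fields, in a fixed order.
func CanonicalMessage(b *PreKeyBundle) []byte {
	var buf bytes.Buffer
	encodeField(&buf, []byte(preKeyBundleTag))
	encodeField(&buf, []byte(b.Actor))
	encodeField(&buf, b.PreKey)
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], b.Expiry)
	encodeField(&buf, e[:])
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// SignBundle is the home server's side: sign with the actor's identity key.
func SignBundle(priv ed25519.PrivateKey, b *PreKeyBundle) {
	b.Signature = ed25519.Sign(priv, CanonicalMessage(b))
}

// VerifyBundle is the client's side: accept the bundle only if it verifies
// under one of the keys the directory currently lists for that actor.
func VerifyBundle(dir Directory, b *PreKeyBundle) error {
	trusted := dir[b.Actor]
	if len(trusted) == 0 {
		return errors.New("directory lists no keys for " + b.Actor)
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg := CanonicalMessage(b)
	for _, pk := range trusted {
		if len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, msg, b.Signature) {
			return nil
		}
	}
	return errors.New("bundle not signed by any key the directory trusts for " + b.Actor)
}

func main() {
	pub, priv := NewIdentity()
	dir := Directory{"Crashdoom@pawb.fun": {pub}}
	// Constructed sample bundle.
	bundle := &PreKeyBundle{Actor: "Crashdoom@pawb.fun", PreKey: []byte("constructed pre-key bytes"), Expiry: 1717632000}
	SignBundle(priv, bundle)
	fmt.Println("genuine bundle:", VerifyBundle(dir, bundle))
	// Any change to a covered field, here the expiry, invalidates the signature.
	tampered := *bundle
	tampered.Expiry++
	fmt.Println("tampered bundle:", VerifyBundle(dir, &tampered))
	// Moving a byte across the Actor/PreKey boundary changes the canonical
	// message, which is exactly what length-prefixing buys us.
	x := &PreKeyBundle{Actor: "Crashdoom@pawb.fun", PreKey: []byte("x")}
	y := &PreKeyBundle{Actor: "Crashdoom@pawb.fu", PreKey: []byte("nx")}
	fmt.Println("boundary shift changes message:", !bytes.Equal(CanonicalMessage(x), CanonicalMessage(y)))
}
```

Run it with go run. The hash-then-sign step is not required by Ed25519 (it takes arbitrary-length messages), but keeping one fixed canonical encoding in a single function is what makes the "what exactly was signed?" question answerable the same way on both sides, which is where canonicalization bugs usually come from.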
Building a reference implementation will likely take a bit longer, if for no other reason than that I believe it would be best to write it in Go (which has the strongest SigSum support, as of this writing).
This is a lot of words to say, as far as timelines go:
How to Get Involved
Regardless of whether my overall E2EE proposal gets adopted, the Directory Server component is something that should be universally useful to the Fediverse and to software developers around the world.

If you are interested in participating in any technical capacity, I have just created a Signal Group for discussing and coordinating efforts.
All of these efforts will also be coordinated on the fedi-e2ee GitHub organization.
The public key directory server's specification will eventually exist in this GitHub repository.
Can I Contribute Non-Technically?
Yes, absolutely. In the immediate future, once it kicks off, the work is going to be technology-oriented.

However, we may need people with non-technical skills at some point, so feel free to dive in whenever you feel comfortable.
What About Financially?
If you really have money burning a hole in your pocket and want to toss a coin my way, I do have a Ko-Fi. Do not feel pressured at all to do so, however.

Because I only use Ko-Fi as a tip jar, rather than as a business, I'm not specifically tracking which transaction is tied to which project, so I can't make any specific promises about how any of the money sent my way will be allocated.
What I will promise, however, is that any icons/logos/etc. created for this work will be done by an artist and they will be adequately compensated for their work. I will not use large-scale computing (a.k.a. "Generative AI") for anything.
Closing Thoughts
What I've sketched here is much simpler (and more ActivityPub-centric) than the collaboration I was originally planning.

Thanks for being patient while I tried, in vain, to make that work.
As of today, I no longer think we need to wait for them. We can build this ourselves, for each other.
https://soatok.blog/2024/06/06/towards-federated-key-transparency/
#cryptography #endToEndEncryption #fediverse #KeyTransparency #Mastodon #MerkleTrees #PublicKeys
I get a lot of emails from job recruiters that, even to this day, I'm not qualified for. They often ask for ridiculous requirements, like a Master's Degree or Ph.D. in Computer Science, for what would otherwise be a standard programming job without any particular specializations (e.g. cryptography, which I happen to specialize in).
One time I humored one of these opportunities for a PHP Developer position and was immediately told over the phone that my number of years of experience with PHP was too low, because I didn't start working with it in 1996 like the rockstar developers on their payroll, but that they'd call me back if they had any "junior" openings in the future. Given that I was born in 1989 and didn't have access to a computer until about Christmas 1999, I won't even begin to pretend this is a reasonable ask.
This was my actual reaction after I hung up. (Art by Khia.)
In a lot of ways, I have it easy. I have enough experience with software development and security research under my belt to basically ignore the requirements that HR puts on job listings and still get an interview with most companies. (If you want a sense of what this looks like, look no further than rawr-x3dh or my teardown of security issues in Zed Shaw's SRP library… which are both things I did somewhat casually for this blog.)
The irony is, I'm probably deeply overqualified for the majority of the jobs that come across my inbox, and I still don't meet the HR requirements for the roles, and the people who are actually a good fit for them don't have the same privilege as me.
So if the rules are made up and the points don't matter, why do companies bother with these pointlessly harrowing job requirements?
(Art by Khia.)
The answer is simple: They're being toxic gatekeepers, and we're all worse off for it.
https://twitter.com/IanColdwater/status/1357381321488621569
Toxic Gatekeeping
Gatekeeping is generally defined as "the activity of controlling, and usually limiting, general access to something" (source).
Gatekeeping doesn't have to be toxic: Keeping children out of adult entertainment venues is certainly an example of gatekeeping, but it's a damned good idea in that context.
In a similar vein, content moderation is a good thing, but necessarily involves some gatekeeping behaviors.
As with many things in life, toxicity is determined by the dose. I've previously posited that any group has a minimum gatekeeping threshold necessary for maintaining group identity (or, in the example of keeping kids out of 18+ spaces, avoiding liability).
When the amount of gatekeeping exceeds the minimum, the excess is almost always toxic. To wit:
https://twitter.com/BlackDGamer1/status/1361352840980164609
Toxic Gatekeeping in Tech
The technology industry is filled with entry-level gatekeepers. Sometimes this behavior floats up the org chart, but it's most often concentrated among neophytes.
https://twitter.com/fancy_flare/status/1371568476331012101
In practice, toxic gatekeeping often employs arbitrary Purity Tests, stupid job requirements, and questionably legal hazing rituals. Conversations with toxic gatekeepers often—but not always—involve gratuitous use of the No True Scotsman fallacy.
But what's really happening here is actually sinister: Toxic gatekeepers in tech are people with internalized cognitive distortions that either affirm their own sense of superiority or project their personal insecurities—if not both.
This is almost always directed towards the end of excluding women, racial or religious minorities, LGBTQIA+ and neurodivergent people, and other vulnerable populations from the possibility of pursuing lucrative career prospects.
If you need a (rather poignant) example of the above, the gatekeeping behaviors against women in tech even apply to the forerunners of computer science:
https://twitter.com/gurlcode/status/1170664258197024768
If you're still unconvinced, I have my own experiences I can tell you about; like that one time my blog's domain was banned from the netsec subreddit because of other people's toxicity.
That Time soatok.blog Was Banned from Reddit's r/netsec Subreddit
Earlier this year, I thought I'd submit my post about encrypting directly with RSA being a bad idea to the network security subreddit—only to discover that my domain name had been banned from r/netsec.
https://twitter.com/SoatokDhole/status/1352140779586805760
Prior to this, I'd had some disagreements with other r/netsec moderators (i.e. @sanitybit, plus whoever answered my Reddit messages) about a lack of communication and transparency about their decisions, but there were no lingering issues.
A lot of the time when something I wrote ended up on their subreddit, I was not the person who submitted it there. Usually this omission was intentional: If I didn't submit it there, I didn't feel it belonged on r/netsec (usually due to being insufficiently technical).
The comments I received were often hostile non sequiturs about me being a furry. This general misconduct isn't unique to r/netsec; I've received similar comments on my Lobste.rs submissions, which forced the sysop's hand into telling people to stop being dumb and terrible.
https://twitter.com/SoatokDhole/status/1352142604406816771
The hostility was previously severe enough to get noticed by the r/SubredditDrama subreddit (and, despite what you might think of drama-oriented forums, most of the comments there were surprisingly non-shitty towards me or furries in general).
Quick aside: Being a furry isn't the important bit of this anecdote; people face this kind of behavior for all sorts of reasons. In particular: transgender people face even shittier behavior at every level of society, and a lot of what they endure is much more subtle than the overt yet lazy bigotry lobbed my way.
So was my domain name banned by an r/netsec moderator because other people kept being shitty in the comments whenever someone submitted one of my blog posts there?
It turns out: Yes. This was later confirmed to me by an r/netsec moderator via Twitter DM.
r/netsec moderator @albinowax
I've cut out some irrelevant crap.
As I had said publicly on Twitter and reiterated in the DM conversation above: I had already decided I would not return to r/netsec in light of this rogue moderator's misconduct.
Trust is a funny thing: It's easy to lose and hard to gain. Once trust has been lost, it's often impossible to recover it. Security professionals should understand this better than anyone else, given our tendency to deal with matters of risk and trust.
What Could They Have Done Better?
Several things! Many of which are really obvious!
- Communicating with me. If nothing else, they could have told me they were banning my domain name from their subreddit and given a reason why.
  - Maybe there was some weird goal in mind? (E.g. to stop people from submitting posts on my behalf, since I had made it clear that I'd intentionally not share stuff there if I didn't think it belonged.)
  - I'll never know, because nobody told me anything.
- Communicating with each other. I mean, this is just a matter of showing respect to your fellow moderators. It's astonishing that this didn't happen.
- Taking steps to protect members of vulnerable populations from the kinds of shitheads that make Reddit a miserable experience.
  - For example: If someone's previously been a target of bigotry, have AutoModerator prune all comments not from the OP or Trusted Contributors—and if any TCs violate the mods' trust, revoke their TC status.
Since then, I've been informed that they implemented my suggestion to prevent themselves from having to suffer through a bunch of negative vitriol.
Truthfully, I still haven't decided if I want to give r/netsec another chance.
On the one paw: The moderators really burned a lot of trust with me, and I expect security professionals to fucking know better.
On the other: Representation matters, and removing myself from their community gives the bigots that caused the trouble in the first place a Pyrrhic victory.
Neither choice sits well with me, for totally disparate reasons.
I wish I could put a happy ending on this tale, but life doesn't work that way most of the time.
If you're looking for non-toxic subreddits, r/crypto is always a pleasant community. I also contribute a lot to r/furrydiscuss.
When to Be a Gatekeeper
If someone is a threat to the safety or well-being of your group, you should exclude them from your group.
In the furry community, we had a person who owned a widely-used costume-making business get outed for a lot of abusive actions. Their response was to try to file a SLAPP suit against some unrelated person who merely linked to the victims' statements on Twitter.
https://twitter.com/qutens_/status/1357496129659707392
In these corner-case situations, be a gatekeeper!
But generally, it's not warranted. Gatekeeping compounds systemic harms and makes it harder for newcomers to join a community or industry.
Gatekeeping hurts women. Gatekeeping hurts LGBTQIA+ folks. Gatekeeping hurts non-white people. Gatekeeping hurts the neurodivergent.
But if that's not enough of a reason to avoid it: Gatekeeping hurts straight white males too!
Newcomers who aren't narcissists almost always experience some degree of Impostor Syndrome. If you apply the gatekeeping behaviors we've discussed previously, you're going to totally exacerbate the situation.
People will quit. People will burn out.
The only people who stand to gain anything from gatekeeping are the survivors who made it through the gate. If the survivors are insecure or arrogant, the vicious cycle continues.
So why don't we simply… not perpetuate it?
There's an old saying that's popular in punk and anarchist circles: "No gods, no masters." I think the correct attitude to have regarding gatekeeping is analogous to the spirit of this saying.
Without Gatekeeping, A Deluge?
Sometimes you'll hear hiring managers defend the weird job requirements that HR departments shit out because every job posting gets flooded with hundreds of applicants. They insist that the incentives of this dynamic are to blame, rather than gatekeeping.
Unfortunately, we're both right on this one. Economic forces and toxicity often synergize in the worst ways, and gatekeeping behaviors are no exception.
Hiring managers who are forced to sift through a deluge of applications to fill an opening will inevitably rely on their own subconscious biases to select "qualified" candidates (from a pool of people who are actually qualified for the job). Thus, they become gatekeepers more so than the minimum amount their job requires. This is one reason why tech companies often only employ people who fit the same demographic.
Savvy tech companies will employ work-sample tests in the same way that orchestras employ blind auditions to assess candidates, rather than relying on these subconscious biases to drive their decisions. Not all companies are savvy, and we all suffer for it.
Instead, what happens is that the candidates who endure the ritual of whiteboard hazing (which tests for anxiety rather than technical or cognitive ability) will in turn propagate the ritual for the next round of newcomers.
The same behaviors and incentives that maintain these unhealthy traditions overlap heavily with the people who will refuse to train or mentor their junior employees. This refusal isn't just about frugality; it's also in service of the ego. Maintaining their power within existing social hierarchies is something that toxic gatekeepers worry about a lot.
What About "Don't Roll Your Own Crypto"?
There's a fine line between reinforcing boundaries to maintain safety and inventing stupid rules or requirements for people to be allowed to participate in a community or industry. (Also, I've talked about this before.)
Rejection of gatekeeping isn't the same as rejecting the concept of professional qualifications, and anyone who suggests otherwise isn't being intellectually honest.
The excellent artwork used in the blog header was made by Wolfool.
https://soatok.blog/2021/03/04/no-gates-no-keepers/
#gatekeepers #gatekeeping #onlineAbuse #rNetsec #Reddit #Society #toxicity #Twitter
Let me say up front, I'm no stranger to negative or ridiculous feedback. It's incredibly hard to hurt my feelings, especially if you intend to. You don't openly participate in the furry fandom since 2010 without being accustomed to malevolence and trolling. If this were simply a story of someone being an asshole to me, I would have shrugged and moved on with my life.

It's important that you understand this, because when you call it like you see it, sometimes people dismiss your criticism with "triggered" memes. This isn't me being offended. I promise.
My recent blog post about crackpot cryptography received a fair bit of attention in the software community. At one point it was on the front page of Hacker News (which is something that pretty much never happens for anything I write).
Unfortunately, that also means I crossed paths with Zed A. Shaw, the author of Learn Python the Hard Way and other books often recommended to neophyte software developers.
As someone who spends a lot of time trying to help newcomers acclimate to the technology industry, there are some behaviors I've recognized in technologists over the years that make it harder for newcomers to overcome anxiety, frustration, and Impostor Syndrome. (Especially if they're LGBTQIA+, a person of color, or a woman.)
Normally, these are easily correctable behaviors exhibited by people who have good intentions but don't realize the harm they're causing—often not by what they're saying, but by how they say it.
Sadly, I can't be so generous about… whatever this is:
https://twitter.com/lzsthw/status/1359659091782733827
Having never before encountered a living example of a poorly-written villain opposed to the work I do to help disadvantaged people thrive in technology careers, I sought to clarify Shaw's intent.
https://twitter.com/lzsthw/status/1359673331960733696
https://twitter.com/lzsthw/status/1359673714607013905
This is effectively a very weird hybrid of an oddly-specific purity test and a form of hazing ritual.
Let's step back for a second. Can you even fathom the damage attitudes like this can cause? I can tell you firsthand, because it happened to me.
Interlude: Amplified Impostor Syndrome
In the beginning of my career, I was just a humble web programmer. Due to a long story I don't want to get into now, I was acquainted with the culture of black-hat hacking that precipitates the DEF CON community.

In particular, I was exposed to the writings of a malicious group called Zero For 0wned, which made sport of hunting "skiddiez" and preached a very "shut up and stay in your lane" attitude:
Geeks don't really come to HOPE to be lectured on the application of something simple, with very simple means, by a 15 year old. A combination of all the above could be why your room wasn't full. Not only was it fairly empty, but it emptied at a rapid rate. I could barely take a seat through the masses pushing me to escape. Then when I thought no more people could possibly leave, they kept going. The room was almost empty when I gave in and left also. Heck, I was only there because we pwned the very resources you were talking about.
Zero For 0wned
My first security conference was B-Sides Orlando in 2013. Before the conference, I had been hanging out in the #hackucf IRC channel and had known about the event well in advance (and got along with all the organizers and most of the would-be attendees), and considered applying to their CFP.

I ultimately didn't, solely because I was worried about a ZF0-style reception.
I had no frame of reference for other folks' understanding of cryptography (which is my chosen area of discipline in infosec), and thought things like timing side-channels were "obvious"—even to software developers outside infosec. (Such is the danger of being self-taught!)
"Geeks don't really come to B-Sides Orlando to be lectured on the application of something simple, with very simple means," is roughly how I imagined the vitriol would be framed.
If it can happen to me, it can happen to anyone interested in tech. It's the responsibility of experts and mentors to spare beginners from falling into the trappings of other people's grandstanding.
Pride Before Destruction
With this in mind, let's return to Shaw. At this point, more clarifying questions came in, this time from Fredrick Brennan.
https://twitter.com/lzsthw/status/1359712275666505734
What an arrogant and bombastic thing to say!
At this point, I concluded that I can never again, in good conscience, recommend any of Shaw's books to a fledgling programmer.
If you've ever published book recommendations before, I suggest auditing them to make sure you're not inadvertently exposing beginners to his harmful attitude and problematic behavior.
But while we're on the subject of Zed Shaw's behavior…
https://twitter.com/lzsthw/status/1359714688972582916
If Shaw thinks of himself as a superior cryptography expert, surely he's published cryptography code online before.
And surely it will withstand a five-minute code review from a gay furry blogger who never went through Shaw's prescribed hazing ritual of rediscovering the known problems in OpenSSL circa Heartbleed, and is therefore not as much of a cryptography expert?
(Art by Khia.)
May I Offer You a Zero-Day in This Trying Time?
One of Zed A. Shaw's GitHub projects is an implementation of SRP (Secure Remote Password)—an early Password-Authenticated Key Exchange algorithm often integrated with TLS (to form TLS-SRP).
Zed Shaw's SRP implementation
Without even looking past the directory structure, we can already see that it implements an algorithm called TrueRand, about which cryptographer Matt Blaze has this to say:
https://twitter.com/mattblaze/status/438464425566412800
As noted by the README, Shaw stripped out all of the "extraneous" things and doesn't include any of the previous versions of SRP "since those are known to be vulnerable".
So given Shaw's previous behavior, and the removal of vulnerable versions of SRP from his fork of Tom Wu's libsrp code, it stands to reason that Shaw believes the cryptography code he published would be secure. Otherwise, why would he behave with such arrogance?
SRP in the Grass
Heads up! If you aren't cryptographically or mathematically inclined, this section might be a bit dense for your tastes. (Art by Scruff.)

When I say SRP, I'm referring to SRP-6a. Earlier versions of the protocol are out of scope; as are proposed variants (e.g. ones that employ SHA-256 instead of SHA-1).
Professor Matthew D. Green of Johns Hopkins University (who incidentally used to proverbially shit on OpenSSL in the way that Shaw expects everyone to, except productively) dislikes SRP but considered the protocol "not obviously broken".
However, a secure protocol doesn't mean the implementations are always secure. (Anyone who's looked at older versions of OpenSSL's BigNum library after reading my guide to side-channel attacks knows better.)
There are a few ways to implement SRP insecurely:
- Use an insecure random number generator (e.g. TrueRand) for salts or private keys.
- Fail to use a secure set of parameters (q, N, g).
To expand on this, SRP requires N to be a safe prime, N = 2q + 1 with q itself prime (q is a Sophie Germain prime), and g to be a primitive root modulo N, i.e. a generator of the entire multiplicative group rather than of its order-q subgroup. The standard Diffie-Hellman groups (the MODP groups from RFC 3526) are not sufficient as-is: their primes are safe primes, but their generator g = 2 only generates the order-q subgroup, which is why RFC 5054 publishes its own generators for the larger primes it borrows from RFC 3526. RFC 5054 requires these properties because, with parameters that violate them, an attacker impersonating the server can learn information about the client's password from the exchange; with a primitive root g, the server's value B = kv + g^b mod N reveals nothing about the verifier v.
- Fail to perform the critical validation steps as outlined in RFC 5054.
In one way or another, Shaw's SRP library fails at every step of the way. The first two are trivial:
- We've already seen the RNG used by srpmin. TrueRand is not a cryptographically secure random number generator.
- Zed A. Shaw's srpmin only supports the Diffie-Hellman groups from RFC 3526, not the SRP groups from RFC 5054.
The third is more interesting. Let's talk about the RFC 5054 validation steps in more detail.
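Before getting to what follows, here is what the group and public-value checks from RFC 5054 look like in code, as an added example written for this edit (not code from Shaw's library, from libsrp, or from RFC 5054 itself). It uses Go's math/big only to state the checks; the small groups in main are constructed for illustration, and real code would plug in one of the Appendix A groups from RFC 5054. The generator check is the one worth staring at: with a safe prime N = 2q + 1, every element other than 1 and N - 1 has order q or 2q, so g is a primitive root exactly when g^2 ≠ 1 and g^q ≠ 1 (mod N). The RFC 3526 MODP generator g = 2 fails that test for those primes (2 is a quadratic residue modulo them), which is why the MODP groups as published are unsuitable for SRP.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)

var (
	bigOne = big.NewInt(1)
	bigTwo = big.NewInt(2)
)

// ValidateGroup enforces the RFC 5054 requirements on (N, g): N is a safe
// prime (N = 2q + 1, q prime) and g is a primitive root modulo N. For a safe
// prime every element has order 1, 2, q or 2q, so g generates the whole group
// iff g^2 != 1 and g^q != 1 (mod N). ProbablyPrime(64) is Miller-Rabin plus
// Baillie-PSW, which is fine for vetting received parameters.
func ValidateGroup(N, g *big.Int) error {
	if N.Cmp(big.NewInt(5)) < 0 || !N.ProbablyPrime(64) {
		return errors.New("N is not an odd prime")
	}
	q := new(big.Int).Rsh(new(big.Int).Sub(N, bigOne), 1) // q = (N-1)/2
	if !q.ProbablyPrime(64) {
		return errors.New("N is not a safe prime: (N-1)/2 is composite")
	}
	if g.Cmp(bigTwo) < 0 || g.Cmp(new(big.Int).Sub(N, bigOne)) >= 0 {
		return errors.New("g must lie in [2, N-2]")
	}
	if new(big.Int).Exp(g, bigTwo, N).Cmp(bigOne) == 0 {
		return errors.New("g has order 2")
	}
	if new(big.Int).Exp(g, q, N).Cmp(bigOne) == 0 {
		return errors.New("g generates only the order-q subgroup (not a primitive root)")
	}
	return nil
}

// ValidatePublicValue is the RFC 5054 abort rule for the ephemeral public
// values: the server must reject A, and the client must reject B, whenever the
// received value is congruent to 0 mod N (with A = 0, for instance, the
// server's computed secret is simply 0).
func ValidatePublicValue(v, N *big.Int) error {
	if v.Sign() <= 0 {
		return errors.New("public value must be positive")
	}
	if new(big.Int).Mod(v, N).Sign() == 0 {
		return errors.New("public value is 0 mod N")
	}
	return nil
}

// ComputeU derives the scrambling parameter u = SHA1(PAD(A) | PAD(B)) as in
// RFC 5054, where PAD left-pads each value with zero bytes to the byte length
// of N. Both values are validated first.
func ComputeU(A, B, N *big.Int) (*big.Int, error) {
	if err := ValidatePublicValue(A, N); err != nil {
		return nil, fmt.Errorf("A: %w", err)
	}
	if err := ValidatePublicValue(B, N); err != nil {
		return nil, fmt.Errorf("B: %w", err)
	}
	nlen := (N.BitLen() + 7) / 8
	h := sha1.New()
	h.Write(new(big.Int).Mod(A, N).FillBytes(make([]byte, nlen)))
	h.Write(new(big.Int).Mod(B, N).FillBytes(make([]byte, nlen)))
	u := new(big.Int).SetBytes(h.Sum(nil))
	if u.Sign() == 0 {
		return nil, errors.New("u is zero; abort")
	}
	return u, nil
}

func main() {
	// Toy groups constructed for illustration; real code uses RFC 5054 Appendix A.
	N := big.NewInt(23) // safe prime: 23 = 2*11 + 1
	fmt.Println("N=23, g=5:", ValidateGroup(N, big.NewInt(5)))               // accepted: primitive root
	fmt.Println("N=23, g=2:", ValidateGroup(N, big.NewInt(2)))               // rejected: order 11 only
	fmt.Println("N=29, g=2:", ValidateGroup(big.NewInt(29), big.NewInt(2)))  // rejected: 29 = 2*14 + 1
	fmt.Println("B=46 mod 23:", ValidatePublicValue(big.NewInt(46), N))      // rejected: 46 = 0 mod 23
	u, err := ComputeU(big.NewInt(3), big.NewInt(5), N)
	fmt.Println("u:", u, err)
}
```

None of this makes the modular exponentiation constant-time (math/big is not), so it addresses the parameter and validation problems, not the timing side-channel discussed later; in an OpenSSL-backed implementation the equivalent of these checks belongs before any BN_mod_exp() call.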
Parameter Validation in SRP-6a
Retraction (March 7, 2021): There are two errors in my original analysis.

First, I misunderstood the behavior of SRP_respond() to involve a network transmission that an attacker could fiddle with. It turns out that this function doesn't do what its name implies.

Additionally, I was using an analysis of SRP-3 from 1997 to evaluate code that implements SRP-6a. u isn't transmitted, so there's no attack here.

I've retracted these claims (but you can find them on an earlier version of this blog post via archive.org). The other SRP security issues still stand; this erroneous analysis only affects the u validation issue.
Vulnerability Summary and Impact
That's a lot of detail, but I hope it's clear to everyone that all of the following are true:
- Zed Shaw's library's use of TrueRand fails the requirement to use a secure random source. This weakness affects both the salt and the private keys used throughout SRP.
- The library in question ships support for parameters that RFC 5054 does not permit for SRP (particularly the prime N and its generator), which according to RFC 5054 can leak information about the client's password.
Salts and private keys are predictable, and the hard-coded parameters allow passwords to leak.
But yes, OpenSSL is the real problem, right?
(Art by Khia.)
Low-Hanging ModExp Fruit
Shaw's SRP implementation is pluggable and supports multiple back-end implementations: OpenSSL, libgcrypt, and even the (obviously not constant-time) GMP.

Even in the OpenSSL case, Shaw doesn't set the BN_FLG_CONSTTIME flag on any of the inputs before calling BN_mod_exp() (or, failing that, inside BigIntegerFromInt).

As a consequence, this is additionally vulnerable to a local-only timing attack that leaks your private exponent x (which SRP derives from your salt and password with SHA-1). Although the literature on timing attacks against SRP is sparse, this is one of those cases that's obviously vulnerable.
Exploiting the timing attack against SRP requires the ability to run code on the same hardware as the SRP implementation. Consequently, it's possible to exploit this SRP ModExp timing side-channel from separate VMs that run on the same bare-metal hardware (and therefore share its L1 and L2 caches), unless other protections are employed by the hypervisor.
Leaking the private exponent is equivalent to leaking your password (in terms of user impersonation), and knowing the salt and identifier further allows an attacker to brute-force your plaintext password (which is an additional risk for password reuse).
Houston, The Ego Has Landed
Earlier when I mentioned the black hat hacker group Zero For 0wned, and the negative impact of their hostile rhetoric, I omitted an important detail: Some of the first words they included in their first ezine.

For those of you that look up to the people mentioned, read this zine, realize that everyone makes mistakes, but only the arrogant ones are called on it.
If Zed A. Shaw were a kinder or humbler person, you wouldn't be reading this page right now. I have a million things I'd rather be doing than exposing the hypocrisy of an arrogant jerk who managed to bullshit his way into the privileged position of educating junior developers through his writing.

If I didn't believe Zed Shaw was toxic and harmful to his very customer base, I certainly wouldn't have publicly dropped zero-days in the code he published while he was engaging in shit-slinging at others' work and publicly shaming others for failing to meet arbitrarily specific purity tests that don't mean anything to anyone but him.
But as Dan Guido said about Time AI:
https://twitter.com/veorq/status/1159575230970396672
It's high time we stopped tolerating Zed's behavior in the technology community.
If you want to mitigate impostor syndrome and help more talented people succeed with their confidence intact, boycott Zed Shaw's books. Stop buying them, stop stocking them, stop recommending them.
Learn Decency the Hard Way
(Updated on February 12, 2021)

One sentiment and question that came up a few times since I originally posted this is, approximately, "Who cares if he's a jerk and a hypocrite if he's right?"
But he isn't. At best, Shaw almost has a point about the technology industry's over-dependence on OpenSSL.
Shaw's weird litmus test about whether or not my blog (which is less than a year old) had said anything about OpenSSL during the "20+ years it was obviously flawed" isn't a salient critique of this problem. Without a time machine, there is no actionable path to improvement.
You can be an inflammatory asshole and still have a salient point. Shaw had neither while demonstrating the worst kind of conduct to expose junior developers to if we want to get ahead of the rampant Impostor Syndrome that plagues us.
This is needlessly destructive to his own audience.
Generally, the only people you'll find who outright like this kind of abusive behavior in the technology industry are the self-proclaimed "neckbeards" that live on the dregs of elitist chan culture and desire for there to be a priestly technologist class within society, and furthermore want to see themselves as part of this exclusive caste—if not at the top of it. I don't believe these people have anyone else's best interests at heart.
So let's talk about OpenSSL.
OpenSSL is the Manifestation of Mediocrity
OpenSSL is everywhere, whether you realize it or not. Any programming language that provides a crypto module (Erlang, Node.js, Python, Ruby, PHP) binds against OpenSSL's libcrypto.

OpenSSL kind of sucks. It used to be a lot worse. A lot of people have spent the past 7 years of their careers trying to make it better.
A lot of OpenSSL's suckage is because it's written mostly in C, which isn't memory-safe. (There are also some Perl scripts to generate assembly code, and probably some other crazy stuff under the hood I'm not aware of.)
A lot of OpenSSL's suckage is because it has to be all things to all people that depend on it, because it's ubiquitous in the technology industry.
But most of OpenSSL's outstanding suckage is because, like most cryptography projects, its API was badly designed. Sure, it works well enough as a Swiss army knife for experts, but there are too many sharp edges and unsafe defaults. Further, because so much of the world depends on these legacy APIs, it's difficult (if not impossible) to improve the code quality without making upgrades a miserable task for most of the software industry.
What Can We Do About OpenSSL?
There are two paths forward.

First, you can contribute to the OpenSSL 3.0 project, which has a pretty reasonable design document that almost nobody outside of the OpenSSL team has probably ever read before. This is probably the path of least resistance for most of the world.
Second, you can migrate your code to not use OpenSSL. For example, all of the cryptography code I've written for the furry community to use in our projects is backed by libsodium rather than OpenSSL. This is a tougher sell for most programming languages—and, at minimum, requires a major version bump.
Both paths are valid. Improve or replace.
But what's not valid is pointlessly and needlessly shit-slinging open source projects that you're not willing to help. So I refuse to do that.
Anyone who thinks that makes me less of a cryptography expert should feel welcome to not just unfollow me on social media, but to block me on their way out.
https://soatok.blog/2021/02/11/on-the-toxicity-of-zed-a-shaw/
#author #cryptography #ImpostorSyndrome #PAKE #SecureRemotePasswordProtocol #security #SRP #Technology #toxicity #vuln #ZedAShaw #ZeroDay
Tonight on InfoSec Twitter, this gem was making the rounds:
Hello cybersecurity and election security people,
I sometimes embed your tweets in the Cybersecurity 202 newsletter. Some of you have a habit of swearing right in the middle of an otherwise deeply insightful tweet that I'd like to use. Please consider not doing this.
Best,
Joe
Identity redacted.
As tempting as it is to just senselessly dunk on the guy, in the spirit of fairness, let's list the things he did right:
- His tweet was politely worded.
It's something? He could've been another Karen, after all!
What Joe got wrong with this tweet is just the latest example of a widespread issue in and around the security community—especially on social media and content aggregator websites.
The structure of the problem goes like this:
- Someone: "Here's some content I made and decided to share for free."
- Person: "Your use of {profanity, cringe-inducing puns, work-safe furry art} (select one) prohibits me from using your content to further my own career goals. You should change what you're doing."
It's a problem I've personally been on the receiving end of. A lot. I even wrote a post about this before, although that focused specifically on the anti-furry sentiment. Unfortunately, this problem is bigger than being repulsed by cute depictions of anthropomorphic animals (a repulsion which, when sincerely held, is often a thinly-veiled dog-whistle for homophobia).
Superficial Professionalism Can Fuck Right Off!
(Art by Khia.)
I totally sympathize with information security professionals who desire to be taken seriously by their business colleagues. That's why sometimes you'll see them don a three-piece suit, style their hair like every other corporate drone, and adopt meaningless corporate jargon as if any of it makes sense. You're doing what you have to do to put food on your table and pay your bills. You're not a problem.
The problem happens when this desire to appear professional leaks outside of the self and gets projected onto one's peers.
"Knock it off, guys! You're making it harder for me to blend in with these soulless wretches... I mean, the finance department!"
How about "No"?
Information Security Is More Than Just a Vocation
I've lost count of the hackers I've met over the years (white hat hackers, to be clear) who hack for the sheer fun and joy of it, rather than out of obligation to their corporate masters.
Information security, and all of its sub-disciplines, including cryptography, can simultaneously be a very serious and respectable professional discipline, and a hobby for nerds to enjoy.
The sheer entitlement of expecting people who are just having fun with their own skills and experience to change what they're doing because you stand to benefit from them changing their behavior is similar to another egocentric demand we hear a lot: The cry for "responsible" disclosure.
Weirdness Yields Greatness
The strength of the information security community (read: not the industry, the community) is our diversity.
Pop quiz! What do a gothic enby (and the Bay Area's only hacker), the woman who leads cryptography at a FAANG company, the man who discovered the BEAST and CRIME attacks against TLS, several of the most brilliant trans folks you'll ever meet, an Italian immigrant, the co-inventor of the Whirlpool hash function, the Egyptian "father of SSL" mathematician, and some gay dude with a fursona who writes blog posts about software security for fun all have in common?
Sure, we all work in cryptography, but our demographics are all over the place.
This is a feature, not a bug.
https://twitter.com/BoozyBadger/status/1314383740999737344
If people who are sharing great content, be it on Twitter or on their personal blog, do something that prevents you from sharing their content with your coworkers, the problem isn't us.
No, the real problem is your coworkers and bosses, and the unquestioned culture of anal-retentive diversity-choking bullshit that pervades business everywhere.
https://twitter.com/DrDeeGlaze/status/1308149586100322304
Remember, security industry:
Homogeneity leads to blind spots
If I find a zero-day in your product and want to share it alongside a dancing GIF of my fursona, that's my prerogative. If you choose to ignore it because of the artistic expression, that's entirely your choice to make, and your problem to deal with.
In closing, I'd like to offer a simple solution to the mess many technologists, managers, journalists, and even senior vice presidents find themselves in; wherein they can't readily be more accepting of profanity or quirky interests that are prone to superficial, knee-jerk judgments:
Question it.
Ask yourself "Why?" Ask your team "Why?" Ask your boss "Why?" and keep asking until everyone runs out of canned responses to your questions.
Aversion stems from one of two places:
- Fear of negative consequences
- Severe reverence towards tradition, even at the expense of innovation
But it's very easy to confuse these two. You might think you're avoiding a negative consequence when in reality you're acting in service of the altar of tradition. Knock that shit out!
Tradition is what humans do when they're out of ideas. "We don't know how to be better, and we've always done it this way, so we'll just keep doing what works." Fuck tradition.
Art by @loviesophiee
Honorable Mentions
If you're worried about looking bad, here are some notable entities that have shared my work since I started this blog in April 2020:
https://twitter.com/EFF/status/1307037184780832769
A Google RFC for AES-GCM in OpenTitan cites one of my blog posts.
There are probably others, but it's late and I need sleep.
https://soatok.blog/2020/10/08/vanity-vendors-and-vulnerabilities/
#professionalism #Technology #Twitter #vanity
Sometimes my blog posts end up on social link-sharing websites with a technology focus, such as Lobste.rs or Hacker News. On a good day, this presents an opportunity to share one's writing with a larger audience and, more importantly, solicit a wider variety of feedback from one's peers.
However, sometimes you end up with feedback like this, or this:
Apparently my fursona is ugly, and therefore I'm supposed to respect some random person's preferences and suppress my identity online.
I'm no stranger to gatekeeping in online communities, internet trolls, or bullying in general. This isn't my first rodeo, and it won't be my last.
These kinds of comments exist to send a message not just to me, but to anyone else who's furry or overtly LGBTQIA+: You're weird and therefore not welcome here.
Of course, the moderators rarely share their views.
https://twitter.com/pushcx/status/1281207233020379137
Because of their toxic nature, there is only one appropriate response to these kinds of comments: Loud and persistent spite.
So hereâs some more art Iâve commissioned or been gifted of my fursona over the years that I havenât yet worked into a blog post:
Art by kazetheblaze
Art by leeohfox
Art by Diffuse Moose
If you hate furries so much, you will be appalled to learn that factoids about my fursona species have landed in LibreSSL's source code (decoded).
Never underestimate furries, because we make the Internets go.
I will never let these kinds of comments discourage me from being open about my hobbies, interests, or personality. And neither should anyone else.
If you don't like my blog posts because I'm a furry but still find the technical content interesting, know now and forever more that, when you try to push me or anyone else out for being different, I will only increase the fucking thing.
Header art created by @loviesophiee and inspired by floccinaucinihilipilification.
https://soatok.blog/2020/07/09/a-word-on-anti-furry-sentiments-in-the-tech-community/
#antiFurryBullying #cyberculture #furry #HackerNews #LobsteRs #Reddit
While the furry fandom can be a wonderful place and a force for good in the world, the topics that tend to circulate on Furry Twitter are somewhat seasonal: They repeat every so often (usually sparked by someone saying or doing something shitty) and never actually lead to a productive result.
Let's look at a few of these reoccurring topics and suggest actual solutions, rather than reactionary hot takes that only add fuel to an already out-of-control fire.
Safe Spaces for Underage Furries
https://twitter.com/BoozyBadger/status/1275443221624057856
Once upon a time, there was a movement called Burned Furs: A right-wing puritanical effort to rid the early furry fandom of its adult side. If you take the time to read about these clowns, you'll hear a lot of the same arguments that alt-right trolls make today, except now they use the word "degenerate" to describe anything vaguely LGBTQ+.
As a result, most adult furries are generally wary of the creation of a "safe space" for strictly-SFW furry content, because it always gets co-opted by homophobes and the "sex is evil" variety of bigot. There's also the concern that if you put all of the minors in one place, it will inevitably become a flytrap for creeps looking for their next victim.
There absolutely should be room for furries of any age (asexual folks are valid too) that only serves work-safe (i.e. non-sexualized) content. However, these spaces should be curated by people with a generally sex-positive mindset.
Why Should Sex-Positive Adults Moderate Non-Sexualized Spaces?
Let's learn from history, please, so as to not repeat its follies.
If the horror known as conversion therapy has proven nothing else, it's that telling LGBTQ+ kids that sex is evil is only going to lead to misery and suicide.
(No, I'm not pulling punches on this one. Religious nuts just love to drive queer people to suicide, and only 20% to 25% of furries are heterosexual.)
Nature abhors a vacuum. If you don't step in, someone else will. If someone else is incentivized to do so, they probably won't have the kids' best interests in mind. Neither anti-sex puritans nor would-be sexual predators should be given access, let alone influence.
Neither should right-wing extremists, such as "alt-furry" (a movement of imbeciles who follow someone's fursona named "Foxler", literally "Fox Hitler", yet try to insist they aren't Nazis; yeah right).
What Should Be Done?
Art by circuitslime.
First, accept that a lot of furries are underage and shouldn't be exposed to adult content, even if for no other reason than legal risk. (If anyone objects to that, you should feel very concerned about being alone with them.) Furthermore, there are some adults that don't want to be exposed to NSFW content either.
Being sex-positive isn't the same thing as being horny. Sex-positivity requires an understanding and respect for consent and boundaries. If someone doesn't want to see your lewd art or photos, don't go out of your way to make sure they see it (i.e. sending it to them directly).
Have an After Dark social media account for 18+ users? Block minors that try to follow you (and consider making your account private then screening your follow requests to filter out minors).
However, I don't think we necessarily need a separate "label" for SFW furry content. Labels make you more susceptible to being co-opted by perverse motives.
Worksafe furry groups on Signal/WhatsApp/Telegram/Discord/etc. are all valid.
If youâre underage and yearn for a SFW space for your furry fandom participation, talking to Moms of Furries is probably the best way to get started. Unlike random furries, their entire schtick is âmake the fandom easier for parents to understand, and safer for their kids to play inâ.
The threat model is complicated, the lines are blurred, and there are a lot of shades of gray, but ultimately just letting people have worksafe spaces in the fandom is a good thing.
Just don't let anyone try to convince the folks in those spaces that people who do enjoy the adult side of the fandom are bad and deserve to be shunned. That's the anti-sex puritan bullshit I've talked about.
Murrsuits / Pup Hoods / etc.
Like clockwork, a pocket of furries (usually the same agitators mentioned in the previous section) will surface with some sort of hatred/shaming towards murrsuits, pup hoods, and other harmless sources of fun and self-expression.
(A murrsuit, by the way, is a fursuit that's specifically intended for use in sexual encounters, and usually has extra zippers for the wearer's privates.)
The exact nature of their outrage changes with the season. Some folks (like the dumb narcissistic troll who once created a database of murrsuit owners) make unsubstantiated claims about health/cleanliness with sexual fluids and murrsuits.
Others are lazy, and make general hand-wavy statements that strike a moral chord with most people, but donât actually make sense when you think about them for very long. Their structure looks like this:
- If some people have sex in their fursuits, then fursuits are sex toys.
- You shouldnât have sex toys around kids!
This is a lazy attempt to manipulate the listener, for two reasons:
- If some people have sex in their fursuits, that doesn't actually make fursuits sex toys; and even if it somehow did, it still doesn't make it so for people who don't have sex in their fursuits.
- Lots of people have sex while wearing clothing. Wouldn't the same logic applied to fursuits apply here too? And if so, are you arguing for everyone being naked around children? I sure fucking hope not.
Similar arguments are often raised about pup hoods, because of their apparent BDSM/kink connotations.
If they're being worn in a non-lewd, tasteful manner (i.e. nobody's genitals are being exposed, there's no visible "bondage", etc.), there's nothing special about the anti-pup hood arguments. Same shit, different day.
What Should Be Done?
Simple: People really need to get over their fear of sex.
When you see someone trying to shame another adult for having a sexuality, tell them to fuck off and leave the other person alone.
People with healthy sex lives don't owe you anything, except a baseline for hygiene that literally every murrsuiter I know already exceeds without ever having to be told. There's no action item here.
Sexual Abusers
They aren't welcome; get the fuck out! I don't care how their victims are classified: You aren't allowed to be a part of our fandom if you perpetrate or support sexual abuse.
Underage, non-human, whatever. Leave.
Begone! (Art by Khia)
Sexual abuse isn't actually part of the Discourse we're examining. Call those fuckers out and don't let them back in. You're doing good work by cleaning house.
Sometimes, you'll come across a furry who decries the fact that their sexual abuser friends got "cancelled" by "cancel culture" and "social justice warriors". These putzes ought to be loaded into a rocket and fired into the sun too.
Also: Kero the Wolf is guilty and people who still believe his innocence, or attempt to downplay the severity of his heinous acts, are doing a disservice to the entire fandom. (Or they're also animal abusers, in which case, they can get yeeted too.)
Babyfurs
There is a very stark difference between babyfurs (people who mix AB/DL with furry) and pedophiles.
The former is a harmless kink that involves adults roleplaying.
The latter is a sexual disorder that leads to the victimization of children.
Whenever babyfurs come up in the Furry Twitter Discourse, what's really happening is the anti-sex crowd is hoping you won't realize these are two very different ideas, and that your well-deserved disgust for one will automatically translate into hatred for the other.
Donât be fooled.
(Hey, it's not my thing either, but if it's safe and between consenting adults, who the fuck are either of us to judge?)
A Word on "Just Fantasy"
Apologists for artistic depictions of pedophilic and zoophilic acts will often try to defend themselves by insisting it's "just fantasy" and isn't hurting anyone because no one's consent was violated.
While it's true that research currently indicates that these kinds of pornography may not be correlated at all with sex crimes, and only the minority of sexual abuse is committed by a stranger, this is not an article discussing what should or should not be legal.
Take that up with the Justice system. I'm not interested in debating what the law "should" be.
The fact that this type of content is usually illegal, and taken very seriously by authorities (to the point of threatening our right to encrypt), is a premise for this discussion, not a conclusion.
And because it often is illegal (see: the Miller test), the furry fandom should not embrace it. Full stop.
I frankly don't care what a therapist might advise someone with these attractions. That's between them and their patients. Sexual abuse must not be tolerated, and possessing materials that depict sexual abuse (whether against animals or children) is legally perilous.
It's also not the furry fandom's job to be the forerunners of the debate about the social acceptability of art depicting child or animal exploitation fantasies. If that's your cause, go find a new shield.
It's not appropriate for anyone to expect a community that already struggles with unfair assumptions and connotations of sexuality to move before the rest of society on any issue even vaguely related to sex crimes.
Feral Art and Characters
Some artists have feral art styles (i.e. standing on four legs rather than two; no thumbs).
Feral characters with human sentience are still furry, even if you can superficially relate feral furry art to the kind of content that animal abusers might seek.
As always, there's a reasonable litmus test available for judging this kind of content:
The Harkness test, made by BeakieHelmet.
Note: The Harkness Test wasn't created by an academic institution and there is no peer-reviewed pedigree behind it, but it's sufficient for our purposes. If you don't like it, design a better one and get it peer-reviewed. Until then, we can continue to phone it in with the Harkness Test and not make perfect the enemy of good.
Neither pedophile ("cub") nor bestiality/zoophilia art is okay, because both normalize sexual abuse. Cub art in particular is bad, because it has been used by perpetrators to groom people into participating (usually as a victim, but sometimes as a co-conspirator).
Ban cub art. Ban artistic depictions of zoophilia.
But don't extend the bans to encompass babyfur art (which is AB/DL, not underage characters) nor feral art (which is an art style, not actual animals being portrayed).
If you cannot distinguish cub from babyfur, you shouldn't be leading any moral crusades on social media or cancelling people, because you're going to inevitably harm a lot of innocent people if you do.
Same goes for feral/zoo.
What About Pokemon Fursonas (Pokesonas)?
Some furries argue that Pokemon-based fursonas, and any art thereof, are inherently non-furry and therefore any lewd art of their characters is gross and problematic. This warrants a closer look.
Many Pokemon are clearly at, or above, human intelligence (i.e. the psychic types). Furthermore, the fact that Meowth from the anime learned human speech and can directly translate what other Pokemon are saying implies that it is possible to communicate affirmative consent, in the framework of established lore.
Speaking of which: the canon lore for the Pokemon franchise confirms the existence of human-Pokemon marriage (source).
When you combine these observations, it's pretty clear that Pokemon are generally capable of passing the Harkness test, so these "Pokemon yiff is zoophilia" takes are either arguing for a special case (i.e. either a specific species of Pokemon lacks the sentience that the rest seem to have, or the characters involved are violating boundaries), or they're intentionally engaging in social manipulation to push an agenda.
Also, they're fictitious creatures. Splitting hairs over this is really petty compared to the harm real people inflict on real animals.
The NSFW Feral Art Acceptability Matrix
If you're in doubt about whether a piece of NSFW art passes the Harkness test, consult the following table (while being pessimistic; if you can't tell whether a character is a feral fursona or a dumb animal, always assume the worst):

|        | Human | Anthro | Feral | Animal |
|--------|-------|--------|-------|--------|
| Human  | ✔️    | ✔️     | Ehhh* | ❌     |
| Anthro | ✔️    | ✔️     | ✔️    | ❌     |
| Feral  | Ehhh* | ✔️     | ✔️    | ❌     |
| Animal | ❌    | ❌     | ❌    | Ehhh* |

This table assumes informed, enthusiastic consent, between adults.
* It might pass the test but it's still kinda weird for humans to be depicting it in art. Be very careful that you're not producing material that inadvertently promotes sexual abuse and/or aids groomers.
Update (2020-06-28)
I've actually gotten a lot of grief from two camps over this section of the post.
One camp wants all feral art to be banned because of a "slippery slope" fallacy, and they believe my argument here doesn't go far enough.
The other wants all feral art to be allowed because they believe "people can distinguish between fantasy and reality", and believes my argument goes too far.
People who dig their heels in on extreme, opposite positions will never be made to agree. Neither this blog post nor a painstakingly-researched scientific study will sway their minds, and I have no desire to even try.
I am neither a puritanical moral crusader nor an apologist for sexual abuse. If you are, know now that I will not amend this post to further your agenda.
Consent is what ultimately matters, and since animals and children cannot consent, all art portraying either sexually is harmful.
But if the art doesn't portray animals or children, it's fair game (even if you or I personally dislike it). There are much bigger fish to fry than a (largely) harmless fantasy; what are your priorities?
Popufurs
Before I started this blog, I used to write articles on Medium. My most popular one tackled the topic of âpopufursâ directly. Go read it.
https://www.youtube.com/watch?v=sEJ3usS7bb4
Furries Over the Age of 30
One of the dumbest talking points that recurs on Furry Twitter is the "gay death" discourse, cheaply repackaged for furries. So you get a lot of dumb takes like this:
https://twitter.com/JamesCerulo/status/1349071850265972737
The entire concept of Gay Death is stupid, and has roots in the kind of vain heteronormativity that produces dumb memes like this one:
https://twitter.com/SoatokDhole/status/1371862131117801480
Here's the simple solution to this age discourse whenever it comes up:
- You can be a furry at any age and it doesn't fucking matter
- Underage furries shouldn't be in adult spaces (but can certainly claim their own spaces, and that's totally fine as long as it's not being used solely to perpetuate the kind of puritanical bullshit that often drives LGBT youth to suicide; see above)
- The greater the gap between your age and another person's, the more conscientious you should be about leading them on or taking advantage of them in any way
Let's be real: We're all nerdy weirdos and anyone who tries to treat the fandom like a high school popularity contest is totally missing the point of a fandom full of nerdy weirdos. Just stop.
If you've read this far, consider yourself fully briefed on the recurring topics in Furry Twitter discourse.
If another topic starts rearing its head often enough, I'll either update this page or write a sequel article to cover the new badness.
https://twitter.com/ArcticSkyWolf/status/1349372061198778368
https://soatok.blog/2020/06/24/resolving-the-reoccurring-discourse-on-furry-twitter/
#antiFurryBullying #furry #FurryFandom #recurringTopics #SocialMedia #Twitter
My recent post about the alleged source code leaks affecting Team Fortress 2 and Counter-Strike: Global Offensive made the rounds on Twitter and made someone very mad, so I got hate DMs.
No more Angry Whoppers for you, mister!
...Look, I only said I got hate DMs, not that I got interesting or particularly effective hate DMs! Weak troll is weak, I know.
A lot of people online claim they "hate furries", but almost none of them quite understand how prolific our community is, let alone how important we are to the Internet. As Stormi the Folf puts it...
I guarantee you the internet would collapse in a most horrific manner if all the furries in the world got Thanos-snapped. They *run* the internet in more ways than most people realize
Stormi the Folf (@StormiFolf), April 23, 2020
Stormi is the Potato of Knowledge and Floof
What Stormi's alluding to is true, and that's a tale best told by an outsider to our community.
Telecommunications as a whole, which also encompasses The Internet, is in a constant state of failure and just in time fixes and functionally all modern communication would collapse if about 50 people, most of which are furries, decided to turn their pager off for a day. https://t.co/k1UqOv5kpd
Zander (@mmsword), November 28, 2019
Their follow-up tweet that elaborates on furry involvement is here.
So I'd like to take the time to explain why nobody should ever underestimate the ingenuity or positivity of the furry community.
The Furry Fandom Has Saved Lives
https://www.youtube.com/embed/3h9sO17CV9A?feature=oembed
This is just one of many anecdotes. You can find many more here.
Although the furry fandom is widely misunderstood, it's difficult to overstate how many lives have been saved and enriched by our community.
I wanted to share this touching moment. @Reo_Grayfox was telling me his story, and said those lines while staring straight into his fursuit's eyes. Hearing personal stories like this makes you appreciate the vastly diverse reasons why the furry fandom is essential to so many. pic.twitter.com/fD09Wmv6mf
Joaquín Baldwin (@joabaldwin), January 22, 2018
Furries Provide Much-Needed Comfort to Others
In 2016, refugees from the civil war in Syria ended up in a hotel in Canada. This would have been an utterly unremarkable fact if it wasn't the same hotel and weekend as the local furry convention, Vancoufur. The kids loved it.
This isn't an isolated incident either. Our community is well-known for kindness and generosity in spades.
https://charcoalthings.tumblr.com/post/132996328881/i-will-defend-furries-to-my-grave
https://wakor.tumblr.com/post/126072529744/ok-you-know-what
Whatâs there to hate?
The Furry Fandom is Collectively Pretty Bad-Ass
Art by RueMaw.
No, not like that. The fandom is bad-ass in as many ways as the fandom is incredibly diverse.
Image source and backstory of this meme: Dogpatch Press
90s furries built the Internet pic.twitter.com/Gicxme2HkT
SwiftOnSecurity (@SwiftOnSecurity), April 30, 2019
SwiftOnSecurity knows the truth about more than just corn.
So one of my friends said furries pretty much run the US nuclear response communication networks. Just in case you're worried about Trump.
SwiftOnSecurity (@SwiftOnSecurity), November 12, 2016
Seriously.
Some of the Most Talented People You'll Ever Meet Are Furries
eSports Champions:
https://www.youtube.com/embed/TWhrECl6zOY?feature=oembed
Musicians:
https://open.spotify.com/embed/album/4NlXsjKmcWegIfQEI0JzHK?utm_source=oembed
Artists and costume makers: I could literally link to hundreds of artists here. Follow me on Twitter; I retweet a lot of cute stuff.
Pretty much everything you could aspire to be that isnât also terrible, if you look hard enough, youâll find furries in the leaderboards having a fun time with it all.
The only reason to hate furries is thinly-veiled homophobia, because only about 25% of furries are heterosexual.
Why So Curious?
If I've made you curious about our community, and now you want to learn more about us, I've got you.
https://www.youtube.com/embed/K2XeOxWW2oY?feature=oembed
Psychology Today: What's the Deal with Furries?
Furry Fandom Documentary When?
https://www.youtube.com/embed/cF9DQQsUcs0?feature=oembed
Ash Coyote is releasing a documentary about our subculture soon, titled The Fandom. You can find out more about it on her YouTube channel.
https://soatok.blog/2020/04/23/never-underestimate-the-furry-fandom/
#furries #furry #FurryFandom #hateMail #positivity #Society
BREAKING!
The Antifa Turtle on #Twitter shared a Twitter API Okta leak that shows there is a list of "protected accounts", all of them right wing, who are allowed to break #X Terms of Service without consequence, and includes a list of whitelisted slurs they are allowed to use.
The whistle-blowing Twitter account was suspended by mods shortly after.
#elonmusk #freespeech #whistleblower #leak @UnicornRiot @freedomofpress @OffTheHook
On Twitter blocking follows to the Harris2024 account on announcement day:
a. Nadler is right about the asymmetry: for every hiccup like this, the GOP launches an investigation if they don't go along with it.
b. I doubt this was intentional by Musk, but it is definitely a by-product of him cutting staff to the bone so that neither they nor the infrastructure could respond to it accordingly.
c. Since Musk didn't step in to fix it immediately, like he does whenever a groyper, right wing edgelord, or Nazi shrieks at much smaller issues, it is still proof of his desire to have Twitter be explicitly a right wing vomit hose. At the very least, Twitter users should create primary accounts on the fediverse (Mastodon, Bluesky, even, eek, Threads) and at most secondarily post to Twitter.
#ElonMusk #Twitter #Election2024
Nadler urges investigation into X restriction on Kamala Harris account
Rep. Jerrold Nadler urged the House Judiciary Committee to investigate whether Elon Musk's X prevented users from following a campaign account for Kamala Harris.
Kat Tenbarge (NBC News)
The App Store requires companies to publish information about how they use the data they obtain from us and about us. Here is a comparison of that information for Mastodon, Twitter and Threads.
Mastodon
Threads
#Facebook #mediaSpołecznościowe #Meta #prywatność #socialMedia #Threads #Twitter
A bus crashed into a shop in London. Two people were reportedly hurt, but obviously the incident could have been worse. An X user named Mark Arby took close photos of the crash, and companies then relentlessly kept asking him for permission to use the photos. A lot of other netizens also wanted to make sure he was ok.
https://frenchad.blogspot.com/
#blague #drole #rire #france #belgique #nouvelleici #luxembourg #canada #nostress
#marrant #lol #france #rigoler #mourirderire #blague #blagues #memes #instahumour
#tropdrole #jpp #mdrr #rigole #videodrole #mdr #le #humournoir #rigolade #fourire
#tweetdrole #fun #comique #humour #humourdemerde #rire
#drole #rigolo #ptdr #mortderire #frenchhumour
#fou #videohumour #tweet #humourfran #memefrancais
#photodrole #ais #love #memefr #instagram #comptehumour #meme #mdrrr
#amour #dr #droles #rires #delire #vdm #divertissement #drolehumour
#sourire #funny #citation #insolite #desbarres #twitter #haha #xptdr
Articles Holistiques France
Click here: All the holistic and esoteric tools you need to complete your boxes are in our esoteric shop e... walkerservcom (Blogger)
DIGITAL SHOP: BOOKS, EBOOKS + TRAINING
#LIVRE #EBOOK #FRANCE #BELGIQUE #LUXEMBOURG #QUEBEC #MONTREAL #ACARDIE
#SUISSE #FRANCOPHONE #professionnel #maison #famille #informatique
#internet #publicité #travail #culture #marketing #formation #achat #shopping
#produit #service #guide #massage #bien #patrimoine #immobilier #chien #chat
#domestique #miracle #energie #soins #spiritualité #entrepreneuriat
Press review 29.09-6.10.2023
State, law, surveillance, security services and data protection
#ePanstwo #eUE #inwigilacja #Niemcy #kontrolaczatu #palantir #RODO #sluzby
- The European Commission reprimands Germany. The reason? Weak internet infrastructure https://netzpolitik.org/2023/glasfaserwueste-eu-kommission-ruegt-lahme-deutsche-infrastruktur/
- Hamburg police want to use AI-based surveillance https://digitalcourage.de/blog/2023/buendnis-hansaplatz
- Europol wants unlimited access to chat control data in order to use it to train artificial intelligence https://netzpolitik.org/2023/interne-dokumente-europol-will-chatkontrolle-daten-unbegrenzt-sammeln/ https://balkaninsight.com/2023/09/29/europol-sought-unlimited-data-access-in-online-child-sexual-abuse-regulation/
- Online Safety Bill: will Signal leave the UK? https://techcrunch.com/2023/09/21/meredith-whittaker-reaffirms-that-signal-would-leave-u-k-if-forced-by-privacy-bill/
- "Before they let me out, a guard, in the presence of two men, ordered me to say my first name, last name and exact address out loud. He said: 'Until you do that, you're not leaving'" https://wiadomosci.onet.pl/wroclaw/dorota-byla-bita-w-areszcie-dla-tych-kobiet-to-byla-forma-rozrywki/459gwer
- How German authorities court Elon Musk's favour https://fragdenstaat.de/blog/2023/09/29/wie-deutsche-ministerien-tesla-hofieren/
- Germany. Identity card reform. The security services are to have permanent access to citizens' photos. https://www.heise.de/news/Ausweise-Staendiger-Zugriff-der-Polizei-auf-Passfotos-muss-sichergestellt-werden-9321598.html
- 60,000 stolen government emails: the result of the notorious Microsoft key problem https://www.heise.de/news/60-000-geklaute-Regierungsmails-Erste-Zahlen-nach-Microsofts-Cloud-Key-Debakel-9321044.html
- Germany. Netto is working on an app that unlocks shopping trolleys with a smartphone. What about data protection? https://www.heise.de/news/Datenschuetzer-Hohe-Anforderungen-an-Einkaufswagen-mit-App-Entsperrung-9321754.html
- Jordan, the United Arab Emirates, Tunisia, Egypt and Saudi Arabia have surveillance and censorship laws aimed at LGBTQ+ people https://www.eff.org/deeplinks/2023/09/growing-threat-cybercrime-law-abuse-lgbtq-rights-mena-and-un-cybercrime-draft
- How does the German state collect data on entrepreneurs? https://chaos.social/@Lilith/111151025942889062
- Norway: a fine of 65 million kroner (about 5.8 Euro) for a dating app for breaching the GDPR. It concerns behavioural advertising https://www.heise.de/news/Berufungsinstanz-bestaetigt-Grindr-muss-5-8-Millionen-DSGVO-Strafe-zahlen-9322438.html
- Bundestag: the risk of cyberattacks and manipulation argues against e-voting https://www.heise.de/news/Bundestagsstudie-Es-bleibt-schwierig-mit-E-Voting-wegen-hoher-Voraussetzungen-9322588.html
- The US Securities and Exchange Commission is expanding its investigation into the use of messengers such as WhatsApp and Signal for business communication. The private messages of some employees were also examined. https://www.heise.de/news/Gesetzeswidrige-Nutzung-von-WhatsApp-Co-US-Boersenaufsicht-verlangt-Einblick-9316338.html
- Chat control: Signal's head speaks out against surveillance https://netzpolitik.org/2023/signal-chefin-zur-chatkontrolle-die-eu-kann-diesen-rueckschritt-bei-den-menschenrechten-stoppen/
- Hate against female journalists. Why do they get hit harder in a polarised world? https://oko.press/hejt-wobec-dziennikarek
- New Snowden revelations. The NSA broke into the systems of European security services https://cyberdefence24.pl/armia-i-sluzby/nowe-rewelacje-snowdena-nsa-wlamywala-sie-do-systemow-europejskich-sluzb
- Online voting preference tests. How they differ https://demagog.org.pl/analizy_i_raporty/internetowe-testy-preferencji-wyborczych-czym-sie-roznia/
- Cyber police tighten cooperation with NASK https://cyberdefence24.pl/cyberbezpieczenstwo/cyberpolicja-zaciesnia-wspolprace-z-nask
- China's liaison in Brussels. Who is the leader of Alternative for Germany? https://cyberdefence24.pl/armia-i-sluzby/chinski-lacznik-w-brukseli-kim-jest-lider-alternatywy-dla-niemiec
- France and Germany in favour of Ukraine in the EU https://defence24.pl/geopolityka/francja-i-niemcy-za-ukraina-w-unii
- Laptops for teachers. Redemption of the vouchers begins https://cyberdefence24.pl/polityka-i-prawo/laptopy-dla-nauczycieli-rozpoczyna-sie-realizacja-bonow
- https://netzpolitik.org/2023/medienfreiheitsgesetz-eu-parlament-will-nur-noch-betreutes-loeschen-fuer-musk-und-zuckerberg/
- Debate of former ministers on the digital economy https://twitter.com/BochynskaNikola/status/1709130633635598402
- A new, well-funded group with shady connections is pressuring Apple to weaken encryption (link via the Panoptykon Foundation) https://theintercept.com/2023/10/01/apple-encryption-iphone-heat-initiative/
- United Kingdom: police want access to passport photos to compare them with pictures of shoplifters https://eupolicy.social/@panoptykon/111170936687042857
- Declassified Federal Audit Office report on the purchase of East German banks by West German ones https://fragdenstaat.de/blog/2023/10/03/geheimbericht-bundesrechnungshof-banken-wiedervereinigung/
- Meta wants to charge fees for respecting privacy https://noyb.eu/en/meta-facebook-instagram-move-pay-your-rights-approach https://arstechnica.com/tech-policy/2023/10/ad-free-facebook-instagram-access-planned-for-14-per-month-in-europe
- The British government wants to ban mobile phones in schools https://www.heise.de/news/Britische-Regierung-will-Schuelern-Mobiltelefone-verbieten-9323955.html
- What happens to our digital identity after death? https://cyberdefence24.pl/prywatnosc/co-dzieje-sie-z-nasza-cyfrowa-tozsamoscia-po-smierci
- Tomasz Borys on chat control https://www.linkedin.com/posts/activity-7114871756909101056--1BG
- The world arms itself in Israel. Record results and trade in spyware systems https://cyberdefence24.pl/armia-i-sluzby/swiat-sie-zbroi-w-izraelu-rekordowe-wyniki-i-handel-systemami-szpiegowskimi
- 1/3 of terrestrial TV viewers have not replaced their receiver and get neither Polsat nor TVN (they still have dvbt) https://twitter.com/piotrmiecz/status/1709324374413591031
- US security services don't want to say how they spy. Congress demands explanations https://cyberdefence24.pl/armia-i-sluzby/sluzby-w-usa-nie-chca-powiedziec-jak-szpieguja-kongres-domaga-sie-wyjasnien
- The death of Dmytro Nikiforenko. Police officers switched off their cameras https://wiadomosci.onet.pl/wroclaw/ujawniamy-wstrzasajace-nagranie-z-monitoringu-tak-policjanci-zakatowali-ukrainca/wd4xhx6
- Denmark: this autumn, treason trials of former state officials begin, for informing the press about cooperation with the NSA https://netzpolitik.org/2023/landesverrat-daenischer-geheimdienstchef-und-ex-minister-vor-gericht/
- Police want to punish a pedestrian who filmed a driver breaking the rules, because they are fed up with him https://spidersweb.pl/autoblog/przechodzenie-przez-pasy-telefon-poznan
- Germany: a whistleblowing platform for police officers is being launched. They can report sexism or right-wing extremism. https://netzpolitik.org/2023/projekt-mach-meldung-whistleblowing-portal-fuer-polizei-gestartet/
- The International Committee of the Red Cross publishes rules for hacktivists https://www.bbc.com/news/technology-66998064
- Ylva Johansson responds to recent reports of an alliance between lobbyists and security services in favour of chat control. She claims the media are looking for sensation https://chaos.social/@andre_meister/111176576477171268 https://eupolicy.social/@khaleesicodes/111176582596928965 https://netzpolitik.org/2023/chatkontrolle-eu-innenkommissarin-johansson-weist-lobby-vorwuerfe-zurueck/
- First US fine for space debris: 150,000 USD https://www.heise.de/news/Weltraumschrott-US-Behoerde-verhaengt-erstmals-150-000-Dollar-Geldstrafe-9324888.html
- Another raid connected with the hunt for Indymedia https://netzpolitik.org/2023/indymedia-linksunten-ohne-aussicht-auf-entschluesselungserfolg/
- Do German security services use Palantir? https://www.heise.de/news/Kein-Palantir-Polizei-soll-Big-Data-Analysen-mit-Eigenkompetenz-voranbringen-9325396.html
- Poland. Pupils' health data will go to the minister https://cyberdefence24.pl/polityka-i-prawo/dane-zdrowotne-uczniow-trafia-do-ministra
- Work on the AI Act: security services and Big Tech against fundamental rights https://eupolicy.social/@edri/111182316281676038
- The UN Secretary-General and the Red Cross call for a ban on autonomous weapons https://www.heise.de/news/UN-Generalsekretaer-und-Rotes-Kreuz-fordern-Verbot-autonomer-Waffen-9326002.html
- Can the EU export spyware technology? https://fragdenstaat.de/blog/2023/10/05/wie-die-europaische-union-ihre-kontrollen-aufweichte-und-deutschland-half/
- The European Union will increase protection of key technologies https://cyberdefence24.pl/cyberbezpieczenstwo/unia-europejska-zwiekszy-ochrone-kluczowych-technologii
- The Puławy City Office sometimes shares posts from the mayor's profile. One resident could not see their content, so he asked the office to send them to him. In reply, he received a letter with Facebook printouts. https://twitter.com/SiecObywatelska/status/1708892644904989073 https://jawnylublin.pl/to-nie-zart-prezydent-pulaw-wysyla-tradycyjna-poczta-swoje-facebookowe-wpisy/ https://siecobywatelska.pl/po-co-gminom-ms/
- German network operators have asked the national regulator to start procedures aimed at excluding RouterFreedom from fibre networks https://fsfe.org/news/2023/news-20230915-01.html
- The law firm representing Google in disputes with the Irish data protection authority is to sit on the committee that nominates candidates to head that authority https://mastodon.social/@didleth/111179115882130245
Artificial intelligence
- Ads in BingChat can infect with malware https://www.osnews.com/story/137297/bing-chat-responses-infiltrated-by-ads-pushing-malware/
- AI is said to be able to distinguish biological samples from other samples, which may help in the search for life in space https://www.heise.de/news/Heiliger-Gral-der-Astrobiologie-KI-soll-ausserirdisches-Leben-nachweisen-9316626.html
- AI company Anthropic and Amazon begin cooperation https://www.heise.de/news/Primaerer-Cloud-Anbieter-Amazon-investiert-Milliarden-in-KI-Firma-Anthropic-9315720.html
- How to manage cybersecurity risk for artificial intelligence? https://cyberdefence24.pl/cybermagazyn/cybermagazyn-jak-zarzadzac-ryzykiem-dla-cyberbezpieczenstwa-sztucznej-inteligencji
- AI in the US security services. The CIA speaks plainly https://cyberdefence24.pl/armia-i-sluzby/cia-sztuczna-inteligencja-to-zagrozenie-ale-i-jeden-z-najwazniejszych-zasobow
- Poland: the government asks about AI, but only asks business (paywalled) https://biznes.gazetaprawna.pl/artykuly/9311826,rzad-pyta-o-ai-ale-tylko-biznes.html
- AI in a submarine? It's part of the US-China rivalry https://demagog.org.pl/analizy_i_raporty/ai-w-lodzi-podwodnej-to-czesc-rywalizacji-amerykansko-chinskiej/
- Sam Altman plans to replace people with artificial intelligence https://twitter.com/Przegaa/status/1708108822177292674
- Digital Festival 2023. Poles on artificial intelligence and the country's most important challenges https://tvn24.pl/kultura-i-styl/digital-festival-2023-polki-i-polacy-o-sztucznej-inteligencji-i-najwazniejszych-wyzwaniach-dla-kraju-7372285
- Major events dedicated to AI took place, including DigitalFestival and IGF2023 https://www.gov.pl/web/igf-polska/igf-polska-2023
- Emotion recognition in the call centre: when AI secretly evaluates customer calls https://www.heise.de/news/Emotionserkennung-im-Callcenter-Wenn-die-KI-Kundengespraeche-heimlich-auswertet-9325037.html https://twitter.com/piotrmiecz/status/1709927598841897013
(Cyber)security
- Critical vulnerability in Exim https://www.heise.de/news/Kritische-Luecke-im-Mailserver-Exim-9321943.html https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/
- Military Starlink with million-dollar backing from the Pentagon https://space24.pl/bezpieczenstwo/technologie-wojskowe/wojskowy-starlink-z-milionowym-wsparciem-pentagonu
- China spends billions of dollars on global disinformation. It's an investment https://cyberdefence24.pl/cyberbezpieczenstwo/chiny-wydaja-miliardy-dolarow-na-globalna-dezinformacje-to-inwestycja
- Taiwanese companies help Huawei. Will there be a political crisis? https://cyberdefence24.pl/biznes-i-finanse/firmy-z-tajwanu-pomagaja-huawei-bedzie-polityczny-kryzys
- "An international consortium of journalists analysed nearly 300 Estonia-registered cryptocurrency companies and uncovered dozens of crimes" https://infosec.exchange/@avolha/111177001354810617
- You can no longer use a VPN in Russia. All networks blocked https://cyberdefence24.pl/cyberbezpieczenstwo/w-rosji-juz-nie-skorzystasz-z-vpn-a-blokada-wszystkich-sieci
- Weekend reading from Z3S https://zaufanatrzeciastrona.pl/post/weekendowa-lektura-odcinek-539-2023-09-30-bierzcie-i-czytajcie/
- Can a meme be a tool for spreading disinformation? https://demagog.org.pl/analizy_i_raporty/kiedy-mem-przestaje-byc-satyra-czyli-jak-nie-ulec-dezinformacji/
Big Tech and the free internet
#microsoft #mastodon #bluesky #amazon #instagram #twitter #facebook #bigtech
- Microsoft: you can no longer activate Windows 10/11 with an old Windows 7/8 key https://arstechnica.com/gadgets/2023/09/microsoft-says-you-cant-activate-windows-10-11-with-old-windows-7-8-keys-anymore
- Twitter removes headlines from links https://www.heise.de/news/Twitter-X-zeigt-bei-Links-keine-Headlines-mehr-an-nur-noch-Bilder-9325705.html
- Twitter wants to encourage premium accounts by enabling direct messages to influencers for them https://www.heise.de/news/Twitter-X-Premium-Nutzer-koennen-DMs-von-anderen-Premium-Kunden-zulassen-9321939.html
- Germany: political party ads on TikTok https://netzpolitik.org/2023/schufa-shisha-spd-verbotene-politische-werbung-auf-tiktok/
- Should American Big Tech pay for using European infrastructure? https://www.heise.de/news/Brief-nach-Bruessel-Google-Amazon-und-Co-sollen-fuer-Netznutzung-zahlen-9322950.html
- Organic Maps is looking for volunteers https://fosstodon.org/@organicmaps/111156712949513724
- Guinness record in editing Wikipedia https://101010.pl/@rdrozd/111165418948816095
- Facebook versus false content about vaccines. Who's winning? https://demagog.org.pl/analizy_i_raporty/facebook-kontra-falszywe-tresci-o-szczepionkach-kto-wygrywa/
- Facebook and Instagram without ads? Yes, but there is one condition https://cyberdefence24.pl/social-media/facebook-i-instagram-bez-reklam-tak-ale-jest-jeden-warunek
- More layoffs at Meta. This time they concern the metaverse https://cyberdefence24.pl/social-media/kolejne-zwolnienia-w-meta-tym-razem-dotycza-metawersum
- Amazon made a million dollars using a secret algorithm to inflate prices https://arstechnica.com/tech-policy/2023/10/report-amazon-made-1b-with-secret-algorithm-for-spiking-prices-internet-wide/
- Another outflow of users from Twitter (X). Why do some prefer Bluesky to Mastodon? https://netzpolitik.org/2023/irgendwas-mit-internet-der-exodus-von-twitter-zu-bluesky-und-die-hoffnung/ https://annalist.noblogs.org/post/2023/10/05/warum-bluesky-statt-mastodon/
- FTdL is raising funds for hardware for a project generating Polish subtitles (srt, txt) from Polish-language video material. For people who are hard of hearing and for transcription needs https://zrzutka.pl/generator-napisow
- Musk must pay 1.1 million dollars to the Twitter executives he fired https://arstechnica.com/tech-policy/2023/10/musk-cant-dodge-payments-to-ex-twitter-execs-he-fired-judge-rules/
Podcasts and other audio/video content
- Political fake news in campaign season (pl) https://demagog.org.pl/podcast/polityczne-fake-newsy-w-czasach-kampanii-i-scamy-na-mentzena-prasowka-z-dezinformacji/
- Netzpolitik: Off The Record. 2 years of reporting on chat control. A conversation with Markus Reuter (de) https://netzpolitik.org/2023/276-off-the-record-beruf-chatkontrolle/
- Pegasus and other issues in German digital policy. ADB Podcast (de) https://mdb.anke.domscheit-berg.de/2023/09/der-adb-podcast-21/
- Logbuch:Netzpolitik. On chat control and more (de) https://logbuch-netzpolitik.de/lnp470-farbtoene-sind-auch-ein-teil-der-wahrheit
- September review of German digital policy: eGovernment-podcast (de) https://egovernment-podcast.com/egov153-monatsschau-09-23/
- The digital policy of the current German governing coalition through the eyes of the Chaos Computer Club (de) https://chaosradio.de/cr283-was-die-ampel-hinbekommen-hat-und-was-nicht
- Seminar SURVEILLANCE and the EYE of GOD (en) https://www.youtube.com/watch?v=fzhT1cOFZiQ
- Panoptykon 4.0. On the influence of algorithms on the election campaign. A conversation with Agata Kaźmierska and Wojciech Brzeziński (pl) https://panoptykon.org/algorytmy-wybory-podcast
- Witches at the stakes of feminist history. Dziewczynolata. About women who were technology pioneers https://open.spotify.com/episode/0odR3SknMx5dLuEmLE9b7J (sorry for the Spotify link, if you give me a fediverse one I'll swap it :))
Good news
- GNU is 40 years old https://www.heise.de/news/40-Jahre-GNU-Grundsatzfragen-zu-KI-Red-Hat-und-Co-9321783.html
- The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate has a Mastodon account https://social.bund.de/@lfdi_rlp/111158703568048886
- The UN wants to support the Global Digital Compact, working for the sustainable development of the internet, including digital public space and commons https://netzpolitik.org/2023/oeffentliches-geld-oeffentliches-gut-digital-commons-sind-die-zukunft-des-guten-internets/
- The Nobel Prize in Medicine has been awarded https://www.heise.de/news/Medizi-Nobelpreis-fuer-Forschung-an-Impfung-gegen-das-Coronavirus-9322944.html
- The Ministry of the Interior and Administration has launched the Alarm112 mobile app for sending emergency reports to the Emergency Notification Centre. Info via Patryk Gronkiewicz's Mastodon https://www.gov.pl/web/numer-alarmowy-112/aplikacja-moblina-alarm112
- The Orange Foundation stops publishing images of children. Other organisations are following suit https://fundacja.orange.pl/aktualnosci/artykul/w-poszanowaniu-prawa-do-wizerunkow-dzieci
- WatchDog Polska is 20 years old https://siecobywatelska.pl/dzis-sa-nasze-20-urodziny/
- Germany: a whistleblowing platform for police officers is being launched. They can report sexism or right-wing extremism. https://netzpolitik.org/2023/projekt-mach-meldung-whistleblowing-portal-fuer-polizei-gestartet/
- The IT Girls Foundation has prepared the e-book "Safe online: your click matters", worth a read https://infosec.exchange/@avolha/111187217190326934
- Sieć Obywatelska WatchDog Polska helps reveal what happened to the patient records of a gynaecological practice taken by the CBA. There is already a first win in this case https://siecobywatelska.pl/cba-i-dokumentacja-medyczna/ https://orzeczenia.nsa.gov.pl/doc/77FDCEA180
In recent weeks I have freed thousands of pages on the topic of register modernisation (Registermodernisierung) from a wide range of German authorities via #IFG. Technically speaking, what is emerging is a central database that will eventually hold all the data the state has about us. Without a security concept.
Some highlights in the thread.
https://fragdenstaat.de/anfrage/themenkomplex-registermodernisierung-2/#nachricht-830626
https://fragdenstaat.de/anfrage/themenkomplex-registermodernisierung-3/#nachricht-826162
Topic area: register modernisation
- Expert opinions & studies, - statements & assessments, - position, policy and other papers and - documents of a similarly evaluative or analytical nature on the topic of register modernisation that a) within your Or…fragdenstaat.de
CBA and medical records - Sieć Obywatelska Watchdog
The Central Anticorruption Bureau entered the practice of Dr Maria Kubisa, a gynaecologist from Szczecin, and took 30 years of medical records, without giving a reason. Redakcja (Sieć Obywatelska Watchdog Polska)
I sure hope this finally kills #Twitter.
Elon Musk says X will charge users "a small monthly payment" to use its service
X owner Elon Musk today floated the idea that the social network formerly known as Twitter may no longer be a free site. In a live-streamed conversation with Israeli Prime Minister Benjamin Netanyahu on Monday, Musk said the company was "moving to a small monthly payment" for the use of the X system. He suggested that such a change would be necessary to deal with the problem of bots on the platform. "It's the only way I can think of to combat vast armies of bots," explained Musk. "Because a bot costs a fraction of a penny, call it a tenth of a penny, but even if it has to pay…a few dollars or something, the effective cost of bots is very high," he said. Plus, every time a bot creator wanted to make another bot, they would need another new payment method.
Musk didn't say what the new subscription payment would cost, but described it as a "small amount of money."
Polish Economic Institute:
Scientists are migrating from X (formerly Twitter) to other social media platforms
⚡ 46.9 percent of new accounts were created on Mastodon
⚡ 34.8 percent of new accounts were created on LinkedIn
Nearly half of those surveyed (47.7 percent) say they have used X less often in the last six months, and 6.7 percent have stopped using the platform altogether
https://pie.net.pl/wp-content/uploads/2023/09/Tygodnik-PIE_36-2023.pdf
I find one of the most helpful ways you can encourage people to leave hellsites like #Twitter and #Facebook to try out #mastodon / the #fediverse / etc isn't to just tell them "join mastodon" and hope they end up picking a good instance. Actually go the extra step of finding an instance that, to you, an experienced user, seems well moderated, and at least somewhat aligns with that person's interests so they'll find other people's content to keep them interested, and suggest that one directly. @eldritch.cafe remains the first Mastodon instance I ever joined, after my friend and I specifically looked for a server that allows nonsexual female nipples without being focused on actual sex work, and all in all it's been a great experience (and has completely ruined me towards any server with less than a 5,000 character limit, haha).
Especially considering how tech-inclined so many (pre-Twitter-migration) fedi users are--keep in mind that most of us (me included) are not so knowledgeable about this stuff straight out the gate. We need a little extra guidance, and if you truly think that the fedi is a better alternative, you need to make the extra effort in improving #accessibility to your chosen platform. (It also helps tremendously in making sure that someone's first interaction with mastodon isn't on a huge server with little to no moderation, opening them way more up to attacks from racists, etc than if they had started on a heavily moderated server that is already #defederated from instances that allow that abhorrent behavior)
Your Twitter/X account is a microphone connected to a mixer controlled by a fascist. You can speak all you want. The fascist controls your volume and can mute you whenever he wants. And you might not even know you've been muted because you can still hear yourself in your headphones.
It's not called resistance when your volume knob is in someone else's hand.
community feedback, while listening to feedback from former #Twitter users who are rejecting #Mastodon due to the lack of this feature.
Also @alex how hard is functional search to actually integrate? I couldn't imagine it being that hard, but you've done it before, so I'm sure you'd know better than me.
users have been begging for this feature for years, and the devs have ignored them consistently. The only reason they are acquiescing now is because former #Twitter users are begging for it. The devs seem to care more about disaffected #Twitter user feedback than the feedback of the very #Mastodon users who have helped build #Mastodon up to what it is today.
Is this type of behavior deserving of thanks?
So, Twitter decided to pull a DeviantArt move and change its Terms Of Services to include anything you post there on their AI dataset, to re-publish your art and benefit from it without your consent or compensation.
TIME TO DELETE YOUR ART PORTFOLIO ON TWITTER
I will only leave my contact information there, nothing else.
#Twitter #artistsonmastodon #TwitterAlert #AuthorsRights #AI #DeleteTwitter
Musk's broken promises have yet to reach anything near the volume of lies that Trump told as president. But given his recent track record, it's well past time for the press to grant him an equal measure of skepticism."
https://www.theverge.com/2023/8/8/23824184/elon-musk-news-coverage-criticism
It's time to change how we cover Elon Musk
Elon Musk keeps making things up and getting credible headlines out of it. The media needs to be more thoughtful about how they approach the X/Twitter/Tesla/SpaceX CEO. Casey Newton (The Verge)