Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
ruby.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
If you are interested in the Ruby programming language, come join us! Tell us about yourself when signing up. If you just want to join Mastodon, another server will be a better place for you.

Administered by:

Server stats:

1.1K
active users

ruby.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#identity

10 posts10 participants0 posts today
Public
Nishant Kaushik

Default passwords (in this case voicemail PIN) strike again! There are many #AuthN systems around that support sending OTPs by a phone call as an alternative/fallback to SMS (and is an accessibility requirement). Unfortunately, they can't account for this attack vector.
(Oh, and use Signal, not Telegram)
#Identity #Security
gbhackers.com/hackers-hijack-t

GBHackers Security | #1 Globally Trusted Cyber Security News Platform · Hackers Hijack Telegram Accounts via Default Voicemail PasswordsThe Israeli Internet Association has issued a public warning about a surge in cyberattacks targeting Telegram accounts in Israel.
Public
Nishant Kaushik

The insatiable hunger to feed #LLMs and #AI is parasitically draining the commons and public internet. Bandwidth costs are spiking as crawlers take data for training and information. For Wikipedia, the lack of attribution means no visitors, no donors, just cost. The #ethics of AI are failing here.

I saw Tim Karr on bluesky suggest that AIs should pay fees or a tax (should that be tariffs?) into a fund that supports public content. Services like Cloudflare and Fastly that defend against bots are evolving for crawlers. In #identity, the implications for #AgenticAI, #AI, and #NHI are vast.

diff.wikimedia.org/2025/04/01/

Diff · How crawlers impact the operations of the Wikimedia projectsSince the beginning of 2024, the demand for the content created by the Wikimedia volunteer community – especially for the 144 million images, videos, and other files on Wikimedia Commons – has grow…
Public
Johnny Taylor

“So on this #TransDayOfVisibility, I see you — the person behind the governmental erasure and deafening public silence. I see your complexity, your resilience, your #humanity that extends far beyond your #gender #identity. And I promise to keep fighting for a world where being seen doesn't come with a side of existential dread.

Because one day, visibility won't be an act of #courage. It will just be #life.”

readtpa.com/p/navigating-trans

The Present Age · Navigating Trans Day of Visibility in Trump's AmericaBy Parker Molloy
Public
OfficinaProgetti.org

What identity do we truly want? That of an isolated country or that of a stronger, more united European community?

#eu #europeanunion #europe #politics #economy #society #identity #humanrights #peace #defenddemocracy

officinaprogetti.org/en/divide

Bandiera UE in rovina
Officina ProgettiDivided and Vulnerable: Europe's Radical Right and Sovereignists - Officina ProgettiIn recent years, the temptation to embrace sovereignism and defend the national identity of individual European states has become a powerful proposition. But what identity do we truly want? That of an isolated country or that of a stronger, more united European community? Economic, political and social challenges cannot be…
Public
Longreads

"Dry-erase ink is not similar to tattoo ink, but it is almost identical to ink from a permanent marker. And if you leave it on a surface for long enough, especially a porous surface, it will remain. The brain is a porous surface. Memory is a porous surface."

A new essay by Aaron Rabinowitz: longreads.com/2025/03/27/tatto

Longreads · TattoosBy Aaron Rabinowitz
#Longreads#Essay#Tattoos
Replied in thread
Public
Erik van Straten

@BjornW :

I've stopped doing that after a lot of people called me an idiot and a liar if I kindly notified them. I stopped, I'll get scolded anyway.

Big tech and most admins want everyone to believe that "Let's Encrypt" is the only goal. Nearly 100% of tech people believe that.

And admins WANT to believe that, because reliable authentication of website owners is a PITA. They just love ACME and tell their website visitors to GFY.

People like you tooting nonsense get a lot of boosts. It's called fake news or big tech propaganda. If you know better, why don't you WRITE BETTER?

It has ruined the internet. Not for phun but purely for profit. And it is what ruins people's lives and lets employees open the vdoor for ransomware and data-theft.

See also infosec.exchange/@ErikvanStrat (and, in Dutch, security.nl/posting/881296).

@troyhunt @letsencrypt

Infosec ExchangeErik van Straten (@ErikvanStraten@infosec.exchange)🌘DV-CERT MIS-ISSUANCES & OCSP ENDING🌒 🧵#1/3 On Jul 23, 2024, Josh Aas of Let's Encrypt wrote, while his nose was growing rapidly: <<< Intent to End OCSP Service [...] We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. [...] CRLs do not have this issue. >>> https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html 🚨 On THAT SAME DAY, Jul 23, 2024, LE (Let's Encrypt) issued at least 34 certs (certificates) for [*.]dydx.exchange to cybercriminals, of which LE revoked 27 mis-issued certs approximately 6.5 hours later. Note that falsified DNS records may instruct DNS caching servers to retain entries for a long time; therefore speedy revocation helps reducing the number of victims. Apart from this mis-issuance *blunder*, CRL's have HUGE issues that Josh does not mention: they are SSSLLLOOOWWW and files are potentially huge - while OCSP is instantaneous and uses little bandwith. 🌘NO OCSP INCREASES INTERNET RISKS🌒 If LE quits OCSP support, the average risk of using the internet will *increase*. 🌘LIES🌒 Furthermore, the privacy argument is mostly moot, as nearly every website makes people's browsers connect to domains owned by Google (and even let's those browsers execute Javascript from third party servers, allowing nearly unlimited espionage). In addition, IP-addresses are sent in the plain anyway (📎). (📎 When using a VPN, source and destination IP-addresses *within the tunnel* are not visible for anyone with access to the *outside* of the tunnel - but they are sent in the plain between the end of the tunnel and the actual server.) Worse, the remote endpoint of your E2EE https connection increasingly often is *not* the actual server (that website was moved to sombody else's server in the cloud anyway), but a CDN proxy server which has the ability to monitor everything you do (unencrypting your data: three letter agencies love it, FISA section 702 grants them unlimmited access - without anyone informing you). 🤷 LE may try to blame others for their mis-issuance blunder, but *THEY* chose to use old, notoriously untrustworthy, internet protocols (BGP and DNS, including database records - that DNSSEC will never protect) as the basis for authentication. By making that choice, LE and other DV cert suppliers were simply ASKING for trouble. 🔓 In fact, the promise that Let's Encrypt would make the internet safer was misleading from the start: domain names are mostly meaningless to users, 100% fault intolerant, unpredictable and easily forgotten. If your browser is communicating with a malicious server, encryption is pointless. Josh, stop lying to us; your motives are purely economical. 🌘CORRUPT: BIG TECH FACILITATES CRIME🌒 DV-certs were heavily promoted by Google (not for phun but for profit) after their researchers "proved" that it was possible to show misleasing identification information in the browser's address bar after certificate mis-issuance (the "Stripe, Inc" incident, https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/). This message was repeated by many specialists (e.g. https://www.troyhunt.com/paypals-beautiful-demonstration-of-extended-validation-fud/) with stupid arguments: certificates do NOT directly warrant reliable websites. OV and EV certificates, and QWAC's, more or less reliably, warrant *WHO OWNS* a domain name. That means that users know *who* they're doing business with, can depend on their reputation and can sue them if they violate laws. "Of course" Google recently lost trust in Entrust for mis-issuing certificates (https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html). Meanwhile the internet has become a corrupt and criminal mess; its users get to see misleading identification info in their browser's address bar WAY MORE OFTEN, e.g. https:⁄⁄us–usps–ny.com (for loads of examples see https://www.virustotal.com/gui/ip-address/188.114.96.0/relations; tap ••• a couple of times). Supporting DN's like "ing–movil.com" and "m–santander.de" *is* facilitating cybercrime, by repeatedly mis-issuing certs for them (see https://crt.sh/?q=ing-movil.com and https://crt.sh/?q=m-santander.de) and by letting them hide behind a CDN (see https://www.virustotal.com/gui/domain/ing-movil.com/details and https://www.virustotal.com/gui/domain/m-santander.de/details). In addition, *thousands* of DV-certs have been mis-issued - without *their* issuers getting distrusted by Google, Microsoft, Apple and Mozilla. People have their bank accounts drained and companies get slammed with ransomware because of this. But no Big Tech company (including the likes of Cloudflare) takes ANY responsibility; they make Big Money by facilitating cybercrime. Not by issuing "free" DV-certs, but by selling domain names, server space and CDN functionality, and by letting browsers no longer distinguish between useful and useless certs. They've deliberately made the internet insecure *FOR PROFIT*. 🌘CERT MIS-ISSUANCE ROOT CAUSE🌒 The mis-issuance of LE certs was caused by the unauthorized modification of customer DNS records managed by SquareSpace; this incident was further described in https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/. Note that a similar attack, also affecting SquareSpace customers, occurred on July 11, 2024 (see https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/). Even if it *looks like* that no certs were mis-issued during the July 11 incident, because (AFAIK) none of them have been revoked, this does not warrant that none of them were mis-issued; such certs can still be abused by attackers, albeit on a smaller scale. 🌘MORE INFO🌒 Please find additional information in two followups of this toot: 🧵#2/3 Extensive details regarding Mis-issued dydx.exchange certs on 2024-07-23; 🧵#3/3 Links to descriptions of multiple other DV-cert mis-issuance issues. 🌘DISCLAIMER🌒 I am not (and have never been) associated with any certificate supplier. My goal is to obtain a safer internet, in particular for users who are not forensic experts. It is *way* too hard for ordinary internet users to destinguish between 'fake' and 'authentic' on the internet. Something that, IMO, can an must significantly improve ASAP. Edited 08:16 UTC to add people: @troyhunt @dangoodin @BleepingComputer @agl #DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#DV#Impersonation#AnonymousCertificates
Public
mailbox.org

📩 Whether at work, with friends or when shopping online - your e-mail is more than just a communications tool. It is your digital ID, the key to online services and often the first impression you make. A personal e-mail address creates trust and underlines your identity.

Find out in our blog how you can strengthen your digital presence with your own domain: mailbox.org/en/post/email-addr

#mailboxorg #OwnDomain #E-mailBrand #Identity #TipsAndTricks

GIF
ExploreLive feeds
About