I hope this is common knowledge, but just in case not: Authorized Fetch does not protect media attachments. Only post contents and (some) user profiles are authenticated.

Likewise, uploaded media is always public. Even if sent as a DM, anyone with the link can access the files without authentication. That includes blocked users / instances, so be careful what you upload!

#PSA #FediTips #Fedi #Fediverse

lol

https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github

Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.

You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.

^{trufflesecurity.com}

Campfire Stories 🔥

Commission for Kaiyoht from Jack-Jackal! :3 Higher res version, time lapse video, and drawing stage snapshots are up on my Patreon!: https://www.patreon.com/posts/campfire-stories-108754627

#Furry #FurryArt #FurryArtist #MastoArt #Commission #ArtCommission

Everytime I look up advice/details of how to do something on Linux and the project/guide doesn't explain what to do, but instead has a docker image, my resolve to never use docker increases a little bit more.

I get why docker exists and I'm not saying that it's not useful but wow I really do not want the question "How do I do x" to be answered with "Use this docker image"

"You! Explain what this world is about!"

Seems this sabre has been transported in time to the modern day, and is grumpy about it!

📸 @silverfoxwolf
🐯 @tungro as Seritus the Sabretooth Tiger
✂️ @madebymercury
📆 2024-07-20
🌍 LondonFurs, London, UK

#FursuitFriday
#Furry
#Fursuit

In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.

To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”

https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

Secure Boot is completely broken on 200+ models from 5 big device makers

Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.

^{Ars Technica}

“Imagine a house where the drywall, flooring, fireplace, and light fixtures are all made by companies that need continuous access and whose failures would cause the house to collapse. You’d never set foot in such a structure, yet that’s how software systems are built.

“It’s not that 100 percent of the system relies on each company all the time, but 100 percent of the system can fail if any one of them fails.” https://hachyderm.io/@wka/112849901858780783

Blind spot

This was a "WTF" moment when i first found this out; hope i explained this well enough!

Shreddyfox at FWA24

🦊: shreddyfox
📌: FurryWeekend

#Furry #Furries #Fursuit #FursuitFriday #Photography #Anthro #FurryArt #FurryArtist #FWA #FWA24

These oversized american vehicles are getting out of control! How can someone justify buying something big enough to crack the pavement just to pick up groceries or go to their office job?!

I bet this thing has never even seen mud. It's useless for doing any actual work. Its practically designed just for killing pedestrians and I think that shows exactly how much the landlord class in America values the lives of you and me and anyone else they see as beneath them.

#mecha #keimech

Griffin:

Vote .org just announced a nearly 700% increase in daily voter registrations — more than 38,500 new registrations — in the 48-hour period following President Biden's announcement.

This figure marks the single largest number of voter registrations over a 48-hour period during the 2024 cycle.

👉🏼👉🏼Younger voters between 18 and 34 accounted for 83% of new registrations.

Content warning: UKpol, Trans rights. Reveal/hide

Fantastic news for those of us who rely on breathing for our daily lives.

https://www.theguardian.com/environment/article/2024/jul/25/ulez-expansion-led-to-significant-drop-in-air-pollutants-in-london-report-finds

#London #ulez

Ulez expansion led to significant drop in air pollutants in London, report finds

Change equivalent to removing 200,000 cars for a year, with capital’s air quality improving at faster rate than rest of England

^{Gwyn Topham (The Guardian)}

OpenBSD enthusiast cooks up guide for the technically timid

If you want a simple step-by-step, this is the best we've seen French BSD enthusiast Joel Carnat has written a how-to guide on setting up a laptop with OpenBSD for general use. It's worth a go for the Unix-curious.…
#theregister #IT
https://go.theregister.com/feed/www.theregister.com/2024/07/25/openbsd_for_the_people/

OpenBSD enthusiast cooks up guide for the technically timid

^{Liam Proven (The Register)}

When Sunday made history as the worldwide hottest day on record, it held the top spot for just one day: Monday is now the warmest day of global average temperature
- and Tuesday is second.
Three global temperature records set in three days.

Climate crisis? What climate crisis?

https://apnews.com/article/climate-global-temperatures-10600ef3b2092dfc4d456f0d593ee0de

A slight temperature drop makes Tuesday the world's second-hottest day

Global temperatures have dropped slightly after breaking the all-time heat record the two previous days. The European climate service Copernicus says Tuesday's global temperature was 17.15 Celsius, which is 62.87 Fahrenheit. That's just 0.

^{SIBI ARASU (AP News)}

This is pure cartel behavior: Reddit and Google have cut a deal that will freeze out all other search engines from indexing Reddit, where volunteers do essentially all the work.

This should not be legal.

It is VITAL to replace Reddit, and it will take a global village to do it. If we don't, the cartel wins.

And Google should be broken up by Congress, if the antitrust people won't try.

https://www.404media.co/google-is-the-only-search-engine-that-works-on-reddit-now-thanks-to-ai-deal/

Google Is the Only Search Engine That Works on Reddit Now Thanks to AI Deal

DuckDuckGo, Bing, Mojeek, and other search engines are not returning full Reddit results any more.

^{Emanuel Maiberg (404 Media)}

It's 2026, McDonald's has partnered with IBM again for verbal order placement in the drive through.

You left your wallet at home, but know tap to pay works with your phone.

You arrive at the takeout window, no one is there. Your food is behind a glass mechanical door. You tap your phone and a voice tells you:

"This payment method is not accepted, please use a trusted device."

You ask what a trust device even means, a voice responds devices without any modification to the Operating System. You don't care what an OS is, you want those chicken nuggets.

You press again and the voice gives an example "Your device may be jail broken." You ask why this gets in the way of paying with your card backed by your connection to BigPhoneOSCorp.

The voice says: "I cannot disclose that information"

You drive away.

If Tesla (the organisation) ceased to exist, how much functionality in a Tesla (the car) would cease to work?

Would it still be driveable, able to charge etc.?

Is the same true of other modern cars?

The exciting news about the R21 malaria vaccine makes me want to point out that malaria is endemic in parts of the world. And it kills about half a million people every year.

You know what's coming.

Say it with me.

All together now:

Endemic does not mean benign.

This one weird trick saved countless hours and stress

https://www.theregister.com/2024/07/25/crowdstrike_remediation_with_barcode_scanner/

How a cheap barcode scanner helped fix CrowdStrike'd Windows PCs in a flash

This one weird trick saved countless hours and stress – no, really

^{Simon Sharwood (The Register)}