I like that Jon Stewart/TDS had FTC Chair Lina Khan on the show, but I was seriously let down by her portrayal of “Web 2.0” as when the Web turned to the big social networks like Facebook.
Web 2.0 was a period of time BEFORE the giants got giant, and before capital-S-Social took over.
It was a time of open data, public APIs, mashups, and actual humans contributing to their own little plot of the Internet.
A break between when most-EVERYTHING was driven by big money and digi…
Just deployed a new Kitten¹ version 🎉
• Adds database backup and restore in your app’s Kitten settings page (/💕/settings)
• Upgrades version of JSDB from 4 to 5²
• You can emit and listen for events on the session object you get from `request.session` in your routes now.
¹ https://codeberg.org/kitten/app
Actually reported a spam hitting my GMail inbox (which is essentially a spamtrap, I don’t trust Google with my email, are you high?!?) to what remains of the MailChimp abuse desk inside the Pits of Mordor^W^W^W Intuit. I even used the web form.
Spam: sewage-grade. No time to dissect, but it is full of random text (hashbusters that really don’t work) & seems to be a phish for something called “Harbor Freight” which I gather is a bit like Menard’s or Duluth Trading. Don’t care. (1/2)…
Evolution of HOD and galaxy properties in filaments and nodes of the cosmic web
Noelia R. Perez, Luis A. Pereyra, Georgina Coldwell, Ignacio G. Alfaro, Facundo Rodriguez, Andrés N. Ruiz
https://arxiv.org/abs/2405.01671
@…
(With apologies if Mastodon is the wrong place to send this inquiry…)
I’m looking at using TelemetryDeck on my personal web site, because (1) it looks really good and (2) I know at least one of the people behind it is cool.
But…the integration instructions don’t mention using `async` or `defer` attrs on the <script> tag. Won’t tha…
Looking at the beautiful standard for "normal-gauge traction vehicles, classification and marking", I'd like to point out one more historical curiosity.
Electric multiple units are classified as designed "for local and suburban traffic, on lines with low and high platforms" (EN) and "for suburban traffic, on lines with high platforms" (EW) [1].
Let's note that the standard dates back to a time when high-floor railcars were a norm. According to Wikipedia, EN57's "floor is 1153 mm above top of rail" [2]. For these EMUs, the difference between "high-platform" and "low-platform" units boiled down to the latter having stairs leading down. So both kinds of units could be used on high-platform lines.
Most of the modern EMUs are low-floor, and are not suitable for high platforms. Therefore, they technically do not meet the definition for "EN" marking. For example, the Newag Impuls trains ordered by SKM Trójmiasto (the urban train operator) had their train floor height specially raised to 960 mm ATR [3].
[1] #rail
Just signed the open web advocacy letter asking #apple not to fuck with web apps in the #eu.
https://letter.open-web-advocacy.org/
I just updated https://jws.dev: I added my "Vue Offline Boilerplate" to the projects page
I wrote this app as a common "starter app" for 2-3 other apps that I have kicking around in my head. It uses:
- Vue 3 and the Composition API
- Pinia
- The vite-plugin-pwa plugin
Polk with the photo and Hayes’ typewriter.
Cleveland’s recorded voice, McKinley’s first phone campaign, Harding’s amplified inaugural, Coolidge’s first WH broadcast and Hoover filmed in color.
FDR on TV, Truman with the first inauguration on national TV and Ike giving the first TV news conference and first speech via satellite.
Clinton’s email, GWBush’s #SOTU streamed on the net and …
Come on. This push to summarize all webpages and written content with #AI is ridiculous.
See this example from #Arc Search - in what world is this an adequate summary for an 8,000 word article that takes 43 minutes to read?
The amount of detail, specificity, narrative, and actual arguments that get lo…
Google, Apple, Mozilla, and Microsoft release Speedometer 3.0, a benchmark to "create a shared understanding of web performance", after Speedometer 2.0 in 2018 (Abner Li/9to5Google)
https://9to5google.com/2024/03/11/speedometer-3-0/
Web apps out of action: iOS 17.4 beta is causing developers great concern
With beta 2 of iOS 17.4, web apps suddenly stopped working on the iPhone. Beta 3 brings no improvement either. Developers are asking themselves: what is going on?
A bit of computer nerdery that's too small to be bothered blogging, but I still want to preserve for posterity:
*How to set-up ddclient to update CloudFlare DNS entries*:
1) There's a showstopper bug in the Perl5 IO Socket SSL library <= v1.081 (currently in Fedora 38). Fixed in v1.082 and Fedora 39 contains v1.083
2) If you want to determine your current public IP from a web source (rather than your router for e.g.), you probably want "use=web, web=ifconfig…
February 22, 2024: "Today, we’re excited to announce that the Bluesky network is federating and opening up in a way that allows you to host your own data."
https://bsky.social/about/blog/02-22-2024-open-social-web
Made a bunch of performance improvements to Kitten’s startup time. It now launches in under half a second on my machine vs a couple of seconds previously.
Feels even snappier now.
https://codeberg.org/kitten/app
:kitten: 💕
I hesitated sharing this because the alt text is pants, the random  (yes, obj) in the middle suggests missing stuff, it targets WCAG 2.1, has “here” link text, may not grok 1.4.11 & states, maybe thinks they invented shifting left, uses “a11y” in the copy, suggests 1.4.1 is too prescriptive, uses animated GIFs, pushes Material Design, _but_ it is a nice color-blind chart design primer.
“How Accessibility Standards Can Empower Better Chart Visual Design”
Web 3.0 and Quantum Security: Long-Distance Free-Space QSDC for Global Web 3.0 Networks
Yew Kee Wong, Yifan Zhou, Xinlin Zhou, Yan Shing Liang, Zi Yan Li
https://arxiv.org/abs/2402.09108
I have tried, for my own purposes, to visually connect the European and German legislation on digital #barrierefreiheit (accessibility). No guarantee as to how accurate this is; corrections and suggestions for improvement are welcome.
Apple is officially dropping iPhone support for web apps in the EU
https://www.theverge.com/2024/2/15/24074182/apple-drops-support-iphone-web-apps-eu-dma
<< "While web apps have been broken for EU users in every iOS 17.4 beta so far, Apple has now confirmed that this is a feature, not a bug."
EU needs to issue a massive fine to Apple, who are simply taking the piss now.
#KI (AI) is killing the internet, but the old Web 2.0 can fight back. The internet in the #SocialMedia era was a fast-food restaurant. Now it is just the bowl of peanuts on the counter.
All the nicer, then, that there are some corners of the web which, in the face of the AI tools and offerings, are still quite…
It took only 30 days for "Madame Web" to be available on video/streaming after premiering at theaters. https://www.amazon.com/Madame-Web-Bonus-Dakota-Johnson/dp/B0CTW66FJ6/ref=sr_1_2
They have a blog to reassure their users about the changes.
https://bsky.social/about/blog/02-22-2024-open-social-web
A summary of some ways Bluesky differs from Mastodon:
A focus on the global conversation
Which is to say, manipulating the things you are shown such that you are broadcast to from megastars rather than talking to a community.
Your Mastodon server is part of your username, and becomes part of your identity.
I am not a handle! I am a free man! I guess that means on Bluesky you're stuck with the one identity and can't transition into a new identity 😆
breaking news, viral posts, and algorithmic feeds
Ugh.
Composable moderation.
Which is to say hiding the nazis instead of deleting them. Putting up a veil instead of addressing a problem.
Composable feeds:... there are currently over 40,000 algorithmic feeds to choose from!
It's just like TV!
Your Mastodon timeline is only made up of posts from accounts you follow
Damn right.
Moving hosting services should be like changing your cell phone provider — you should be able to keep your identity and data.
I'm leaning more towards auto-delete after a month lately, but that still hasn't quite overcome my inner archivist.
Losing an account when a server went down is indeed a good chunk of why I started a server.
Oh, hey! Despite it being astronomical "Spring" yesterday... it seems we have a big snowstorm coming in tomorrow night to dump maybe over 7 inches (~18cm) of SNOW on us! ❄️☃️
Web 2.0 survivor, Flipboard, recently decided integration was the best path forward.
It ditched Twitter and integrated with Mastodon while rebuilding its back end to join the fediverse
— the decentralized social web.
The social magazine app also became the first app to support Bluesky, Mastodon, and Pixelfed (a decentralized Instagram alternative) last May, allowing users to track updates across these social networks, as well as YouTube, all in one place.
I remembered that continuous DVD film rental service we had here in Santiago. It was called "boomerang", I think. You could have several DVDs at the same time, depending on the plan you paid for, and when you returned one they sent you another. It was really good for the pre-streaming era.
Later it was bought by VTR and died with the mass adoption of streaming.
Oh man.
I grabbed a copy of phi3, and asked it my "how do you send web push messages in python".
It repeatedly suggested I use a non-existent class. When I pressed about this it noted that the class absolutely does exist in the package and offered a link to npmjs.com to prove it.
I couldn't stop laughing for a good 2 minutes.
(I also found it SUPER arrogant. It was absolutely convinced that there was no reason that python couldn't use node code and…
"It’s almost impossible to believe now, but in #2005 not one of the top ten companies in the #Fortune500 was a technology company. The highest entry was Hewlett-Packard at number 11, but it had nothing to do with the web. #Microsoft, which was coasting along at this point with its dominant Interne…
Actual excerpt from a FAQ on a web page about a river in the US south.
Q: How many people have drowned in the river?
A:
All three parts of this answer are sad (the first one is maddening as well) but I need more to fully understand the third part.
#history #interesting
Kia Orana (live long & prosper in Cook Islands Māori)
🖖🌈🏝️🇨🇰
Still on the mend from that #handfootmouthdisease (#coxsackievirus A16)…
But the web dont wait, so neither does #eleventeen
In 2 weeks, the web studio Internet 2000 begins integrating WordPress with @…!
No-code developers can design headless WP sites, while clients edit them easily.
Curious about a #foss alternative
Data to view after voting, see above post
I found lots of websites (¹ ² ³ ⁴) claiming the correct answer is "specced" and only two (Merriam-Webster and Dictionary.com) that referred to the punctuated "spec'd", naming it as an alternative to "specced" with the same pronunciation. (Dictionary.com also named "specking" as a second alternative. I found nothing referring solely to "spec'd".)
However, Google Books Ngram Viewer has "spec'd" as the most common printed form until recently. Continuing the trend past 2019, "specced" should now have a narrow lead. In British English books (not shown), it overtook "spec'd" in 1997 and began a commanding lead in 2010.
Google web searches put "specced" at 3.01M results and "spec'd" at 8.69M, though almost all of the hits refer to "Spec-D" headlights. This is one major advantage of the Ngram Viewer, which doesn't trip over differing punctuation types (it shows "spec-d" at a trickle). It might be more fair to compare "specced out" (348k) with "spec'd out" (739k)
Time For 9 o'clock #HashTagGames hosted by @…
Chinese philosopher Confucius had a lot to say about knowledge, benevolence, loyalty, and virtue. Previously we played little known sayings. But, as much as he said, he axed a few. Let's play!
I just got back from 2 hours of cycling proficiency training - the first time I've ever had any kind of cycling lesson, unless you count my old friend Gwilym showing me the absolute basics when we were about 20.
Some reflections:
🕳️ I'm tired, but not crawling-in-a-hole tired. Hopefully this is a sign that my health is improving, but I'm not going to get cocky.
🚲 I definitely should have done this years ago. I didn't even know it was a thing until recently! I wouldn't have known what to look for ('adult cycling proficiency training').
🆓 These classes are fully funded, but the Cycling Scotland web site is baffling. You need to find and contact trainers directly - they have a page to search for classes, only there aren't any because they're usually arranged and delivered one to one.
🫧 Chris Gibson of Chris' Bike Repairs was my trainer. He was encouraging and informative. Can recommend.
💪🏻 I'll probably go back for a slightly more advanced session with more on navigating traffic, junctions and so on. He's offered to base this around my commute to work!
🚘 Sharing the road with cars is scary, but it's probably been worse because I've lacked confidence in how to deal with them.
Sõnajaht: Definition Embeddings and Semantic Search for Reverse Dictionary Creation
Aleksei Dorkin, Kairit Sirts
https://arxiv.org/abs/2404.19430 https://arxiv.org/pdf/2404.19430
arXiv:2404.19430v1 Announce Type: new
Abstract: We present an information retrieval based reverse dictionary system using modern pre-trained language models and approximate nearest neighbors search algorithms. The proposed approach is applied to an existing Estonian language lexicon resource, Sõnaveeb (word web), with the purpose of enhancing and enriching it by introducing cross-lingual reverse dictionary functionality powered by semantic search.
The performance of the system is evaluated using both an existing labeled English dataset of words and definitions that is extended to contain also Estonian and Russian translations, and a novel unlabeled evaluation approach that extracts the evaluation data from the lexicon resource itself using synonymy relations.
Evaluation results indicate that the information retrieval based semantic search approach without any model training is feasible, producing median rank of 1 in the monolingual setting and median rank of 2 in the cross-lingual setting using the unlabeled evaluation approach, with models trained for cross-lingual retrieval and including Estonian in their training data showing superior performance in our particular task.
Critical Vulnerability Discovered in the HTTP/2 Protocol: Continuation Flood Threatens Web Servers
https://poliverso.org/display/0477a01e-b5696e46-1e3e95cf9fe3cdbc
Remember how the #CSU in Aschheim tried to use a playground to prevent a cannabis social club?
The CDU in #Dresden is now trying a similar manoeuvre to prevent the construction of a mosque.
Just my luck.
I have an issue with a piece of web software.
About to open a full on forum thread with my issue, only to try one last thing and it worked.
Changed the version of PHP from 8.1 to 8.2 and now it works.
Anyway, I can now see how many hits certain pages have got :D
gonna tell my kids web 3 was just web 2 with rounder corners
That really sucks if true.
Even though I don't use any progressive web app right now.
Update: Seems from the comments that this is only for Home Screen bookmarks and real web apps continue to work.
From: @…
Today we've shipped some great new OmniFocus features for macOS, iOS, iPadOS, watchOS, visionOS, and web:
https://www.omnigroup.com/blog/omnifocus-updates-for-everyone
We've improved performance across the board, and introduced new custom per…
Sonos updates its Android and iOS apps, rebuilding them to become more reliable, and plans to discontinue its Windows and macOS apps in favor of web apps (Chris Welch/The Verge)
https://www.theverge.com/2024/4/23/24137502/sonos-new-app-announced
Kitten breaking change: Route handlers, etc., now take parameter objects
Just pushed the API updates I’d posted about earlier to main and to the latest Kitten release.
This change affects:
- Route handlers (all types of routes)
- `onConnect()` handlers
- The default export on main.script.js files
I’ve updated all the examples, documentation, etc., on Kitten to use the new API but if you see anything I’ve missed, please let me know.
"It was Kathy Sierra who triggered a major, deeper change in the way programming was taught. To be honest, the books by themselves would already have been a major triumph. Her work happened at a time when the dot-com boom opened the door for new ideas, right in the middle of the Web 2.0 craze, and right before the rise of the smartphone and social media."
#InternationalWomensDay
Yesterday (and today too) I was feeling unwell, so I went home in the afternoon and lay straight down in bed. NHK Radio 1, which had been left on since the morning, was broadcasting the Hanshin vs Chunichi game. Top of the 7th inning. Since they were slow to say how the game stood, I checked the live score on the web: Chunichi was losing 10-2!
After that they gave up even more runs, and when I nervously peeked at the social media of the café owner, a Chunichi fan, there was a single line: "What on earth is this?" ...It hurts. In the end Hanshin won overwhelmingly, 15-2. And today Hanshin won again, 3-0. ...Then, since I felt a little better in the evening, I dropped by the Chunichi-fan owner's café and we had a lively chat.
I surprised myself by getting so excited talking about baseball. The radio baseball broadcast, with Shinji Imanaka on commentary, was genuinely fun too. Hanshin's manager Okada is wonderful as well; they seem to turn every small chance into runs. ...Maybe I'll become a baseball fan from here on?
2/ #LTO also reported: "The surveillance was discontinued as of 26 April, 'after, on the basis of the findings gathered up to that point, further surveillance would no longer have been proportionate', the Munich Public Prosecutor General's Office announced on Tuesday.
Beforehand, proportionality had been constantly reviewed, also with regard to the constitutional status of press freedom. In doing so, both the Public Prosecutor General's Office and the Munich District Court had come to the view that, against the background of the accusation of forming or supporting a criminal organisation as an offence of considerable significance, this measure was proportionate."
The funny thing is: #LetzteGeneration is something like an #OpenAccess protest organisation. The complete organisational structure was documented on their web server. The names of the activists in the core team were in the Süddeutsche, and there are updates every now and then.
All of this was confirmed by an FDP undercover agent.
It may of course still be the case that LG's structure is completely different and that they secretly work in a completely different way. To find that out, you would then have to tap the press phone. Right? If the legal situation allowed it, I would start with the activists who describe themselves as the core team. If you tap them for a week, you find out pretty quickly whether they have anything to report or not. The press phone seems rather irrelevant to me. Oh well. I'm no intelligence officer. But after a few months they did work out themselves that tapping the press phone was not (or no longer) justified.
#krimminelleVereinigung
https://www.lto.de/recht/nachrichten/n/staatsanwaltschaft-ueberwachung-pressetelefon-letzte-generation-beendet/
Some sites should fire their web developer. Checking out new dresser for bedroom. One site had a sort by price. Before clicking there are dozens, after the click nothing is found. Major fail in my less than humble opinion. They also have filters for height, length & width. Like WTF for the last 2? Which one is depth?
You’d think that in 2024 you’d have an easier way to enter a true minus sign glyph (−) instead of a dash (-) in Linux.
And this isn’t just one for typography geeks either, it’s an accessibility issue.
Imagine you have a minus button in a web form. A screenreader would read it as a dash button unless you used the proper character. (The workaround, of course, is to use aria-label.)
#typography
In iOS 17.4 Beta 2, Apple demotes PWAs in the EU from standalone apps that use the whole screen to shortcuts within the default browser, to comply with the DMA (Thomas Claburn/The Register)
https://www.theregister.com/2024/02/08/apple_web_apps_eu/
My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C++ for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…
Over the next 15 years we will spend $3 Trillion on highway expansions and maintenance in the United States
With 2.5% of that funding Amtrak will deliver their vision of adding 39 new routes and enhancing 25 routes!
Imagine what Amtrak could do with 5% of the highway budget?
If you are a @… user and work with #WCAG - this extension hit the Raycast store Today: https://www.raycast.com…
300,000 inserts per second into a persisted database running entirely in browser on a phone
sqlite is cool. the web is cool.