Brian Smith (@BRIAN_____)
Followers: 3K · Following: 16K · Statuses: 3K · Joined April 2008
@__apf__ I am sure more than one person made a mental note to ask you to do some breakdancing the next time they bump into you.
@sdw Does Apple use the same tech to limit EU antitrust conformance geographically to only devices in the EU?
@rmhrisk @WatsonLadd @CrowdStrike @Microsoft I'm guessing it's closer to arbitrary code execution, but done in a way that allows dynamic loading beyond what the kernel would allow normally, and routing around authenticode using their own authentication.
@WatsonLadd @rmhrisk @CrowdStrike @Microsoft eBPF can hardly be said to be correct. Not only have serious bugs been demonstrated, but the whole implementation strategy is optimized for it to remain a vulnerability factory.
RT @mistymntncop: "Weaponizing Chrome CVE-2023-2033 for RCE in Electron: Some Assembly Required" by @7urb01
@colmmacc @isislovecruft Waitress asked me what I was working on (some math). She had a MS in math. Explained to her how this free program can be used to prove mathematical facts. She thought this was very cool and wanted to try it herself. What was the name of the program, she asked me. Weirded out fr.
@AlecMuffett @c7five @mer__edith I see your other tweets and understand your point now. Desktop OSs should move to a model more like phone OSs & more like the web where applications don't have access to all your data by default. This could be done w/o reducing user agency b/c file manager could have full access.
@AlecMuffett @c7five @mer__edith macOS at least does try to offer some compartmentalization although I'm not sure of its effectiveness. Windows is moving in that direction with Credential Guard and VBS Enclaves; again, hard to figure out their exact target threat model for enclaves and their effectiveness.
@AlecMuffett @c7five @mer__edith There's a lot of nuances in that (look at how browsers' web APIs for file access work and how access is brokered with a fairly convenient UI, which I would love Word to mimic) but I am not sure what that has to do with the tweet you replied to. Note that 'silly' ≠ vulnerability.
@AlecMuffett @c7five @mer__edith Also, laptops are difficult to secure, sure. Maybe they aren't secure enough for Signal's threat model. But they developed the app for laptops so they've taken on the challenge to make it secure. But Electron's docs basically disclaim its suitability for such threat models…
@AlecMuffett @c7five @mer__edith Other applications have made better choices for key storage using same tools across the same platforms. I think people do generally expect that higher level of key protection from Signal. However, I would say it hardly matters b/c Electron is an overwhelming security weakness.
@tweagio Really nice. Not sure why all the BUILD files still need to be written by hand. It seems like a tool should be generating the initial versions of them, at least. In the past I got stuck with tests because the test environment isn't the same under Bazel as under `cargo test`.
@colmmacc An inexpensive electric emergency one has served me well for those things. I bought a traditional one (California branded aluminum one) and basically never use it because the electric one is much more convenient.
@nick_r_cameron @aeruhxi I think the intent is you use Arc/Rc primarily for cases where that advice is true, so if you're using Arc/Rc then there is a presumption that you want to increment reference counts instead of copying. Maybe people are too quick to reach for Arc/Rc, but that's a different issue.
@lcamtuf This goes back to a more fundamental point: OpenSSH is an OpenBSD project ported to other OSs after the fact, where the 'portable' version is explicitly 2nd-class. Maybe an implicit protest to the norm of Linux-first and halfhearted effort into supporting OpenBSD.