[email: jonathan at werrett dot co; twitter: http://twitter.com/werrett; mastodon: https://infosec.exchange/@werrett]
---
[age public key: age1jarg867ve9mg6w32vwx80qg873fryvhtuzd204fhxucs5afhns0saa587z; https://age-encryption.org]
- While appalling I don’t think you would find it 'crushing', even ignoring the jibe about expat conclaves.
Costa Rica’s 17 in 100k is ~2.5 times bigger than the US’ 6 in 100k people killed by homicide.
Thanks to gun crime, the US’ homicide rates are at least 7x the rest of the first world, anglophone, countries where rates are sub 1 in 100k.
By that measure it is 2-3x more confronting, to move from the United Kingdom to the States than it is from the US to Costa Rica.
- You guys are tripping. EULAs have had anti-competition, anti-benchmarking, anti-reverse engineering and anti-disparagement clauses since the late 90s.
These unknown companies called Microsoft, Oracle, Salesforce, Apple, Adobe, … et al have all had these controversies at various points.
- At least one person has been subject to secondary screening and ultimately denied entry on the accusation that they had two phones.
> I thought I was just going to be given my passport and sent on my way, or maybe asked a couple of questions, but they made some pretty outlandish accusations. They said, ‘We know you have two mobile phones. We’ve been tracking your calls. We know you’ve been selling drugs’.
https://www.theguardian.com/us-news/2025/apr/11/australian-w...
- This is the ultimate nihilistic take on security.
Yes, 'cyber' security has devolved to box checking and cargo culting in many orgs. But what's your counter on trying to fix the problems that every tech stack or new SaaS product comes with out of the box?
For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
If you're an engineer cutting code for a YC startup -- Who owns the dependency you just pulled in? Are you or your team going to track changes (and security bugs) for it in 6 months? What about in 2 or 3 years?
Yes, 'cyber' security brings a lot of annoying checkboxes. But almost all of them are due to externalities that you'd happily blow past otherwise. So -- how do we get rid of annoying checkboxes and ensure people do the right thing as a matter of course?
- I’m a fellow cyclist in SF and can only wholeheartedly second this. To add some extra anxiety, I’m usually riding a cargo bike, ferrying a child to or from daycare.
I still remember the first time I went through a four-way stop intersection and saw a driverless car idling, waiting for its turn. It was weird and nerve-wracking. Now… I’d much prefer that to almost any other interaction at the same spot.
- I've got conflicted feels about Tailscale. I love their product and a bunch of the people I know use their free tier, including myself.
But their enterprise strategy destroys their good will. I can only assume it's focused on killing old school VPN products. The free tier that we love is a marketing expense. And it’s not even a conversion play.
People are complaining about ~10/user/month -- add basic things that you'd need to manage more than 10 peeps (SAML/SCIM support) and you're talking ~20/user/month. For us, a small sub 200 person company, they immediately lost their chance. We have lots of problems in the security space, some we're willing to spend more than 20/user/month to solve. Legacy network access is not one of them.
- As well as being disingenuous your whole argument is beside the point. ASML isn’t threatening to move to the US.
The current administration has created daylight between the US and EU governments and ASML is using this leverage to try and get the Dutch to ignore US export bans.
Here are some choice excerpts so you can continue to avoid clicking on TFA:
> The pressure on asml began to build in 2019, when the Dutch government, at America's urging, barred the company from exporting its advanced euv machines to China... President Donald Trump's second term brings the threat of still tighter controls
> Referring to the Dutch government's willingness to follow America's lead on export bans, Mr Fouquet says that Europe must "decide for itself what it wants" and "should not be dictated to by anyone else".
- Did you even read the article? ASML is chafing against American-led export regulations. The Trump government is still very keen on restricting China’s ability to make cutting edge chips.
The threat to move is probably empty. But it’s not a threat to move to the place that is generating their headwinds.
- Here ya go:
King Stingray does Coldplay's 'Yellow' https://youtu.be/sr3iI8gg2fo
Denzel Curry does Rage against the Machine's 'Bulls on Parade' https://youtu.be/ZY4ywyFXdik
- Yes. It was probably a maintainer's creds being compromised.
The [malicious commit](https://github.com/tj-actions/changed-files/commit/0e58ed867...) is masquerading as a commit from [Renovate](https://github.com/apps/renovate) but it's not a `verified` commit (and so it's trivial for a bad actor to masquerade as them).
https://stackoverflow.com/questions/67609381/why-do-all-my-g...
- I mean maybe! But only if you've removed all of the usage of this compromised `tj-actions/changed-files` action, across all your repos and their branches.
Otherwise, if you continue to use it, it will run any time there has been a push. Potentially on any branch, not just `main`! Depending on your GH config.
Unless you've blocked `tj-actions/changed-files` you're banking on the bad actor not coming back tonight and making a malicious commit that exfils those secrets to pastebin.com.
- You can pin GitHub Actions to specific versions or specific commits. But note you can change version tags arbitrarily. In this specific case, the bad actor changed all of the version tags to point to their malicious commit: https://github.com/tj-actions/changed-files/tags
So to avoid that you'd have to pin your GitHub Action to specific commits as outlined in this SO post: https://stackoverflow.com/a/78905195
- No idea. But they didn't do a great job -- they broke the action, which caused build failures that people were going to notice.
The malicious commit only landed at 09:57 PDT today (March 14) in one specific action (out of a number that is quite popular). Maybe they were planning on coming back and doing proper exfil?
- Only commit hashes are safe. In this case the bad actor changed all of the version tags to point to their malicious commit. See https://github.com/tj-actions/changed-files/tags
All the tags point to commit `^0e58ed8` https://github.com/tj-actions/changed-files/commit/0e58ed867...
- Exactly. And that's what happened here -- the bad actor changed all of those version tags to point to their malicious commit.
See https://github.com/tj-actions/changed-files/tags
All the tags point to commit `^0e58ed8` https://github.com/tj-actions/changed-files/commit/0e58ed867...
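The advice in the comments above (pin `uses:` references to a full commit SHA rather than a tag, and block the compromised action outright) can be checked mechanically. The script below is an added example, not code from the thread, from GitHub, or from the tj-actions project: it scans a workflow file for `uses:` steps and reports any that are on a blocklist or not pinned to a 40-hex commit SHA. The workflow text and the SHA in it are constructed for the example (the SHA is a placeholder, not a real commit of `actions/setup-node`), and the line-based matching is an assumption that keeps the example dependency-free; a real scanner would parse the YAML.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for the example. The 0123... SHA is a
# placeholder, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref` on a step line; stops at whitespace or '#'.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def audit_workflow(text, blocklist=frozenset()):
    """Return one Finding per `uses:` step that is on the blocklist or is not
    pinned to a full commit SHA. Tags and branches are mutable: whoever
    controls the repo (or a maintainer's credentials) can repoint them, so
    `@v45` gives no guarantee about which code actually runs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local composite action or container image, not a GitHub ref
        action, _, ref = spec.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
        if repo in blocklist:
            findings.append(Finding(n, action, ref, "blocked"))
        elif not FULL_SHA.match(ref):
            findings.append(Finding(n, action, ref, "not pinned to a commit SHA"))
    return findings


if __name__ == "__main__":
    blocked = {"tj-actions/changed-files"}
    for f in audit_workflow(SAMPLE_WORKFLOW, blocklist=blocked):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run over the sample it flags `actions/checkout@v4` as unpinned and `tj-actions/changed-files@v45` as blocked, while the SHA-pinned `actions/setup-node` step passes. Pointing it at every workflow under `.github/workflows/` on every branch, not just `main`, is what the "across all your repos and their branches" comment above is getting at.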
- Not to go too much on an AusPol tangent, LNP Nuclear stuff is more about delaying the green-power transition.
It keeps coal / gas power around for a nuclear future that is decades away at best (and never more likely). It’s a sop to the oil and mining companies. https://youtube.com/watch?v=JBqVVBUdW84
- https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-d...
> NextDNS supports all 4 protocols. See the setup tab for more information on how to use them.
- This is the exact opposite of what you should do.
More disenfranchisement means more focus on rage bait / single issues that will rile up your side and juice your participation a little more (see ‘guns’, ‘pro-life’, ‘her emails’, et al). This pushes the parties to extreme opposites.
If you have compulsory voting, as suggested down thread, then that rump of casual voters dampens the extreme views and ends up pulling the parties towards the middle. Lots of “well there’s hardly any difference” swing voters. Parties do still end up competing on differences (‘gay marriage’, ‘immigration crack downs’) but extreme or patently false views are punished (‘jan 6 was a peaceful protest’).
The argument against compulsory voting is it slows ‘political innovation’ and drives a degree of apathy (‘there’s no difference between the bastards’). Minor parties and things like Preferential Voting can help address that.
- Jabber/Xmpp? Is that a joke? Not to be rude, but surely the ‘club’ bit is the key part of a ‘book club.’
Most companies with more than a handful of people have, or would be interested in having, a book club. In tech forward shops they are more than likely using Slack.
I could imagine targeting some chat apps for a non-work audience, but the age of people having listservs and using email for multi-person back and forth is long gone.
- Started off reasonable and interesting and then slid into:
> For people looking for a conspiracy, the replacement language for C++, Rust, is compromised by a cabal of woke tards that are doing strange things. It's possible this could be a plot to move mission-critical code to Rust.
WTAF? I should have bailed out as soon as I saw it’s from a Twitter Blue Check.
- Doubly so given that Untitled Goose Game is from an Australian game studio.
- You know that is a direct result from competition from rideshare alternatives, right?
Growing up in the late 90s and early 2000s, taxis always added an exciting extra frisson to any airport trip or evening date. Would they turn up at all? Would they turn up, honk their horn, and drive away if you didn't run out the door in under a minute? Were you going to be left stranded at the end of the night with a constantly engaged taxi call line? Leaving you to resort to calling friends and family to pick you up?
Perth taxis were some of the most expensive and hardest to book in all of my experiences around Australia, pretty much right up to the late 2010s, which unsurprisingly was a few years after Uber's entrance into the market.
If taxis are a better service than Uber now, that's great. We probably want to keep that competitive pressure to keep the bastards honest.
https://apps.apple.com/us/app/meditation-timer-zenitizer/id6...