Posts by bojkotiMalbona@infosec.exchange
 (DIR) Post #AQi3YksEeHQ0gjIKJM by bojkotiMalbona@infosec.exchange
       2022-11-03T09:05:38Z
       
       0 likes, 0 repeats
       
       @r3g_5z @tek Okay but we can do better than a dev promising to be disciplined, or even a coding standard & diligent reviews. There are different flavors of C, some of which involve rules & standards that eliminate ambiguity & compilers doing what they feel like. MISRA-C (#MISRAc) comes to mind, though I don’t know much about it. I’m sure it’s still a big compromise compared to #Ada.
       
 (DIR) Post #AQi3YlRKXnUWRZiM0u by bojkotiMalbona@infosec.exchange
       2022-12-17T20:25:36Z
       
       0 likes, 0 repeats
       
       @tek @r3g_5z Came across an article¹ comparing #MISRA C to #Ada & #SPARK. Apparently MISRA is a coding standard with tools to enforce the rules.
       
       1. http://web.archive.org/web/20220820050939/embeddedcomputing.com/technology/security/mirsa-c-cert-c-other-standards/the-place-for-misra-c-in-safe-secure-programming-a-comparison-with-spark
       
 (DIR) Post #AQi3Ym18Og8CEcSwoy by bojkotiMalbona@infosec.exchange
       2022-12-17T20:32:39Z
       
       0 likes, 0 repeats
       
       @r3g_5z @tek #MISRAc is still substandard though. The TL;DR: 27 out of 143 rules cannot be reliably enforced, which means developers are bogged down with false warnings. /cc @JoYo
       
 (DIR) Post #AX1jzaANQ4eCjbCRDU by bojkotiMalbona@infosec.exchange
       2023-06-24T20:05:03Z
       
       0 likes, 0 repeats
       
       The #InternetArchive #WaybackMachine every single time now:
       
 (DIR) Post #AX1jzbqx9GIZxw7xDc by bojkotiMalbona@infosec.exchange
       2023-06-24T20:12:08Z
       
       0 likes, 0 repeats
       
       Apologies for not filling the description of that image. A #MastodonBug forces a #popup that gets suppressed by my browser (I think even when I configure the browser specifically to allow popups). I suspect it’s yet another #wayland or #xwayland glitch.
       
       FWIW, the image was an access denied error message from the Wayback Machine saying “Tor clients have already done 100,000 captures today”.
       
       This is making #Cloudflare content even less reachable to #Tor users.
       
       #a11y #bug
       
 (DIR) Post #AX3H7I8dp2qOmedDZA by bojkotiMalbona@infosec.exchange
       2023-06-25T13:58:00Z
       
       0 likes, 0 repeats
       
       #Mastodon #security #bug: I just clicked the “translate” hyperlink on someone’s status. It said something like “translated by DeepL”. Not good. #DeepL is a Cloudflare site. This means Cloudflare gets my IP, browser print, & also gets to see what it is the user is translating.
       
       Even the few users who are aware of Cloudflare & the fact that DeepL is compromised in that way are at a disadvantage because it’s not a normal hyperlink. You cannot see any reference to DeepL or Cloudflare. Apparently some fancy JavaScript is masking this important info.
       
       #MastodonBug
       
 (DIR) Post #AX52m22Nxs3VmhGgC0 by bojkotiMalbona@infosec.exchange
       2023-06-26T05:52:14Z
       
       0 likes, 0 repeats
       
       Good news: @disroot’s #email service finally has an onion¹ host!
       
       Bad news: the #onion service times out. And they don’t document what services the hidden service is meant to support (webmail?, imap?, smtp?) or the port numbers.
       
       1. vvobhgocv3jvjwjjyrocao3vij4q7xuk5panbckqwihuztuuvjiwqdid.onion
       
 (DIR) Post #AYQJMGBWTLn4NQTBxo by bojkotiMalbona@infosec.exchange
       2023-08-03T12:17:25Z
       
       0 likes, 0 repeats
       
       If you’re concerned about username & password being shared, you should certainly avoid both #Fosstodon & #LemmyWorld. They are both centralized in #Cloudflare so your acct creds are exposed to Cloudflare Inc. every time you login, along with all your traffic.
       
 (DIR) Post #AYQJQpC0FxKQ6rs4VE by bojkotiMalbona@infosec.exchange
       2023-08-05T11:17:35Z
       
       1 likes, 0 repeats
       
       @kev I’ve detected a bit of intellectual dishonesty here. #Fosstodon used the standard default #Cloudflare configs as early as March & for months thereafter, certainly at least as late as May 29th, confirmed by someone’s complaint specifically about the block screen.
       
       The timeline shows complaints about CF are littered around before & after that point. If you expand some of the threads in that timeline, it’s clear the default CF configs persisted despite Fosstodon staff being told that the default configs were resulting in users being forced to run non-free software & that the configs needed to change. That change never happened because I know I saw the block screen whenever I tried to directly visit fosstodon.
       
       Fosstodon finally made a recent move from CF proxy to CF NS, which was just yesterday announced, a day after my post. I am not checking every day to see what fosstodon does next.
       
       Under the current config, you can spontaneously switch on the CF reverse proxy at any moment with immediate effect without even telling users all their traffic will be seen by Cloudflare (including passwords). It’s in fact the only way that the reverse proxy can work. If you don’t use the MitM certs, CF cannot process the requests for you during an attack.
       
       So the compromise is still in place. The only difference is that now it’s spontaneous instead of continuously ongoing. And most likely you’ve probably not fixed the CF configs, so when you flip that switch users will get a captcha that pushes #nonfreesoftware. The goal should be to get off CF entirely including nameservers.
       
 (DIR) Post #AYUHxeD6gbbcKTkalk by bojkotiMalbona@infosec.exchange
       2023-08-07T12:36:43Z
       
       0 likes, 0 repeats
       
       @selea Indeed. And to expand on that a bit, most Cloudflare customers have *no idea* what the consequences are. I mean admins of sites think erroneously that CF does not terminate the tunnel & that TLS shields them from CF. Thus CF is not informing their customers. When I explain to CF customers that CF sees all the traffic, they are usually shocked & dumbfounded.
       
       So in effect you could say that CF is MitMing connections in a social engineering way via deception. They’ve likely covered their asses legally in the fine print that they know no one reads. So they have the legal permission without the customer’s awareness.
       
       Also consider the fully informed admin who knows exactly what they are signing up for. They typically never reveal to their users that CF is in the loop. So deception is still in play. Users think they are only trusting the org behind the domain name, but unwittingly so. Users of CF customers’ sites don’t know they’ve extended trust by proxy to a privacy-abusing US tech giant. So it’s another unwelcome MitM in the loop, often without even any fine print as privacy policies tend not to mention CF.
       
       @giffengrabber @kev
       
 (DIR) Post #AYuzFKF3ihRytEPjEm by bojkotiMalbona@infosec.exchange
       2023-08-20T09:44:15Z
       
       0 likes, 0 repeats
       
       Was #Waveform.social attacked?  (#askFedi)
       
       Just today #waveformSocial joined #Cloudflare’s walled garden and users apparently got no warning whatsoever. I noticed no sluggish performance to suggest a DDoS attempt so the quiet move to CF seems unprovoked.
       
 (DIR) Post #AYvn067UwEN2SJoGRM by bojkotiMalbona@infosec.exchange
       2023-08-20T19:01:40Z
       
       0 likes, 0 repeats
       
       @shrikant @Memeghnad Why use the #bank app at all?  I refuse all banking apps on the general principle that the app they push is closed-source exclusively available via Google which unravels into many anti-consumer injustices:
       
       * Google gets to know where you bank (and can sell that info to debt collectors)
       * Google gets to track which software version you have (this sensitive info can be used for attacks on known vulns)
       * Google forces you to share your mobile phone number just to get a google account, which it will exploit
       * You might be in a country that forces you to register the GSM account to your ID card
       * The closed-source app will be loaded with spyware that e.g. tracks your movement & reports that to your bank along with IP.
       * The bank will update the app frequently & not care if your hardware becomes incompatible with the SDK they’re pushing, thus forcing you to periodically buy a new phone & add your old phone to a landfill.
       * The app will detect efforts to run it in a virtual machine & refuse to run.
       
       Etc.
       
       So the obvious smart move is of course to reject the #banking app.
       
 (DIR) Post #AZDgiIr9kAZprgZnCi by bojkotiMalbona@infosec.exchange
       2023-08-29T10:16:08Z
       
       0 likes, 0 repeats
       
       #TorBrowser has apparently been designed to hinder users from changing their user agent. They removed the general.useragent.override parameter. Luckily #Firefox is designed so users can add it back.
       
       One of the #userAgentSwitcher plugins has become dependent on a #Cloudflare site (WTF)… so the plugin is now broken for privacy seekers who use Tor. Yikes.. the plugin is broken if it can’t phone home.
       
       If you manually set the user agent parameter to appear as a Windows user in order to try to fool #HP’s shitty broken website into showing Windows drivers, HP still forces you to see their linux drivers (which is an empty list). So TorBrowser also failed to hide my OS from the website.
       
       My disgust is about pegged. In case anyone is wondering: no, I would never buy an #HP product. I rescued an HP MFD from the trash (the only way HP products get into my possession). HP hardware often forces us to run a Windows VM.
       
 (DIR) Post #AZjW5cKiNhRcd8xo5w by bojkotiMalbona@infosec.exchange
       2023-09-13T18:47:52Z
       
       0 likes, 0 repeats
       
       Americans who want to use their smartphone for #banking but don’t want Google to know where they bank -- these are your choices:
       
       1) download all 6000 US banking apps from the playstore. Repeat this every time you need to update the app.
       
       or
       
       2) fetch the banking app from some dodgy 3rd party repo (if you can find one that’s not on Cloudflare) & hope they didn’t tamper with the app.
       
 (DIR) Post #AZovObSqyqyrIYbRdg by bojkotiMalbona@infosec.exchange
       2023-09-16T09:24:59Z
       
       0 likes, 0 repeats
       
       A street-wise #Mastodon/ #fedi client would autodetect if the instance your account is on becomes suddenly Cloudflared & refuse to connect. From there, it should perhaps offer an override switch so users can make a final connection to “pack their bags”… get their affairs in order before departure.  #security
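       One way such a client could implement that autodetect, added here as an illustration (not code from any Mastodon client or from the post's author): it keys on the response headers Cloudflare's reverse proxy is known to add (server: cloudflare, cf-ray, cf-cache-status), remembers whether the instance was reached directly last time, and honours the one-time "pack your bags" override. The sample responses are constructed.

```python
from typing import Dict

# Markers Cloudflare's reverse proxy adds to every response it relays.
# "server: cloudflare" and "cf-ray" are the well-known ones.
CF_HEADER_MARKERS = ("cf-ray", "cf-cache-status")


def is_cloudflare_fronted(headers: Dict[str, str]) -> bool:
    """True when the response was relayed by Cloudflare's proxy."""
    lower = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if lower.get("server") == "cloudflare":
        return True
    return any(marker in lower for marker in CF_HEADER_MARKERS)


def newly_fronted(was_fronted: bool, headers: Dict[str, str]) -> bool:
    """The transition the post cares about: an instance that was reached
    directly last time now answers from behind Cloudflare."""
    return (not was_fronted) and is_cloudflare_fronted(headers)


def decide(headers: Dict[str, str], override: bool = False) -> str:
    """Connection policy: 'connect' for a direct instance, 'refuse' for a
    Cloudflared one, or 'connect-once' when the user flipped the override
    to make one final session and export their data."""
    if not is_cloudflare_fronted(headers):
        return "connect"
    return "connect-once" if override else "refuse"


# Constructed sample responses; not captured from any real instance.
CLEAN_RESPONSE = {"Server": "nginx", "Content-Type": "application/json"}
FRONTED_RESPONSE = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-XXX",   # placeholder value
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    print(decide(CLEAN_RESPONSE))                    # connect
    print(decide(FRONTED_RESPONSE))                  # refuse
    print(decide(FRONTED_RESPONSE, override=True))   # connect-once
    print(newly_fronted(False, FRONTED_RESPONSE))    # True
```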
       
 (DIR) Post #AaK9uEqdqPKovEeNAu by bojkotiMalbona@infosec.exchange
       2023-10-01T11:03:37Z
       
       0 likes, 0 repeats
       
       A whole #lemmyWorld community was simply deleted… Despite Lemmy World’s “#Cloudflare will protect us” security model.
       
 (DIR) Post #Aal6Mw9zRmCmaKCRwe by bojkotiMalbona@infosec.exchange
       2023-10-14T11:01:08Z
       
       0 likes, 0 repeats
       
       New feature by #Amazon: their purchase process has become #Cloudflare-dependent. If you use a CF-incompatible browser-IP pair, you are now blocked from placing orders with #Amazon. Anything that reduces the possibility of feeding that environmental offender & data abuser is a feature.
       
       Of course I have some sympathy for the poor. Poor people need to buy stuff the cheapest way possible and now their #privacy is even more compromised.
       
       At the same time, fuck all the non-poor people who needlessly patronize Amazon. They should be boycotting already anyway.
       
       #boycottAmazon
       
 (DIR) Post #AbA223a184AZoZ0iEy by bojkotiMalbona@infosec.exchange
       2023-10-26T11:40:22Z
       
       0 likes, 0 repeats
       
       I just discovered #StackExchange was previously #Cloudflare-jailed in 2016¹. So SE evolved to wisely ditch CF for a number of years then in the past month or so regressed back into foolish exclusive greed.
       
       The fix for people living in the free world is #AnonymousOverflow: https://github.com/httpjamesm/AnonymousOverflow
       
       ① http://web.archive.org/web/20211006120915/https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf#page=4
       
 (DIR) Post #AdbddBzOALlh2NaSDQ by bojkotiMalbona@infosec.exchange
       2024-01-07T15:03:04Z
       
       0 likes, 1 repeats
       
       About half of my web access is dependent on archive.org now.
       
       If archive.org goes down, decides to block me, or decides to join the walled garden of Cloudflare, half my web access will be instantly gone.
       
       Should public libraries around the world take up digital archival duties?
       
       #poll
       
 (DIR) Post #AlgidstbRJrSiuZ3VA by bojkotiMalbona@infosec.exchange
       2024-09-05T08:42:32Z
       
       0 likes, 1 repeats
       
       @dangillmor This further reinforces what #RMS has been saying for over 20 years, which essentially boils down to: #ebooks enable publishers to bring the shrink-wrap licensing terms of software to books for the purpose of disempowering consumers.
       
       Stallman was right, again.
       
       But I must say it’s hard to derive much sympathy for #InternetArchive considering they are censoring the #deCloudflare project, perhaps as a consequence of their partnership with #Cloudflare.