Joanna Rutkowska @rootkovska
@jessfraz @zmanian Not the attack I have in mind. — PolitiTweet.org
Joanna Rutkowska @rootkovska
@jessfraz @zmanian How does my docker client know the pubkeys of this omnipotent "1 person" from the docker team? (his/her name, BTW?) — PolitiTweet.org
Joanna Rutkowska @rootkovska
@jessfraz @zmanian So, who can push an 'ubuntu' image that would be fetched e.g. by this Dockerfile: https://t.co/wLlw34iBcr — PolitiTweet.org
Joanna Rutkowska @rootkovska
@jessfraz @zmanian and what stops whoever from publishing an image named 'ubuntu' and uploading their own keys? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@jessfraz @zmanian And how do I explicitly specify the pubkey I wish to trust? — PolitiTweet.org
Joanna Rutkowska @rootkovska
Is there a way to enforce signature verification of the image used by docker for env bootstrapping? e.g. Dockerfile: "FROM ubuntu:16.04"? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Also, are you sure that stating "FROM ubuntu:16.04" in your Dockerfile enforces signature verification of the downloaded image? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak So, how does firmware-docker-build.sh _enforce_ signature verification of the cloned repo? E.g. a compromised github case. — PolitiTweet.org
Joanna Rutkowska @rootkovska
Ah, this must be a tweet from 2006, maybe Twitter celebrates its 10th anniversary that way? https://t.co/9rXt72IhDs — PolitiTweet.org
Robᵉʳᵗ Graham @ErrataRob
Reason #8381 why I hate Linux: I can't figure out how to manually set the IP address.
Joanna Rutkowska @rootkovska
The #infosec's dominant theme in 2000s was apps bugs & (anti-)exploitation. Today's is: system & f/w bugd̶o̶o̶r̶s. https://t.co/Et7fWGXrBv — PolitiTweet.org
Dmytro Oleksiuk @d_olex
So, it means that not only Lenovo machines are affected, some other vendors also have this old vulnerable code for sure
Joanna Rutkowska @rootkovska
@pavolrusnak (Trying to get your Trezor wallet running with Electrum, and I assume I need python-trezor, which is not available in Debian?) — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Also, what about the python-trezor repo? Last commit not signed, other commits with other keys...? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Do you have an official page stating this is the official signing key for your code? Also can you paste the fpr here? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@d_olex Thanks for clarification and congrats :) — PolitiTweet.org
Joanna Rutkowska @rootkovska
@d_olex (This is not to suggest I believe in UEFI Secure Boot - I don't - just wanted to understand your attack implications) — PolitiTweet.org
Joanna Rutkowska @rootkovska
@d_olex So, this is not really UEFI Secure Boot bypass, correct? Even if you do: OS->SMM->SPI? Because Boot Guard+UEFI would not execute? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Also, the *.deb package with trezor-bridge seems unsigned? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Ah right, I'm used to signed tags, not commits. Can you point me to where you announce your public key(s)? Also paste here? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Hey, it looks like Trezor sources on GitHub are not signed. Do you mind adding proper signatures to all the sources? Thx. — PolitiTweet.org
Joanna Rutkowska @rootkovska
@d_olex AFAIU, your ThinkPwn.efi can be loaded with UEFI SecureBoot enabled, correct? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@hdevalence Elaborate? — PolitiTweet.org
Joanna Rutkowska @rootkovska
Heh, I wonder how people imagine they could "notice a negative impact" from a weak RNG... https://t.co/SJsB4FmTPl — PolitiTweet.org
Torsten Jerzembeck 🇪🇺🌈 @to_je
@rootkovska I've been deploying it as part of my standard setup for quite some time now. No negative impact that I'd notice.
Joanna Rutkowska @rootkovska
So, what do people think about the haveged (entropy daemon)? Any reason _not_ to have it enabled, always? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@mindypreston Hi, are there slides/video available? — PolitiTweet.org
Joanna Rutkowska @rootkovska
FWIW, I can reliably (~75%) crash my iOS 9.3.2 by looking at the "EU Radar" screen in the Sat24 app... ;) /cc @i0n1c — PolitiTweet.org
Joanna Rutkowska @rootkovska
Great overview: https://t.co/vVMp5MuvMF — PolitiTweet.org
Robᵉʳᵗ Graham @ErrataRob
I attempted to create a simple explanation of the Ethereum/TheDAO failure: https://t.co/KZ4oDCrJhD
Joanna Rutkowska @rootkovska
Heh. And somebody just bragged how offensive infosec is so damn 1337 today ;) https://t.co/lXO3k8Xvat — PolitiTweet.org
Dmytro Oleksiuk @d_olex
You can craft Apple powered PCI-e DMA attack equipment for only 30 bucks https://t.co/HLSuKbPV8P https://t.co/dp26789cv6
Joanna Rutkowska @rootkovska
@isislovecruft generally: 1. lack of proof of work (multiple accounts become meaningless), 2. lack of reputation (moves work to reader). — PolitiTweet.org
Joanna Rutkowska @rootkovska
RT @MeetAnimals: he needs those parts for his space ship hes going to otter space https://t.co/a3XrdLm1Wm — PolitiTweet.org
Joanna Rutkowska @rootkovska
@dindjic Unfortunately even @QubesOS is powerless against a hypothetical rootkit in ME. But might be other ways: https://t.co/I2o6XYwJTo — PolitiTweet.org