Joanna Rutkowska @rootkovska
I think it'd also be useful if Linux distros published statements how they verified each of the sources they use (X… https://t.co/clcRRRf3uY — PolitiTweet.org
Joanna Rutkowska @rootkovska
@nathanmccauley Thx! It'd be useful if - for each official image - you could also describe how you obtained the key/hash used to verify it.
Joanna Rutkowska @rootkovska
@nathanmccauley E.g. "For XYZ OS image we start with their long-term master, which our staff verified in person at a conference ABC, ..."?
Joanna Rutkowska @rootkovska
@nathanmccauley Perhaps you can have a webpage allowing ppl to browse these hashes?
Joanna Rutkowska @rootkovska
@nathanmccauley I assume I can only get the notary from git, correct? But how do I verify the sources? Neither commits nor tags are signed?
Joanna Rutkowska @rootkovska
@nathanmccauley Is there a reproducible way for others to calculate these hashes, starting from the hashes of the official Ubuntu ISOs?
Joanna Rutkowska @rootkovska
@murmosh I'd check the DB from a different machine over Tor, write down the hash, then hardcode it in my project's Dockerfile.
Joanna Rutkowska @rootkovska
@murmosh Sure, I'm aware of that. Only Q is: how does one figure out the correct hash? Is there a public DB of such hashes?
Joanna Rutkowska @rootkovska
@veorq Heh ;)
Joanna Rutkowska @rootkovska
@veorq E.g. so that some MitM attack does not serve you backdoored SDK files, or the Ubuntu image used as the build env?
Joanna Rutkowska @rootkovska
@veorq I wonder what scripts you use to fetch, verify, and create a build env for SGX apps *securely*?
Joanna Rutkowska @rootkovska
Just a reminder that this issue still doesn't seem to be resolved(?) See the thread between @jessfraz and me below: https://t.co/s5lsG9RnJQ
Joanna Rutkowska @rootkovska
Is there a way to enforce signature verification of the image used by docker for env bootstrapping? e.g. Dockerfile: "FROM ubuntu:16.04"?
Joanna Rutkowska @rootkovska
RT @marver: @rootkovska @tehjh we will update the blog soon, actually plaintext is partially controllable. So better patch, Signal 3.1.19 s…
Joanna Rutkowska @rootkovska
But as I argued in [1], "airgapping" is IMHO no replacement for Qubes OS (but great to complement it): [1] https://t.co/qvzTwbr4Sv
Joanna Rutkowska @rootkovska
This is a prudent approach, of course. And I also recommend it. https://t.co/7fNlHvWd8a
Peter Todd @peterktodd
@rootkovska Shit, I don't even trust just one layer of compartmentalization: I use Qubes in addition to physically separate hardware.
Joanna Rutkowska @rootkovska
@marver @tehjh You're probably right.
Joanna Rutkowska @rootkovska
@marver @tehjh I meant: what if the attacker was one of the contacts: could she add a suffix causing Signal to somehow mishandle the attchm?
Joanna Rutkowska @rootkovska
@tehjh @marver E.g. if the attack is performed by your legitimate Signal contact (who wishes to attack you) not a MitM attacker?
Joanna Rutkowska @rootkovska
@tehjh I like how they can inject an arbitrary suffix to the attachment. True, not in plaintext. But maybe RCE when opened by a 3rd app? @marver
Joanna Rutkowska @rootkovska
@tehjh Sure. I'm not saying safe langs are not desirable. Only that they are not a replacement for compartmentalization. Think Singularity.
Joanna Rutkowska @rootkovska
Depending on who you are, this article might be read as both for and against Snowden's actions. Interesting. https://t.co/IaU5kYizdE
Jack Goldsmith @jacklgoldsmith
My take: Why President Obama Won't, and Shouldn't, Pardon Snowden. https://t.co/BGNmYGZEkf
Joanna Rutkowska @rootkovska
RT @marver: @rootkovska thx :) exactly the point - there is this fetish about attributing security problems to single features such as memo…
Joanna Rutkowska @rootkovska
Very smart. Perhaps a lesson to those who think that "safe" langs might replace compartmentalization: https://t.co/ENwR7seL1D
Markus Vervier @marver
Vulnerabilities we (@veorq+me) found in Signal: https://t.co/k8KveIm3lA, MAC bypass and crash via malformed RTP packets, more results soon.
Joanna Rutkowska @rootkovska
"Sapiens" by Harari is a great & intriguing book. Highly recommended. https://t.co/4yrRsMzHnL
Joanna Rutkowska @rootkovska
@copumpkin You mean a VDI-like scenario?
Joanna Rutkowska @rootkovska
@rektide @dakami Yeah, back in 2009 it took us a while to figure out it was ARC indeed... https://t.co/1JVCUTGXRI
Joanna Rutkowska @rootkovska
@copumpkin Why would you like to run Qubes OS in the cloud (apart from testing)? Most of Qubes' innovation is specially for _desktops_...
Joanna Rutkowska @rootkovska
RT @laparisa: Him: Ummm... I need you to help me with my computer, again. Me: OK. Can you make me lunch? #brokenStereotype #ITOncall24x7 #s…
Joanna Rutkowska @rootkovska
RT @gavinandresen: I wish our brains were better at separating "I disapprove" from "Untrue" And our hearts were better at loving people wh…
Joanna Rutkowska @rootkovska
@AlenaSatoshi @BitcoinTrezor No, priv keys are clearly smth-you-have.