Well this is fucking clever - hide a malicious powershell script inside a license file, assuming (correctly) that no one EVER looks inside a license file. #DEFCON31 (from Andrew Brandt's War Stories presentation)
@pluralistic Hmm. Now looking at integrating amavisd support into #Debian licensecheck ...
@pluralistic Would the powershell scripts automatically execute when the license was opened? How would the base64 be decoded and run on open?
@louzell it was one stage in a multi part attack against defense contractors in several countries. It got called from another script. https://news.sophos.com/en-us/2023/08/10/image-spam-attack/
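As an added defender-side illustration (not from the talk or the Sophos write-up), a small Python scanner that flags long base64 runs in text files such as licenses when they decode to PowerShell-looking content; the sample license text and the embedded script are constructed here, and the cmdlet/variable heuristics are assumptions rather than anything the thread specifies.

```python
import base64
import binascii
import re

# Long runs of base64 alphabet; genuine license text rarely contains these.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
# PowerShell syntax markers: Verb-Noun cmdlets plus $variables (heuristic).
CMDLET = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")
VARIABLE = re.compile(r"\$[A-Za-z_]\w*")


def decode_candidates(blob: str):
    """Yield (encoding, text) for plausible decodings of a base64 run:
    UTF-8, and the UTF-16LE that powershell -EncodedCommand expects."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return
    for enc in ("utf-8", "utf-16-le"):
        try:
            yield enc, raw.decode(enc)
        except UnicodeDecodeError:
            continue


def looks_like_powershell(text: str) -> bool:
    return bool(CMDLET.search(text)) and bool(VARIABLE.search(text))


def scan_license_text(text: str):
    """Return [(offset, encoding, decoded_snippet)] for embedded base64
    runs whose decoded form looks like PowerShell."""
    hits = []
    for m in B64_RUN.finditer(text):
        for enc, decoded in decode_candidates(m.group(0)):
            if looks_like_powershell(decoded):
                hits.append((m.start(), enc, decoded[:80]))
                break
    return hits


# Constructed, harmless sample: a benign script hidden in license text the
# way the talk describes (base64 in a file nobody reads).
SAMPLE_SCRIPT = "$msg = 'constructed sample'; Write-Output $msg"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
LICENSE_TEXT = (
    "MIT License\n\nPermission is hereby granted, free of charge, ...\n"
    "# build-id: " + ENCODED + "\n"
    'THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.\n'
)

if __name__ == "__main__":
    for offset, enc, snippet in scan_license_text(LICENSE_TEXT):
        print(f"offset {offset} ({enc}): {snippet}")
```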
@pluralistic This is wild, thanks for sharing!

@pluralistic

For anyone who hasn't read your modest proposal, or has forgotten it, I suggest the perfect test of whether someone reads the license they agree to:

https://pluralistic.net/2022/08/10/be-reasonable/#i-would-prefer-not-to
@ddgulledge @pluralistic Heh, interesting... I'm not 100% sure I agree with all of it, but it's interesting

@ddgulledge Fantastic! Credit goes to @marklemley. This idea is brilliant:

"Lemley says that if a seller prices their product at $25 with the EULA and $1 million without, then the buyer who accepts the EULA is handing over $999,975 worth of value when they click 'I agree.' Lemley says we should tax that as income."

That might also be a neat solution to the "Pay or Okay" consent paywalls used to take #GDPR rights away: Tax every "consent" as income equal to the pay option @noybeu @pluralistic

@fnohe @ddgulledge @marklemley @noybeu @pluralistic

How come no one talks about the time value of news or new vs old information. The papers could drop the paywalls as the news ages. Then when they get read, peeps can reference their publications and it's back to eyeballs on a page.

@fnohe @ddgulledge @marklemley @noybeu @pluralistic Have we forgotten basic accounting? If I book income, there’s a credit to an income account and a debit to an asset account. I debit cash 25. Which asset category for the rest? Some bogus “What if no one chooses the EULA” account?

1000 choose EULA, a $1,000,000,000 tax liability on $25,000 in payments?

100K spent in improvements. 100K * subscriber count tax liability increase?

Isn’t value ultimately arbitrary? Make it $1. Tax credits!

@fnohe @ddgulledge @marklemley @noybeu @pluralistic unfortunately many platforms will not let you opt out of ads, tracking, etc. at any price, because their business model doesn't allow for it.
@steveediger @fnohe @ddgulledge @marklemley @noybeu @pluralistic But when you pay you are tracked anyway. Even more as tracking is now associated to your payment information.
@pluralistic Cory! I didn't recognize you!
@threatresearch I was the one who asked about whether the attack was targeted or opportunistic! Great talk.
@pluralistic A few years ago, we hosted a CTF where one of the challenges was accidentally published with a README that included the solution script. One solve, 1.4k competing teams.
@addison @pluralistic Reminds me of a situation in a CTF I participated in once (I don't remember the name - it was held at Intuit's campus in socal, I think) where there was an issue with one of the flags - the organisers posted a link to the solution so the contest could proceed. I did some URL Shifting and got the rest of the solutions... I brought it to the contest organisers and, to their credit, they were like "yes, that's valid - but do you want to win that way?" - "no, I want a t-shirt."
@pluralistic legally binding malware? Does putting the malware in the terms and conditions make it legal?
@pluralistic and then there are people like me who read it anyways 🙃