RE: https://infosec.exchange/@SecurityWriter/116305873092655616

if people stopped giving all these corporations their age or id/kyc info and just canceled their subscriptions or accounts for 4 months we'd see how fast they stop asking once those next quarter results show up.

governments would wake up pretty fast with less VAT, GST, and Tax revenue, too. you give them an inch and they will take a mile. cut that inch and cut their source of revenue, and they will all fall in line.

that is the only solution to all these stupid laws.

the only time you should hand over your ID like a passport or stuff like that is when you absolutely need to. for example, crossing international borders, opening or operating a bank account or applying for a driver's license. those are all valid cases and highly regulated.

but this for-profit corporation will just use your data to target you for profit. they even sold mobile phone numbers used for 2FA to advertisers. can you really trust them now with this nonsense?

Sweden’s Digital ID System Hacked, Public’s Data Sold on Dark Web

Frank Bergman: Sweden’s sweeping national digital ID system has been hacked, with the public’s sensitive data already being sold on the dark web...

@twit_terrorist @nixCraft Clickbait.

"CGI also stated that the attackers accessed an older version of the source code and insisted there was “currently no indication of any impact on customers’ production environments, production data, or operational services. Information to the contrary is not accurate.”

The Swedish Tax Agency echoed that position.

“We take all incidents seriously, but we don’t see anything that affects us right now,” IT Director Peder Sjölander said."

@txtx @twit_terrorist @nixCraft

> However, cybersecurity experts warn that exposure of source code, even from test environments, can provide attackers with a roadmap to exploit live systems, including authentication flows and security architecture.

This always bugged me... Just as we say open-source is better for security due to the many eyes, shouldn't we say open architecture is better for the same reason?

Yeah, while your arch is closed it is more likely crappy, but that would change fast.

@txtx @twit_terrorist @nixCraft

I imagine if sufficiently many arch were open, this would fly. It might be a problem for you to be the first one to open up your arch. It could be an invitation for bad actors (or those with incentive to keep security bad) to prove your idea wrong.

@nixCraft I should be able to walk to a post office or bank where, after presenting an ID card, they give me a single use token I can use to prove to an organization I'm a real human — or that I'm of a certain age, etc.

I think this should work well enough even if no personal information is stored on that token.

I would happily join a Mastodon server that only accepts authentic users... kind of like the "blue checkmark" of Twitter but democratized so it's not just celebrities.

i give the token to a bot...


@nathanael And there are people who hire a kidnapper, assassin, human trafficker...

I don't need to live in a crime-filled world because someone found a clever way to abuse a system.

@nixCraft

@nathanael and anyway, who said there's no way to prevent or curtail abuse?

For example: a hypothetical Mastodon server can be set to never accept more than one token per individual. So, ok, some jerk enables one bot. That's not a great success, right? The fewer bots there are, the easier they are to fight.

no i wouldn't. i wanted to show you that your solution doesn't work like you intend it to work. you don't prove with a token that you are a certain age or are a real human. you just prove that the token was obtained by a real human.


@nathanael To stop 99.9% of bots, this is enough, so it works.

Russians working at a troll factory are creating millions of accounts. Having a few accounts isn't doing much for them.

It should be possible to ban future tokens from an individual as well. Like any good bar, you ban someone from ever coming again if they are a nasty jerk.
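
As an added illustration (not code from anyone in this thread), here is a toy version of the single-use token idea discussed above, covering the one-token-per-server limit and the "ban future tokens" point: the issuer (the post office or bank counter) stores only a keyed hash of the ID number plus a link from each token serial to that hash, the token itself carries no personal data, and the Mastodon server checks authenticity, intended audience, the claim it needs, and single use. Assumptions, none of which come from the thread: an HMAC with a key shared between issuer and server stands in for a real digital signature, and the ID numbers and server names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed issuer key for the example. A real issuer would sign tokens with a
# private key so servers only need the public key; the shared HMAC key here is an
# illustrative stand-in, not part of any scheme proposed in the thread.
ISSUER_KEY = secrets.token_bytes(32)


class Issuer:
    """The counter that sees the ID card and hands out a token."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued: set[tuple[str, str]] = set()  # (identity tag, audience) already served
        self.serial_owner: dict[str, str] = {}     # serial -> identity tag, kept only for bans
        self.banned: set[str] = set()              # identity tags no longer served

    def _identity_tag(self, id_number: str) -> str:
        # Keyed hash of the ID number: the raw number is never stored, but the
        # same person is recognised on a later visit.
        return hmac.new(self.key, id_number.encode(), hashlib.sha256).hexdigest()

    def issue(self, id_number: str, audience: str, claim: str) -> str:
        tag = self._identity_tag(id_number)
        if tag in self.banned:
            raise PermissionError("individual is banned")
        if (tag, audience) in self.issued:
            raise PermissionError("one token per individual per audience")
        serial = secrets.token_hex(16)
        body = f"{serial}|{audience}|{claim}"
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.issued.add((tag, audience))
        self.serial_owner[serial] = tag
        return f"{body}|{mac}"  # no personal data in the token itself

    def ban(self, serial: str) -> None:
        # The server reports the abusive token's serial; the issuer's serial-to-tag
        # link is what makes "ban future tokens from this individual" possible.
        self.banned.add(self.serial_owner[serial])


class Verifier:
    """A server checking a token at sign-up; it never sees the ID card."""

    def __init__(self, key: bytes, audience: str):
        self.key = key
        self.audience = audience
        self.spent: set[str] = set()  # serials already redeemed

    def verify(self, token: str, required_claim: str) -> bool:
        try:
            serial, audience, claim, mac = token.split("|")
        except ValueError:
            return False  # malformed token
        body = f"{serial}|{audience}|{claim}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or tampered token
        if audience != self.audience or claim != required_claim:
            return False  # token meant for another server, or the wrong claim
        if serial in self.spent:
            return False  # single use: a replayed token is rejected
        self.spent.add(serial)
        return True


def demo() -> dict[str, bool]:
    """Walk through issuance, verification, replay, the per-server limit and a ban."""
    issuer = Issuer(ISSUER_KEY)
    server = Verifier(ISSUER_KEY, "social.example")
    token = issuer.issue("ID-CARD-0001", "social.example", "age>=18")  # constructed ID number
    results = {
        "no_pii_in_token": "ID-CARD-0001" not in token,
        "first_use_accepted": server.verify(token, "age>=18"),
        "replay_rejected": not server.verify(token, "age>=18"),
        "tampered_claim_rejected": not server.verify(token.replace("age>=18", "age>=21"), "age>=21"),
    }
    try:
        issuer.issue("ID-CARD-0001", "social.example", "age>=18")
        results["second_token_refused"] = False
    except PermissionError:
        results["second_token_refused"] = True
    # A different server is a different audience, so the same person can get a token there.
    other = issuer.issue("ID-CARD-0001", "other.example", "age>=18")
    results["other_audience_allowed"] = Verifier(ISSUER_KEY, "other.example").verify(other, "age>=18")
    issuer.ban(other.split("|")[0])  # server reports the serial of an abusive token
    try:
        issuer.issue("ID-CARD-0001", "third.example", "age>=18")
        results["banned_refused"] = False
    except PermissionError:
        results["banned_refused"] = True
    return results
```

The design choice worth noticing is the serial-to-identity link kept at the issuer: it is what allows a ban, and it is also the "link from said token to the ID" that a later reply points out must exist somewhere. Removing it (for example with blind signatures, so the issuer cannot tell which token it signed) gives stronger unlinkability but gives up the ability to ban an individual's future tokens.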

@nathanael Every social media site is already or is in danger of becoming infested with propaganda agents, nazis, scammers, etc.

Mastodon hasn't been hit as hard yet because it's not as popular — but from what I've read from server owners, it's heading in a bad direction now.

@nathanael It's no wonder that age verification is so popular amongst the general population. People don't want their kids to turn into nazi q-anon weirdos, as it turns out.

Unfortunately, because much of the tech community is only pushing to maintain the broken status quo, politicians are responding without guidelines from the people who have the knowledge to change things for the better.

This is what happens when we point our fingers while burying our head in the sand.

@nathanael Anyway sorry for the reply deluge. You are not wrong that there are possibilities to abuse this kind of hypothetical system.

I will admit I get a little bit frustrated since I do think that there are valid uses for authentication. I don't like how it's done now, or many of the current proposals.

But if we don't bother brainstorming better solutions, we'll be stuck with whatever is given to us.

all good. it seems to me that age verification doesn't work. it didn't work when i wasn't allowed to drink alcohol and i can't see it working online...

@nathanael I edited my post to be a little bit friendlier, hope you don't mind 🙏

@txtx @nixCraft that would work in theory however you will need to trust the vendor for authentication and there would need to be a link from said token to the ID in some way or another even if it’s not on the token itself.

@txtx @nixCraft

> I would happily join a Mastodon server that only accepts authentic users

fediscience does that for people who are plausibly research scientists.

@nixCraft I resent having to provide ID for a bank account. I didn't need to when I was 12, why should I need to now (some 40-odd years later)?

@hypostase @nixCraft But, you could be a terrorist. Anybody could be a terrorist. Heck, I am probably a terrorist, judging by my posting history 🍉

@martinvermeer @hypostase @nixCraft

According to Trump we're all terrorists anyway, so what's the point?

@darwinwoodka In this household we prefer the term "freedom fighter"

@hypostase

Cool. I'm more of a freedom nonfighter. I don't fight them, I just wait for them to fail miserably so everyone hates them forever.

I already spent all my energy warning everyone what these fuckers were gonna do, nobody believed us so now everyone is finding out.

And I'll expend more energy helping the people who fix things on the way back up.

But I'm too tired to argue with clowns any more.

@nixCraft I don't even trust them when I make a pseudo account.