22 Followers
64 Following
125 Posts

Geek, nerd, IT professional, neutral good, free and open source software enthusiast, pragmatic, pedantic, optimistic, skeptical, carbon-based, agnostic, thoughtful, dad joke emitter, (local, at home) celebrity chef, (often) untalkative, devil's advocate, adjectifying. Interested in everything from chemistry to computers (not alphabetically), with a preference for exploring alternatives.

If you already know me you may or may not agree with the above word salad; patches welcome!

me: https://petardo.dk
github: https://github.com/runejuhl
matrix: https://matrix.to/#/@runejuhl:matrix.org
openstreetmap: https://www.openstreetmap.org/user/runejuhl
This is really a "WTF how could they ever think this is a good idea?" kind of vulnerability. Usually the kind of stuff you get from shady, incompetent startups, but this is Google...
https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

I'm really happy to share I'll be at #FOSDEM - I'll be giving a talk with @nex about Continuwuity on Sunday. I'll also be at the @matrix booth 5pm-6pm both days, if you want to track me down to chat!

Schedule link: https://fosdem.org/2026/schedule/event/ETMLM8-signed_sealed_stolen_how_we_patched_critical_vulnerabilities_under_fire/

FOSDEM 2026 - Signed, Sealed, Stolen: How We Patched Critical Vulnerabilities Under Fire

@campuscodi

What repercussions has the ransomware attack had on the people in your IT/cybersecurity team, if any?

...I can't imagine a ransomware attack not resulting in just a tiny bit of "increased pressure" from senior leaders.

"Oh, we're under a ransomware attack? Not to worry, all in good time, folks. No need to work overtime, we'll get around to fixing things eventually."

I'm not sure I'd be able to respond to the question without clarification. Are they talking about increased pressure during the attack, or increased pressure after the next quarterly financial report? Constant pressure or only while stuff is on fire?

@dthompson glad to hear the kids are alright, but can't help but wonder What’s the Matter with Parents Today? ;)
A new breed of analyzers

(See how I cleverly did not mention AI in the title!) You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. … Continue reading A new breed of analyzers →

daniel.haxx.se
FOSDEM 2026 - FOSDEM 2026 Call for Participation

hey wanna see something kinda interesting? this was the entire fix to the iPhone Antennagate in 2010. 20 bytes.

(this is going to be a very long thread 🧵)

Who could have figured out that automatically downloading half the internet and ten thousand always-changing dependencies every time you build could actually be a weakness?
Don't forget Eliot Higgins will be going live on Patreon in 20 minutes, join to see how the Bellingcat founder takes on this month’s Bellingcat Open Source Challenges. The livestream is open to the public, find us here: https://www.patreon.com/bellingcat
Bellingcat | Patreon

Creating Open Source Investigations

Patreon
Since I just checked again for a lemmy post and verified that my complaints are still current:

I explicitly recommend against the use of @threemaapp as a messenger because of their bad #encryption.

I make this recommendation as a professional cryptographer who holds a PhD in that field and give explicit permission to be quoted on it.

The reason for this recommendation is that Threema’s End-to-End encryption offers no forward- or backward secrecy of any kind. This follows directly from the protocol description they themselves publish in their own whitepaper, so if this is a wrong claim, their own publications are wrong, which would be just as much of a reason not to use them!

Any claims about forward secrecy they make are purely about their transport-layer encryption, which offers zero protection against corrupted servers. If someone corrupts Signal's servers they don't get anything. If they corrupt Threema's servers they get everything as ciphertexts that are merely encrypted with a pairwise static key that does not get updated.

A good messenger should not rely on the trustworthiness of the servers, so doing it like that is not acceptable and enough reason to give the boot to their app.

As much as I dislike its lack of federation (not that Threema is doing any better there), this still means that #Signal remains my recommendation as messenger, with #matrix being an alternative that feels like it makes a degree of sense to me. Other than those two we quickly get into "wouldn't recommend" territory!

#Threema #itsec #cryptography
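The post above argues that a static pairwise key gives an attacker who records ciphertexts at the server and later obtains the key everything, whereas a ratcheted key limits the damage. The following is an added illustration, not code from the post and not Threema's or Signal's actual protocol: it uses a constructed toy stream cipher (SHAKE-256 keystream XOR, for demonstration only) and a hash-chain symmetric ratchet, then simulates a passive server that records every ciphertext and a later compromise of the session's current key material. All keys, messages and the compromise point are constructed values.

```python
import hashlib
import hmac

# Constructed toy stream cipher for illustration only: keystream = SHAKE-256(key || counter).
# It is NOT an authenticated cipher and is not what any real messenger uses.
def keystream(key: bytes, counter: int, length: int) -> bytes:
    return hashlib.shake_256(key + counter.to_bytes(8, "big")).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, counter: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, counter, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


class StaticPairwise:
    """Every message is protected under one long-lived pairwise key (no ratchet)."""

    def __init__(self, shared_secret: bytes):
        self.key = shared_secret
        self.counter = 0

    def send(self, plaintext: bytes) -> bytes:
        ct = encrypt(self.key, self.counter, plaintext)
        self.counter += 1
        return ct


class SymmetricRatchet:
    """Hash-chain ratchet: derive a per-message key, advance the chain, discard the old state."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key
        self.counter = 0

    def _step(self) -> bytes:
        msg_key = hmac.new(self.chain_key, b"message", hashlib.sha256).digest()
        # Overwriting chain_key is what forgets the past: the old value cannot be
        # recovered from the new one without inverting HMAC-SHA256.
        self.chain_key = hmac.new(self.chain_key, b"chain", hashlib.sha256).digest()
        return msg_key

    def send(self, plaintext: bytes) -> bytes:
        ct = encrypt(self._step(), self.counter, plaintext)
        self.counter += 1
        return ct


# Attacker model: a server that stored every ciphertext, then later obtains the
# key material the client holds at the moment of compromise.
def recover_static(log, static_key: bytes) -> dict:
    """With the static key, every recorded ciphertext decrypts, past and future."""
    return {c: decrypt(static_key, c, ct) for c, ct in log}


def recover_ratchet(log, chain_key: bytes, counter: int) -> dict:
    """With the chain state at `counter`, only messages from `counter` onward can be derived."""
    clone = SymmetricRatchet(chain_key)
    derived = {c: clone._step() for c in range(counter, len(log))}
    return {c: decrypt(derived[c], c, ct) for c, ct in log if c in derived}


# Constructed sample values
STATIC_SECRET = b"static-pairwise-secret-32-bytes!"
ROOT_KEY = b"initial-root-key-for-ratchet-demo"
MESSAGES = [b"hello", b"meet at noon", b"the password is hunter2", b"ok bye"]


def run_scenario(compromise_after: int):
    """Send MESSAGES under both schemes; capture key material after `compromise_after` sends.

    Returns (plaintexts recoverable from the static scheme, plaintexts recoverable
    from the ratchet scheme), keyed by message counter.
    """
    static = StaticPairwise(STATIC_SECRET)
    ratchet = SymmetricRatchet(ROOT_KEY)
    static_log, ratchet_log, captured = [], [], None
    for i in range(len(MESSAGES) + 1):
        if i == compromise_after:
            captured = (static.key, ratchet.chain_key, ratchet.counter)
        if i < len(MESSAGES):
            static_log.append((static.counter, static.send(MESSAGES[i])))
            ratchet_log.append((ratchet.counter, ratchet.send(MESSAGES[i])))
    static_key, chain_key, counter = captured
    return recover_static(static_log, static_key), recover_ratchet(ratchet_log, chain_key, counter)


if __name__ == "__main__":
    static_hit, ratchet_hit = run_scenario(compromise_after=2)
    print("static key compromised, messages recovered:", sorted(static_hit))
    print("ratchet state compromised, messages recovered:", sorted(ratchet_hit))
```

Compromising the static key after two messages yields all four plaintexts; compromising the ratchet state at the same point yields only messages 2 and 3, since the earlier chain keys were overwritten. This hash-chain ratchet gives forward secrecy only; recovering from a compromise (the "backward secrecy" the post also mentions) additionally needs fresh Diffie-Hellman input mixed into the chain, which this toy deliberately omits.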