@Informatica (Italy e non Italy 😁) L'intelligenza artificiale fa ingresso nei processi di digitalizzazione anche delle piccole e medie imprese. Molte Pmi si considerano un improbabile bersaglio di attacchi cyber evoluti, ma la realtà dimostra il contrario. Ecco i rischi
@Informatica (Italy e non Italy 😁) Il mondo della sanità è costantemente tra le mire dei criminal hacker. Healthcare Security Summit guarda al futuro facendo anche affidamento sulle normative e, tra queste, in particolare modo la NIS2. C’è la consapevolezza dei problemi e c’è la volontà di risolverli. A fare difetto,
Tutto sommato noi con Berlusconi siamo stati fortunati, lui voleva farsi solo gli affari suoi, il resto non gli interessava più di tanto. Trump invece ha manie di grandezza, è convinto di poter fare tutto e che tutto gli sia dovuto, temo soffra un pochino di megalomania, ma si sa, gli americani fanno tutto in grande anche le stronzate.
Airlines selling detailed flight data to DHS; how AI scrapers are hammering open archives; and the casual surveillance relationship between ICE and local cops.#Podcast
Podcast: Airlines Sold Your Flight Data to DHS—And Covered It Up
This week we start with Joseph’s article about the U.S’s major airlines selling customers’ flight information to Customs and Border Protection and then telling the agency to not reveal where the data came from. After the break, Emanuel tells us how AI scraping bots are breaking open libraries, archives, and museums. In the subscribers-only section, Jason explains the casual surveillance relationship between ICE and local cops, according to emails he got. playlist.megaphone.fm?e=TBIEA4… Listen to the weekly podcast on Apple Podcasts,Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player. youtube.com/embed/Auc7NPD2ig4?…
Questa settimana, Asus ha annunciato una correzione per una vulnerabilità di bypass dell’autenticazione in Armoury Crate. Il problema avrebbe potuto compromettere completamente il sistema interessato, consentendo a un aggressore di elevare i propri privilegi a SYSTEM.
Armoury Crate è il software ufficiale Asus che fornisce un’interfaccia centralizzata per il controllo dell’illuminazione RGB (Aura Sync), la configurazione delle impostazioni delle ventole, la gestione dei profili delle prestazioni e delle periferiche Asus, nonché il download di driver e aggiornamenti del firmware.
Per eseguire tutte queste funzioni e il monitoraggio di basso livello del sistema, viene utilizzato un driver del kernel.
Il nuovo bug è tracciato con l’identificatore CVE-2025-3464 (punteggio CVSS 8,8) è descritto come un bypass di autorizzazione correlato al problema TOCTOU (Time-of-check Time-of-use).
Secondo Cisco Talos , il team che ha scoperto il bug, lo sfruttamento della vulnerabilità consiste nel creare un hard link da un’applicazione di test innocua a un file eseguibile fittizio. L’aggressore avvia l’applicazione, la sospende e quindi modifica l’hard link in modo che punti ad AsusCertService.exe.
Di conseguenza, quando il driver controlla l’hash SHA-256 del file, legge il binario attendibile associato, consentendo all’applicazione di test di aggirare l’autorizzazione e ottenere l’accesso al driver.
Ciò fornisce all’attaccante privilegi di sistema di basso livello, consentendo l’accesso diretto alla memoria fisica, alle porte I/O e all’MSR (Model-Specific Register), esponendo il sistema alla possibilità di compromettere completamente il sistema operativo.
Sebbene un aggressore debba essere presente nel sistema per sfruttare il CVE-2025-3464, data la diffusione di Asus Armoury Crate sui computer di tutto il mondo, la vulnerabilità potrebbe rappresentare una seria minaccia.
Cisco Talos segnala che CVE-2025-3464 riguarda Armoury Crate versione 5.9.13.0, ma il bollettino di sicurezza di Asus sottolinea che la vulnerabilità riguarda tutte le versioni comprese tra 5.9.9.0 e 6.1.18.0.
Gli sviluppatori di Asus consigliano vivamente agli utenti di aggiornare l’installazione di Armoury Crate alla versione più recente.
Nota: questo sarà un post noioso, ma, a volte, le aride cifre fotografano nitidamente le situazioni, anche quelle molto grandi, anche quelle che dentro hanno milioni di persone. D’altro canto sono certo che chiunque vorrà leggere queste righe sa comprendere benissimo numeri e percentuali. Altrimenti sarebbe un guaio.
Nel corso del 2024, l’Italia ha registrato un aggravamento significativo sia della #povertà assoluta sia di quella relativa, alla luce di dati ufficiali e referti della società civile. Secondo l’ultimo rapporto ISTAT e della “Caritas”, la quota di persone in condizione di povertà assoluta ha raggiunto il 9,7 %, pari a circa 5,6–5,7 milioni di individui, corrispondente a circa 2,2 milioni di famiglie. Lo stesso rapporto segnala come la povertà assoluta, benché stabile tra il 2022 e il 2023, risulti al livello più elevato dell’ultimo decennio, con una progressione costante dal 2014 (dal 6,9 % al 9,7 %) per quanto riguarda le persone.
Sul versante della povertà relativa, si evidenzia un ulteriore peggioramento: nel 2023 le famiglie colpite dal fenomeno superavano i 2,8 milioni (10,6 %) e le persone in difficoltà ammontavano a 8,4 milioni (14,5 %). Parallelamente, l’Eurostat stima che nel 2024 il 23,1 % degli italiani – circa 13,5 milioni – viva in condizioni di rischio di povertà o esclusione sociale, con aumenti particolarmente allarmanti per quanto riguarda i minori e le persone over 60.
A questi numeri drammatici si accompagna la crescita del fenomeno dei “Working poor”: in Italia il 21 % dei lavoratori percepisce un reddito insufficiente per condurre una vita dignitosa, con una situazione che colpisce in modo particolarmente intenso le classi operaie (tra le quali la povertà assoluta ha superato il 16,5 %) e i 35-54enni, oltre il 30 % dei quali non riesce a evitare uno stato di indigenza.
Tale contesto si dispiega in un quadro di politiche pubbliche inadeguate: le misure statali di contrasto alla povertà — dal “reddito di inclusione” alla spesa sociale — risultano insufficienti e, in molti casi, inefficaci. Nonostante il “Reddito di cittadinanza” abbia avuto un impatto importante, ben il 56 % delle persone povere non lo ha percepito, per cause che vanno dai problemi di residenza alla burocrazia. Le politiche di welfare restano lacunose e non affrontano adeguatamente la questione del “lavoro povero”, né investono in una rete di protezione robusta per le famiglie vulnerabili.
Questa fragilità sociale si inserisce in un contesto europeo che appare sempre più orientato verso la militarizzazione. Il “ReArm Europe – Readiness 2030”, lanciato a marzo 2025 dalla Commissione UE, punta a mobilitare fino a 800 miliardi di euro in spese per la difesa, tra aumenti delle spese nazionali, fondi comuni e prestiti SAFE da 150 miliardi, con la possibilità di dirottare risorse dai fondi di coesione e sostenibilità. Secondo le ultime stime, per colmare il gap militare si dovrebbe arrivare a investire fino al 5 % del PIL, una cifra che in Francia, Regno Unito e in molti altri Paesi corrisponde all’intero ammontare delle loro politiche di welfare e di protezione sociale. Analisti economici sottolineano che una simile quantità di risorse sarà sottratta a capitoli cruciali per combattere la povertà, rafforzare l’istruzione, la sanità e l’inclusione sociale, aumentando di conseguenza le disuguaglianze e l’emarginazione delle fasce più deboli.
La convergenza tra crisi del reddito, insufficienza delle politiche sociali e spinta europea verso spese militari aggressive aggrava la condizione dei più deboli. Se non si rivedono le priorità — affiancando politiche attive per il lavoro, la dignità universale del reddito e un welfare veramente inclusivo — il rischio è quello di lasciare milioni di cittadini italiani ed europei in una situazione di esclusione sempre più profonda.
Ma, forse, è proprio questo lo scopo ultimo di tutta questa sequela di mancanze, di tutti i soldi che non andranno ad aiutare le persone, soprattutto quelle povere, emarginate, fastidiose: la loro eliminazione. Se non fisica (almeno lo spero), almeno dalla vita pubblica, dalla società. Relegare coloro che non possono più permettersi la dignità sarebbe un ottimo viatico alla dittatura totale del liberismo, dell’effimero, del domani concesso solo a chi i soldi li ha e non viene disturbato da Governi sempre più distanti da una minima idea di democrazia.Se il futuro deve ancora essere scritto, non può diventare così. Non dovrebbe permetterlo nessuno, mai.
Gli scritti sono tutelati da “Creative Commons” (qui)
Tutte le opinioni qui riportate sono da considerarsi personali. Per eventuali problemi riscontrati con i testi, si prega di scrivere a: corubomatt@gmail.com
@Informatica (Italy e non Italy 😁) Meta introduce la pubblicità su WhatsApp, ma la Commissione europea sottolinea che questa decisione non è conforme con il Digital Markets Act (DMA) né con il GDPR. Ecco cosa implica l'annuncio della società per la privacy degli utenti e per le
@Kamo le inserzioni advertising si vedranno nella scheda "Aggiornamenti" dell’applicazione mobile (dove ci sono gli Statui e i Canali pubblici) ma non nelle chat personali.
La Nato si prepara al summit dell’Aia, tra nuove sfide e obiettivi ambiziosi. L’ammiraglio Giuseppe Cavo Dragone, presidente del Comitato militare della Nato, ha spiegato ad Airpress cosa aspettarsi da questo vertice. Ammiraglio, quello
@Giornalismo e disordine informativo articolo21.org/2025/06/bombard… Bombardare un’Università di Teheran è parte di quel lavoro sporco che Israele sta facendo per noi occidentali come ha affermato ieri il cancelliere tedesco Metz? Se colpire un luogo di studio è un pezzo di quel lavoro sporco,
🖊 Le tracce ufficiali della #Maturità2025 sono disponibili sul sito del #MIM.
Le trovate qui ▶ https://www.mim.gov.it/web/guest/-/-maturita2025-sul-sito-del-ministero-pubblicate-le-tracce-della-prima-prova
Voi quale avreste scelto?
@Politica interna, europea e internazionale Senatrice Alessandra Maiorino, oggi l’evento “UNITE”, promosso dal comitato Politiche di Genere e Diritti Civili del M5S, arriva alla sua seconda edizione: quali sono gli obiettivi? «Abbiamo dato vita al
For quite some time now, Marlin has been the firmware of choice for any kind of custom 3D printer, with only Klipper offering some serious competition in the open-source world. [Liam Powell] aims to introduce some more variety with the development of Prunt, a 3D printer control board and firmware stack.
Smooth motion control is Prunt’s biggest advantage: Klipper and Marlin use trapezoidal (three-phase) motion profiles, which aim for acceleration changes with physically impossible rapidity, leading to vibrations and ringing on prints. By contrast, Prunt uses a more physically realistic 31-phase motion profile. This lets the user independently adjust velocity, acceleration, jerk, snap, and crackle (the increasingly higher-order derivatives of position with respect to time) to reduce vibration and create smoother prints. To avoid sharp accelerations, Prunt can also turn corners into 15-degree Bézier curves.
The focus on smooth motion isn’t just a software feature; the Prunt control board uses hardware timers to control step generation, rather than the CPU. This avoids the timing issues which Klipper sometimes faces, and avoids slowing other parts of the program down. The board also seems to have a particular focus on avoiding electrical damage. It can detect short circuits in the heaters, thermistors, fans, and endstops, and can cut power and give the user a warning when one occurs. If the board somehow experiences a serious electrical fault, the USB port is isolated to prevent damage to the host computer. The firmware’s source is available on GitHub.
If you’re more interested in well-established programs, we’ve given a quick introduction to Klipper in the past. We’ve also seen people develop their own firmware for the Bambu Lab X1.
@Notizie dall'Italia e dal mondo Tra riforme minime, scarsa comunicazione e silenzi su temi internazionali cruciali, il nuovo governo del Frente Amplio fatica a imprimere una svolta. L'articolo I primi 100 giorni di Orsi in Uruguay: tra continuità, delusione e poco coraggio
@Giornalismo e disordine informativo articolo21.org/2025/06/contrat… Lo scorso giovedì 12 giugno si è tenuta una manifestazione davanti alla vecchia direzione generale della Rai di viale Mazzini -ora chiusa a causa della presenza di amianto e per questo in ristrutturazione-
La chiave ministeriale, per aprire il plico telematico della prima prova scritta, è disponibile sul sito del #MIM.
La trovate qui ▶️ https://www.mim.gov.it/web/guest/-/esami-di-stato-prima-prova-scritta
È iniziata la #Maturità2025!
#MIMaturo
e così i russi si sentono le vittime eh? lasciamo perdere. suppongo sia questione di punti di vita. dall'altro lato non sono mai apparsi come vittime ma come carnefici. un'autentica minaccia. ma davvero ci biasimano per questo dopo quello che hanno fatto e che fanno? il loro è un "normale" modo di relazionarsi con alleati e amici? mandare l'esercito o governi fantoccio? se per loro la seconda guerra mondiale fosse stata una guerra di liberazione dall'oppressione forse le avrebbero dato un altro nome. stalin comunque non ha aiutato a migliorare l'immagine russa nel mondo. quando si controlla un paese straniero si usa a volte il bastone o la carota. ma per i russi la carota in cosa consisterebbe? invio di armi al dittatore di turno per reprimere il popolo? alcune di queste accuse possono anche riguardare gli usa in certi contesti ma questo non giustifica la russia. e se incredibilmente i popoli volessero la libertà? i russi ci hanno mai pensato? palro anche die loro "lleati" e "amici"…. come iran o corea del nord o la siria (ex).
C’è un dettaglio, di cui tenere conto: a quel che sembra il Consiglio d’Amministrazione di Mediobanca ha deciso di rinviare a settembre l’Assemblea, prevista per i prossimi giorni, pur avendo visto crescere le adesioni alla resistenza che si stava opponendo a un tentativo di scalata. La decisione è stata letta come una condizione di
IN RICORDO DI ENZO TORTORA E DEI QUASI MILLE INNOCENTI PRIVATI OGNI ANNO DELLA PROPRIA LIBERTÀ 17 giugno 2025, ore 12:00, Piazzale Cimitero Monumentale, 20154 Milano Ai primi 30 under 30 che si registreranno e saranno con noi a Milano verrà regalata una copia di Storia della colonna infame
Every Thursday of the week, Bastian’s Night is broadcast from 21:30 CET (new time).
Bastian’s Night is a live talk show in German with lots of music, a weekly round-up of news from around the world, and a glimpse into the host’s crazy week in the pirate movement aka Cabinet of Curiosities.
L'articolo proviene da #StartMag e viene ricondiviso sulla comunità Lemmy @Informatica (Italy e non Italy 😁) Microsoft avrebbe investito finora in OpenAi almeno 19 miliardi di dollari, ma Sam Altman reclama più spazio e maggiore indipendenza. La geografia della software house sarà ridisegnata con la
La Cina ha compiuto un altro passo nel suo programma spaziale. Alle 12:30 del 17 giugno, ora di Pechino, dal centro di Jiuquan è stato eseguito con successo un test di “pad abort” del nuovo veicolo spaziale con equipaggio Mengzhou. Il test ha
Una vita difficile freezonemagazine.com/rubriche/… Nell’introduzione alla precedente puntata di Celluloide, dedicato a Le ragazze di Piazza di Spagna, abbiamo accennato ai tre filoni principali che caratterizzano (ovviamente tenendo presente tutte le sfumature e le varianti indipendenti) il panorama del grande cinema italiano del secondo dopoguerra: il neorealismo di impegno e denuncia sociale, il neorealismo rosa antropologico, che con locuzione Nell’introduzione
Ieri è scaduto il mio contratto di lavoro. Settimana scorsa mi è stato detto che me l'avrebbero prolungato fino a marzo 2026, con una percentuale lavorativa del 80%. Per me va bene. Nonostante diverse sollecitazioni da parte mia (e a diversi livelli) non ho ancora ricevuto il nuovo contratto. E, d'accordo col mio superiore, oggi non mi sono presentata al lavoro. Domani è festivo in Ticino. Venerdì cosa farò?
Per il resto è ancora tutto difficile.. problemi di salute (non miei), problemi familiari, problemi con l'appartamento, ... 😱
Stavamo pianificando le vacanze di agosto, ma aspetto il contratto.
questa settimana ci immergiamo nel vero sport del social web: mantenere le conversazioni leggibili una volta che iniziano a riprodursi come conigli decentralizzati. Allacciate le cinture, perché le catene di risposta sono un argomento di cui presto vorrete non sapere così tanto.
Welcome back to the Ghost Lab, where pull requests multiply faster than gremlins in the rain, and the phrase “just one more edge case, I swear” has been officially banned by HR (hi Beccy).
Last week, we swapped war stories about shipping ActivityPub; this week we’re diving into the true sport of the social web: keeping conversations readable once they start breeding like decentralized rabbits. Buckle up, because reply chains are a subject you're about to wish you didn't know so much about.
What's new with ActivityPub?
Discussions on the social web are surprisingly complex things, and recently we spent some time wrapping our paws around some of the finer details. The joy of this newsletter is that whenever we suffer, you get to share in that experience.
On the face of it, a discussion is just a chain of replies. You make a post, and someone else responds. You get a notification about the response, and that response shows up somewhere in the app, below the post you made.
All pretty straightforward. We know about your post, because it was made in Ghost, and we know about the replies, because they got sent directly into Ghost and they reference the post you made as what they're in response to.
So, a simple discussion is easy to render:
📍 Your original post
Reply to OP
Reply to OP
Discussions are rarely one-layer deep, though. When two people go back and forth with each other, each one of those responses is a new reply to a previous post.
Something you may have noticed in Ghost for the past few months, though, is that it took a lot of clicking to follow a discussion between two people. We'd only fetch the immediate replies to the post you're viewing, so for a long reply chain, you'd only see 1 level of replies below the current post. To see replies to the next level, you'd constantly need to click deeper into the discussion
📍 Your original post post you're viewing
Reply to OP you can see this
Reply to reply you can't see this, or below
Reply to reply-guy
Reply to that reply
Ok this is becoming a debate
No, you
Actually
As well as multiple layers of depth to a discussion, there might be multiple threads of discussion happening under your post. And this is where it starts to get interesting. You post from Ghost, someone replies to that post on Mastodon, someone else replies to the reply from Mastodon, on Mastodon. Now we're in a place where we (Ghost) aren't necessarily aware of all the replies taking place, because they're happening elsewhere.
📍 Your original post
Reply to OP
Reply to reply
Reply to reply-guy
Reply to reply
Reply to OP
Reply to reply
It doesn't stop there, though. Your original post might actually, itself, be a reply to a post that came before it. So when you view that post, you probably also want to see what it's in-reply-to, otherwise the context of the discussion is going to be hard to figure out.
If the first post is "That's the craziest thing I've ever heard" and the replies are all "I've heard crazier" – you're likely to have questions about the topic at hand.
Parent post
📍 Your original post
Reply to OP
Reply to reply
Reply to reply-guy
Reply to reply
Reply to OP
Reply to reply
And (you can probably see where this is going) that post you're replying to may, itself, be a reply to some other post. The discussion tree has infinite levels in both directions. Your post and its replies may be a tiny branch on the end of a far larger tree of conversation.
Great-grandparent post
Grandparent post
Parent post
Someone else's original post
Reply to OP
Reply to reply
Parent post
Grandparent post
Parent post
📍 Your original post
Reply to OP
Reply to reply
Reply to reply-guy
Reply to reply-guy
Reply to reply
Reply to reply guy
Reply to OP
All this to say, we've done a bunch of work in Ghost to crawl our way up and down the branches of a discussion, pull the most relevant posts around yours, and make them visible inline on the post you're viewing.
Now, rather than just seeing the immediate replies to a single post, you'll start to see larger chains of replies that have been surfaced to make it easier for you to follow a discussion.
Replies-to-replies are connected with a line: And when the discussion has even more levels available to explore, we show a link to allow you to expand that particular thread: The same is true when you click on a notification, where we'll load the post you clicked on and the 'parents' of that post, so you can scroll up to see the context of what came before.
It's not perfect, of course, but it's now much easier to get a feel for the conversation(s) happening in and around the posts you're viewing.
That’s the tour for this week’s code safari. Hit publish, poke the new threads, and let us know where the discussion tree still gets tangled.
Coming up next week (and you may have already seen some hints of this):
Il “Trump Phone” è praticamente un telefono cinese Wingtech REVVL 7 Pro 5G con qualche fronzolo dorato, venduto a 499 dollari contro i 171,65 del modello originale (un ricarico del 191% solo per dei loghi personalizzati e la colorazione patriottica).
Il lancio è stato un disastro: sito andato in tilt coi preordini, addebiti sbagliati e poi la gaffe epica della mappa di Trump Mobile che mostrava ancora “Golfo del Messico” invece del nuovo “Golfo d’America”. Mapbox non aveva ancora aggiornato la denominazione e Trump si è incazzato.
Un telefono made in China venduto a peso d’oro tutto “made USA” tranne il prodotto stesso.
Developers of the WordPress ActivityPub talks about how they plan to make WordPress websites a full member of the fediverse, videos of FediForum available, and bridging to Bluesky op a per-server basis.
Developers of the WordPress ActivityPub talks about how they plan to make WordPress websites a full member of the fediverse, videos of FediForum available, and bridging to Bluesky op a per-server basis.
I also run a weekly newsletter, where you get all the articles I published this week directly in your inbox, as well as additional analysis. You can sign up right here, and get the next edition this Friday!
The News
Fediforum has published the videos of the keynotes and the software demos. For a list of all the demos, you can check out the website. Some thoughts on some of the demoes that stood out to me. For some of the other cool demos (such as Bounce and Bandwagon), check out last week’s news.
The keynote by Christine Lemmer-Webber talks about how the social media style of the 2010s is no longer good enough. With this, she refers to both the fediverse as well as Bluesky. Lemmer-Webber makes the case we live in an age of surveillance, and both Bluesky and the fediverse do not meet the need for safety and privacy that comes with that. She says that shame is not an effective way to get people to use better platforms, and that we need to bring joy to the new platforms. Lemmer-Webber is now working on different protocols with the Spritely Institute, that use Object Capabilities. I’ll go into more detail on that once Spritely gets closer to public usage, but to hugely oversimplify: with Object Capabilities, you can enforce who has access to your data that you send out. Seeing one of the co-authors of ActivityPub actively advocating for further development of new open protocols indicates to what extend the space of the open social web is still in active development.
BadgeFed is a platform for issues badges using the Open Badges standard and ActivityPub protocol, where the badges can later be verified cryptographically. There are some interesting parallels with how people are developing badges on ATProto, and it seems to me that both networks are now in the stage that there are solid proofs that you can build systems for credentials on decentralised protocols. The next stage is seeing how people will start using these new systems.
For developers: ActivityFuzz is an upcoming project from Darius Kazemi, and builds upon the Fediverse Schema Observatory. These tools give a much greater insight into how all the different fediverse projects have implemented ActivityPub in practice, and shows all the differences. This makes building fediverse platforms that are compatible with other platforms more accessible.
Gobo is a client that allows people to post to multiple different platforms, including Mastodon and Bluesky. One of the challenges with cross-posting tools is that these platforms have different character limits, which Gobo has some nice ways of setting the cutoff-point for a longer text thats different for each platform.
Encyclia is a recently-announced project to make ORCID (Open Researcher and Contributor ID) records connected to the fediverse, with the demo providing a first view of what this looks like in practice.
The Build Your Own Timeline Algorithm takes your Mastodon timeline and uses various customisable algorithms to create custom clusterings for the post, allowing you to sort your timeline into various different topics.
The team implementing the ActivityPub plugin for WordPress has posted a blog with a roadmap what they are working on. The team has plans to majorly expand the plugin, and make WordPress a full member of the fediverse. So far, the interaction has mainly focused on publishing to the fediverse, which will now be expanded to also be able to follow, read and interact with the rest of the fediverse directly via a WordPress account. The main feature will be a reader experience, which is effectively a timeline feed within WordPress. It places WordPress into even more direct competition with Ghost, who also offers a timeline reader as part of their ActivityPub integration.
The Social Web Foundation released a draft of their work to implement end-to-end encrypted (E2EE) messaging over ActivityPub. Their plan uses Messaging Layer Security (MLS), a protocol for encrypting messages, that is designed to be used in combination with other protocols for sending the encrypted messages. One of the parts that is missing for ActivityPub is the ability to send real private messages to each other, and an integration with MLS can help with that. It might take a while before it gets there, this first version of the draft is now ready for proof-of-concept implementations and interoperability testing.
Bridgy Fed, the bridging software that connects ActivityPub with ATProto, has gotten an update where server admins can opt-in to the bridge for their entire server. For some context: Bridgy Fed was originally designed to be opt-out, meaning that every fediverse account could automatically be bridged to the Bluesky network and visa versa. After massive pushback from the fediverse community, this was changed to opt-in, where people have to actively take action to have their account be connected to the other network. The debate laid bare to what extend the fediverse struggled with being a decentralised network, where decentralised means that there are different communities with values that at times are incompatible with each other. Instead the debate got largely framed in terms of what the value (opt-in or opt-out) should be for the entire network. However, with this latest update individual communities can now be independently decide for themselves if they want to be connected to other protocols by default.
The Links
Bonfire has added the ability to create a separate ‘Events’ feed for Mobilizon and Gancio events.
Canvas is a yearly fediverse event where people can paint on a shared canvas, one pixel at a time, for 48 hours. This year’s Canvas event will start on July 12th.
Mastodon has made some tweaks to smaller screen layouts on web.
That’s all for this week, thanks for reading! You can subscribe to my newsletter to get all my weekly updates via email, which gets you some interesting extra analysis as a bonus, that is not posted here on the website. You can subscribe below:
Torna la Festa della Fiom a Firenze: 4 serate alla Flog al Poggetto tra dibattiti, musica, teatro, cucina. Tra gli ospiti, i sindaci di Firenze, Prato e Pistoia ed Eugenio Giani. Chiusura con Michele
From Daniel Ellsberg’s Pentagon Papers to Edward Snowden’s National Security Agency surveillance disclosures, whistleblowers have been behind some of the most impactful revelations in American history.
Both Ellsberg and Snowden risked their safety and personal freedom to leak documents to the press. While whistleblowers face similar risks today, they can protect their identities using modern whistleblowing platforms like SecureDrop — a project of Freedom of the Press Foundation (FPF) — and anonymity systems like the Tor Network.
To answer questions about how the public can safely share information with the press and use available tools to do so, FPF’s Chief Information Security Officer and Director of Digital Security Harlo Holmes and SecureDrop Staff Engineer Kevin O’Gorman engaged with Reddit’s r/IAmA community members on June 10 in a Q&A session.
The following select questions from various Reddit users, and Holmes and O’Gorman’s answers, have been edited for brevity and clarity. You can view the full thread here.
If I were a whistleblower with top-secret information, how would I get it to the newspapers without getting caught? What’s the high-level process like?
Harlo: There are a lot of variables that you’d have to consider and would only know of once you’re in that position! But, please know that whistleblowing is a hugely heroic act and there are always risks. Not only is there the possibility of “getting caught,” as you say, there is the prospect of retaliation down the line, loss of livelihood, and a lot of trauma that comes with making such a huge decision.
Other higher-level processes have to do with the aftermath. In a newsroom, journalists and their editorial team deliberate a lot about how best to write the story with what the whistleblower has supplied them. This may mean weighing matters of security, reputation, and the protection of everyone involved.
About a year ago, Signal introduced phone number privacy and usernames, effectively enabling Signal users to be (almost) anonymous if they want to. And major news outlets like The New York Times and The Guardian accept tips through Signal. Can you tell me how SecureDrop is more secure and better at protecting the privacy of the whistleblower?
Harlo: They’re both good. It’s all about “right-sizing” your tipline support. SecureDrop can be beyond the budget or bandwidth for some small newsmakers, and that’s why we at FPF can help in building a solution that fits. Fundamentally, a newsroom should ensure confidentiality and encryption. Both tools will get you there.
Kevin: Further to Harlo’s point, Signal’s approach is definitely better at scale and in general, while SecureDrop is designed to solve a more specific problem. That said, SecureDrop has some advantages for leaking to the press.
Signal requires a dedicated app, which leaves traces of its use. A source facing potential seizure and examination of their devices will leave fewer traces using Tor Browser. SecureDrop relies on an airgap to protect its decryption key, which protects journalists and sources by quarantining file submissions and makes it harder to target journalists with malware.
There are always trade-offs in play between security and ease of use, Signal is a solid choice and, from a purely cryptographic perspective, there’s no faulting it.
The Democrats released their own “whistleblowing” form a few months back for federal workers. That seems like a supremely bad idea, yes? It just looks like a Google form. Are there any big failures that you are aware of?
Harlo: Not my show, not my monkeys. We work with the press and are restricted from working with political parties. That said, we can share some tips regarding safer whistleblowing practices that anyone can adopt if they’re building a platform for intake!
First off, “be available everywhere.” In the past, whistleblowers have been burned because their web histories pointed directly to when and where they reached out to their journalist. So, use the commons of the internet to give people the information they need to securely establish first contact. If you’re running a tipline advertisement on your own website, use an encrypted and safe URL that will not indicate that the public has visited your explicit whistleblowing instructions.
Third-party services like Google are not your friend for the most sensitive of data. Google can definitely be subpoenaed for all the juicy whistleblower details. Find an alternative. Make your submission portals available over Tor, too! Visiting an onion address can make a huge difference.
Lastly, encrypt all the things. This means data in transit as well as at rest. If you are going to plop the next Panama Papers on your hard drive, encrypt that computer like your life depends on it.
As we have recently seen in some dramatic examples, all of the world’s encryption can’t help if the users misuse it. When you help news orgs set up SecureDrop, doesn’t this basically mean that you have to be giving them constant support to them and to whistleblowers on how to use it?
Kevin: This is the gig 😀
By design, we have no contact with whistleblowers using SecureDrop. A key property of the system is that it is self-hosted with no subpoenable third parties in the loop, including us.
But we do journalist digital security training, publish guides for whistleblowers, and work with newsrooms to ensure they’re providing prospective sources with good operational security guidelines via their sites.
On the administration side, once set up, SecureDrop instances are actually pretty low-maintenance in terms of support — most updates are automated, for example. We run a support portal available to all administrators, but probably only about half of instances ever need to reach out. The system’s applications do need frequent security updates, and while the codebase is mature at this stage we do regular audits and make changes as a result, so there is an ongoing development effort there.
What do you all think about the security of good ol’ postal mail for whistleblowers, especially if they have a hard drive or doc trove to share? Is it always better to go with a secure digital solution or is there still a utility to the old-fashioned tactics like mail and IRL dead drops?
Kevin: A lot of newsrooms still offer postal mail as an option for tips, and there are definitely cases where it makes sense. If you’re dropping multiple gigabytes worth of files for example, systems using Tor are going to be slow and prone to network issues. (SecureDrop has a hard limit of 500MB on individual submissions, partially for this reason).
But it’s important that sources remember they still need to take steps to protect their anonymity when using postal mail. Obviously, adding a return address that is associated with the source in any way is a bad idea, as is mailing it from a post office or a mailbox somewhere you spend any amount of time. So sources should be posting their tips from mailboxes somewhere they don’t normally go.
L’immediata presa di posizione a favore di Israele da parte delle prime tre “potenze” europee (Francia, Germania, Regno Unito) e dei membri del G-7 con dichiarazioni di stampo orwelliano, se non appare per nulla una sorpresa, rivela nel modo più chia…
Nel contesto del progressivo mutamento degli equilibri geopolitici globali e della ridefinizione delle rotte strategiche per l’approvvigionamento energetico e lo scambio di merci, il corridoio Imec (India-Middle East-Europe Corridor) rappresenta una delle più rilevanti iniziative
New data obtained by 404 Media also shows California cops are illegally sharing Flock automatic license plate reader (ALPR) data with other agencies out of state, who in turn are performing searches for ICE.#FOIA
In an industry full of grifters and companies hell-bent on making the internet worse, it is hard to think of a worse actor than Meta, or a worse product that the AI Discover feed.#AI #Meta
Meta Invents New Way to Humiliate Users With Feed of People's Chats With AI
I was sick last week, so I did not have time to write about the Discover Tab in Meta’s AI app, which, as Katie Notopoulos of Business Insider has pointed out, is the “saddest place on the internet.” Many very good articles have already been written about it, and yet, I cannot allow its existence to go unremarked upon in the pages of 404 Media.
If you somehow missed this while millions of people were protesting in the streets, state politicians were being assassinated, war was breaking out between Israel and Iran, the military was deployed to the streets of Los Angeles, and a Coinbase-sponsored military parade rolled past dozens of passersby in Washington, D.C., here is what the “Discover” tab is: The Meta AI app, which is the company’s competitor to the ChatGPT app, is posting users’ conversations on a public “Discover” page where anyone can see the things that users are asking Meta’s chatbot to make for them. This includes various innocuous image and video generations that have become completely inescapable on all of Meta’s platforms (things like “egg with one eye made of black and gold,” “adorable Maltese dog becomes a heroic lifeguard,” “one second for God to step into your mind”), but it also includes entire chatbot conversations where users are seemingly unknowingly leaking a mix of embarrassing, personal, and sensitive details about their lives onto a public platform owned by Mark Zuckerberg. In almost all cases, I was able to trivially tie these chats to actual, real people because the app uses your Instagram or Facebook account as your login. In several minutes last week, I saved a series of these chats into a Slack channel I created and called “insanemetaAI.” These included:
entire conversations about “my current medical condition,” which I could tie back to a real human being with one click
details about someone’s life insurance plan
“At a point in time with cerebral palsy, do you start to lose the use of your legs cause that’s what it’s feeling like so that’s what I’m worried about”
details about a situationship gone wrong after a woman did not like a gift
an older disabled man wondering whether he could find and “afford” a young wife in Medellin, Colombia on his salary (“I'm at the stage in my life where I want to find a young woman to care for me and cook for me. I just want to relax. I'm disabled and need a wheelchair, I am severely overweight and suffer from fibromyalgia and asthma. I'm 5'9 280lb but I think a good young woman who keeps me company could help me lose the weight.”)
“What counties [sic] do younger women like older white men? I need details. I am 66 and single. I’m from Iowa and am open to moving to a new country if I can find a younger woman.”
“My boyfriend tells me to not be so sensitive, does that affect him being a feminist?”
Rachel Tobac, CEO of Social Proof Security, compiled a series of chats she saw on the platform and messaged them to me. These are even crazier and include people asking “What cream or ointment can be used to soothe a bad scarring reaction on scrotum sack caused by shaving razor,” “create a letter pleading judge bowser to not sentence me to death over the murder of two people” (possibly a joke?), someone asking if their sister, a vice president at a company that “has not paid its corporate taxes in 12 years,” could be liable for that, audio of a person talking about how they are homeless, and someone asking for help with their cancer diagnosis, someone discussing being newly sexually interested in trans people, etc.
Tobac gave me a list of the types of things she’s seen people posting in the Discover feed, including people’s exact medical issues, discussions of crimes they had committed, their home addresses, talking to the bot about extramarital affairs, etc. “When a tool doesn’t work the way a person expects, there can be massive personal security consequences,” Tobac told me.
“Meta AI should pause the public Discover feed,” she added. “Their users clearly don’t understand that their AI chat bot prompts about their murder, cancer diagnosis, personal health issues, etc have been made public. [Meta should have] ensured all AI chat bot prompts are private by default, with no option to accidentally share to a social media feed. Don’t wait for users to accidentally post their secrets publicly. Notice that humans interact with AI chatbots with an expectation of privacy, and meet them where they are at. Alert users who have posted their prompts publicly and that their prompts have been removed for them from the feed to protect their privacy.” Since several journalists wrote about this issue, Meta has made it clearer to users when interactions with its bot will be shared to the Discover tab. Notopoulos reported Monday that Meta seemed to no longer be sharing text chats to the Discover tab. When I looked for prompts Monday afternoon, the vast majority were for images. But the text prompts were back Tuesday morning, including a full audio conversation of a woman asking the bot what the statute of limitations are for a woman to press charges for domestic abuse in the state of Indiana, which had taken place two minutes before it was shown to me. I was also shown six straight text prompts of people asking questions about the movie franchise John Wick, a chat about “exploring historical inconsistencies surrounding the Holocaust,” and someone asking for advice on “anesthesia for obstetric procedures.”
I was also, Tuesday morning, fed a lengthy chat where an identifiable person explained that they are depressed: “just life hitting me all the wrong ways daily.” The person then left a comment on the post “Was this posted somewhere because I would be horrified? Yikes?”
Several of the chats I saw and mentioned in this article are now private, but most of them are not. I can imagine few things on the internet that would be more invasive than this, but only if I try hard. This is like Google publishing your search history publicly, or randomly taking some of the emails you send and publishing them in a feed to help inspire other people on what types of emails they too could send. It is like Pornhub turning your searches or watch history into a public feed that could be trivially tied to your actual identity. Mistake or not, feature or not (and it’s not clear what this actually is), it is crazy that Meta did this; I still cannot actually believe it. In an industry full of grifters and companies hell-bent on making the internet worse, it is hard to think of a more impactful, worse actor than Meta, whose platforms have been fully overrun with viral AI slop, AI-powered disinformation, AI scams, AI nudify apps, and AI influencers and whose impact is outsized because billions of people still use its products as their main entry point to the internet. Meta has shown essentially zero interest in moderating AI slop and spam and as we have reported many times, literally funds it, sees it as critical to its business model, and believes that in the future we will all have AI friends on its platforms. While reporting on the company, it has been hard to imagine what rock bottom will be, because Meta keeps innovating bizarre and previously unimaginable ways to destroy confidence in social media, invade people’s privacy, and generally fuck up its platforms and the internet more broadly.
If I twist myself into a pretzel, I can rationalize why Meta launched this feature, and what its idea for doing so is. Presented with an empty text box that says “Ask Meta AI,” people do not know what to do with it, what to type, or what to do with AI more broadly, and so Meta is attempting to model that behavior for people and is willing to sell out its users’ private thoughts to do so. I did not have “Meta will leak people’s sad little chats with robots to the entire internet” on my 2025 bingo card, but clearly I should have.
AI 'influencers' on Instagram have racked up hundreds of thousands of followers and millions of views by stealing reels from real women to make the AI seem more "believable."
Scrollone
in reply to Cybersecurity & cyberwarfare • • •like this
Cybersecurity & cyberwarfare likes this.
lelloba
in reply to Scrollone • • •Cybersecurity & cyberwarfare likes this.
Cybersecurity & cyberwarfare
Unknown parent • •Informatica (Italy e non Italy 😁) reshared this.