Malcolm Gin ☵ @perigee@octodon.social

A friend of mine reports that Mozilla Seamonkey responds well to the Firefox fix to disable punycode (found in the article I posted in the OP).

Also, the profusion of Google Safe Browsing and other safe browsing extensions make it impossible to predict what any individual's Chrome install is going to do with the testing URL. Best to test and then take measures to fix if you see it as "https://www.apple.com/" in whatever is your favorite browser.

@cwylo Do you eat meat?

... (according to Slashdot, Chrome/Chromium v. 59 handles this and I looked it up; it's due by early June, but according to Google's IDN documentation, it's fixed in 58, which is due at the end of April).

Honestly if you use Chrome, I wouldn't recommend assuming you're safe. Perhaps try Chrome Canary, or use Firefox (after you fix its settings) or Safari until this blows over. And/or avoid unreliable sites with shitty or no security.

It looks like the test URL I posted earlier can show up as invalid in some versions of Chrome and also in Safari. Because of how Chrome updating works, as well as how Google Safe Browsing works, it's hard to tell which versions and configurations of Chrome will show the problem URL and which ones won't. My guess is that Google is busting ass to make sure all known tester URLs are handled by Google Safe Browsing and thinking about accelerating their update schedule ...

Note: Safari will show the attack URL as invalid or invalid.invalid. That's good. It looks like Safari isn't vulnerable because it doesn't support punycode. Chrome and Firefox are vulnerable because they do. I think the fix here is to fix punycode, but I don't know enough about the internals of this exploit to be totally sure.

Here's a tester for the new punycode phishing attack: https://www.xn--80ak6aa92e.com/

If your browser takes you to an SSL-secured site that it shows you as https://www.apple.com/

then your browser has problems.

More info: http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

Article has instructions on fixing in Firefox. I tested in Chrome Canary (Chrome v 60) and it's fixed there too.

@emdeesee Dundracon, I think. My then partner and I (we were in out twenties) played a scenario in Call of Cthulhu written and run by Greg Stafford (then, I think, of Chaosium), that was based on the song "Elvis is Everywhere" by Mojo Nixon: https://www.youtube.com/watch?v=mpb4ZAAP6Z4

(He even made us get up and dance to the song.)

"Elvis is in your Mom!"

@starbreaker I get that too. Personally, I've identified, since I was 7 or 8 years old, for more than 40 years, as a feminist. Because when I was younger, we masculine feminists were very few and far between, and it was a revolutionary act. But now not so much. Even with my Women's Studies minor and my provable activism, it's becoming less and less sure that I can ID as feminist. And tbh, some arguments against seem a bit TERFy, but not all of them.

@3goliad Yes. I totally agree with that, and I don't often self-identify. I think most often the urge to self-identify/self-label is when I'm participating in discourse where my investment/experience in feminist activism is trivially dismissed but where it seems like an important factor.

On the FB, there's a renewed discussion of men-who-call-themselves-feminist and whether we should call ourselves something else. I think it's because a bunch of fake-seeming bros are now sort of predatorily calling themselves feminist, but as with all movements and generalizations, it catches those of us with more profound investments up in it too. I'm not offended that I may need to change self-labeling. But do I? To what? FYI: I am trans/intersex.

@emdeesee Oh the snootiness. Back in 6510 Assembly, we were encouraged to do the equivalent of cat > a.out but I try not to tell people they're not using the right language. That way lies insufferable snootiness.

@forteller The US Government, unfortunately, even the really deep tech network groups, eventually, generally, have to answer to their own security audits and recommendations, which are so far behind the times as to beggar the imagination. So yeah, they know about Linux and use it where they can, because there are so many Windows exploits, but the requirements and audits are so mandatory they cannot always do so (I contracted to the DHS for a while).

... Turns out this is kind of a difficult challenge. Even if you have a need for something utilitarian and relatively long-lasting, it's not a great choice to buy, say, heavy duty wire racks for basement storage. So I'm looking at high quality steak knives. Which I think fulfill the directive. My sweetie's looking at silverware and place settings (plates, etc.), all heirloom quality. So of course all the web ads I'm seeing are now for steak knives.

One of the traditions I experienced when my ex-wife's family member passed away in the 1990s was a fairly significant monetary gift (then about $1,000) my in-laws specified should be spent on an heirloom or memorial gift for myself. They said it should be something I would keep with me all my life, and that would be useful. So I bought a pocket watch and a wristwatch. I chose, as executor, to carry that tradition along, with my Dad's passing...

In the US. Anyone have any reccs for graphic novels good for a pro civil rights 12 year old black teen femme who lives in San Francisco? She is comics curious. I would like to start her off with good impressions. Feminist, empowered, self-assured stories!

@perigee er I meant "fighty" not righty but whatever. Thanks autocorrect!

Today I was Right (and not righty) about a tech/security/process/privacy related thing and the white dude stranger I confronted about it, while not pleased, didn't white mansplain and didn't double down but went and fixed his mistake.