Lance R. Vick (@lrvick@mastodon.social)
Security/Privacy Consultant, Cypherpunk, OSS Advocate PGP: 6B61ECD76088748C70590D55E90A401336C8AAA9 #infosec #foss #opensource #sysadmin #privacy #security
May 9, 2022 4 tweets 2 min read
1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.
Mar 14, 2022 6 tweets 2 min read
PSA: Stop using Lastpass for anything valuable.

Malware is a thing.

```
lpass ls \
| grep -oP '(?<=id: )([0-9]+)' \
| xargs -n1 bash -c 'lpass ls | grep "id: $1]"; lpass show $1' --
```

Before anyone asks, no, 1Password is not any better, nor is any other pure software password manager.

```
op list items \
| jq -r '.[].uuid' \
| xargs -n1 bash -c 'op get item "$1"' --
```
Jan 8, 2021 11 tweets 2 min read
The Internet was built as a kind of decentralized democracy. Change is slow and messy but it protects us from a single entity forcing their will on us.

When you move your data and social graph to a closed platform you vote for authoritarian rule.

Such choices never end well. Many trusted their data and social graph to VK in Russia under a benevolent dictator that fought for their rights.

The Russian government saw him replaced with someone more ethically flexible and now they control those systems.
Oct 23, 2020 19 tweets 8 min read
The RIAA just got GitHub to ban open source YouTube downloaders.

They don't want anyone to share this code:

mplayer $(echo -s "youtube.com/get_video.php?… $youtube_url | sed -n "/watch_fullscreen/s;.*\(video_id.\+\)&title.*;\1;p")&fmt=22")

Woops.

github.com/github/dmca/bl…

Note: this version probably doesn't work on most/all videos today.

It is an iteration of one I wrote years ago:
commandlinefu.com/commands/view/…

Thanks to @_julijane_ for testing!

I may try updating it for funsies this weekend.

Join #!:matrix.org to help :)
Apr 14, 2020 4 tweets 2 min read
Months ago my phone died and now I need 1+ man-week to de-backdoor my new Pixel 4.

Being mostly phoneless warms me up to a simple device that respects my rights out of the box.

Continuing phone detox until I get a Pinephone or Librem 5.

I'm done funding #SurveillanceCapitalism

Devices like the Pinephone and the Librem 5 don't have biometric unlock options. I now understand this is a feature.

A: Biometrics have limited 5th Amendment protection
B: Biometrics can be used without your knowledge
C: A long password makes you check your phone less.
Sep 28, 2019 5 tweets 2 min read
The WhatsApp backdoor is now public and official. I have said this many times: there is no future for privacy or security tools that are centralized or proprietary. If you can't decentralize it, some government will strongarm you for access.

bloomberg.com/news/articles/…

This is why I am so obsessed with decentralized reproducible builds for #!os, so no one ever trusts me by design. When some entity asks me to backdoor it, it won't matter, as people will just see the new backdoor patch file in the repo and opt not to include it in their builds.