@catsalad @SecureOwl ah, yeah! that was the post!! 
nyanbinary@infosec.exchange
Posts
-
I forgot who here did the "QR code on the porch, to see which delivery company scrapes shit" (edit: @SecureOwl !!!) but it would be interesting to take this one step further: Present QR codes for unique honeyurls in public & monitor visits.
Option one would be just showing them in-the-moment to surveillance cameras etc.
Option two, and this would require some work, is having a display of sorts (epaper?) on a backpack/jacket/... that encodes the current coordinates into the honeyurl, allowing you to create a map of accesses
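The second option, a unique honeyurl that carries the coordinates at the time it was shown plus a collector that turns web-server hits into a map, as an added Python example that is not from the original post. The key, the collector host honey.example and the access-log lines are all constructed for the example; the token is HMAC-tagged so that guessed or altered URLs are dropped instead of being plotted as sightings.

```python
import base64, hashlib, hmac, re, struct, time
from urllib.parse import urlparse

# Constructed key and collector address for this example; use your own private values.
SECRET = b"example-honeyurl-key"
BASE = "https://honey.example/t/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{27}")   # 20 bytes as unpadded urlsafe base64
# Common Log Format: client ident user [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/\S+" \d{3}')

def make_honeyurl(lat, lon, ts=None):
    """Pack lat/lon (micro-degrees) and a timestamp into an HMAC-tagged URL."""
    ts = int(time.time()) if ts is None else ts
    payload = struct.pack(">iiI", round(lat * 1e6), round(lon * 1e6), ts)
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:8]
    return BASE + base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def decode_token(token):
    """Return (lat, lon, ts) when the tag verifies, else None (forged, corrupt or guessed)."""
    if not TOKEN_RE.fullmatch(token):
        return None
    raw = base64.urlsafe_b64decode(token + "=")
    payload, tag = raw[:12], raw[12:]
    expect = hmac.new(SECRET, payload, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        return None
    lat_i, lon_i, ts = struct.unpack(">iiI", payload)
    return lat_i / 1e6, lon_i / 1e6, ts

def map_hits(log_lines):
    """Collect (client_ip, lat, lon, ts) for every log line that fetched a valid honeyurl."""
    prefix = urlparse(BASE).path
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group(2).startswith(prefix):
            continue
        decoded = decode_token(m.group(2)[len(prefix):].split("?")[0])
        if decoded:                     # unverifiable tokens are noise, not a sighting
            hits.append((m.group(1), *decoded))
    return hits

def demo_hits():
    """Constructed log sample: one real honeyurl visit and one guessed token."""
    good = urlparse(make_honeyurl(55.6761, 12.5683, ts=1700000000)).path
    lines = [
        f'203.0.113.7 - - [14/Nov/2023:22:13:20 +0000] "GET {good} HTTP/1.1" 200',
        f'198.51.100.9 - - [14/Nov/2023:22:15:00 +0000] "GET {urlparse(BASE).path}{"A" * 27} HTTP/1.1" 404',
    ]
    return map_hits(lines)
```

Each display refresh calls make_honeyurl with the current fix, and map_hits over the collector's access log yields the (client, position, time) rows to plot.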

-
I'm going to say something that's been festering in my mind for a while now.
@da_667 Ok, so, some thoughts, I was uncertain if I should post it as a reply or a standalone post as it's more "my own thoughts than a reply" but ...
I srsly dislike the term "responsible disclosure", most cold take, I know - framing all other methods as irresponsible while only creating one-sided responsibility, yadda yadda yadda. This is in addition to the discussion of financial incentives/bug bounties - morality & work often do not combine well in our current economic system.
The responsible thing to do with a detected vulnerability absolutely depends on the vendor (or as a stand-in the industry), on the downstream impacts of the vulnerability, exploitation status, ... - full disclosure can absolutely be the morally right thing to do. Unfortunately, without pressure (be it economic or legal - rip social pressure/shame as a functional tool...) for software & service providers to clean up their shit (be it with actual functional CVD programs or proactively not putting customers/users at risk by actually writing reliable software) there is absolutely no incentive to do so. Repeated painful full disclosures might actually be a positive as it can contribute to such pressures. If you, however, were to drop an RCE in curl on 4chan I would feel the need to slap you
Things get a lot more complicated imo when it comes to using/selling/non-publicly distributing vulnerabilities with impact potential. While I said that morality & work don't combine well this doesn't mean you get a blank check if you do it to pay your bills - amoral & immoral are very much different things. I am young, naive, and privilege-maxxing, but I believe there is a duty to, at least, not make the world worse.
None of this precludes it from being the right thing - hi, the thing that got me into political action (non-digital!) was the Phineas Fisher texts. Ignoring the particulars I still believe the basics hold true: We need to make the world better & hacktivism or distribution of secrets can be a tool in this toolbox. For me, as your local non-ideologically-committed certified left wing extremist this precludes support for states (in most situations) & a universal objection to private sector sales (as you srsly can't control it at that point), but my framework isn't your framework.
Anyway, too many words, tldr: Fuck responsible disclosure, do a case-by-case assessment & please try not to make the world worse, that's all I am asking for

-
@cR0w where does "execs using AI" rank in this?