Spyke

Replies

Comment on

Anyone know what happened to open source ecology?

Hi, Michael Altfield here. I was the sysadmin for OSE from 2017-2020.

Everything OSE does is transparent, so you can just check the OSE websites to see what everyone is currently working-on. OSE contributors log their hours in a worklog called "OSE Dev". There you can quickly see who is working on what.

The above graphs show 4 contributors in the past ~10 weeks (one is me; we had some issues with the apache config recently). There's no direct link, but you can then check the wiki to see people's work logs (just search for the person's name and Log):

I also like to look at the MediaWiki "Recent Changes" page to peek at what people are up-to as well:

I told Marcin about Lemmy back in June 2023. Another OSE contributor even created an OSE community on the slrpnk.net instance, but it appears to have been abandoned. I'll email him about this thread to see if he'll bite and publish updates in this community since there's clearly interest :)

Also, shameless plug: I started an org that's very similar in spirit to OSE called Eco-Libre, with a focus on projects to sustainably enfranchise human rights in smaller communities. We're currently accepting volunteers ;)

Comment on

Guide to make vector topo maps with JOSM and Inkscape (infinitely scaleable paper wall maps)

Reply in thread

Yeah, it's dangerous for a community to tolerate and adopt closed-source software. We should have done a better job pressuring them to license it openly.

The OSM wiki pointed me to Maperitive first, but I wish it pointed me to QGIS first. We should probably edit the wiki with a huge warning banner that the code is closed, the app is full of bugs, and that it is not (and cannot be) updated.

Edit: I took my own advice and added a big red box to the top of the article warning the user and pointing them to QGIS instead.

Edit 2: Do we have any way to know when the latest version of Maperitive (v2.4.3) was released? Usually I'd check the git repo, but...

Edit 3: stat on the Maperitive-latest.zip file says that it's last modified 2018-02-27 17:25:07, so it's at least 6 years old.

Comment on

Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments"

I'm curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With "Restricted API Keys" you're able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account's payout methods (eg adding a new "Instant Payments" debit card to the merchant account as this attacker did).

Unfortunately, I asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as "low priority".

...I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)

privacy

Comment on

BusKill Dead Man Switch now available in a brick-and-mortar in Germany 🧱🛡️

Reply in thread

Yes, BusKill works similarly -- any USB drive can use the BusKill software.

The BusKill cable is just nice because it includes a magnetic breakaway, so it works when the laptop is snatched-away at any angle. There's actually a ton of anti-forensics software like usbkill and BusKill; we enumerate them all on our documentation's Similar Projects section.

You may want to check ^ it out :)

Comment on

BusKill (FOSS Dead Man Switch) v0.7.0 released 💾

Reply in thread

I've paid myself nothing so-far. The price just barely breaks-even for the business. There are one-time costs like a few grand for a CNC'd injection mold and assembly jig, but also certification fees, product boxes, cardstock paper for documentation inserts, printing fees, artist commissions, packaging materials, warehousing, shipping, other logistics fees, etc.

All of this is explained in-detail in "The Finances" section here.

I prefer open-source hardware to be designed using common off-the-shelf items that are easily found everywhere in the world. Unfortunately, the one vendor of USB-A magnetic breakaway couplers decided to EOL their product shortly after I published a guide on how to build your own BusKill cable. After we published, they all got sold-out, and we had to go to manufacturers for a custom component.

Prices would drop dramatically if we could do production runs (and actually sell) >10,000 units at a time. Currently we only sell a few cables per month. If you want to help, please tell all your security-conscious friends about BusKill :)

Comment on

What are You Working on Wednesday

I build open-source USB Dead Man Switches and the accompanying (also free) software.

You attach the kill cable to your body and if the connection between you and your computer is severed, then your device will lock, shut down, or shred its encryption keys. It's designed to protect high-risk users’ data. Data could include private keys (eg theft of cryptocurrency assets), contacts of correspondence (eg sources of a journalist – such as whistleblowers), etc.

Comment on

Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments"

Reply in thread

The problem is that creating a "Restricted API Key" means you have to tick "read" or "write" for dozens of different API "resource types".

So if WooCommerce doesn't document which resource types are needed, then "Restricted API Keys" are basically not supported because even security-conscious users cannot know how to produce a key that is fully functional yet satisfies the PoLP.

netsec

Comment on

BusKill Dead Man Switch now available in a brick-and-mortar in Germany 🧱🛡️

Reply in thread

Most people don't, but there are many high-risk folks who do. The main target is journalists, activists, and human rights defenders operating in oppressive countries.

There are also benefits for anyone with very sensitive private keys or other IP on their machines, including some businesses and cryptocurrency traders.

For more info, see Who Uses BusKill? in our documentation.