An Open Letter to Humanity

I openly discuss things which many people are afraid to discuss publicly. These include being transgender, drug addiction, eating disorders, and being a victim of domestic abuse.

I do not do this because it is safe. I do this because I want to let those who are scared to discuss it know that they are not alone. I want them to know that, yes, others dealing with these things do exist. That there are people they can trust. That if they decide they do wish to reach out publicly, in spite of the dangers of doing so, then they will be received with something other than pure hatred.

On Open Companies, Consent, and Safety (among other things)

There are two goals of Open Companies, as I understand them. The first is to create companies that are actually considered trustworthy, instead of barely above the legal minimum for trustworthiness. That is to say, companies that go out of their way to make sure that they are doing right by everybody who interacts with them – owners, employees, customers and/or users, society at large, etc. The second is to create an environment where people can more easily become involved with the company.

Also on Model View Culture

An Interview About Gittip With Marie Markwell

Gittip has since been renamed Gratipay.

We sat down with Marie Markwell, a contributor and user advocate at crowdfunding platform Gittip, to talk about community management, open company principles and what Gittip has done right and wrong so far.

Also on Model View Culture

Hello, Marie

tl;dr: I'm transgender. Going forward, please refer to me as Marie and use the pronouns she/her/hers.

Untrusted Code Execution Bug in Sicuro (Round 2)

This has been fixed as of Sicuro v0.6.0.

This is a required update. There should be no loss in functionality.

Scott Olson found a major security hole in Sicuro, 8 months (almost to the day) after the one Jens Nockert found.

Scott demonstrated that you could use the $stdin variable to get a reference to the IO class. This provided unfettered access to the filesystem and shell.

Untrusted Code Execution Bug in Sicuro

This has been fixed as of Sicuro v0.4.0.

Unfortunately, I had to disable require and load almost entirely. The exception is that require will return false if a file was already included.

Jens Nockert has exposed a rather major security hole in Sicuro.

Under basically any circumstances, Sicuro can be used to execute untrusted code. The technique Jens demonstrated was to terminate the process group that Sicuro#eval was called from. By modifying one of the parameters, it would instead terminate all processes that can be terminated by the user who ran the initial Sicuro#eval call. I have demonstrated the ability to use it to access a remote shell, but am unsure if it could be used for privilege escalation.