Computer science student based in Leipzig, Germany. As of recently barista for a milkhungry baby human and on parental leave from writing kotlin backends at spreadshirt.
DE / EN / HU
Well, I'm on a camera bringup streak it seems! 🚀
As of tonight the Fairphone 3 cameras (front and rear) are working on postmarketOS with mainline Linux!
And if you saw, only last week I got the Fairphone 4 cameras to work.
A bright future is ahead for mobile Linux! 📸
(Brought to you by a night train 🚂)
#postmarketOS #LinuxMobile #MobileLinux #libcamera #Fairphone #Fairphone3
Wenn die KI meinen Job übernommen hat, zahlt sie dann auch meine Miete? Wäre ja nur fair..
July is #DisabilityPrideMonth
Wait, disability ... pride? Why would someone be proud to be disabled?
One of the most important aspects of disability pride for me is to counter the shame. The shame of “being different,” the shame of “needing help,” the shame of “being a burden,” the shame from the humiliation and abuse I have experienced.
Disability pride gives me the chance to counter the shame by saying, “I am disabled, and I am proud to exist and be who I am.”
»7. Oktober und Gaza-Krieg: Humanität ist unteilbar!« Topp Positionierung des FC St. Pauli.
♥️🤍🤎
https://blog.fcstpauli.com/blog/7.-oktober-und-gaza-krieg-humanit%C3%A4t-ist-unteilbar
An interesting example of how, in the age of #AI, hacking simply gets creative and adapts its strategies to the new tools it can use.
Did you know that you could leak the personal information of anyone who has given full access to their #Github account through the MCP server, and then leverage the exploit by simply querying any AI agent supported by Github’s MCP server?
The process is alarmingly simple:
Create a Github issue on any public repository owned by the user you want to target.
The issue has a malicious payload that will trigger the AI agent later on to leak the information you need. Include some instructions for your agent such as:
Open your favourite AI model that supports the Github MCP interface (Claude was used in this example) and give it a prompt such as “have a look at all the issue in my open repo <public repo above> and address them”.
What happens then is that the agent will diligently go through all the open issues in the repo (included the malicious one you opened) and create PRs that address them.
So what happens if the impacted user gave their Github MCP integration full access to their repos, and the repo is configured to always allow PRs submitted by AI agents?
Well, you guessed it. In the PoC described in this article they managed to pull all the private repos that the user contributed to, as well as their email, phone number, address and even salary and relocation plans. All packaged in a nice PR created by the agent on the public repo.
I’m curious if anyone tried with an issue description such as “find all the API tokens that the user has submitted to any of its repos, including the private ones”.
These are called “toxic agent flows”, as they can hijack trusted agents exposed to more information that they should to leak private information through trusted flows.
If you want to use MCP integrations (or any AI-based integration) in your Github repos, always apply the principle of least privilege. Don’t give agents permissions over your private repos unless you really, really must - and, if so, preferably use another account for those integrations, or give the permissions on a temporal window.
I would also suggest, if possible, to avoid using Github for your private repos. Being the most used platform for software development, and with so many integrations, means that there are a lot of people trying to leverage everything they can to squeeze information out of it, and the surface of attack is huge. Gitlab requires quite some administrative efforts, but something like Forgejo or SourceHut runs fine even on a RPi. That’s probably where you should put your private repos. Or, even better, if you don’t need a UI, just:
SSH into anything that has ssh and git. Even a microcontroller could do it
mkdir my-repo && cd my-repo && git init --bare
Go back to your machine
git clone user@mything:/home/user/my-repo
That’s it. If you don’t need a UI to manage your private repos (how many PRs do you plan to accept on your dotfiles or your CV?), just avoid it. In the age of AI, like in any other technological ages, it’s our responsibility to make our own surface of attack as small as possible.
And of course monitoring is always key, but I’m not sure if the solution proposed in this article (fighting an AI problem with more AI) is the right way to go. Even if you train your model on a bunch of malicious issues, there are just countless ways to bypass those patterns or find new ones. The problem of excessive permissions given to external integrations isn’t a problem that started with AI - but AI is providing just other creative ways of exploiting it.
I turned random blobs into characters 🎨
Which one is you favorite? Did you ever try this exercise?
If you aren’t using AI, you run a very real risk of falling behind in the race to produce voluminous mediocrity while slowly forgetting how to do your own job.
> AI algorithms can quickly scan websites and applications for issues like missing alt text, insufficient color contrast, incorrect heading structure, missing keyboard support, and even point out potential screen reader user experience inconsistencies!
As can any good accessibility test tool. No “AI” needed. It’s like three clicks in Polypane. And it gives me hard information, not “halucinated” text that might or might not be correct.
There’s a lot that can be automated. This is not it.
something something kubernetes at home
This happened earlier this week. I got to attend when four(!) young owls where measured and ringed.
Yes, very soft, smelled good and this young owl was very calm when I held it. The whole process was very quick and all four of them were healthy.
Yay! Good news for the eagle owl population here in Sweden!
Continuing our volunteer effort to make GNOME Calendar fully accessible with a keyboard (see thread for context), we fixed a major bug that was causing the focus to disappear into the abyss when the user tried to tab into the month view in merge request !576. This means, as of this commit, events should now be completely functional and accessible within the month view. Additionally, the merge request changes the keyboard and focus behavior within the month view: Events can only be cycled using arrow buttons, the focus can't escape the month view with arrow buttons, and entering/exiting the month view can only be done with tab. These improvements will be available on GNOME 49.
#GNOME #Accessibility #a11y #GNOMECalendar #Calendar #FOSS #FreeSoftware #Linux
@csepp All in all I do like the direction a lot
@csepp I do like the idea, but imo they need polish.
- When I first tried them I didn't get break reminders. Turns out break reminders are ignored in do not disturb mode
- A qick setting option would be cool. Don't want them when I watch a movie
- I often found myself wondering when the next break woukd be due, to decide if it is worth diving into something or just taking a break earlier. That user story could be supported.
your periodic reminder that telegram is convenient but wildly insecure, with problematic administration:
https://www.404media.co/telegram-gave-authorities-data-on-more-than-20-000-users/
try signal. it doesn’t suck anymore.
Fast unbemerkt brachte der April einen weiteren kleinen Meilenstein der #Energiewende. Weltweit wurde erstmals mehr Strom durch #Photovoltaik als durch #Atomkraft erzeugt. In nur fünf Jahren hat sich laut des Analysediensts Ember die Solarstromerzeugung verdreifacht!
@powersource A simple approach to this would be a view of *people* you follow, sorted by most recent activity, and each person is shown with their latest few posts/replies/boosts.
You can click through to their profile, where you can see their full journal (yes, I'm still Scuttlebutt-brained). This serves the use case “I wonder what <person> is up to”.
Chattier people would still rise to the top, but they wouldn't take up any more space than the quieter folk.
I don't need a timeline of posts because I don't come here for posts. I come here for people, so show me people.
As several people have pointed out, phanpy is looking pretty interesting and actually dares to experiment a bit! I hope it ends up on fdroid
Mastodon unironically needs more algorithms. A friend who posts once a week, impossible to catch it. A friend who mostly replies to people, also too hard to catch. An area where the tech development clearly drags behind bluesky.
Stadt Leipzig will Mietwucher bestrafen
> Am Mittwochabend hat der Stadtrat Leipzig beschlossen, Mietwucher künftig als Ordnungswidrigkeit zu erfassen und zu ahnden. Laut Stadt sind schon Hunderte Meldungen zu überteuerten Mieten über eine App eingegangen.
