Desert Nomad, First Responder, Reverend, Intelligence Analyst, Computer Expert, Cowboy, Sorcerer, Metaphysician, Polymath.

  • 5 Posts
  • 18 Comments
Joined 2 years ago
Cake day: October 4th, 2023

  • I feel bad for you OP, I get this a lot and I’m totally gonna go there because I feel your pain and your article was fantastic! I read almost every word ;p

    This phenomenon stems from an aversion to high-confidence people who make highly logical arguments from low self-confidence people who basically make themselves feel unworthy/inadequate when justly critiqued/busted. It makes sense for them to feel that way too, I empathize. It’s hard to overcome the vapid rewarding and inflation in school. They should feel cheated and insolent at this whole situation.

    I’ll be honest in front of the internet; people (in majority mind you, say 70-80% of Americans, I’m American) do not read every word of the article with full attention because of ever-present and prevalent distractions, attention deficit, and motivation. They skip sentences or even paragraphs of things they are expecting they already know, apply bias before the conclusion, do not suspend their own perspective to understand yours for only a brief time, and come from a skeptical position no matter if they agreed with it or not!

    In general, people also want to feel they have some valid perspective “truth” (as it’s all relative to them…) of their own to add and they want to be validated and acknowledged for it, as in school.

    Guess what though, Corporations, Schools, Market Analysis, Novelists, PR people, Video Game Makers, Communications Managers and Small and Medium Business already know this! They even take a much more, ehh, progressive? approach about it, let’s say. That is, to really not let them speak/feedback, at all. Nearly all comment sections are gone from websites, comment boxes are gone from retail shops, customer service is a bot, technical writers make videos now to go over what they just wrote, Newspapers write for 4th graders, etc., etc.

    Nothing you said is even remotely condescending and nothing you said was out of order. Don’t defend yourself in these situations because it’s just encouragement for them to do it again. Don’t take it personally yourself, that is just the state of things.

    Improvise, Adapt, Re-engineer, Re-deploy, Overcome, repeat until done.


  • Ah, much better. MITRE CWSS + CWARF is comprehensive, yet insular and as is MITRE, Military/NATSEC Focused. I do not see any flaws in my reasoning, but words as communication. I do concede that maybe my saying an alternative to CVSS is not really the best wording as I see such things in very broad terms, but I get the perspective now. As in, the common singular, Gov/Corp system does not fit, I need an alternative model that does. In contrast to I need another exactly scoped system that does it differently alternative.

    To evidence this I can point to that fact that I even advocated that CVSS-BTE v4.0 should be NVD baseline, but I didn’t make this very clear that I’m expanding the CVSS as an alternative use, different in applicability, essential in nature, and somewhat built upon CVSS and OWASP with a different, very important objective.

    Not replacement, which I never intended… I’ll change the article to reflect those views, well done.


  • Help me understand your glancing criticisms that I’m taking with a grain of salt.

    1. You didn’t mention the central premise that is flawed, what do you think it is?
    2. I’m not confused about vulnerability and threat, what specifically did you read that gave you that impression?

    You mention that CVSS, which I hold Certification in, is for scoring single threats which I said so many times that is why I made such a system, to depart from CVSS singular, that is inadequate in being singular and common. Glance again?

    Compare what with attack? Also, if you mean Lockheed Martin Cyber Kill Chain, that has nothing to do with scoring, that is the methodology OF the attack and defense of it, not the attack itself; it is a defensive strategy including reconnaissance and has nothing to do with scoring.

  • I recently invented a “People First” Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation, with many benefits over CVSS. In it, I prioritize “exploit chains” as the primary threat going forward. Lo and behold, this new exploit, although iOS, is possibly one of the most sophisticated attacks ever, using one of the longest exploit chains ever! Proof positive!

    Depending on how you define it; I define the Kaspersky diagram as having 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluate Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).

    You can read about it if interested. An interesting modeling problem for me was: do stages always equate to complexity? Does the number of exploits in the chain make it easier or harder to intrusion detect, given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluated inversely?

    https://www.quadhelion.engineering/articles.html

  • Interesting timing, myself having spotlighted Corporate greed in my screed. The internet is afire, bringing the website offline at times, with the supremely influential https://usdebtclock.org/ updated tonight, covering up all its valuable financial data in a foreboding hint with the following quotations:

    “You are a den of vipers and thieves. I intend to rout you out, and by the eternal God, I will rout you out. If Congress has the right under the constitution to issue paper money, it was given them to be used by themselves, not to be delegated to individuals or corporations.”

    “The mischief springs from the power which the monied interest derives from a paper currency which they are able to control, from the multitude of corporations with exclusive privileges…which they have employed for their benefit"

    • Andrew Jackson.

  • Bringing the big brain out on me! This is off the cuff.

    1. I was not aware of Universal Design principles but a quick look suggests Principle 5: Tolerance for Error is most applicable to Software Engineering. Why not 1-5 bedrock? Because, in my opinion, the general state of software is that it is more functional yet just as unreliable as in decades past. What is the first thing a little-experienced user does when an error occurs? Yeah, they quit. No access. The micro-service paradigm has made the situation eminently worse as even finding the blame/responsibility for “no access” is fruitless.

    2a. With anything of this type, the most obvious risk is to my own reputation. Security is a field burdened with responsibility, people come to rely on it, what if they get hacked using my repo? I only took on things I spent months understanding and testing absolutely everything by hand. I limited myself to only distributions I could juggle, use daily, so I could be responsive to needs.

    2b. Risk is competing objectives. FreeBSD and thus its reliants, Ghost and Dragonfly, are in a strange position right now. FreeBSD is Linuxifying itself and adding more Corporate Sponsorships than ever in a path away from traditional BSD security. This presents itself as a potentially competing ethos situation for me, but not yet.

    2c. OpenBSD is used by world security intelligence agencies and I hear the DoJ. Am I without my knowledge picking sides here and favoring some entities over others? Famously DARPA and FBI backdoor right? I researched the OpenBSD Sponsorship list carefully and asked around. The OpenBSD availability (at least of the version we use!) is equitable and I purposely put out an OpenBSD honeypot to see which entities would try to compromise it! Results: Fair.

    1. This is a can of worms because what we are really talking about is the Linux-Effect. Started out community home-grown to now be a Corporate Globally Mega-Corp sponsorship vehicle estimated to be worth $100 Billion. Even Apple is now a Silver Linux sponsor. What I am saying is Corporate dominance is think-tanking and policy making. Data selection is inherently profit focused instead of Humanity Progression focused. Bodies like the UN, EFF, et al. are wholly ineffective.

    The paths forward on that are gruesome to be honest, as what would be best would be something like a randomly selected group of High School Science Fair finalists and Waitresses to form a Governance body with teeth to dissolve Corporations completely for profiteering off populace private data, genetic data, financial data, and the engineering decisions that are ubiquitously driven by them, when determined that a Corporation or other Government body is acting against our future.

  • Elias Griffin@lemmy.world to Privacy@lemmy.ml, on “Please, do not use Brave.”
    6 upvotes, 4 downvotes · 2 years ago

    Spyware is a bit of a stretch. However, let’s talk about Firefox. Mozilla Corporation is a Billion Dollar Corporation that is tied at the hip to Google and uses 115+ servers to track every single thing you do.

    Chromium explicitly uses shared memory and is technically able to write and execute not only shared data from private/incognito to regular windows or tabs but adjacent processes. You can search for mmap in the Chromium repo or try to use Chromium with FreeBSD or GhostBSD sysctl.conf set with kern.elf64.allow_wx = 0 - it won’t run.

    The Precise Geolocation Timeout for Firefox is 68 years.