Notices by Daniel Micay (danielmicay@grapheneos.social)

@warai_o @tastytea @Froggo

We initially used infosec.exchange and we created this up after infosec.exchange started being defederated due to CISA making an account. CISA is the US federal agency for cybersecurity infrastructure security, and definitely not law enforcement as it was portrayed. Even if they were law enforcement, I still would have found defederating the instance because of a completely non-toxic, innocuous account to be ridiculous. This plays into why we didn't import a list.

@warai_o @tastytea @Froggo I think you saw the one making a completely baseless claim that the person who did the swatting was trans. I suspect they are harassing one of my followers, saw my post on their feed and then showed up here.

https://cum.salon/notice/AV1R0WeDiCMrcgb3Ka is another similar example. Yesterday, the person who did the CSAM spam and swattings a couple days was also doing something similar using "blacklivesmatter" as a prefix on their names to try to make us look bad when we banned them.

There's an active police investigation into what happened. It was a very serious incident going far beyond online harassment and libel. There was very a clear cut attempt to have me killed by a Calyx supporter who was raiding our chat rooms spamming child porn and harassing me.

GrapheneOS infrastructure and data is safe. I am currently safe but there is someone actively trying to get me killed. There is harassment and libel occurring across platforms, and there are certain people spending hours every day targeting GrapheneOS and myself in multiple ways.

Calling the police and telling them a fake story that I have murdered multiple people with a gun and will shoot the police when they come is attempted murder. They even pretended to be me on one of the calls. They have attempted this multiple times now so it doesn't work anymore.

Standard approach from Techlore, Calyx and their associates is to spread misinformation about GrapheneOS and claim I'm delusional, insane, etc. in response to technical rebuttals. They'll claim their harassment is imagined while directly engaging in it.

https://freeradical.zone/@sylentpunk/110265883127641344

There have been years of spreading fabricated stories about me, vicious personal attacks and harassment targeting me. https://twitter.com/DanielMicay/status/1547286521597894657 is one of many examples of people who are welcomed in the open source community participating in this and encouraging these attacks on me.

When I talk about it, they claim they are being harassed by me talking about their toxic behavior towards me. They claim that refuting their many fabricated stories about is somehow toxic. They have created a substantial harassment campaign towards me from their communities.

These two people spend hours every day trying to harm me:

https://reddit.com/user/SecureOS/comments/
https://reddit.com/user/1MxtaL6FHK/comments/

The 2nd account is the latest sockpuppet of someone who has cycled through over 20 accounts. They have raided our Matrix rooms, threatened us, blackmailed us and more.

Reddit admins are completely missing in action. Mods of major subreddits like /r/privacy and /r/degoogle are permitting this in the name of free speech.

People doing also heavily abuse Reddit's blocking feature which prevents people replying to them or even to replies to them.

There is a very high likelihood that this person is the one who raided our Matrix rooms spamming child porn and then tried to have me killed via swatting. Take a look through their comments and bear in mind they have many other accounts. They post clear falsehoods over and over.

There is a large conspiracy-focused subreddit being used to direct harassment towards open source developers, particularly myself. Reddit has done nothing about it. Accounts linked above are heavily active there. A major focus is spreading fake stories from Calyx and Techlore.

This has reached a completely unacceptable and intolerable level. I am not getting nearly enough help dealing with this. I don't expect the police investigation into the people who tried to get me killed to identify them, but I already know who is responsible for the harassment.

@warai_o @tastytea @Froggo

I've blocked the person you're referring to and their instance is now blocked too. They refused to remove the comment.

I have been clear about what happened:

https://grapheneos.social/@DanielMicay/110267918805461751

An alternative is that I will simply shut down grapheneos.social because our experience with the fediverse has not been good.

@warai_o @tastytea @Froggo I have seen long lists of toxic instances provided by others, but I cannot really trust that there aren't bans due to personal grudges or overreactions. I would have to go through each instance and check that the people hosting it are creating a haven for toxic behavior like racism, etc.

Trolls got attracted to this thread and have been bothering me. As you noticed, some were claiming to be supportive but they would not remove their posts when I politely requested it.

The harassment targeting me has escalated to attempted murder. That is not hyperbole in any way. I will be talking with my lawyer and deciding which information can be published about this. Endless fabricated stories about me from Techlore and Calyx are directly to blame for it.

@dalias @aral Firefox and Safari haven't implemented it yet but Mozilla has an incomplete linting tool meant to enforce the same rules:

* https://github.com/mozilla/eslint-plugin-no-unsanitized
* https://github.com/mozilla/eslint-plugin-no-unsanitized/issues/81

Nicer to have it enforced as part of Content-Security-Policy instead of as a linting tool. I can understand not wanting the complexity of non-browser-defined sanitizers. Maybe they'd be willing to implement only the 'perfect types' mode (trusted-types 'none') without it. It just rules out ugly frameworks.

@dalias @aral This can be enabled using Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none'. It disables the unsafe APIs (XSS sinks) like innerHTML injecting text as HTML and similar problematic approaches. Defining `trusted-types 'none'` disables non-browser-defined trusted sanitizers.

https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/ is a good article about it from Microsoft. We use this approach for the GrapheneOS sites, although zip library used for the web installer is incompatible.

Linux 6.1 broke something about memory management and causes perfectly normal mmap requests with MAP_ANONYMOUS, PROT_READ|PROT_WRITE, MAP_PRIVATE and no hint to fail in OpenJDK while generating the ART boot image as part of an Android builds. Stuck on Linux 5.15 because of this.

#linux #mmap #bug #openjdk #android