hello

  • 184 Posts
  • 273 Comments
Joined 1Y ago
cake
Cake day: Jan 17, 2022

help-circle
rss

src https://nitter.net/ayko2718/status/1597432454070956032
fedilink
12


i thought this headline couldn’t possibly be something the guardian actually published, but: here it is. they later edited the headline now to replace “doesn’t have to be” with “is”, but the original headline seen in the screenshot lives on in the URL. (I also confirmed that it isn’t one of those CMSes that ignores the last part of the URL - if you change anything it does become a 404.)

amazing.


https://www.semafor.com/article/11/22/2022/ap-fired-a-reporter-after-a-dangerous-blunder-slack-messages-reveal-a-chaotic-process
fedilink

using the word “toot” was a bad decision, as Eugen acknowledged when he made his mobile apps stop using the word back in May. And as of this month, it’s finally gone from the web app too. Good riddance!



the server software is non-free. iiuc it would be easy enough to reverse engineer the protocol from the client software (which is free software) but (last I checked, anyway) the server URLs are not configurable so you would actually need to patch and recompile the client to use a different server.


I’m certainly not recommending snaps, but, it is important to acknowledge the problem they’re trying to solve. “The debian model” means using years-old versions of everything, having a single set of dependency versions every program must share, and giving every package’s control scripts root access while you install it. This paradigm made sense when it was developed 25 years ago but it is far from ideal today.

i still ♥ Debian but there are tons of things I need to use which I can only get from somewhere else, so, “the Debian model” for me nowadays means a stable base system and then lots of software from other distributors (sometimes flatpak or appimage, but also a lot of podman containers of various distros).

What I am almost never willing to do is use 3rd party entries in my apt sources.list file on an actual host system (though I do in containers when necessary) - down that path lies madness.


yeah, I am aware, and I do actually think the xdg portal stuff is generally a good idea for a lot of programs… but the way it works right now sacrifices a lot of usability and doesn’t gain much security.

passing files given as commandline arguments seems like an easy problem to solve, but the linked file situation with SVG is much harder (probably requires a whole new flow for xdg portals where a program can request access to a bunch of files and prompt the user once to allow access to all of them). in the absence of any solution, imo it is silly that they’re shipping inkscape as a snap with strict confinement today.


I’m unsurprised to see lots of good reasons here why not to use them already, and none for why anyone does :)

I imagine the vast majority of snap users are using them only because Ubuntu ships a few things (like firefox) as snaps by default now.

I tried the Inkscape snap recently on an ubuntu system where i needed the latest release, and found that due to its sandboxing security theater (last I heard it is still not difficult break out…) it is impossible to open files from the commandline. And, even worse, when you use the Open command from File menu, it just passes the one file you selected in to the sandbox, so, when you open a file which has references to other files (which is not uncommon with SVG) it is not able to load them! So, I ended up using Inkscape’s AppImage instead.



true, though, i guess a lot of people use mostly (or entirely?) degoogled android things but then need/want/decide to use some shitty apps that bring back the tracking.

(i think there are android distributions that don’t actually make any connections to google? i’m not sure.)


i can’t tell if you’re saying that you read the arguments against phone numbers (for personal communication) that i linked to and you disagree with them all, or if you’re saying you didn’t read them.


Friendica-Lemmy federation question
cross-posted from: https://lemmy.ml/post/607806 > This profile: https://forum.friendi.ca/profile/helpers > > Appears on lemmy as a remote community here: https://lemmy.ml/c/helpers@forum.friendi.ca > > ...which i found interesting because so far I've only seen lemmy be able to support remotely subscribing to peertube channels (and remote lemmy communities). > > However, when I put another friendica profile URL like https://forum.friendi.ca/profile/news in to the lemmy search box, it federates it as a remote user instead of a community: https://lemmy.ml/u/news@forum.friendi.ca > > Can anyone explain what is going on here? cc [@nutomic@lemmy.ml](https://lemmy.ml/u/nutomic) [@dessalines@lemmy.ml](https://lemmy.ml/u/dessalines)
fedilink


Google and Amazon Helped the FBI Identify Z-Library’s Operators
cross-posted from: https://lemmy.ml/post/607133 > "It was fairly straightforward [for the FBI] to connect the dots, largely thanks to data provided by Google and Amazon, which led directly to the suspects."
fedilink

Google and Amazon Helped the FBI Identify Z-Library’s Operators
cross-posted from: https://lemmy.ml/post/607133 > "It was fairly straightforward [for the FBI] to connect the dots, largely thanks to data provided by Google and Amazon, which led directly to the suspects."
fedilink

xmpp and matrix are both interesting and useful, but both were first designed to send unencrypted messages which has led to many complications/difficulties/caveats when using them with e2ee nowadays.

sorry i don’t have time to properly enumerate those issues here right now :)


in a nutshell: imo you shouldn’t use anything that requires a phone number, and especially not things that use phone numbers as the identifier your contacts need to know to reach you. i wrote some reasons why here.

https://dessalines.github.io/essays/why_not_signal.html (by @dessalines, one of the authors of lemmy) has a lot of other reasons why not to use signal; i have mixed feelings about all of the things in their list of alternatives there but I think I’d use any of them before signal.


any privacy-related product that touts being in switzerland as a feature is immediately suspect. threema’s cryptography is some goofy stuff they made up themselves with numerous shortcomings documented elsewhere, but a big one which for me makes it not worth spending time looking in to further is that their forward secrecy story is this:

Threema provides forward secrecy on the network connection (not on the end-to-end layer).

This means that a malicious server can record all of your encrypted end-to-end messages, and decrypt them later if they ever obtain the key from one of the participants in the conversation. E2E forward secrecy is an extremely basic feature, invented more than 30 years ago and present in almost every new encrypted protocol released in the last decade. But threema decided to not even try!

Having FS between the user and the server, but not end-to-end between the users, only makes sense if you completely “trust” the server - which you’re supposed to do because they’re in Switzerland, I guess. But in that case, why bother with end-to-end encryption at all? 🤡


you could setup a bot to follow your own pixelfed from your mastodon and repeat every post. but, why? if you instead only post your photos to pixelfed and other stuff to mastodon, people get the choice of following either your photos OR your links and microblog posts (as we used to call them over a decade ago when the fediverse was called the federated social web) OR they can follow both. and that way, when someone on friendica or another mastodon replies to your pixelfed post, pixelfed-only users can see their reply, right? (i don’t know, i haven’t actually used pixelfed…)

the feature you’re looking for is called “cross-posting”, and there are many tools that do it, but this is an inferior stopgap solution to the problem of lack of interoperability in the incumbent platforms… which activitypub is attempting to provide a better solution for.

another downside to cross-posting is the lack of deduplication: if i want to just use one thing and follow your mastodon but i also want to see the comments on your pixelfed, i might end up following both and then seeing all of your posts twice.

(NB activitypub is also a technically lacking architecture in many ways… but it is better than cross-posting)

tldr you can post on your mastodon (and/or put in your profile there) “you can also follow my pixelfed (probably using whatever you’re using to read this) if you want to see my photos too”.


I’m not going to give a VPN-selling privacy tips site any credit for steering people to Firefox; Firefox has been one of the top browsers for longer than a lot of web users today have been alive.

Tutanota’s encryption is not compatible with anything else, and their freemium business model seems implausible. My understanding is that when you send an encrypted email to a non-tutanota user it sends them a link to the tutanota website, where they send some javascript on-the-fly which does the decryption (and hopefully doesn’t exfiltrate the key - but good luck verifying that at the time you’re actually using it). This is security cosplay, and can be very convenient for some adversaries who might otherwise be thwarted by people using some standardized encryption with software that isn’t running in a web browser. I recommend against Tutanota.

“What VPN do you use” is a complicated and personal question :)

For accessing lemmy I am using Tor Browser, with all of its problems. Neither Tor nor any VPN are really sufficient for hiding your location from serious adversaries, but for hiding from the copyright police while torrenting I recommend Mullvad. Click here to get a 68% discount when you sign up with my affiliate code!

want to become an affiliate yourself?

you can’t, because they actually don’t play that game :)


It had access to a lot more than just S3 buckets 😱

AWS docs say AdministratorAccess means "This user has full access and can delegate permissions to every service and resource in AWS. Presumably a company the size of InfoSys has other AWS accounts too though; who knows which or how many projects this one is actually used for. It’s perhaps worth noting the other permission it apparently had: access to the Amazon Redshift data warehousing product.

I’m trusting that the access key has really been revoked now, so it should be safe to say this:

Github won’t show the diff of the PR, probably because the InfoSys person deleted their account, but anyone who is curious can see the file they were trying to delete here: https://github.com/orf/pypi-data/blob/main/release_data/i/h/ihip.json … which in turn has the URL for the source package on files.pythonhosted.org, which is also still available right now due to the joy of CDNs (despite that the package metadata has been deleted from PyPI now so it is no longer searchable there). So, if anyone wants to see the ihip source code they still can.

Kudos to the pypi-data maintainer for their responsible handling of this. I think making the decision to nuke the leaked token themself was the right thing to do, and I really hope they don’t face legal persecution for it!

Everyone should assume that any AWS credentials accidentally published to a place like pypi will be exploited, even if they are only there for a short time (much less a year!) because there are definitely people with automated systems looking for things like this for purposes other than responsible disclosure.

And yet, somehow I think it’s probably reasonable to assume that InfoSys will not be notifying the patients who’s data is in Johns_Hopkins_Hospital/Input/Excel/Covid_patientdetails/covid_patient_details.xlsx and the presumably many other similar files there, and they also probably will not be doing any kind of massive audit of everything else that god mode on that AWS account could read and write.

Everything is terrible 😢


Headline: “all trackers”

First sentence: “most third-party trackers”

I already had this website flagged in my memory as being full of shit, and this headline is another datapoint supporting that conclusion. Their recommendations are more bad than good; I mean, they recommend things like NordVPN and Signal and Threema among lots of other garbage. Their mission page says “No paid rankings, paid content, or paid linking schemes” and “We follow standard webmaster guidelines and do not accept payment for links or content in any form”… but then also admits “If you buy through links on this site, we may earn a commission, which helps support our mission.” 🤣

Obviously the reason their first VPN suggestion is NordVPN (a shady company that is most likely not only giving data to cops but also selling it to other companies), and they offer you a 68% Off Coupon for it, obviously that has nothing to do with them being paid earning a commission.

🤦 🤮

(I don’t have an opinion about the DuckDuckGo Android App Tracking Protection thing; assuming it is free software enough that it can be installed from f-droid, it might be worth looking in to.)


The Single Board Computer Database, a comparison website for SBCs and SOMs (formerly known as Board-DB), has relaunched!
cross-posted from: https://lemmy.ml/post/604088 > cross-posted from: https://lemmy.ml/post/604087 > > > cross-posted from: https://lemmy.ml/post/604086 > > > > > Thanks to [@MartijnBraam](https://lemmy.ml/u/MartijnBraam): https://blog.brixit.nl/finding-an-sbc/
fedilink

The Single Board Computer Database, a comparison website for SBCs and SOMs (formerly known as Board-DB), has relaunched!
cross-posted from: https://lemmy.ml/post/604087 > cross-posted from: https://lemmy.ml/post/604086 > > > Thanks to [@MartijnBraam](https://lemmy.ml/u/MartijnBraam): https://blog.brixit.nl/finding-an-sbc/
fedilink

Signals alternative to SMS

lmao, simplex is not Signal’s and also not exactly an alternative to SMS.

fwiw the confusion in this thread was presumably inspired by another recent one asking for a Signal alternative for SMS (which simplex is also not, but was mentioned there).




I think OP is not looking for an encrypted chat but rather looking for a replacement app to send unencrypted SMS messages (and store them encrypted on the device) like Signal has done since it was called TextSecure and is finally going to stop doing now.





OpenSSL: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
see also: https://nitter.net/hanno/status/1587775675397726209
fedilink