cypherpunks

@cypherpunks@lemmy.ml

cultural reviewer and dabbler in stylistic premonitions


cypherpunks ,

Mattermost isn't e2ee, but if the server is run by someone competent and they're allowed to see everything anyway (eg it's all group chat, and they're in all the groups) then e2ee isn't as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you're using web-based solutions which do have e2ee, also leads to circumvention of it).

If you're OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.

edit: oops, i see you also want DMs... Mattermost and Zulip both have them, but without e2ee. 😢

I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.

cypherpunks Mod ,

FICO is just one of a multitude of scoring systems which impact people's lives in the US today.

https://en.wikipedia.org/wiki/Criticism_of_credit_scoring_systems_in_the_United_States

You and your friends' social media activity, among numerous other things, can absolutely affect your ability to get a loan, a job, a rental contract, etc.

cypherpunks Mod ,

Tell me you didn't click either link in my comment without telling me you didn't click either link

cypherpunks ,

The basis of this joke is the Simplified-vs-Traditional character sets for Chinese languages, but, there actually is a thing called Basic English which is sometimes called Simple English and which is used on the Simple English Wikipedia.

A helpful graphic about writing alt text (lemmy.ml)

image description: An infographic titled “How To Write Alt Text” featuring a photo of a capybara. Parts of alt text are divided by color, including "identify who", "expression", "description", "colour", and "interesting features". The finished description reads “A capybara looking relaxed in a hot spa. Yellow yuzu fruits are...

cypherpunks OP Mod ,

Color can provide useful context. For example, in the case of this image, imagine if in a thread about it there was some discussion of the ripeness of the yuzu fruit.

cypherpunks Mod ,

I'm the worm in the apple car.

That worm has a name: Lowly

cypherpunks Mod ,

no, it's because the basis of your joke is elder abuse.

Google Allows Creditors to Brick Your Phone (lemmy.world)

I installed NetGuard about a month ago and blocked all internet to apps, unless they're on a whitelist. No notifications from this particular system app (that can't be disabled) until recently when it started making internet connection requests to google servers. Does anyone know when this became a thing?...

cypherpunks ,

You act like it is Google’s fault that someone found questionable software on the phone they got from Rent-a-center or Alibaba.

Google made the app.

cypherpunks ,

So then send the URL to the play store page from the app posted in ops photo. Go ahead, waiting.

lol, what? i did, in another comment, shortly before you posted this. here it is again: https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock

cypherpunks ,

sources and image transcript:

  • the top half of the image is a screenshot of this article about a startup claiming to be able to use ultrasound to induce lucid dreams so that "people can work in their sleep". (spoiler: it's vaporware)
  • the lower half of the image is a screenshot from this (imo worth-watching) 2 minute video from 2016: Hayao Miyazaki's thoughts on an artificial intelligence with the subtitle "I strongly feel that this is an insult to life itself." There is a more detailed description of that video here. (Guillermo del Toro agrees.)
cypherpunks Mod ,

You interpret this meme as being in favor of the US banning TikTok? I don't.

cypherpunks ,

It sure is convenient for law enforcement and others to have the ability to immediately get the IP addresses of all visitors to a specific URL. (They just need to circumvent the OHTTP by asking fastly and google to collude...)

cypherpunks OP , (edited )

post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.

Good on them for saying that.

A "remedy against the illness that nobody has" is a good analogy, but it is important to note that it's an illness which there is a consensus we are likely to eventually have and a remedy that there is good reason to believe will be effective.

It isn't a certainty that there will ever be a cryptographically relevant post-quantum computer, and it also isn't a certainty that any of the post-quantum algorithms (as with most classical cryptography) which exist today won't turn out to be breakable even by yesterday's computers. The latter point is why it's best to deploy post-quantum cryptography in a hybrid construction such that the system remains secure even if one of the primitives turns out to be breakable.

That said, I think it is totally wrong to call PQC snake oil because that term in the context of cryptography specifically means that a system is making dishonest claims: https://en.wikipedia.org/wiki/Snake_oil_(cryptography)

cypherpunks OP ,

they basically agree with you

yes, I realize :)

I should've made clear in my comment that, aside from a bit of imperfect English and incorrect use of the term snake oil, I think this is an excellent blog post.

cypherpunks ,

next time you can use su or sudo

cypherpunks ,

Only with --user (I think)? Root can also update the "system installation" flatpaks, which are presumably what OP needed a password for.

cypherpunks ,

That installs and or updates roots flatpaks

Which is what flatpak will always do unless provided with the --user flag.

By default it operates in system-wide mode, which is different from "root's".

flatpak list and sudo flatpak list will both show you what is installed system wide, and flatpak list --user will show you your user's, and sudo flatpak list --user will show you the root user's flatpaks installed in per-user mode (of which there are typically none).

cypherpunks , (edited )

That "Tool Options" window you have open contains one tab, which is (also) called "Tool Options". You can drag it (dragging the tab, not the window that it is inside of) on to any of the other tabs representing docked dialogs and the window will disappear and Tool Options will be docked as a tab there. By default the Tool Options dialog would be docked in the top right region where you currently have four docked dialogs (with Brushes selected). HTH.

cypherpunks ,

someone did that before microsoft had even released WSA but I don't see anything about people doing it recently. probably someone is working on it right now though, given this news.

cypherpunks ,

via this thread here is a 🧲 magnet link for a torrent someone made containing "all their Github issues, the git repo on its last version, the latest available release binaries from the Github page, and all of their progress reports from the Yuzu website".

Some AI models get more accurate at maths if you ask them to respond as if they are a Star Trek character, ML engineers say (www.businessinsider.com)

Researchers asking a chatbot to optimize its own prompts found it was best at solving grade-school math when acting like it was on Star Trek.

cypherpunks , (edited )

LLM detractors hate this one weird trick

cypherpunks , (edited )

edit: the two issues i raised in this comment had both already been addressed.

this was the developer's reply on matrix:

  1. We do have a CLA: https://cla-assistant.io/ente-io/ente
  2. We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
  3. The portion of the document that deals with authentication has been outdated, my bad. We've adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/
here is my original comment

AGPL-3.0

Nice

This would be nice, but, this repo includes an iOS app, and AGPL3 binaries cannot be distributed via Apple's App Store!

AGPL3 (without a special exception for Apple, like NextCloud's iOS app has) is incompatible with iOS due to the four paragraphs of the license which mention "Installation Information" (known as the anti-tivoization clause).

Only the copyright holder(s) are able to grant Apple permission to distribute binaries of AGPL3-licensed software to iOS users under non-AGPL3 terms.

Every seemingly-(A)GPL3 app on Apple's App Store has either copyright assignment so that a single entity has the sole right to distribute binaries in the App Store (eg, Signal messenger) or uses a modified license to carve out an Apple-specific exception to the anti-tivoization clause (eg, NextCloud). In my opinion, the first approach is faux free software, because anyone forking the software is not allowed to distribute it via the channel where the vast majority of users get their apps. (In either case, users aren't allowed to run their own modified versions themselves without agreeing to additional terms from Apple, which is part of what the anti-tivoization clause is meant to prevent.)

Only really nice when no CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.

I definitely agree here! But if it's true that they're accepting contributions without a CLA, and they haven't added any iOS exception to their AGPL3 license, then they themselves would not be allowed to ship their own iOS app with 3rd party contributions to it! 😱 edit: it's possible this is the case and Apple just hasn't noticed yet, but that is not a sustainable situation if so.

If anyone reading this uses this software, especially on iOS, I highly recommend that you send the developers a link to this comment and encourage them to (after getting the consent of all copyright holders) add something akin to NextCloud's COPYING.iOS to their repository ASAP.

cc @ioslife @baduhai @skariko

(i'm not a lawyer, this is not legal advice, lol)

edit: in case a dev actually sees this... skimming your architecture document it looks like when a user's email is compromised ("after you successfully verify your email"), the attacker is given the encryptedMasterKey (encrypted with keyEncryptionKey, which is derived from a passphrase) which lets them perform an offline brute-force attack on the passphrase. Wouldn't it make more sense to require the user to demonstrate knowledge of their passphrase to the server prior to giving them the encryptedMasterKey? For instance, when deriving keyEncryptionKey, you could also derive another value which is stored on the server and which the client must present prior to receiving their encryptedMasterKey. The server has the opportunity to do offline attacks on the passphrase either way, so it seems like there wouldn't be a downside to this change. tldr: you shouldn't let adversaries who have compromised a user's email account have the ability to attack the passphrase offline.

(i'm not a cryptographer, but this is cryptography advice)

cypherpunks ,

That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.

What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (let's call it the loginSecret) which the client can send to obtain the encryptedMasterKey. This can be derived in a similar fashion to the keyEncryptionKey (eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.

Is there any downside to what I suggested, vs the current design?

And is there some reason I'm missing which would justify adding the complexity of SRP, vs what I proposed above?

The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user's loginSecret from the server but has not obtained their encryptedMasterKey: in that case they could use it to request the encryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use the loginSecret for their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to the loginSecret in my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don't think SRP provides any benefit here.
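
The scheme proposed in the comment above, as an added sketch that is not part of the original comment and is not Ente's code: loginSecret and keyEncryptionKey are separate HKDF outputs of one passphrase-derived secret, and the server releases encryptedMasterKey only to a client that presents loginSecret. The `Server` class, the PBKDF2 stretching step, the HKDF labels and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hkdf_expand(prk, info, length=32):
    """HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_keys(passphrase, salt):
    """Return (keyEncryptionKey, loginSecret) as separate HKDF outputs."""
    # Assumption: PBKDF2 stands in for the client's real password-stretching KDF.
    prk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return hkdf_expand(prk, b"keyEncryptionKey"), hkdf_expand(prk, b"loginSecret")

class Server:
    """Hypothetical server: releases encryptedMasterKey only for a valid loginSecret."""
    def __init__(self):
        self.accounts = {}

    def register(self, email, login_secret, encrypted_master_key):
        # Stored as a hash (a choice made in this sketch); it is still
        # passphrase-derived, so the server can brute-force offline either way.
        self.accounts[email] = (hashlib.sha256(login_secret).digest(), encrypted_master_key)

    def fetch_encrypted_master_key(self, email, email_verified, login_secret):
        account = self.accounts.get(email)
        if account is None or not email_verified:
            return None
        verifier, encrypted_master_key = account
        presented = hashlib.sha256(login_secret).digest()
        # Constant-time compare; control of the mailbox alone is not enough.
        if not hmac.compare_digest(presented, verifier):
            return None
        return encrypted_master_key

def demo():
    salt = os.urandom(16)
    blob = b"constructed placeholder for encryptedMasterKey"
    kek, login_secret = derive_keys("correct horse battery staple", salt)
    server = Server()
    server.register("user@example.com", login_secret, blob)
    owner = server.fetch_encrypted_master_key("user@example.com", True, login_secret)
    # Attacker controls the mailbox (email_verified=True) but must guess online.
    _, guess = derive_keys("hunter2", salt)
    intruder = server.fetch_encrypted_master_key("user@example.com", True, guess)
    return owner == blob, intruder is None, kek != login_secret

if __name__ == "__main__":
    print(demo())
```

With this gate in place, each passphrase guess by someone who only controls the mailbox costs a round trip to the server, which can rate-limit or lock the account.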

cypherpunks ,

It is, but in this case I think it isn't actually a weakness for the reasons I explained.

cypherpunks ,

They’d need to implement something like SRP.

Update: I contacted the developers to bring my comment to their attention and it turns out they have already implemented SRP to address this problem (but they haven't updated their architecture document about it yet).

cypherpunks ,

Ente doesn’t seem to require a CLA.

It turns out, they do have a CLA (with full copyright assignment 😢).

cypherpunks Mod ,

I'm curious if you actually read the whole (admittedly long) page linked in this post, or did you stop after realizing that it was saying something you found disagreeable?

I’m a high school Maths teacher/tutor

What will you tell your students if they show you two different models of calculator, from the same company, where the same sequence of buttons on each produces a different result than on the other, and the user manuals for each explain clearly why they're doing what they are? "One of these calculators is just objectively wrong, trust me on this"?

The truth is that there are many different math notations which often do lead to ambiguities.

In the case of the notation you're dismissing in your (hilarious!) meme here, well, outside of anglophone high schools, people don't often encounter the obelus notation for division at all except for as a button on calculators. And there its meaning is ambiguous (as clearly explained in OP's link).

Check out some of the other things which the "÷" symbol can mean in math!

cypherpunks Mod ,

Has literally never happened. Texas Instruments is the only brand who continues to do it wrong [...] all the other brands who were doing it wrong have reverted

Ok so you're saying it never happened, but then in the very next sentence you acknowledge that you know it is happening with TI today, and then also admit you know that it did happen with some other brands in the past?

But, if you had read the linked post before writing numerous comments about it, you'd see that it documents that the ambiguity actually exists among both old and currently shipping models from TI, HP, Casio, and Canon, today, and that both behaviors are intentional and documented.

There is no bug; none of these calculators is "wrong".

The truth is that there are many different math notations which often do lead to ambiguities

Not within any region there isn’t.

Ok, this is the funniest thing I've read so far today, but if this is what you are teaching high school students it is also rather sad because you are doing them a disservice by teaching them that there is no ambiguity where there actually is.

If OP's blog post is too long for you (it is quite long) i recommend reading this one instead: The PEMDAS Paradox.

In Australia it’s the only thing we ever use, and from what I’ve seen also the U.K. (every U.K. textbook I’ve seen uses it).

By "we" do you mean high school teachers, or Australian society beyond high school? Because, I'm pretty sure the latter isn't true, and I'm skeptical of the former. I thought generally the ÷ symbol mostly stops being used (except as a calculator button) even before high school, basically as soon as fractions are taught. Do you have textbooks where the fraction bar is used concurrently with the obelus (÷) division symbol?
