cypherpunks , 3 months ago

Young Michael Scott Shaking Ed Truck's Hand meme with Truck as "OP's proposed nation" and Scott as "Utah"

cypherpunks , 3 months ago

Great Salt Lake

lol, i guess that must be why.

fwiw, regardless of its name or how great it is, it is not one of the Great Lakes 😂

cypherpunks , 3 months ago (edited 3 months ago)

LLM detractors hate this one weird trick

cypherpunks , 3 months ago (edited 2 months ago)

edit: the two issues i raised in this comment had both already been addressed.

this was the developer's reply on matrix:

1. We do have a CLA: https://cla-assistant.io/ente-io/ente
2. We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
3. The portion of the document that deals with authentication has been outdated, my bad. We've adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/

here is my original comment

AGPL-3.0

Nice

This would be nice, but, this repo includes an iOS app, and AGPL3 binaries cannot be distributed via Apple's App Store!

AGPL3 (without a special exception for Apple, like NextCloud's iOS app has) is incompatible with iOS due to the four paragraphs of the license which mention "Installation Information" (known as the anti-tivoization clause).

Only the copyright holder(s) are able to grant Apple permission to distribute binaries of AGPL3-licensed software to iOS users under non-AGPL3 terms.

Every seemingly-(A)GPL3 app on Apple's App Store has either copyright assignment so that a single entity has the sole right to distribute binaries in the App Store (eg, Signal messenger) or uses a modified license to carve out an Apple-specific exception to the anti-tivoization clause (eg, NextCloud). In my opinion, the first approach is faux free software, because anyone forking the software is not allowed to distribute it via the channel where the vast majority of users get their apps. (In either case, users aren't allowed to run their own modified versions themselves without agreeing to additional terms from Apple, which is part of what the anti-tivoization clause is meant to prevent.)

Only really nice when not CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.

I definitely agree here! But if it's true that they're accepting contributions without a CLA, and they haven't added any iOS exception to their AGPL3 license, then they themselves would not be allowed to ship their own iOS app with 3rd party contributions to it! 😱 edit: it's possible this is the case and Apple just hasn't noticed yet, but that is not a sustainable situation if so.

If anyone reading this uses this software, especially on iOS, I highly recommend that you send the developers a link to this comment and encourage them to (after getting the consent of all copyright holders) add something akin to NextCloud's COPYING.iOS to their repository ASAP.

cc @ioslife @baduhai @skariko

(i'm not a lawyer, this is not legal advice, lol)

edit: in case a dev actually sees this... skimming your architecture document it looks like when a user's email is compromised ("after you successfully verify your email"), the attacker is given the encryptedMasterKey (encrypted with keyEncryptionKey, which is derived from a passphrase) which lets them perform an offline brute-force attack on the passphrase. Wouldn't it make more sense to require the user to demonstrate knowledge of their passphrase to the server prior to giving them the encryptedMasterKey? For instance, when deriving keyEncryptionKey, you could also derive another value which is stored on the server and which the client must present prior to receiving their encryptedMasterKey. The server has the opportunity to do offline attacks on the passphrase either way, so it seems like there wouldn't be a downside to this change. tldr: you shouldn't let adversaries who have compromised a user's email account have the ability to attack the passphrase offline.

(i'm not a cryptographer, but this is cryptography advice)

cypherpunks , 3 months ago

That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.

What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (lets call it the loginSecret) which the client can send to obtain the encryptedMasterKey. This can be derived in a similar fashion to the keyEncryptionKey (eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.

Is there any downside to what I suggested, vs the current design?

And is there some reason I'm missing which would justify adding the complexity of SRP, vs what I proposed above?

The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user's loginSecret from the server but has not obtained their encryptedMasterKey: in that case they could use it to request the encryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use the loginSecret for their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to the loginSecret in my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don't think SRP provides any benefit here.

cypherpunks , 2 months ago

It is, but in this case I think it isn't actually a weakness for the reasons I explained.

cypherpunks , 3 months ago

This is also available as a book: https://en.wikipedia.org/wiki/The_Speech_(Sanders_book)

cypherpunks , 3 months ago (edited 3 months ago)

There is a well-timed musical change just after 3:13:44 when Mary Landrieu is describing her surprise at learning about the severe racial disparities in US households' net worth:

screeshot of youtube transcript with text:
3:13:44
average median net worth not income net worth of households is
3:13:50
67,000 so that's very interesting I thought it would be higher than that I mean that's taking everything that you
3:13:57
own minus everything you owe and the difference is your net worth I thought people might have more than that I mean
3:14:03
in terms of equity in their homes you know couple hundred th000 67,000 it was
3:14:08
concerning to me say said do you have that broken down by Race by any chance oh yes ma'am we have that so would you
3:14:15
share it they did and I'm going to share it with you because I have not recovered from what I
3:14:22
heard the gentleman says to me well for white families in
3:14:28
America the average median not average median which is 50% more 50% less the
3:14:34
median the White household Senator is 87,000
3:14:41
87,000 for Hispanic families it is
3:14:49
8,000 and for African-American families it is
3:14:56
5,000 I want to repeat that again 50% of all families in America who are

edit: fwiw the numbers she cites are substantially lower (though the disparities are similar) than what Pew Research reported for that timeframe.

cypherpunks , 3 months ago (edited 3 months ago)

The ECHR ruling is good news (and there was already a post about it in this community and many others, a week ago, from a reputable publication), but this post about that news is actually spam for a company selling a snakeoil privacy product thinly disguised as news.

It's worth taking note of the details of the court's ruling in the context of Tuta's architecture: this ruling specifically is not about when police demand that services like tuta use their capability to bypass encryption for specific users, which the architecture of services like Tuta very conveniently makes easy for them to do. Instead, it is about when authorities try to mandate that better-designed systems move to a tuta-like architecture to make targeted surveillance easy. Which makes Tuta's use of this particular news for advertising purposes even more disgusting.

cypherpunks , 3 months ago (edited 3 months ago)

fwiw i deleted the crossposts of this post from /c/privacy@lemmy.ml and /c/opensource@lemmy.ml (because protonmail is a faux-opensource snakeoil privacy product) and flagged the posts in other communities as spam.

i encourage anyone who thinks protonmail's non-interoperable end-to-end encryption is useful to read my comment about it here.

edit: wow, such downvotes. i elaborated here.

cypherpunks , 3 months ago

You have now banned me from both of those communities

I actually banned you from both of them at the same time I deleted those two protonmail posts, but then unbanned you a minute later after reviewing your account further.

You can view your modlog here.

You have deleted another post of mine

I commented about that deletion here.

cypherpunks , 3 months ago (edited 3 months ago)

almost every proprietary thing, including windows and macos, has some open source components.

cypherpunks , 3 months ago (edited 3 months ago)

fwiw, besides the "Proton's Free plan now offers up to [...] after completing certain tasks." post earlier, i also just deleted some adverinfonewstainment tutanota spam blogpost ("Chat Control May Finally Be Dead: European Court Rules That Weakening Encryption Is Illegal") from this community.

tutanota is just like protonmail except there is more evidence indicating that they are primarily a honeypot for privacy-seeking rubes (as opposed to protonmail where it is maybe only obvious to people knowledgeable about the history of the privacy industry).

People should be skeptical of anyone selling a service involving cryptography software which has nearly no conceivable purpose except for to protect against the entity delivering the software. Especially if they re-deliver the software to you every time you use it, via a practically-impossible-to-audit channel, and require you to identify yourself before re-receiving it (as almost any browser-based e2ee software which doesn't require installing any software does, due to the current web architecture).

If you think this kind of perfect-for-targeted-exploitation architecture isn't regularly used for targeted exploitation... well, you're mistaken. In the web context specifically, it has been happening since the 90s.

imo this community should not tolerate advertising (or other posts who's purpose is to encourage using/purchasing) this type of deceptively-marketed service.

cypherpunks OP , 3 months ago

you're not entirely wrong, but, fwiw this image was created 11 years after he was fired from Apple (and 5 months before he returned).

cypherpunks , 3 months ago

https://simplex.chat/ is probably the best option today

cypherpunks , 3 months ago

ProtonMail's encryption system isn't particularly useful

cypherpunks , 3 months ago

it turns out the option was right there in their CMS all along!

🤦

cypherpunks , 3 months ago

all articles on nottheonion are actual, real events

😱

original "do not want" star wars screengrab

cypherpunks , 3 months ago (edited 3 months ago)

shoutout to @jaromil who (i believe?) created this fork bomb :)

there is a great in-depth writeup about fork bombs in general, and this one specifically, here.

cypherpunks , 3 months ago (edited 3 months ago)

This is worthy of a more usable interface than this spreadsheet widget.

It took me a fair bit of scrolling to identify which attributes each of the six purple "N/A" values for SimpleX are, but now that I have I agree they're accurate (though I think there is an argument to be made for just writing a green "no" for each of them).

It is noteworthy that SimpleX is currently the only one of these (currently 34) messengers to not have a single red or yellow cell in its column. well done, @epoberezkin! 😀

edit: istm that SimpleX (along with several other things) getting a "no" in the "can hand IP address to the police" row is not really accurate. SimpleX does better than many things here in that they don't have a lot of other info to give to the police along with the IP, but, if Bob has their phone seized (or remotely compromised) and then the police reading Alice and Bob's messages from Bob's phone want to know Alice's IP address... they can compel a server operator to give it to them. (And it is the same for a user who posts a SimpleX contact link publicly.)

cypherpunks , 3 months ago (edited 3 months ago)

Briar has even fewer N/As than SimpleX and all greens otherwise. Second column in the table.

Briar has a yellow Yes in row 12 ('requires global identity')

https://lemmy.ml/pictrs/image/fb1b9368-9ea5-4863-89d6-fd4e9e3a7d5b.png

... presumably because (if you have one instance of the Briar installed) when you're talking to two different people they can check and confirm you're the same person, while in SimpleX you can create disposable/ephemeral identities for different chats.

I haven't reviewed this thoroughly but I can see that there are a lot of attributes that could be added to this table in regards to metadata protection against various parties, including revealing online presence to servers and contacts (which is a place where briar falls short).

cypherpunks Mod , 4 months ago

And operating system engineers wear boots.

cypherpunks OP , 4 months ago

The lack of details in the advisory is only a minor impediment for a malicious person who wants to figure out how to implement their own exploit for this vulnerability. Anyone can read the patch that fixes it and figure it out.

TLDR: if you run your own instance, update it ASAP. If an instance you rely on hasn't updated yet, consider asking its admins to do so. And if they don't update it soon, you might want to reconsider your choice of instance.

cypherpunks OP , 4 months ago

No, this is a server-side vulnerability. Clients do not need to update, instances do.

cypherpunks Mod , 4 months ago

I don’t think I’m educated enough to say anything against the group as a whole, as I haven’t sat down to do a lot of research on them (I’m realizing now that my comment was made from a BS bias that I had picked up from when I was a conservative).

You should do more research :)

Unless you're talking about this one, referring to "the antifa organization" makes as little sense as saying "the conservative organization". There are many organizations with variously overlapping goals and strategies for achieving them, but there hasn't been a singular "antifa organization" since 1933.

cypherpunks Mod , 4 months ago

I also don’t support violence and property damage to get the message across

so, you condemn the boston tea party, right?

I will never take a “movement” seriously that uses vandalism to get a message across.

what's your favorite successful social movement from history that didn't use any vandalism to get a message across?

cypherpunks , 4 months ago

it's a shame that @NYTOnIt isn't being updated anymore

cypherpunks , 4 months ago

There is a version of VLC for the Nvidia Shield, but it has a somewhat irritating UI and I don't know if it can actually read the menus like the desktop version can.

cypherpunks , 4 months ago

some of them are built so that the front doesn't fall off at all.

cypherpunks , 4 months ago

meme template of Mandy Patinkin as Inigo Montoya in The Princess Bride

cypherpunks Mod , 4 months ago

4 hours later... yep :(

cypherpunks Mod , 4 months ago

👍

cypherpunks Mod , 4 months ago

prefixing it with "# " makes it a heading (larger text).

cypherpunks OP , 4 months ago

Meh, how’s this different from RH?

It took Canonical about four times as long (twenty years vs five) to start doing this.

Dissatisfaction with RedHat's introduction of RHN (in 2000) was arguably a significant factor contributing to Ubuntu's rapid growth when it was first released (in 2004).

cypherpunks OP , 4 months ago

Okay tbf this is meant for companies that need to meet specific requirements like government privacy regulations, which change every year and need to be actively maintained or else you get in legal trouble.

Yeah you pretty much would only ever need to install these updates to libavcodec and imagemagick for regulatory compliance reasons, or maybe if you wanted to be able to safely load video or image files found on the internet without being subject to compromise by widely-available exploits for vulnerabilities that were published and fixed upstream last year.

cypherpunks OP , 4 months ago

huh? what is the misinformation here?

cypherpunks OP , 4 months ago

I’ll assume you’re genuinely unaware

I'm perfectly aware of what Ubuntu Pro is, and the difference between Ubuntu main and universe.

The current meme implies that Ubuntu/Canonical have actively disabled safety/security features in the form of withholding security updates, unless you pay for Ubuntu Pro subscription. The Ubuntu package support hasn’t changed with the introduction of Ubuntu Pro. The packages that were supported by Canonical prior to this are supported the same way today. The packages that were community supported prior to this are supported the same way today. Without Ununtu Pro.

If you think the meme implies that, then surely you must think that the message printed by Ubuntu's apt upgrade command in the screenshot implies that too, right?

One of the packages listed in this screenshot is libavcodec, which is required by things like VLC (which is in Ubuntu universe, which is enabled by default).

If you think it is perfectly fine for Canonical to do the work to patch that library and then withhold the security update from the vast majority of Ubuntu users who won't sign up for Ubuntu Pro... we'll have to agree to disagree.

cypherpunks , 4 months ago

the option of a subscription is fine IMO

excerpt of "this is fine" comic

cypherpunks , 4 months ago

I am glad I live in a place where many grocery stores don't have this problem, because they don't have parking lots, because most of their customers don't even have a car much less would drive it to get groceries if they did. (Yes, I do realize how fortunate I am.)

cypherpunks Mod , 4 months ago

What is “the enshitification face”

maybe one of these?

https://lemmy.ml/pictrs/image/e2c8fcb2-7ea2-4de7-88ff-c7fd975d2332.png https://lemmy.ml/pictrs/image/8cb77de5-518d-4b6b-bdff-2ef8ef9acaf7.png https://lemmy.ml/pictrs/image/ee7dac5b-a8cc-44d9-85d2-0f46078deb50.png

cypherpunks Mod , 3 months ago

I'm curious if you actually read the whole (admittedly long) page linked in this post, or did you stop after realizing that it was saying something you found disagreeable?

I’m a high school Maths teacher/tutor

What will you tell your students if they show you two different models of calculator, from the same company, where the same sequence of buttons on each produces a different result than on the other, and the user manuals for each explain clearly why they're doing what they are? "One of these calculators is just objectively wrong, trust me on this, #MathsIsNeverAmbiguous" ?

The truth is that there are many different math notations which often do lead to ambiguities.

In the case of the notation you're dismissing in your (hilarious!) meme here, well, outside of anglophone high schools, people don't often encounter the obelus notation for division at all except for as a button on calculators. And there its meaning is ambiguous (as clearly explained in OP's link).

Check out some of the other things which the "÷" symbol can mean in math!

#MathNotationsAreOftenAmbiguous

cypherpunks Mod , 3 months ago

Has literally never happened. Texas Instruments is the only brand who continues to do it wrong [...] all the other brands who were doing it wrong have reverted

Ok so you're saying it never happened, but then in the very next sentence you acknowledge that you know it is happening with TI today, and then also admit you know that it did happen with some other brands in the past?

But, if you had read the linked post before writing numerous comments about it, you'd see that it documents that the ambiguity actually exists among both old and currently shipping models from TI, HP, Casio, and Canon, today, and that both behaviors are intentional and documented.

There is no bug; none of these calculators is "wrong".

The truth is that there are many different math notations which often do lead to ambiguities

Not within any region there isn’t.

Ok, this is the funniest thing I've read so far today, but if this is what you are teaching high school students it is also rather sad because you are doing them a disservice by teaching them that there is no ambiguity where there actually is.

If OP's blog post is too long for you (it is quite long) i recommend reading this one instead: The PEMDAS Paradox.

In Australia it’s the only thing we ever use, and from what I’ve seen also the U.K. (every U.K. textbook I’ve seen uses it).

By "we" do you mean high school teachers, or Australian society beyond high school? Because, I'm pretty sure the latter isn't true, and I'm skeptical of the former. I thought generally the ÷ symbol mostly stops being used (except as a calculator button) even before high school, basically as soon as fractions are taught. Do you have textbooks where the fraction bar is used concurrently with the obelus (÷) division symbol?