he/him/his, cis, gay, husband, Beagle chew-toy, JavaScript jockey, Rustacean

  • 17 Posts
Joined 2Y ago
Cake day: Apr 06, 2021


Hopefully we’ll see more driver developers pick up Rust

Weird, I’ve been using 1.2, 1.5 and 2.0 scale with sway (wlroots) for a while now

So, is this announcement for something new? Or is this standardizing/stabilising something that has already been working (in potentially a different / non-standard way) so far?

I think Poettering’s assumption here, which I agree with, is that it’s difficult to produce software without bugs, and it’s even difficult to patch those bugs without ever introducing new bugs

But, let’s pretend that we’ve accomplished this and never have to fix any bugs: we’ll still have to update firmware and other software components when a new CPU or other device needs to be supported

Although, admittedly, a user might not decide to install a hardware-enablement update if they know in advance that they’ll never upgrade their hardware or plug in a new device

Netfilter Workshop 2022 summary (nftables, etc)
> This is my report from the Netfilter Workshop 2022. The event was held on 2022-10-20/2022-10-21 in Seville, and the venue was the offices of Zevenet. We started on Thursday with Pablo Neira (head of the project) giving a short welcome / opening speech. The previous iteration of this event was in virtual fashion in 2020, two years ago. In the year 2021 we were unable to meet either in person or online.
>
> This year, the number of participants was just eight people, and this allowed the setup to be a bit more informal. We had kind of an un-conference style meeting, in which whoever had something prepared just went ahead and opened a topic for debate.

Neat summary of topics discussed around nftables

> Google has a right to decide which users it wants to host. But it was Google’s incorrect algorithms, and Google’s failed human review process, which caused innocent people to be investigated by the police in these cases. It was also Google’s choice to destroy without warning and without due process these fathers’ email accounts, videos, photos, and in one case, telephone service. The consequences of the company’s error are not trivial.

> The reasons for NOT tracking are myriad: First, you’ll engender goodwill with your supporters. Second, you may not imagine your organization to be the likely target of ransomware or of a data breach, but the less data you collect, and the less you share with outside organizations or companies, the less likely that your supporters will be affected. Third, data privacy laws vary across regions, and we are in a time of rapid change with respect to those laws. Minimizing data collection and retention can help ensure you’re complying with those laws.

> Australian police last month arrested the man, now 24, and identified at least 201 of his Australian customers, in an investigation that began in 2017 and involved a dozen law enforcement agencies in Europe and Australia, and information provided by Palo Alto Networks and the FBI. The case underscores the sheer scope of the market for stalkerware—the app, costing just $35, was sold for seven years before law enforcement shut it down. Tens of thousands of victims were spied on, police said. Its customers included domestic violence perpetrators and even a child sex offender.

> Regulators must take more effective voluntary actions against harmful content and adopt moderation frameworks that are consistent with human rights to make the internet free and limit the power of government agencies in flagging and removing potentially illegal content.

PGPP | What Is Pretty Good Phone Privacy?
Fascinating service, just wish I was in one of the available countries

> The Digital Advertising Act is a bold, promising legislative proposal. It could split apart the most toxic parts of Big Tech to make the internet more competitive, more decentralized, and more respectful of users’ digital human rights, like the right to privacy. As with any complex legislation, the impacts of this bill must be thoroughly explored before it becomes law. But we believe in the methods described in the bill: they have the power to reshape the internet for the better.

> Today’s release of Total Cookie Protection is the result of experimentation and feature testing, first in ETP Strict Mode and Private Browsing windows, then in Firefox Focus earlier this year. We’re now making it a default feature for all Firefox desktop users worldwide.

The mature answer is “it depends”

Absolutes are rarely 100% true, and it entirely depends on your perspective, your use cases, and your expectations

Neither DuckDuckGo nor CloudFlare (the other favourite punching bag around here) have surveillance capitalism business models, but they do require you to trust someone else’s software running on someone else’s computers, and you still need to communicate with them over someone else’s networks

From my own perspective, which suits me fine but might not be suitable for you, I prefer to avoid surveillance capitalism companies like Facebook/Meta, Amazon, Google

I’m also not a free-speech maximalist: I want to live in a world where information flows freely, but I acknowledge that not every single idea deserves exactly the same amplification

The same people screeching about DuckDuckGo and CloudFlare regarding censorship are often exactly the same people claiming that LGBTQIA and Black history education is not “age appropriate”, so even free-speech maximalists are rarely consistent

Google must believe eBPF is mature enough (although they’ve been wrong before, see the Bluetooth stack rewrites and reverts in Chrome OS)

Note that desktop Linux distributions are working towards replacing iptables with nftables (added in kernel 3.13), so it seems as though there is some/broad consensus that we can do better than iptables these days

AOSP has dropped iptables in favour of the far more efficient and powerful eBPF: https://www.xda-developers.com/lineageos-19-android-12/

It completely breaks compatibility with decades of code that requires iptables, but there’s nothing stopping new work that embraces eBPF

Of all the commercial networks they could use, surely CloudFlare is less evil than e.g. Google

It sounds like your use case requires more assurances than can be provided by any external hosting provider

So, your best bet is to self-host, in which case you aren’t using GitHub, and these 2FA changes aren’t impacting you at all, and you don’t have to feel disturbed by them

> 2FA for a centralized capitalist platform has nothing to do with security.

Really, nothing? Nothing at all? Not even a teensy bit?

Absolute statements like this are almost always inaccurate, because it’s incredibly difficult to know the heart/mind of someone else and what truly motivates them

> Of course, it depends on your use case.

This is probably the most important thing anyone has said on this whole page

Okay, you got me stumped here

Either I added my 3x Yubikey security keys prior to that feature being taken away, or there’s a bug, or there’s some condition that has to be met before you can add security keys to your account: are you using a compatible web browser (e.g. recent Firefox), and have you downloaded/viewed/printed your recovery codes?

> Mobile phones are the least secure device that you are likely to own

Un-nuanced absolutist statements like this grind my gears a little, haha

SMS is plain-text, and codes from the authenticator apps (and possibly also the GitHub Mobile app) can be phished, so in this regard I agree that the security key option offers the strongest safety/privacy, but those other phone options are still better than nothing for the majority of users

As far as devices I own go: the only TV I could buy here was one running Android 10 without any software updates in the last 2 years, so I feel I can confidently state that the TV is less secure than the phone I bought this year with an OS patch from this month


You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

And security keys can be independently manufactured (even by ourselves) and disposed of when desired: https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing

I don’t disagree that many governments aim to increase surveillance, but non-SMS 2FA can be used to thwart government access to our accounts, so I don’t think you can accurately state that 2FA is a pro-government mechanism

Anonymity (which I am generally in favour of) can protect victims of abuse, yes, but it can also protect online abusers, so I don’t think absolute statements about it are helpful


It has always been possible (and likely) to misuse encryption technology in ways that jeopardise security

So, I don’t think it’s true that the presence of alleged mechanisms is intended to be a marker of quality/security/etc

Independent security audits and reviews are a better marker, as this is the only way you can know if a service is correctly hashing+salting your password in a database instead of storing it in plain text

Your argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone


I agree, this is a huge current use case

We don’t have the details yet, but I will speculate that GitHub will leave SSH authentication alone, but you’ll need MFA to use the website/app, so you’ll need MFA to e.g. add a new SSH key to an account/repository

Please stop sharing inaccurate information

There are many 2FA options, and you never need to add a phone number to your account if you don’t want to

> this does not require sharing your cell phone number with them at all

Wow, please read more carefully next time, you missed a word :)

I suppose it’s also a horrendous infringement on our freedoms to require HTTPS </sarcasm>

There are a range of two-factor authentication mechanisms that can be added to your GitHub account, so this does not require sharing your cell phone number with them at all if you don’t want to

I’m not sure why people are complaining about this change, this seems like a reasonable security uplift that will hopefully be adopted across more services

> Nimbuspwn, as Microsoft has named the EoP threat, is two vulnerabilities that reside in the networkd-dispatcher, a component in many Linux distributions that dispatch network status changes and can run various scripts to respond to a new status. When a machine boots, networkd-dispatcher runs as root.
>
> The flaws, tracked as CVE-2022-29799 and CVE-2022-29800, combine threats including directory traversal, symlink race, and time-of-check time-of-use (TOCTOU) race condition.

> Now that those bunny eggs have been painted and the afikomen has been found, it’s time to upgrade Pop!_OS! Here’s what’s new in Pop!_OS 22.04 LTS...

> Whatever final legislation comes out of the negotiations won’t be perfect, and it won’t address every concern. But we urge both businesses and advocates not to make the perfect the enemy of the good. Or of better, more consistent protections for all Americans.
>
> In closing, I’ll say this: Google is an engineering company — and we look at problems from an engineering perspective. When we spot an issue with our services, we make fixing it a priority, and we often move engineers from other projects to help.
>
> This is that all-hands-on-deck moment for privacy.

I can't help but assume that whatever legislation Google backs here will not be especially "good" and will be intentionally far from "perfect", but it would be nice to be surprised. It'll be interesting to see what happens here, if anything

> Last year, we released Proton Calendar beta on Android, marking a significant milestone in the expansion of Proton’s privacy ecosystem. We’ve been busy incorporating your feedback over the past year, and today we’re happy to officially launch Proton Calendar on Android!

Looks like the EU and USA agreed on an approach. It's light on details though; I am not sure exactly how USA intelligence agencies are limited and monitored. How much less information about EU citizens will be scooped up by the USA in practice?