“We don’t work with advertisers. We only work with governments and secret police to slaughter their own population or go colonize other countries.” <-- that line of defense reminds me of the Amesys story, in which french television interviewed an Amesys representative who insisted their spyware they sold to north african dictatorships before the arab spring only ever caught terrorists and pedophiles ^^
Nope, nothing at all. It’s just a masquerade. I don’t like absolutist statements in general, but in that specific case, multi-factor auth does not provide code signature to other users, it’s just a gatekeeping mechanism for Github to authenticate you. This means whether they have a security breach or someone at Github wants to harm you, they definitely can push out malicious updates in your name, and therefore such measures have nothing to do with security in the context of “who wrote the code i’m downloading?”.
It’s a little bit like banks: they may require all the security measures they like, at the end of the day they can run away with all our money like they did in Greece and there’s absolutely nothing we can do about it.
To be fair, multi-factor authentication can help reduce the most obvious cases of password theft (eg. via a virus on a single device). But it does very little to stop phishing (unless using TOTP precisely, which is slowly becoming unsupported), bit/typo-squatting, etc.
We can disagree on political stuff all day, but you will find this very interesting.
I read it when you previously published it, and i’m personally not a fan of GrapheneOS approach. I was just pointing out posts on /c/privacy should be understandable by people passing by who don’t know the whole story, and that you could make a /c/graphenelies community dedicated to this particular story, where no additional context would be required in a post.
There is also a section where one of the Reddit power mods admittedly want Lemmy to stay obscure.
Fun fun fun :)
These people do not merely reside in my brain
Sorry i think you misunderstood me, and i meant no insult. I meant we other Lemmy users who are not in your brain need additional context/info to understand the matter.
As for the work I do, I have been arguably one of the people who have done the most legitimate work in privacy community
So to be clear i was not attacking/diminishing you in any way (or at least did not intend to) and you do not have justify your involvement. Still, thank you for taking part in privacy struggles.
You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967
At least they support TOTP. I heard lately a lot of service providers (including banks) are dropping TOTP in favor of hardware tokens and phone apps. That’s a worrying trend.
And security keys can be independently manufactured (even by ourselves) and disposed of when desired
I think that’s part of the problem: we don’t need or want junk electronics for every single person/identity that goes online. It brings little benefits (a hardware token is much easier to steal than a private TOTP key on an encrypted system) and is bound to help destroy the environment ever more.
Anonymity (…) can protect victims of abuse, yes, but it can also protect online abusers
For sure, but there is a power imbalance that pseudonymity helps address. Harassers/stalkers/rapists are often empowered by their local legal system and law enforcement agencies: Facebook introduced a “real name” policy about 10 years ago pretending it would magically stopped harassment… has it?
You’re argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone
I agree HTTPS is good (although it would be better with encrypted SNI and such). But 2FA for a centralized capitalist platform has nothing to do with security. If you want more-secure code distribution, use PGP git signatures and a distribution mechanism like guix channel introductions.
you’ll need MFA to use the website/app
That’s already the case to some extent, and i hate it. I hate that Github forces me to open my mail client every time i want to login (because my Tor browser doesn’t keep cookies across sessions).
Of course, it depends on your usecase. I use Github for minor contributions to volunteer projects. In this specific case, anything that gets in the way of user contribution is in my view a problem.
Thanks for sharing your thoughts. I hope you understand the nuance i’m trying to bring and that i’m not opposed to security practices in general. Hell, i would love if i could use PGP/SSH auth everywhere… :D
Nice blog post, and always nice to see RSS feeds.
Thanks! The RSS feeds are generated by Zola, the SSG i use (and contribute to sometimes).
I think the best general solution for normal end-users getting packages they can trust is always a well-audited package manager.
I entirely agree! And i personally don’t think that distro packaging is dead (or should die), but i do believe there’s a crisis in the field: nix/guix certainly represent a far better model in a day and age where there are dozens of thousands of packages to maintain for many architectures.
The Debian/Fedora packaging system makes it more complex than it has to be to just push an update because most of the steps have to be done manually. Of course, i appreciate when some packages are maintained by trustworthy people inspecting the changelog, but no distro has the energy to do that for all packages…
I can’t imagine a general solution to Github workflows
Do you mean for CI/CD? I don’t understand why we need Github Actions at all. If only we could have a standardized protocol/vocabulary (like ForgeFed/ForgeFriends) to subscribe to updates across different forges, we could have pretty basic/standard tooling performing tasks as we like them.
This is a post about the biggest cult in privacy community witch hunting, and you do not recognise it.
I do recognize it because you talked previously about it. I just don’t think it’s pertinent to show in this form for people who don’t know about the entire story (even i don’t know the whole story). I would recommend either to make a community dedicated to this topic, with a stickied thread serving as introduction, or to give more context to your post on the topic. But shitposting random conversations about a topic of interest of yours into random communities is not really cool for people who do not reside in your brain :D
Also, bit of personal advice: you seem really obsessed with this community and story. I think it would do you good to focus on something else… You seem to imply it’s a “big” thing but seriously i’ve never met a single person using GrapheneOS and they only support Google phones so there’s no risk it’s becoming a big thing any time. Maybe try to get involved in Lineage or /e/OS or PostMarketOS communities? You may help build the mobile distro you wanna see instead of loosing a little bit of your sanity every time the GrapheneOS mods do something. Take care :)
I don’t agree:
- Encouraging hardware tokens and multi-factor auth paves the way for less pseudonymity across the network: this is the dream of all governments and secret services, and does not help protect users from abuse (nicknames are a useful feature when you’re targeted by harassment campaigns)
- Most people don’t have decent security: if you force everyone you use MFA or PGP signatures, the scheme becomes meaningless. It’s supposed to be a marker of additional security measures, but if everyone and their bad practices uses it, malicious code will slip through anyway but we may be desensitized from that idea
- As @Ghast@lemmy.ml pointed out, pushing code from scripts is a common pattern. Of course it could be hacked and become a problem for security, but that’s still a more-than-valid usecase.
You can download all Github projects, and wikis, because they’re all based on Git, and the only ‘extensions’ particular to Github are CLI specs, and issues, which can also be ported easily.
Technically correct (although you’d need to migrate Github Actions also, which is yet another beast), but politically misguided. Migrating from Github as a organization (a closed pool of contributors) is a rather easy task that’ll take you a week worth of work.
The actual problem is that Github acts as a centralized social network for developers and represents the biggest contributors pool across the FLOSS ecosystem. As a volunteer-run project, moving away from Github means loosing much visibility and many contributors. I’m not saying it’s not worth it, but it’s not just a technical question of whether that’s possible.
Also worth noting that we have many alternatives but none of them are specified/interoperable. I have a longer blog post exploring that question if you’re interested.
Maybe the official site uses cloudflare but out of the several gitea instances i’ve used exactly 0% used cloudflare ;)
To be fair Gitea development does use Github at the moment, and developing ActivityPub-based federation is part of the project to break out of Github entirely.
EDIT: wrote lemmy instead of gitea :)
TLDR: in this day and age i would go with Gitea because it’s going down the federated route.
I have a longer blog post presenting the many concerns about software forging Decentralized forge: distributing the means of digital production
In matrix pretty much everything is a public, logged append-only datastore (a room in matrix vocabulary). There is some access-control applied on top but it means that basically any server involved in some room (because their users are part of it) gets a full copy of the full history of the room including all user addresses.
In contrast, XMPP has a clearer threat model: your server knows about you, the server of a user you’re communicating with knows about you, 3rd party services you employ know about you (eg. chatrooms) but other users of that 3rd party service don’t. Practical example: when i join room anarchism@chat.jabberfr.org from southerntofu@userserver.net address, i’m giving the chatroom server (MUC server) a nickname to identify me with. When other users receive messages in the chatroom from me, they see it from southerntofu from chatroom anarchism@chat.jabberfr.org but have no idea what my actual JID (XMPP address).
That’s certainly good for reducing chances of having all your messages being logged by a sysadmin somewhere, but it’s even better for abuse-resistance. Having your address leaked in every public interaction is fine for most people but is a no-go for people who have stalkers or are targeted by harassment campaigns. See also this HN thread on XMPP and anti-abuse mechanism.
Well that’s the reason upstream Signal was not packaged on F-Droid, that it required Google Play Services to run. That’s why Signal was forked into LibreSignal (which didn’t change anything beyond removing this dependency) which could be distributed on F-Droid. [This ticket]https://github.com/LibreSignal/LibreSignal/issues/37) is where the discussion took place. m0xie from Signal team said:
I’m not OK with LibreSignal using our servers, and I’m not OK with LibreSignal using the name “Signal.” You’re free to use our source code for whatever you would like under the terms of the license, but you’re not entitled to use our name or the service that we run. (…) It is unlikely that we will ever federate with any servers outside of our control again, it makes changes really difficult. (…) I understand that federation and defined protocols that third parties can develop clients for are great and important ideas, but unfortunately they no longer have a place in the modern world
This discussion ultimately led to an article (and a CCC talk) called The ecosystem is moving, to which Conversations developer Daniel Gultsch replied. There was also a more XMPP-centric reply to the talk. Happy reading.
By this standard you should probably not trust any entity at all because all governments are evil and their secret police are after revolutionary troublemakers. I agree that Signal being centralized is a huge problem, but i personally believe the bigger problem is that it requires a unique identifier (the phone number).
We all use centralized services sometimes, for example to sign up on a forum. But when we do so over Tor and with a nickname (pseudonym) that’s a reasonable security practice.
Disclaimer: i’m no cryptographer
I think the crypto in Signal looks fine. The double ratchet isn’t bad, although it has some drawbacks (at least the OMEMO variant) about long-absent participants running out of published ephemeral keys.
The problem with Signal is the centralized system (which relies on absolute trust in a server’s “trusted computing” module) and the business governance. I’m very critical of m0xie and friends in their political/economic decisions, but they seem to produce good cryptography…
I upvoted because the phone number requirement is the n°1 problem with Signal.
But to be clear, Signal does meet F-Droid’s policy (albeit with a “centralized service” antifeature flag). The only reason Signal is not distributed on F-Droid is because Signal threatened legal action if it ever was (LibreSignal scandal).
Also, i appreciate that Matrix (Element is just a client) is a federated protocol. Unfortunately, it consumes a lot of resources server-side (like A LOT of RAM and disk storage), and the default client Element is nearly unusable with high-latency links (eg. over Tor). I personally recommend getting into XMPP… there is no default client because XMPP is an ecosystem not a government-backed startup and some of them really suck (see joinjabber.org for the better clients) but at least the client and server don’t eat all your resources (a “big” XMPP server for hundreds of users uses <500MB RAM, a similar matrix server uses 5-20GB RAM).
Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.
Oh no it’s a pretty good idea, and unfortunately mosibo isn’t the first project to implement it… in an entirely new protocol that nobody will ever adopt. Implementing SMP in a widely-used protocol (email/PGP, IRC/OTR, XMPP/OMEMO) would benefit a lot more users.
Using phone numbers as identifiers is a well-known Signal flaw.
Indeed, but once again we have dozens of protocols providing messaging primitives, whether federated or centralized. Why should we even consider Signal or Mesibo? To be honest, i appreciated Mosibo’s criticism of Signal: it’s fair and strongly deserved. I would add to this that Signal dropped on-disk database encryption which is horrible: users set a passphrase expecting some security… only to find out later that the passphrase is purely cosmetic and the local DB is unencrypted.
I am just trying to understand how this criticism of Signal would be invalid, or FUD.
I don’t think it’s either FUD or invalid. It just looks like yet another corporation making yet another protocol for yet the same usecases we already have a dozen protocols for. If mesibo is only about cryptographic research, OMEMO/MegOLM could use a refresher… but unfortunately they’re promoting an entire ecosystem and it’s really not clear what the technical/business model is (i found the code for libmesibo but i don’t see any server implementation on their github).
I think given the very fragmented ecosystem we already have, the burden is on them to prove that their project is interesting/useful. From my perspective, it looks like some cryptographers wanted to do cool stuff, but need a bullshit business front (like any startup) to operate… like a lot of crypto research, unfortunately…
@k_o_t@lemmy.ml @TheAnonymouseJoker@lemmy.ml can we get this thread pinned? i didn’t read it all but it looks like decent advice and the question about what’s tor and how to use it best comes up frequently
There’s a lot more than that, but here’s a quick list compiled from filtering suspicious actors (for-profit etc…) from privacytools:
- applied-privacy.net (DoH, DoT)
- libredns.gr (DoH, DoT)
- nixnet.services (DoH, DoT)
- snopyta.org (DoH, DoT)
- uncensoreddns.org (DoH, DoT)
- blahdns.com (DoH, DoT, DoQ)
Not sure about PowerDNS and Quad9 because they appear shady from the outside but they may be options as well.
BTW thanks for sending me down a rabbit hole that Mastodon account is a gold mine ;)