cultural reviewer and dabbler in stylistic premonitions

  • 9 Posts
  • 48 Comments
Joined 2Y ago
Cake day: Jan 17, 2022


If you’re ready to break free of Android, I would recommend https://postmarketos.org/ though it only works well on a small (but growing!) number of devices.

imho if you want to (or must) run Android and have (or don’t mind getting) a Pixel, Graphene is an OK choice, but CalyxOS is good too and runs on a few more devices.


It’s literally a covert project funded by google to both sell pixels and harvest data of “privooocy” minded users. It seems to be working well.

Is it actually funded by Google? Citation needed.

I would assume Graphene users make up a statistically insignificant number of Pixel buyers, and most of the users of it I’ve met opt to use it without any Google services.


Indeed, the only thing WhatsApp-specific in this story is that WhatsApp engineers are the ones pointing out this attack vector and saying someone should maybe do something about it. A lot of the replies here don’t seem to understand that this vulnerability applies equally to almost all messaging apps - hardly any of them even pad their messages to a fixed size, much less send cover traffic and/or delay messages. 😦




So then send the URL to the play store page from the app posted in ops photo. Go ahead, waiting.

lol, what? i did, in another comment, shortly before you posted this. here it is again: https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock



You act like it is Google’s fault that someone found questionable software on the phone they got from Rent-a-center or Alibaba.

Google made the app.


It sure is convenient for law enforcement and others to have the ability to immediately get the IP addresses of all visitors to a specific URL. (They just need to circumvent the OHTTP by asking fastly and google to collude…)


they basically agree with you

yes, I realize :)

I should’ve made clear in my comment that, aside from a bit of imperfect English and incorrect use of the term snake oil, I think this is an excellent blog post.


post-quantum cryptography can be compared with a remedy against the illness that nobody has, without any guarantee that it will work. The closest analogy in the history of medicine is snake oil.

Good on them for saying that.

A “remedy against the illness that nobody has” is a good analogy, but it is important to note that it’s an illness which there is a consensus we are likely to eventually have and a remedy that there is good reason to believe will be effective.

It isn’t a certainty that there will ever be a cryptographically relevant post-quantum computer, and it also isn’t a certainty that any of the post-quantum algorithms (as with most classical cryptography) which exist today won’t turn out to be breakable even by yesterday’s computers. The latter point is why it’s best to deploy post-quantum cryptography in a hybrid construction such that the system remains secure even if one of the primitives turns out to be breakable.

That said, I think it is totally wrong to call PQC snake oil because that term in the context of cryptography specifically means that a system is making dishonest claims: https://en.wikipedia.org/wiki/Snake_oil_(cryptography)




fwiw, besides the “Proton’s Free plan now offers up to […] after completing certain tasks.” post earlier, i also just deleted some adverinfonewstainment tutanota spam blogpost ("Chat Control May Finally Be Dead: European Court Rules That Weakening Encryption Is Illegal") from this community.

tutanota is just like protonmail except there is more evidence indicating that they are primarily a honeypot for privacy-seeking rubes (as opposed to protonmail where it is maybe only obvious to people knowledgeable about the history of the privacy industry).

People should be skeptical of anyone selling a service involving cryptography software which has nearly no conceivable purpose except to protect against the entity delivering the software. Especially if they re-deliver the software to you every time you use it, via a practically-impossible-to-audit channel, and require you to identify yourself before re-receiving it (as almost any browser-based e2ee software which doesn’t require installing any software does, due to the current web architecture).

If you think this kind of perfect-for-targeted-exploitation architecture isn’t regularly used for targeted exploitation… well, you’re mistaken. In the web context specifically, it has been happening since the 90s.

imo this community should not tolerate advertising (or other posts whose purpose is to encourage using/purchasing) this type of deceptively-marketed service.


almost every proprietary thing, including windows and macos, has some open source components.




Briar has even fewer N/As than SimpleX and all greens otherwise. Second column in the table.

Briar has a yellow Yes in row 12 ('requires global identity')

… presumably because (if you have one instance of the Briar installed) when you’re talking to two different people they can check and confirm you’re the same person, while in SimpleX you can create disposable/ephemeral identities for different chats.

I haven’t reviewed this thoroughly but I can see that there are a lot of attributes that could be added to this table in regards to metadata protection against various parties, including revealing online presence to servers and contacts (which is a place where briar falls short).


This is worthy of a more usable interface than this spreadsheet widget.

It took me a fair bit of scrolling to identify which attributes each of the six purple “N/A” values for SimpleX are, but now that I have I agree they’re accurate (though I think there is an argument to be made for just writing a green “no” for each of them).

It is noteworthy that SimpleX is currently the only one of these (currently 34) messengers to not have a single red or yellow cell in its column. well done, @epoberezkin@lemmy.ml! 😀

edit: istm that SimpleX (along with several other things) getting a “no” in the “can hand IP address to the police” row is not really accurate. SimpleX does better than many things here in that they don’t have a lot of other info to give to the police along with the IP, but, if Bob has their phone seized (or remotely compromised) and then the police reading Alice and Bob’s messages from Bob’s phone want to know Alice’s IP address… they can compel a server operator to give it to them. (And it is the same for a user who posts a SimpleX contact link publicly.)


It’s possible that it had some vulnerability which was automatically exploited by one of her majesty’s secret services (perhaps with help from their US counterparts) to make it a component of their covert infrastructure.

Sounds outlandish, but

this was happening in 2010:


(The only client that implements material you in a fun and usable way, sync is usable one-handed)

Touchscreen keyboards and their consequences have been a disaster for the human race.


Sure, fuck WhatsApp, but Telegram isn’t even end-to-end encrypted most of the time. Their group chats never are, and their “secret chat” encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it’s with some dubious nonstandard cryptography.

It’s also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries that nearly everyone actually uses.

And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯

State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, but it’s not because the app is more vulnerable: it’s because governments don’t need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.

(╯°□°)╯︵ ┻━┻

Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, …) is a farce.


I haven’t had a chance to check anything yet, but given who (Mozilla) is reacting and how, I suspect this is just another case of EU authorities acting to protect their citizens from (American) corporate abuse

Not in this case. I suggest you read the open letter (which is signed by 335 scientists and researchers from 32 countries so far).

Or, do you consider it to be corporate abuse when Mozilla prevents governments from using their certificate authorities to launch MITM attacks and impersonate websites for the purpose of intercepting internet traffic? Because that is what we’re talking about.


This article makes some good points generally, but it is ultimately marketing for a commercial snakeoil service which has a gigantic backdoor in its very threat model: when a tutanota user sends an “end to end encrypted email” to a non-tutanota user what actually happens is that they receive a link to a web page which they type the encryption key into.

Even if the javascript on that page is open source and audited, it is not possible (even for sophisticated users) to verify that the server is actually sending the correct javascript each time that a user accesses it. So, the server can easily target specific users and circumvent their encryption. The same applies to tutanota users emailing each other when one of them is using the webmail interface.

This effectively reduces the security of their e2ee to “it works as long as the server remains honest”. But, if you fully trust the server to always do what it says it will, why bother with e2ee at all? They may as well just promise not to read your email.

I am removing this from !privacy@lemmy.ml with the reason “advertising for snakeoil”. (If you’re reading this on another instance and the post isn’t deleted, ask your instance admins to upgrade… outdated versions of lemmy had a bug which prevents some moderation actions from federating.)



where you insert yourself as an expert on what Open Source is/not is

this is not really a controversial topic; assuming you were just confused, I linked to the definition and (in another comment you replied to) to the list of governments and other entities which all agree about it. i again encourage you to read those links as it sounds like you haven’t.

since you’ve declined to remove the inaccurate statement “The Software is open-source” from your post here in !privacy@lemmy.ml I am removing the post. (since I am an admin rather than a mod of the community, the moderation action will only federate to instances running the latest version of lemmy, which your instance isn’t, but fyi it should be removed from lemmy.ml and any other instances running updated software.)

fwiw i think this is the first time i’ve used my admin privileges to remove something in a discussion i participated in myself, which tbh feels a little weird, but since this is a clear case of someone declining to remove a post making an objectively false claim, i’m going to.



Still i would argue that it is open source, since it is open for everyone to see.

You are mistaken. Please read The Open Source Definition and the Open-source software wikipedia article, and then kindly edit your post to remove the inaccurate statement “The Software is open-source”.


yes, as i said, it is not free software.

it is also not open source software.

hey @ToxicWaste@lemm.ee can you please edit your post to remove the inaccurate statement “The Software is open-source”? you could say it is “source-visible software” or some other 🤡 term, but “open source” has a definition and this software’s license aint it.


where did you find that gitlab link? it isn’t linked from the project website; looking at the website i would assume it isn’t free software.

edit: oh, i see it isn’t actually free software after all, it is under a ‘source visible’ proprietary license. 🥱




What stops them from being able to? They could actually infer a lot of the metadata just from the encrypted network traffic, without even looking inside the VMs at their execution state. But, they can also see inside, so they can keep the kind of logs (outside the VM) which Signal [says that they] wouldn’t.



They say that they don’t, and I think it is extremely likely that Signal employees are entirely sincere when they say that.

But, even if they truly don’t keep metadata, they can’t actually know what their hosting provider (Amazon) is doing. And, their cryptographic “sealed sender” thing doesn’t really solve the problem. If someone with the right access at Amazon really wants the Signal metadata, they can get it, and if they can, anybody who can coerce, compel, or otherwise compromise those people (or their computers) can get it too.

One can say they’re confident that the kind of adversaries they care to protect against don’t have that kind of capability, but it isn’t reasonable to say that Signal’s no-logging policy protects metadata without adding the caveat that routing all the traffic through Amazon makes the metadata of the protocol’s entire userbase available in a single place for the kind of adversaries that do.


i wish we had a remindme bot so i could remember to come back to this comment in a year or so 🙄


not that it matters (see my other comment in this thread), but, citation needed? wikipedia says it is maybe in Dubai.


It’s tragicomic how some people trust Telegram specifically because they perceive CEO Pavel Durov to be an enemy of the Russian government, while others trust Telegram because they think it is actually a Russian company and thus won’t share data with western governments. (Durov talking about the facts that Signal has received millions from the US government’s Radio Free Asia and sends all messages through Amazon servers helps with this second perception).

I assume Durov’s relationship status with various governments is it’s complicated but also cordial. IMO it would be prudent to assume that intelligence and law enforcement agencies from lots of countries, including ones that are adversaries of each other, are all getting lots of data from Telegram both with and without the company’s cooperation.

There is literally no e2ee for most messages, and new devices can be added and authenticated by SMS, so, even the weakest of adversaries can play with it. Telegram really democratizes surveillance capabilities.


Like telegram, threema insists on making up their own 🤡-crypto constructions which (unsurprisingly) are not very good: https://breakingthe3ma.app/ (see also The Register’s summary, and/or here for some earlier research).

Their response to those findings was to reinvent and replace everything (again). It seems like a pretty safe bet that their new amateur cryptographic constructions will get broken too, just as soon as the next bored researcher gets around to looking closely at it.


I’m not sure what exactly you mean by “always active desktop sessions” but for any definition I could imagine it is possible to do that while having e2ee. Many e2ee messengers have multi-device support nowadays.

Telegram doesn’t need to have e2ee because they’ve pulled some trick of becoming widely perceived as being privacy friendly despite not actually offering any e2ee in most cases, and offering only some 🤡-protocol in the few cases where they do.

Another reason for them not to implement e2ee is that they’re most likely monetizing their users’ content data as well as the metadata (and in more ways than just charging some types of police for access to it, which is presumably only a small fraction of their revenue).


🤔

both require phone numbers, and both concentrate metadata in a central location (Amazon servers, in the case of signal).

both sort of pretend to be free open source software, and sort of are but with a lot of caveats.

telegram doesn’t even have end-to-end encryption (except for some wacky not-peer-reviewed thing in 1:1 ‘secret chats’ which are rarely used); at least signal has it beat there.

https://simplex.chat/ is a new messenger which doesn’t have any of the above problems and seems quite promising imo.


I’m deleting this (from lemmy.ml) because people are flagging it as an ad and after a couple of minutes looking at their site and github my impression is that, while they have published some source code, this is not a thing you can actually self-host or use without paying them. If I’m mistaken feel free to make a new post linking to the install instructions instead of the signup instructions.


they said their new one is all new code by their own engineers

where did they say that?


Well I hear Duckduckgo’s new browser is something new finally instead of based off an existing browser

Where did you hear that? According to wikipedia DuckDuckGo’s browser uses the operating system’s rendering engine on mobile (chromium’s on android, and safari’s on ios), and the mac version also uses webkit (safari’s engine).

The windows version doesn’t appear to even be open source but I would be surprised if it isn’t also using chromium’s rendering engine.



...but participating websites aren't supposed to use it unless you "consent" 🤡