anti-idpol action

I am working on fedi software that is hoping to allow Kodi, Plex and Popcorn Time get rid of IMDb/TMDB dependency. Dm me if you’re skilled in SvelteKit and/or Go, especially the Fiber framework, or machine learning with Rust and willing to contribute.

  • 0 Posts
  • 21 Comments
Joined 1Y ago
cake
Cake day: Sep 10, 2023

help-circle
rss

a decentralized file hosting/sharing protocol that powers library genesis, for example




one of the best

(link in alt text) https://github.com/signalapp/Signal-iOS/issues/641

And then for no good reason a “FOSS” app’s binary grows by a couple MB…


I see your point and don’t negate such possibility. Although the black box nature of proprietary dependencies in vanilla Signal means an inclusion of potential trojan spyware. Speaking of the need for app lock, as an alternative solution, you can create a separate profile for Signal to have a dedicated PIN. But afaik only GrapheneOS allows notification relaying to main profile. LineageOS on the other hand has a feature called AppLocker. If you intentionally lend your device to kids, Android has a feature called app pinning.


maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.

Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.

The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.


French authorities consider it a “terrorist app”. Louis Rossmann made a video about it. It was in some court case but at this point I don’t remember whether it was a local court or higher and frankly don’t care enough to check.


Also don’t get me wrong. Molly might be written by less experienced programmers. And if it was written from scratch, it could be very likely it would contain more vulnerabilities per 1000 lines of code than standard Signal app. But it’s mostly just it’s a hardened superset sans some nasty stuff. I’d compare that more to how Calyx or GrapheneOS are to plain AOSP than how some low maintenance random custom ROM from XDA with fuckton of bells and whistles that will leave your bootloader unlocked is.


Have you seen signal’s issue tracker? Ik it’s a big project, but it’s literally getting spammed, plus the desktop app that keeps database key in plaintext and won’t work natively under wayland (needs xwayland, making basic stuff like sending attachments hard if you use most tiling compositor, tho that’s partly Wayland’s design flaw of lacking consistent reference implementation). Also I principally don’t trust apps that rely on both proprietary network services and libraries. The very fact that they don’t leverage their funding to reduce their costs by working on support for federation that is not a matrix bridge (which hasn’t been even developed by them btw) or decentralization, especially since XMPP, SimpleX and Matrix (which has currently 3 well developed server implementations: Synapse, Dendrite and Conduit) have been able to do so with much smaller funding. And it’s Signal, not Molly’s maintainers who have been putting more effort into shiny UX improvements over hardening infrastructure code lately. And even if Signal does improve it’s security, the patches get regularly backported into Molly, whereas even such basic shit implemented solely in Molly, such as app passwords that actually encrypt it’s database is pretty useful. Because even PIN scrambling is not fully immune to shoulder surfing. Defense in deph matters.

tl;dr a longer rant about decentralization vs federation 👇

Even the argument of network effect achieved thanks to reliance on phone numbers is becoming less relevant these days, with DeltaChat providing a convenient way to have encrypted chats using the existing email infrastructure in much more convenient way than traditional PGP. Pixelfed has already achieved E2EE DMs and it’s being worked on for Mastodon. If the UI of the most popular apps and the official web interface are also redesigned to make messaging more convenient to use it might have the same positive effect on user retention as Facebook Messenger once had. Anyway things are bound to change in favor of federation, but not necessarily decentralization. For instance I got mixed feelings about EU’s DMA. I’m optimistic about the interoperability benefits it could bring, but even the official act doesn’t specify how it’ll be implemented. If it relies on something like WebFinger which does require a domain name it’ll end up just grouping a couple of major walled gardens together, so for example SimpleX, Session or Status users still might not be able to chat with people on centralized platforms


Also, Signal’s centralization, sussy shenanigans with mobilecoin and not updating their server app repo for over a year (latter they ceased afterwards iirc but still very detrimental to trust, especially since git reflog manipulation is ridiculously easy) and dependence on proprietary libraries and network services (in case of libraries there are thankfully at least a couple forks without such dependencies). Plus most of their servers that aren’t necessarily CDN being located in glowieland…


I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)



You can set up an account over Tor in case of 1984. Haven’t used Orange but mainly due to bigger costs. Iirc the only time my 1984 Wireguard VPN was facing issues was when trying to edit Wikipedia, so not a big problem. Searxng was also working fine.


Buy yourself a VPS at a provider that accepts untraceable cryptos, like 1984.hosting and self-host





Though beware that although good in terms of performance, features and sturdiness (as long as you encase that glass back) or camera, Pixels are not flawless in terms of plain quality. Their battery life could be better and mine loses signal from time to time. Some features like 5G might not be available at every carrier in your country as well if Google has no official distribution there.


OsmAnd is better since Petal Maps is proprietary.