cley_faye
@cley_faye@lemmy.world
- Comment on LibreOffice blasts 'fake open source' OnlyOffice for working with Microsoft to lock users in 8 hours ago:
Microsoft-supported formats are badly documented, and regularly broken by updates of the software before changes are understood (if there’s even an update to the loose spec we used to have). That’s a problem.
- Comment on California’s New Bill Requires DOJ-Approved 3D Printers That Report on Themselves 1 day ago:
That’s… not applicable here. Like, at all. To reproduce a printed document, you input it. To make a 3D print, you produce a tailored list of operations depending on many, many settings. Usually, the files that reach the printer have little in the way of knowing what is printed, aside from expensive reconstruction that would only give the general shape, if even that. And even if you can send actual 3D model files to a printer that would do the slicing locally, there’s no “absolutely required” fingerprint there. A tube is a tube.
And, just so you know, there’s a slew of public printers and scanners that will just plain not recognize any of this, too. There’s also some “protection” pattern in some official documents; large office printers would choke on them, where a home scanner was fine. This is, at best, only enforceable in the flimsiest of ways.
- Comment on California’s New Bill Requires DOJ-Approved 3D Printers That Report on Themselves 1 day ago:
Let’s entertain the thought. How would one identify what is a gun part being printed, and what is a tube, a mechanical latch, or whatever else. Heck, I printed a plastic replica of a movie prop once. Would that be illegal?
I mean, I’m not in the US, and I know how to drive three steppers according to a list of extremely basic instructions that never ever represent anything “final part-y” looking, but the question remains. How do we go from “lots of gcode” to “yep, that’s definitely illegal” without saying that everything is illegal?
- Comment on California’s New Bill Requires DOJ-Approved 3D Printers That Report on Themselves 1 day ago:
That’s basically what we used to do before big printers came in :D
- Comment on California’s New Bill Requires DOJ-Approved 3D Printers That Report on Themselves 1 day ago:
Private workshops are next on the chopping block, then. Totally feasible. /s
- Comment on Small little shenanigans 1 day ago:
Doctors HATE this funny prank
- Comment on You probably can't trust your password manager if it's compromised 4 days ago:
If the entire supply chain up to the software you’re running to perform actual decryption is compromised, then the decrypted data is vulnerable. I mean, yeah? That’s why we use open-source clients and check builds/use builds from separate sources, so that the compromise of one actor does not compromise the whole chain. The server (if any) is managed by one entity and only manages access control + encrypted data, a client from a separate trusted source manages decryption, and the general safety of your whole system remains your responsibility.
Security requires a modicum of awareness and involvement from the users, always. The only news here is that people apparently never considered supply chain attacks up until now?
- Comment on BMW’s Newest “Innovation” is a Logo-Shaped Middle Finger to Right to Repair 1 week ago:
a novelty security feature for hubcaps that you don’t want to be removed too easily
If this picks up, the people you’d want to not be able to remove these too easily will be the first to have the adequate tools to remove them easily.
- Comment on A succulent meal 1 week ago:
That’s propaganda by Hulk (big green).
- Comment on A succulent meal 1 week ago:
Dang, medieval peasants had it better than I thought.
- Comment on Epstein Files: X Users Are Asking Grok to 'Unblur' Photos of Children 1 week ago:
Didn’t they already do that in their public posts or whatever? They don’t care.
- Comment on What launcher should I replace Nova with? 1 week ago:
Hey, I’m using that. It works fine.
…well, I have little to no expectations from a launcher beyond “can have pages, shortcuts, widgets, and hide apps”, so there’s that. It has a few visual customizations regarding icons and grid size, and so on. The biggest praise I can give them is that nothing seemed out of place or annoying.
- Comment on Discord will require a face scan or ID for full access next month 1 week ago:
Matrix, the central service, might work, but I’m not sure if it could handle the load well. Matrix, the federated service, hosted by many people, has performance issues with the “free” version. I could not test the paid/more optimized version, so I can’t talk about that.
Anyway, the protocol and clients have their issues. All of these stem from usage; I did not do a deep dive into the internals of it. But off the top of my head:
- joining a room will sometimes not send you keys to see older messages, despite being configured to do so. When it works, it’s ok. When it doesn’t, there’s little to no recourse.
- sometimes (rarely) rooms have to be upgraded to use new versions/features. So far it happened once (to my knowledge). The issue is that “upgrade” means locking the existing room, creating a new one, inviting everyone in the new room, and putting a link to the old room as read only. Sure, the process is mostly automated… except the best way to start it is using dev commands on a client, and every user will have to accept the invite. Just hope you don’t have too many rooms.
- Logging into a new device/client will sometimes work perfectly fine. Other times it will obstinately refuse to retrieve your room’s keys from another existing, online, logged-in device. Despite the “confirmation” dialog, it won’t work. You can manually export/import your keys from one device to another, but for large scale adoption? Not good. You can say goodbye to all previous messages if that happens.
- The interface is relatively barebones, and some features get pushed quickly (like, throwing confetti), while others (like, proper room management, fine notification controls, etc.) are held back forever.
- Features are limited. It works very well as a chat, and they recently worked on a built-in video/audio call service, but that’s it. A few “plugins” are supposed to work but are clunky as hell (they’re basically iframes). Some features that people consider important (like stickers) are definitely an afterthought, and searching for a sticker is a pain (disclaimer: I’m not using the central service/app, so that part might be specific to my instance).
With that said, nothing’s actually a show stopper for small usage, and the heavily optimized server might handle itself well enough, as long as you’re mainly concerned with having text rooms. But open instances handling hundreds of users might be a stretch… for now. Maybe this will cause more development into the Matrix/Element ecosystem.
- Comment on FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled 2 weeks ago:
Math has little room for backdoors.
- Comment on FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled 2 weeks ago:
Unless there’s an incredible amount of people “not in” on some universal secret, maths gonna maths, and physics gonna physics. Actual encryption works well in a proven way, computational power isn’t as infinite as some people think, and decent software implementations exist.
Getting hold of anything properly encrypted with no access to the key still requires an incredible amount of computing power to brute force. Weak/bad implementations can leave enough info behind to speed this up, malicious software can make use of an extra, undocumented encryption key, etc., but a decent implementation would not be easy to break into.
Now, this does not say anything about what Apple actually does. They claim to have proper encryption, but with anything closed source, you only have your belief to back you up. But it’s not an extraordinary claim to say that this can be done competently. And Apple would have a good incentive in doing so: good PR, and no real downside for them since people happily unlock their phone to keep their software running and doing whatever it wants locally.
- Comment on Notepad++ Hijacked by State-Sponsored Hackers 2 weeks ago:
I don’t know how most package managers on Windows work, but usually, auto updates are disabled by default for software that comes from one. For example, Firefox installed using APT on various Linux distros will not auto-update out of it.
I vaguely remember Chocolatey packages not really doing that, causing a mismatch between installed versions and its internal database, though, so maybe it wasn’t that good of a solution.
- Comment on Notepad++ Hijacked by State-Sponsored Hackers 2 weeks ago:
The software itself, and the devs, have little to nothing to do with this besides detecting the issue. Which was not obvious, since (it seems) the attack was targeted at specific IPs/hosts/places. It likely worked transparently without alteration for most users, probably including the devs themselves.
It also would only affect updates through the built-in updater; if you disabled that, and/or installed through some package managers, you would not have been affected.
A disturbing situation indeed. I assume some update regarding having adequately digitally signed updates was done (at least, I hope… I don’t really use N++ anymore). But the reality is, some central infrastructure is vulnerable to people with a lot of resources, and actually plugging those holes requires a bit of involvement from the users, depending on how far one would go. Even if everything’s signed, you have to either know the signatory’s public key beforehand or get a certificate that you trust. And that trust is derived from an authority you trust (either automatically through common CA lists, or because you manually added it to your system). And these authorities themselves can become a weak point when a state actor butts in, meaning the only good solution is double checking those certificates with the actual source, and actually blocking everything when they change, which is somewhat tedious… and so on and so on.
Of course, some people do that; when security matters a LOT. But for most people, basic measures should be enough… usually.
- Comment on Notepad++ Hijacked by State-Sponsored Hackers 2 weeks ago:
Notepad++ installed from any package manager was perfectly fine and safe.
- Comment on Notepad++ Hijacked by State-Sponsored Hackers 2 weeks ago:
I’ve kind of stopped following things up since I left windows, but maybe you’re remembering when this actually happened a while ago? This is just some in-progress post-mortem report.
- Comment on You won: Microsoft is walking back Windows 11’s AI overload — scaling down Copilot and rethinking Recall in a major shift 2 weeks ago:
Oh, yes, I won. I’ve known for months. Microsoft has nothing to do with it anymore.
- Comment on 3 weeks ago:
Maybe if they keep making it worse and worse it will kind of circle back to good.
- Comment on Pornhub, YouPorn, and Redtube and other content sharing platforms will block New users in the UK starting next week(February 2) 3 weeks ago:
Steganography is extremely far from undetectable, unfortunately. And trivial to find out once you know it’s there; if we ever allow a framework to be put in place to intercept communication at a large scale, it will be the inverse of the cat and mouse game we have with encryption: very hard to improve, very easy to detect.
And I’m aware of the many funky things we did. At some point people tunneled DNS queries through HTTPS, to get through Wi-Fi captive portals that only allowed HTTPS traffic until authenticated.
Just to be clear, I’m aware of the issues of detecting stealth data, and even detecting encryption against seemingly random data. It’s kinda fascinating to detect the difference, too; some people have looked into that. But the point is, if you’ve already agreed on “banning encrypted communication that can’t be listened to easily”, you can basically just say “this is gibberish, decrypt it or go to jail”. I also know that this sounds insane and throws away the “innocent until proven guilty” principle, but we’re slowly creeping toward a world where our devices scan all our documents and communication to notify a central authority of issues, where black boxes in large networks are already present, and so on.
It’s been slowly creeping toward that. Finding ways to hide traffic on public networks can only go so far if the listener can just stop you if it detects what looks like encrypted content.
And, since this is kind of a heated discussion, I’ll reiterate: it would be batshit crazy to go this way. But I would have found batshit crazy to have our own devices spy on us and report suspicious activities to third parties years ago, and yet here we are.
- Comment on Pornhub, YouPorn, and Redtube and other content sharing platforms will block New users in the UK starting next week(February 2) 3 weeks ago:
It’s not unsubstantiated. The push for government-sanctioned client-side spyware already happened years ago with the intent to scan all content and keeps happening every other year, each time with more support, inefficient laws about age control have been pushed in many countries and others are following suit, there’s constant harassment of tech companies for them to create backdoors for spying on demand, device manufacturers are threatened for allowing custom software that can be used to circumvent such provisions, etc.
If you haven’t seen any of this, then sure, be surprised that a ban on general public encryption is not unthinkable.
- Comment on Pornhub, YouPorn, and Redtube and other content sharing platforms will block New users in the UK starting next week(February 2) 3 weeks ago:
Anyone who thinks a government can ban VPNs without destroying economy is deluded
Anyone who thinks a government would never do something as utterly stupid as shooting itself repeatedly in the everything out of spite is deluded. Banning all forms of encrypted traffic would be insane. Now tell me, how many insane things have we witnessed in recent years from our collective governments?
- Comment on Pornhub, YouPorn, and Redtube and other content sharing platforms will block New users in the UK starting next week(February 2) 3 weeks ago:
Anything encrypted is blocked. Boom, done.
Is it stupid? Yes. Never stopped lawmakers.
- Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption 3 weeks ago:
It’s E2EE alright. Just, don’t ask what “ends” we’re talking about.
- Comment on Lawsuit Alleges That WhatsApp Has No End-to-End Encryption 3 weeks ago:
The drunk dude that’s always sitting on the ground near the park entrance and sells weird tissue dolls with curly hair is more trustworthy, I’d say.
- Comment on Le Tits, Now! 3 weeks ago:
The fuck you’re on about.
You know what? Don’t bother. Ignoring that we’re “in control of violent Islamic extremists”, I’ll just keep on trucking in relative peace (even though I’m in one of the worst cities out there).
- Comment on Just the Browser: tools to remove AI and other bloatware from Chrome, Edge and Firefox 4 weeks ago:
No need. It seems it got fixed along the way. But that’s the point; I tried this a year ago, and it would not work, either under the default configuration with DRM enabled, or after disabling most of the privacy features, so I just gave up on it.
Firefox, for all the flaws regarding the direction Mozilla is taking, just worked out of the box. And for adoption, working out of the box immediately is kind of a requirement.
- Comment on Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects' laptops: Reports | TechCrunch 4 weeks ago:
Both are completely unrelated to the discussion. TPMs sometimes have issues regarding their security, but you can certainly use Secure Boot with your own signing keys to ensure the kernel you run is one you installed, which improves security. And you can use the TPM to either keep your FDE keys, or only part of them combined with a PIN if you don’t fully trust them to be secure, so you keep strong encryption but with a bit of convenience.
Without a (properly configured) Secure Boot startup, anyone could just put malware between the actual boot and your first kernel. If the first thing that happens when you boot is something asking for a password to be able to decrypt your storage, then an attacker can just put something here, grab your password, and let you proceed while storing it in a place it can be retrieved from.
Is this scenario a concern for most people? That’s unlikely. But every computer sold these last five years (at least!) can be set up to reduce this risk, so why not take advantage of it.