WingNews logo WingNews GitHub [2]

Roujo's comments

Roujo | 6 years ago | on: Let's Encrypt Has Issued a Billion Certificates

> To say they don't have any way of MITM'ing a connection is wrong even if it's unlikely.

I totally agree, it's why I qualified it with "just by virtue of them being the one validating the cert for a certain website" and later on adding that they could do so in other ways, like the one you're suggesting. Reading it again makes me realize that it could be understood that way, though, sorry if I wasn't clear enough. Sometimes not being a native English speaker betrays me a little bit. =)

Roujo | 6 years ago | on: Let's Encrypt Has Issued a Billion Certificates

As I understand it, a CA doesn't have a way of MITMing connections just by virtue of them being the one validating the cert for a certain website. You don't share the private keys of your certs when you generate them[0], you just need for a CA to attest that yes, this certificate's public key is allowed to be used for whatever use you're applying for. ACME doesn't change that, it just allows this verification to be done automatically.

Let's Encrypt doesn't have any more ways of MITMing people using their certs than any other CA - that is, they _could_ do it by generating rogue certs, but that's no different than what Google can already do since they're a CA as well. Plus, certificate transparency logs should make it visible if they ever do so.

0: Barring weird cases I've seen of some companies letting you generate a cert entirely on their website, letting you download the private key once it's done. Which is bad practice for the reason you're talking about right now, since by then you have no assurance that they haven't kept a copy of that private key for later use.

Roujo | 6 years ago | on: Freedom of expression is at a ten-year low globally, study says

I agree with the similarity but as you're saying there was always the possibility of leaving town. It wasn't a convenient solution, and you might very well repeat the same actions wherever you go, but at least you could get a chance to start over elsewhere. IMO that's quite a bit different than the current situation, where I feel you'd have to go and change your legal name, move to another location and get new accounts online to manage to shake off what is now attached to your real name, and _even then_ the paper trail would probably be found at some point and it would all come back to you.

So small town rules, yes, but practically speaking there's only one town left. Whether it's a good thing or not is a matter of opinion - and depends on the specific context as far as I'm concerned - but overall I feel like something of value has been lost in the transition. It might have been possible to make amends and/or show that whatever you did was a temporary lapse in judgement before, but doing that one the scale of the whole internet audience we have nowadays doesn't feel practical, or even possible really. =/

Roujo | 6 years ago | on: Sony launches a taxi-hailing app in Tokyo

> The only thing I didn't like about Suica/Pasmo when I was in Japan was that, unlike a credit card, there doesn't seem to be a way to get a statement so you can see where you spent all your money

I use Suikakeibo [0] for that. The latest 20-ish transactions seem to be stored on the card, so by scanning it using my phone every day I could keep a history of everything I used it for. You can even put in notes, since non-transit transaction don't list what you bought with it - just the amount.

It makes for a nice reminder of my past trips. =)

[0] https://play.google.com/store/apps/details?id=net.mediavrog....

Roujo | 7 years ago | on: I tried creating a web browser, and Google blocked me

> So what is this DRM supposed to achieve?

It's a good point, but I believe DRM isn't just about piracy. It's also about control. I read a good article about this once, but I can't find it anywhere right now so I'll summarize what I remember.

As long as DRM exists, if you want to make a Blu-ray player you have to go and ask the Advanced Access Content System Licensing Administrator for their blessing, so that you can decrypt and play (for example) AACS-protected media. It doesn't really matter that AACS has been broken since early 2007 and that pirates can easily circumvent it - as long as you want to sell a player above-board and not risk potential lawsuits, you still have to go and license it.

(This might not be true for AACS in particular, but AFAIK it is generally true of more recent content protection systems.)

That's when the control part kicks in. Good luck getting that Blu-ray player approved for content decryption if it allows the user to skip commercials, or make small clips of movies and send them to your friends, or other such features. I do believe there would be some amount of demand for those features - well, mostly the first one. However, I don't see the AACS LA ever approving such features while having Disney and Warner Bros as founding members[0].

I'll try to find the original article I got those ideas from. I'll reply again if I ever find it.

[0]: https://web.archive.org/web/20120218192257/https://www.aacsl...

Roujo | 7 years ago | on: Pixelfed – An alternative to centralized image sharing platforms

As I recall the idea was to promote looking for a Pixelfed instance with a community that fits your needs and interests, which in turn makes the network stronger by distributing the userbase over a variety of servers.

Keeping registrations open on what is often perceived as an "official" instance can lead to that instance getting most of the new users of the network, since it's usually the one you'll find if you search for the corresponding software. mastodon.social (previously open, now invite only) is a good example of that, IMO. I'm not sure if it's a good or a bad thing, but I do feel it subverts the idea of a federated network if most users are on a handful of known instances.

Roujo | 8 years ago | on: First Lightning mainnet release

Yes, is does. However, the amount of electricity used isn't directly correlated with the number of transactions on the network. It instead follows the number of miners validating those transactions. A empty block validating no transaction takes more or less the same amount of work as a full block to mine. That was GP's point, I think.

That being said, having a lot of transactions going around is probably correlated with Bitcoin getting more popular, which is again probably correlated with more miners coming in, which would indeed lead to higher energy consumption. That's an indirect effect, however.

Roujo | 8 years ago | on: A proof-of-concept system for counter-surveillance against spy drones

> Instead of filling the stream and having a constant stream size, you could just code the drone do add random bursts of data, making any prediction from the observer useless.

If it's actually random, wouldn't the average bitrate of "still scene + occasional random data" still be lower than "active scene + occasional random data"? Given enough samples, of course.

Roujo | 8 years ago | on: Disney acquires own streaming facilities, will pull Netflix content

I feel like the title might be jumping to conclusions. From the article, emphasis mine:

> With this strategic shift, Disney will end its distribution agreement with Netflix for subscription streaming of new releases, beginning with the 2019 calendar year theatrical slate.

I don't read this as "Disney will pull content currently on Netflix from the platform", and I can't see anything else in the article that would suggest this.

Roujo | 8 years ago | on: Dark Matter May Be Trapped in All the Black Holes

IMO, Occam's Razor is only meaningful when there are two competing hypothesis, one of which is markedly simpler than the other. Mentioning it in a context of "surely it can't be this complicated" without pointing towards a simpler alternative doesn't strike me as very useful. I know you're not the person who made the original argument, just chiming in on the discussion.
page 1
more