bruo's comments

bruo | 4 years ago | on: Simple Linux kernel memory corruption bug can lead to complete system compromise

This text is not a news report, it's a technical one about this specific bug. It shows how the attack develops and suggests mitigations at the kernel development level.

The bug itself is small and it led to a whole system compromise, and the title is very good at guiding us to the point they are trying to make… memory corruption is a problem and it needs to be addressed at early stages, even if the overhead seems not worth it.

bruo | 9 years ago | on: Wrong signal

The criticisms are valid, the solutions are not (for activists, as that is its focus).

Conversations.im was (or is, I haven't checked in a month) logging encrypted chats in cleartext by default, and history shows why that is a bad idea [0].

Until today I haven't seen a single XMPP implementation that protects metadata: the roster is always in cleartext, to support OMEMO you are always storing yet more info, etc.

If the answer to Signal's issues is XMPP, there is a lot of work to do before even suggesting going this path.

[0]: https://trac.adium.im/ticket/15722

bruo | 9 years ago | on: Tell HN: Riseup.net fails to update canary; fingerprints deleted without notice

While you are not lying, and mailing lists should be avoided if you want to share secrets, most of the time you need a mailing list not to do that, but to simplify communications.

At least in the global south, most radical activist groups have strong "no-internet policies" for any type of secret, and no-cellphone ones for their work. They have learned from their own history what they can or can't do, learned how to deal with IRL infiltration, and even learned how to communicate without any kind of contact or even agreements between groups. To survive and act against dictatorships or invading armies is not easy; they had to be smart.

But still, because travelling is expensive and networking today is a need for some of those groups or collectives, they communicate with each other about their resolutions or activities, which are not secret (as I already said, it's assumed there can be an IRL infiltrator) but are also not public.

You can see SMTP and mailing lists as a huge security risk, and they are; it's just not very common to see people who assume the opposite around here.

bruo | 9 years ago | on: The impact of Let's Encrypt on the SSL certificate market

I didn't downvote you, but there are different reasons why you would want to use a wildcard certificate, and even if those reasons are not aligned with your goals they shouldn't be dismissed.

I know two, at least. At a small community school in my city, teachers and students keep blogs on a WordPress multi-user server, for storing data or doing webdev examples. They have a subdomain setup and cannot use SSL, as the domain name is always unknown until the person creates the blog, and the wildcard is too expensive for something they do in their free time.

Sandstorm uses unknown subdomains as a way to avoid possible security issues: https://docs.sandstorm.io/en/latest/administering/wildcard/#...

I'm sure your points are valid, but you cannot define the threat model of others so easily. And don't get mad about downvotes; upvoting or downvoting is pretty boring.

bruo | 9 years ago | on: Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale

I understand the point; what I am saying is that things don't work this way, neither in my personal experience (which I told) nor in the areas I work in (I work for a human rights organization, which doesn't recommend any software btw). There is a difference between how you think people should react and how people really react.

As concepts, "human rights" triggers fewer alarms than anonymity, first because, while I don't know which regimes you consider oppressive, there is a big probability they themselves think they comply with and/or promote human rights. Iran for example has an Islamic Human Rights Commission and proudly promotes it. Israel would be another country that fits this example.

Then we have that anonymity could mean the thing that scares them the most, which is not human rights defenders but spying. Tor is already on a bad list for this reason, same as any anonymity software. The biggest threat those countries face is still military intervention or terrorism. A friend was arrested while taking pictures in Palestine; when questioned he was asked if he had Tor or I2P installed, PGP or any encryption software on his laptop. They didn't take his laptop away, but that was before the switch to the "human rights" brand.

Then there is another vector we can take, Tor as circumvention. Another friend, when visiting Sudan, got a pamphlet saying not to use Tor, VPNs or proxies when asked for the visa. The hotel made the same requirement. This was 4 years ago. The reason was not that Sudan has been on the list of the worst human rights offenders but that you could access immoral content with it.

So, while I understand the point, it doesn't seem to be backed by reality.

bruo | 9 years ago | on: Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale

I haven't lived in a lot of oppressive regimes, but usually this is not how it works. I lived through two close examples.

When I was a kid a friend of my grandmother was arrested because a neighbor said he was a communist. He was tortured for a week and his party, kind of center/right wing, got him out, as they were a party close to the current government. Oppressive regimes usually don't need evidence.

A friend of mine was arrested and held for two years, accused of terrorism. The proof? A copy of War and Peace (not even a photocopied book) and a Guns N' Roses poster. And this was in "democracy"... so stupid proofs are also used, and anything can be a proof, like a book about cubism that was considered to be a book about Cuba's ideology.

Tor has for years been looked at by "regular"/"normal"/"common" people as a tool for drug dealers or child molesters. The switch to a human rights tool doesn't seem to really push it further into the illegal line.

Anyway, oppressive regimes do whatever they want. Tor can avoid some of the spying, but if the state is already taking your computer you are screwed, with Tor or without it.

bruo | 9 years ago | on: WoSign's secret purchase of StartCom: WoSign threatened legal actions

I agree with you, there is no alternative to StartCom right now in wildcard certs. While GNOME got a free account to get those certs, the last time I checked it was still the cheapest way to get wildcard certificates (60 USD for unlimited wildcard certs).

It also removes the complexity of having to deploy Let's Encrypt certificates every X months without storing the LE account key online. But if they release certificates to anybody claiming to be you, there is no advantage in this area.

bruo | 9 years ago | on: “I must, sadly, withdraw my endorsement of Yubikey 4 devices”

I have used Nitrokeys and the FST-01; the FST-01 beats the Nitrokey in speed and in freedom. I currently use two of them, one with RSA 4096 and one with 25519 (for decryption you need libgcrypt 1.7). The Nitrokey beats the FST-01 in the case; it's by default more wearable without needing to make your own.

It seems there is a big plus when you use a board made by the person who makes Gnuk, which is the same person who makes the GnuPG smartcard code.

bruo | 10 years ago | on: Why Torture Doesn't Work: The Neuroscience of Interrogation

This is not how torture works in real life. At least, not the kind done by security forces.

Both of my parents were tortured; both faced it several times. My father was in prison twice and my mother was never in prison but was taken directly to military facilities. But not only were they tortured, several people from the circle of family friends were tortured too. One of them now works in a state program trying to help the people who were tortured to continue with their lives, even if they were tortured in 1974-1980.

While the 1973 coup was made with the support of the US and Brazilian governments, there was no support when the first arrests came. Most people faced strong pain under different methods, including electricity, beating almost to death, removing nails, etc... but it was only after the US experts arrived that torture became effective.

Torture is about removing will. A common practice after that was not only rape by the military, but they put dogs to rape women. They took their fingers off and put them in cells full of shit so they had to fight off infections. Put them in really small spaces until they were lost.

These were processes carried out over days; they didn't get into shock status, they were destroyed as human beings. When they got out, torturers didn't ask them: "hey, how do I find this person"... they just took a bunch of pictures and checked the reactions. Or they put them in a car and drove around the city and let them see somebody they knew.

By the way, when you reach this point you don't care about torture anymore, like trying to avoid it by letting the torturer hear anything they want to hear. You are broken, you don't have will, the only thing you can wish for is to be dead. You don't resist anymore.

Torture was so effective that political organizations who were fighting the dictatorship adopted the policy that when somebody was arrested, all the people they knew had to run and disappear within 24 hours.

bruo | 10 years ago | on: Why Johnny Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client

Worse for some people and better for others. My mother (58) and my grandmother (82) love how easy it is to do what they usually do, contrasted with the Windows 8 experience.

I don't know if that is a common case or not, but at least it's not a definitive "worse" or "good". And for me, it's great, as I never get a call asking me where something is anymore.

bruo | 10 years ago | on: Why I am pro-GPL

I think GPL is forbidden from the App Store. That's Apple's rules enforcing it.

And yet, the whole iOS environment uses several pieces of permissively licensed software. This is a very good example of how they damage user freedom, thank you.

bruo | 10 years ago | on: The abolition of work

Black's essays are often cataloged as post-left anarchism, which I guess is one of the main reasons it can look like that. But also because in this essay he attacks something that is commonly accepted by everyone: we all work, even him.

bruo | 10 years ago | on: The abolition of work

The Abolition of Work is one of the most important political essays after the Situationist International. It was published in 1986 and has also been published in over 30 languages.

While what you want from Black is hard data, what he wants from you is to think and discuss. It's not a blog post, it's not a paper, it's an essay and that's what it aims to be.
