112·
2 days ago
Arthur Besse
cultural reviewer and dabbler in stylistic premonitions
- 21 Posts
- 72 Comments
Joined 2 years ago
Cake day: January 17th, 2022
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
python -c 'print((61966753*385408813*916167677<<2).to_bytes(11).decode())'how?
$ python >>> b"Hello World".hex() '48656c6c6f20576f726c64' >>> 0x48656c6c6f20576f726c64 87521618088882533792115812 $ factor 87521618088882533792115812 87521618088882533792115812: 2 2 61966753 385408813 916167677
because i thought the situation described by the post was tragicomic (as was somewhat expressed by the line from it quoted in the post title)
7·2 months agoMattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).
If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.
edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢
I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.
As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).
This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.
This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.
Thank you for reading my artist’s statement.
2·3 months ago
141·4 months agothat was predictable
5·4 months agoIt's a great product, but this one comes in more varieties:
i wonder how waydroid is these days. i still haven’t gotten around to trying it but I just looked again and I see its downloads are still hosted on Sourceforge 😖
apparently there was a proof-of-concept of it working on windows before Microsoft’s thing that died today had even been released. if many people actually used Microsoft’s thing I imagine some will turn their attention to waydroid now.
It’s not GNUIMP it’s GIMP
what do you think the G is for
(before it was Kool, KDE was a reference to CDE, the Common Desktop Environment)
Ente doesn’t seem to require a CLA.
It turns out, they do have a CLA (with full copyright assignment 😢).
They’d need to implement something like SRP.
Update: I contacted the developers to bring my comment to their attention and it turns out they have already implemented SRP to address this problem (but they haven’t updated their architecture document about it yet).
It is, but in this case I think it isn’t actually a weakness for the reasons I explained.
That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.
What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (lets call it the
loginSecret) which the client can send to obtain theencryptedMasterKey. This can be derived in a similar fashion to thekeyEncryptionKey(eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.Is there any downside to what I suggested, vs the current design?
And is there some reason I’m missing which would justify adding the complexity of SRP, vs what I proposed above?
The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user’s
loginSecretfrom the server but has not obtained theirencryptedMasterKey: in that case they could use it to request theencryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use theloginSecretfor their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to theloginSecretin my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don’t think SRP provides any benefit here.
edit: the two issues i raised in this comment had both already been addressed.
this was the developer’s reply on matrix:
- We do have a CLA: https://cla-assistant.io/ente-io/ente
- We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
- The portion of the document that deals with authentication has been outdated, my bad. We’ve adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/
here is my original comment
AGPL-3.0
Nice
This would be nice, but, this repo includes an iOS app, and AGPL3 binaries cannot be distributed via Apple’s App Store!
AGPL3 (without a special exception for Apple, like NextCloud’s iOS app has) is incompatible with iOS due to the four paragraphs of the license which mention “Installation Information” (known as the anti-tivoization clause).
Only the copyright holder(s) are able to grant Apple permission to distribute binaries of AGPL3-licensed software to iOS users under non-AGPL3 terms.
Every seemingly-(A)GPL3 app on Apple’s App Store has either copyright assignment so that a single entity has the sole right to distribute binaries in the App Store (eg, Signal messenger) or uses a modified license to carve out an Apple-specific exception to the anti-tivoization clause (eg, NextCloud). In my opinion, the first approach is faux free software, because anyone forking the software is not allowed to distribute it via the channel where the vast majority of users get their apps. (In either case, users aren’t allowed to run their own modified versions themselves without agreeing to additional terms from Apple, which is part of what the anti-tivoization clause is meant to prevent.)
Only really nice when not CLA is required and every contributor retains their copyright. Ente doesn’t seem to require a CLA.
I definitely agree here! But if it’s true that they’re accepting contributions without a CLA, and they haven’t added any iOS exception to their AGPL3 license, then they themselves would not be allowed to ship their own iOS app with 3rd party contributions to it! 😱 edit: it’s possible this is the case and Apple just hasn’t noticed yet, but that is not a sustainable situation if so.
If anyone reading this uses this software, especially on iOS, I highly recommend that you send the developers a link to this comment and encourage them to (after getting the consent of all copyright holders) add something akin to NextCloud’s COPYING.iOS to their repository ASAP.
cc @[email protected] @[email protected] @[email protected]
(i’m not a lawyer, this is not legal advice, lol)
edit: in case a dev actually sees this… skimming your architecture document it looks like when a user’s email is compromised (“after you successfully verify your email”), the attacker is given the
encryptedMasterKey(encrypted withkeyEncryptionKey, which is derived from a passphrase) which lets them perform an offline brute-force attack on the passphrase. Wouldn’t it make more sense to require the user to demonstrate knowledge of their passphrase to the server prior to giving them theencryptedMasterKey? For instance, when derivingkeyEncryptionKey, you could also derive another value which is stored on the server and which the client must present prior to receiving theirencryptedMasterKey. The server has the opportunity to do offline attacks on the passphrase either way, so it seems like there wouldn’t be a downside to this change. tldr: you shouldn’t let adversaries who have compromised a user’s email account have the ability to attack the passphrase offline.(i’m not a cryptographer, but this is cryptography advice)
when For All Mankind hits the 2020s in Season 6, we’ll get the Bell Riots and the start of World War III
this would be nice but it would be complicated due to the fact that (RDM says) Star Trek: Phase II (along with TOS and TNG) exists in the For All Mankind universe. maybe he’ll at least fill in some details from Phase II though :)
There is a version of VLC for the Nvidia Shield, but it has a somewhat irritating UI and I don’t know if it can actually read the menus like the desktop version can.
5·6 months ago
