cultural reviewer and dabbler in stylistic premonitions
it’s among the many OSes you can run in an emulator in your web browser at https://copy.sh/v86/
The network never went down.
You say that but, everything I ever posted on identica (and also on Evan’s later OStatus site Status.Net, which i was a paying customer of) went 404 just a few years later. 😢
When StatusNet shut down I was offered a MySQL dump, which is better than nothing for personal archival but not actually useful for setting up a new instance, due to OStatus having DNS-based identity and lacking any concept for migrating to a new domain.
https://identi.ca/evan/note/6EZ4Jzp5RQaUsx5QzJtL4A notes that Evan’s own first post is “still visible on Identi.ca today, although the URL format changed a few years ago, and the redirect plugin stopped working a few years after that.” … but for whatever reason he decided that most accounts (those inactive over a year, iiuc, which I was because I had moved to using StatusNet instead of identica) weren’t worthy of migrating to his new pump.io architecture at all.
Here is some reporting about it from 2013: https://lwn.net/Articles/544347/
As an added bonus, to the extent that I can find some of my posts on archive.org, links in them were all automatically replaced (it was the style at the time) with redirects via Evan’s URL shortening service ur1.ca, which is also now long-dead.
imo the deletion of most of the content in the proto-fediverse (PubSubHubbubiverse? 😂) was an enormous loss; I and many other people had years of great discussions on these sites which I wish we could revisit today.
The fact that ActivityPub now is still a thing where people must (be a sysadmin or) pick someone else’s domain to marry their online identity to is even more sad. ActivityPub desperately needs to become content addressable and decouple identity from other responsibilities. This experiment (which i learned of via this post) from six years ago seemed like a huge step in the right direction, but I don’t know if anyone is really working on solving these problems currently. 😢
sometimes a footprint represents humanity
sometimes, but in GNOME’s case i think it is not intended to be a human foot but rather the foot of a mythological creature (a gnome). note that it has a squashed aspect ratio compared to a human foot, and also has only four toes.
apparently it’s also problematic in some cultures: https://wiki.gnome.org/Engagement/FootAndCulturalIssue
Have you tried https://mike-fabian.github.io/ibus-typing-booster/ ?
I have not, but I think it does what you’re looking for.
The demo video emphasizes its use as an emoji picker but it was originally created for typing Indic languages.
They’ll fight against Border Patrol, and even plot to kill them sometimes, but only when they think they aren’t doing enough.
https://www.bbc.com/news/world-us-canada-48029360
https://time.com/6141322/border-vigilantes-militias-us-mexico-immigrants/
https://www.wired.com/story/border-militias-immigrants-trump/
https://www.texastribune.org/2024/02/07/border-el-paso-fbi-investigation/
At first i thought, wow, cool they’re still developing that? Doing a release or two a year, i see.
I used to use it long ago, and was pretty happy with it.
The only three CVEs in their changelog are from 2007, 2010, and 2014, and none are specific to claws.
Does that mean they haven’t had any exploitable bugs? That seems extremely unlikely for a program written in C with the complexity that being an email client requires.
All of the recent changelog entries which sound like possibly-security-relevant bugs have seven-digit numbers prefixed with “CID”, whereas the other bugs have four-digit bug numbers corresponding to entries in their bugzilla.
After a few minutes of searching, I have failed to figure out what “CID” means, or indeed to find any reference to these numbers outside of claws commit messages and release announcements. In any case, from the types of bugs which have these numbers instead of bugzilla entries, it seems to be the designation they are using for security bugs.
The effect of failing to register CVEs and issue security advisories is that downstream distributors of claws (such as the Linux distributions which the project’s website recommends installing it from) do not patch these issues.
For instance, claws is included in Debian stable and three currently-supported LTS releases of Ubuntu - which are places where users could be receiving security updates if the project registered CVEs, but are not since they don’t.
Even if you get claws from a rolling release distro, or build the latest release yourself, it looks like you’d still be lagging substantially on likely-security-relevant updates: there have actually been numerous commits containing CID numbers in the month since the last release.
If the claws developers happen to read this: thanks for writing free software, but: please update your FAQ to explain these CID numbers, and start issuing security advisories and/or registering CVEs when appropriate so that your distributors will ship security updates to your users!
fyi: GNU coreutils are licensed GPL, not AGPL.
there is so much other confusion in this thread, i can’t even 🤦
here are some related issues:
Nice post, but your title is misleading: the blog post is actually titled “Supply Chain Attacks on Linux distributions - Overview” - the word “attacks” as used here is a synonym for “vulnerabilities”. It is not completely clear from their title if this is going to be a post about vulnerabilities being discovered, or about them actually being exploited maliciously, but the latter is at least not strongly implied.
This lemmy post however is titled (currently, hopefully OP will retitle it after this comment) “Supply Chain Attack found in Fedora’s Pagure and openSUSE’s Open Build Service”. edit: @OP thanks for changing the title!
Adding the word “found” (and making “Attack” singular) changes the meaning: this title strongly implies that a malicious party has actually been detected performing a supply chain attack for real - which is not what this post is saying at all. (It does actually discuss some previous real-world attacks first, but it is not about finding those; the new findings in this post are vulnerabilities which were never attacked for real.)
I recommend using the original post title (minus its “Overview” suffix) or keeping your more verbose title but changing the word “Attack” to “Vulnerabilities” to make it clearer.
TLDR: These security researchers went looking for supply chain vulnerabilities, and found several bugs in two different systems. After responsibly disclosing them, they did these (very nice and accessible, btw - i recommend reading them) writeups about two of the bugs. The two they wrote up are similar in that they both involve going from being able to inject command line arguments, to being able to write to a file, to being able to execute arbitrary code (in a context which would allow attackers to perform supply chain attacks on any software distributed via the targeted infrastructure).
I wonder how much work is entailed in transforming Fedora in to a distro that meets some definition of the word “Sovereign” 🤔
Personally I wouldn’t want to make a project like this be dependent on the whims of a US defense contractor like RedHat/IBM, especially after what happened with CentOS.
They have to know who the message needs to go to, granted. But they don’t have to know who the message comes from, hence why the sealed sender technique works. The recipient verifies the message via the keys that are exchanged if they have been communicating with that correspondent before or else it is a new message request.
So I don’t see how they can build social graphs if they don’t know who the sender of all messages is; they can only plot recipients, which is not enough.
You need to identify yourself to receive your messages, and you send and receive messages from the same IP address, and there are typically not many if any other Signal users sharing the same IP address. So, the cryptography of “sealed sender” is just for show - the metadata privacy remains dependent on them keeping their promise not to correlate your receiving identity with the identities of the people you’re sending to. If you assume that they’ll keep that promise, then the sealed sender cryptography provides no benefit; if they don’t keep the promise, sealed sender doesn’t really help. They outsource the keeping of their promises to Amazon, btw (a major intelligence contractor).
Just in case sealed sender was actually making it inconvenient for the server to know who is talking to who… Signal silently falls back to “unsealed sender” messages if the server returns 401 when trying to send “sealed sender” messages, which the server actually does sometimes. As the current lead dev of Signal-for-Android explains: “Sealed sender is not a guarantee, but rather a best-effort sort of thing” so “I don’t think notifying the user of a unsealed send fallback is necessary”.
Given the above, don’t you think the fact that they’ve actually gone to the trouble of building sealed sender at all, which causes many people to espouse the belief you just did (that their cryptographic design renders them incapable of learning the social graph, not to mention learning which edges in the graph are most active, and when) puts them rather squarely in doth protest too much territory? 🤔
i bet you’re going to love to hate this wikipedia article https://en.wikipedia.org/wiki/Monochrome_painting 😂
because it’s stupid.
you were bamboozled
presumably you find value in some things that some other people think are stupid too; it’s OK
“Sorry, I got to return this video”
2004 is when the Blockbuster video rental chain was at its peak (cite), and VHS was still in wide use at the time, having only been surpassed by DVD rentals a year earlier. Speed dial was also still a thing then, payphones still exist today, and, although complaints were filed against Bill Cosby much earlier, the public wasn’t widely aware of them until 2014.
How about “John Kerry is the candidate who can prevent a second Bush term” ?
weird, i wonder why. i just checked on an ubuntu 24.04 system to confirm it is there (and it is).
i guess your computer’s power button might not be supported (out of the box, at least) by Linux’s acpi implementation :(
also “you may not remove or obscure any functionality in the software related to payment to the Licensor in any copy you distribute to others.” 🤡
FUTO’s license meets neither the free software definition nor the open source definition.