Slashdot Mirror

France went with a Matrix/Riot.im public fork/derivative as their government encrypted messenger app. Why reinvent the wheel, when this is something that works at scale?

Un-AC bump with links.

Go to task scheduler, identify the various jobs that deal with user data telemetry, and set them to "disabled". The OS will continue to collect data, but it will never be sent.

Sadly they have the telemetry tendrils very deep and plentiful into the system.
Scheduled tasks are not the only processes that submit the stored data.
There are even functions in "service host" to both send data and undo tampering with other telemetry processes. Simply disabling svchost would rightly fuck most everything on the system.

There are lists of hosts you can block in an external firewall, but naturally Microsoft doubled up duty for those hosts, so that may break other things.
Also don't forget that Win 10 now can fall back to peer-to-peer as well, so it can get updates and relay diagnostic info through other Win 10 systems on the LAN that do have access to those MS hosts.

One thing I've never explored, though - where does the OS store that data pending its journey to Microsoft? You could have another scheduled job clearing (or better, poisoning) that data every few minutes.

It's littered around in many places. Event logs, system folders, the windows data store, applications individual logs, etc.

Here's a tool from MS that will gather all those locations up in one view, similar to how event viewer does for the normal logs:
https://docs.microsoft.com/en-us/windows/privacy/diagnostic-data-viewer-overview

At the very least go check out that first screen shot. See the list of telemetry sources on the left? See the size of that scroll bar? It's fucking disgusting.

I've been using a modified version of this for a few years:
https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/block-telemetry.ps1

Some of the domains in there that it blocks are commented with other functions that break by blocking it.

From personal experience:

You'll need to setup an NTP and SNTP server and manually point windows to it. Clock drift can break various forms of encryption.

Windows will be convinced you have no internet connection anymore, and I've had a few programs check that status and refuse to even try (spotify, nvidia experience, and a couple games)

Make sure you don't have any programs installed from the MS store you want to keep, they won't be able to validate their licenses. Even free ones.
Hope you didn't upgrade from home to pro or from pre-10 to 10 using an online license :P

All Microsoft AV software will stop updating, so you'll want to be sure to have something from a 3rd party. 10 gets annoying with the notifications with nothing installed/active.

Some things that break but are likely considered a good thing:
Windows updates, bing and all integrated searches (start menu search included), contra, skype, itunes, and newer versions of office (2016 and 365 have issues, but 2010 continues to work fine, haven't tried others)

Good luck

Katie Bouman, a computer scientist and assistant professor at the California Institute of Technology, led the development of the algorithm that imaged the black hole.

That depends on what you mean by "led." She only committed about 0.4% of the actual algorithm code (affecting 3675 lines), and many of those commits were for superficial things like the font color of the output. Other commits were to place other people's code into the project. The other 99.6% of the code was committed by men.

She did not lead in the sense that she did not do most of the work, or most of the programming. Perhaps she was appointed to supervise the people who actually developed the algorithm, and in that sense she "led" the development.

Mod parent up. Links given above, made active:

Public Sans Regular.

Github page.

Public Sans seems far better than Libre Franklin.

And here I am, living in Communist Belgium, where I am forced to walk around with an ID (even though I was never asked to show it. Why am I paying the police if they can not even do that?) and when I need one or need a renewal, I just make an apointment online for thursday evening, walk in and walk out after 15 minutes. The repeat it after a month to pick it up. That goes even faster.

And voting is is an obligation, not a privelage, so every Belgian MUSTR vote when there are elections. They are held on Sunday. Not voting can cause a fine (or nothing, depending on the city and how the judge feels)

The Communist Governement even made it so that EVERYBODY can read the information on the card, as it is a card with a chip. They even open sourced it.
Price is 18 EUR (0 EUR for your first one when you are 12) and are valid 5 years.

And Belgiumis not the only country where you must have an ID. It is not even the only country where voting is a must.

This ID will be used to verify that you voted once. You will be on the list and been told where you have to vote. You show up, they ID you, you vote. That's it.

They could increase the yearly city tax with 4.00 EUR per person and get to the same result.

It is crazy that many countries in the world have already solved the things the US seem to struggle with.

In America it often costs 40$ or more for a government ID, and requires taking a dayoff work to go to one of 3-10 buildings in a 400 mile radius that can give you IDs, meaning you lose 1/5th of your income that week plus the $40.

Conveniently, if you require IDs to vote, you get to suppress the poor. The poor are very likely to vote against ideas wealthy people like.

And here I am, living in Communist Belgium, where I am forced to walk around with an ID (even though I was never asked to show it. Why am I paying the police if they can not even do that?) and when I need one or need a renewal, I just make an apointment online for thursday evening, walk in and walk out after 15 minutes. The repeat it after a month to pick it up. That goes even faster.

And voting is is an obligation, not a privelage, so every Belgian MUSTR vote when there are elections. They are held on Sunday. Not voting can cause a fine (or nothing, depending on the city and how the judge feels)

The Communist Governement even made it so that EVERYBODY can read the information on the card, as it is a card with a chip. They even open sourced it.
Price is 18 EUR (0 EUR for your first one when you are 12) and are valid 5 years.

And Belgiumis not the only country where you must have an ID. It is not even the only country where voting is a must.

This ID will be used to verify that you voted once. You will be on the list and been told where you have to vote. You show up, they ID you, you vote. That's it.

They could increase the yearly city tax with 4.00 EUR per person and get to the same result.

It is crazy that many countries in the world have already solved the things the US seem to struggle with.

it shouldnt take more than a notarized copy of your driver's license,

Unless Facebook already has a notarized copy of your DL on file, or you somehow linked your FB account with real-life ID info which can be linked via authenticated services (e.g. state DL database) to that DL, how is FB supposed to know that the John Doe on your DL is the owner of the account, and not a John Doe on someone else's DL? If you did the typical thing and provided only the bare minimum of info needed to create a FB account, then it's impossible to "prove your identity" to FB. To prove your identity at a future date, you must have confirmed your identity at a previous date. Submitting proof of your ID after the fact, is like trying to restore from a backup when you never made backups.

I suppose people's reasoning is that since FB is learning and tracking all this stuff about their identity anyway, it would be relatively trivial for FB to confirm that the identity info they've collected on your account profile's matches your identity, not the impostor's. But that opens up a huge liability issue. Since you allowed your account to be hacked, FB is not liable for the consequences. If they start handing back accounts to people who claim to have been hacked, and they screw up and actually take it away from the real owner and hand it over to an impostor, FB becomes liable for the consequences.

The only real way to prevent this stuff while maintaining your anonymity is to create 2FA recovery tokens - unique cipher-texts which can be used to confirm that you were the person who used the account to create the cipher-texts. By creating those tokens at a previous date, you can provide them at a future date as proof that you're the account's real owner. I've done it for my Google and web hosting accounts (I assume FB has something similar; I wouldn't know since I don't use FB). For domains, I register the important ones for multiple years, and set reminders for myself to renew them before they expire (I deliberately picked my birthday as the renewal day, even if it meant I lost a half year of registration fees - a whole $6).

vtwm. Extremely light, privides virtual windows to organize your work with, takes almost *no* respources compared to the encumbered Gnome and KDE monstrosoties. Hasn't been patched in 10 years because it *had no noticeable flaws*. got an update last year, at http://www.vtwm.org/ . For Red Hat and Fedora users, there's an RPM building tool at https://github.com/nkadel/vtwm... .

There is a mode for that too:
https://github.com/ryanprior/e...

No, Psi seems to have OMEMO support only since last year.

Right but existing contributions are FOSS.

Right but existing contributions are FOSS.

Right but existing contributions are FOSS.

As I've said multiple times before, Firefox's saving grace is that it is free software—software we're free to run, inspect, share, and modify. If you don't trust Firefox you can make it trustworthy by examining what it does, changing it to meet your needs, and share improved copies to help your community. These freedoms are a clear difference from proprietary (user-subjugating) software such as Microsoft's browsers, Google Chrome, Apple Safari, and Opera. These freedoms are why Firefox is the basis of so many other browsers such as Tor Browser (making it easier to web browse on Tor) and LibreFox (which aims to "enforc[e] privacy and security of Firefox without forking the project").

Users don't need a VPN provider to use a VPN, they need a single-core VPS which can be obtained for the around monthly cost of a VPN and without making a traceable payment.

Scripts like streisand mean that a user can put together their own VPN server (and Tor OBFS4 private bridge) on a cheap VPS paid with monero.

How can countries who claim to 'ban VPNs' ever hope to ban every VPS provider in the world?

No. You cannot force people to think.

You're trying to substitute a different premise to tilt the argument in your favor. That sort of underhanded argumentation is obnoxious and you should avoid such assholery if you want to be taken seriously.

This false belief is at the root of the current mess, were more and more effort is poured into languages with no real effect

Except there has been a real effect. Modern, typesafe, bounds-checked programming languages and well-designed libraries cause demonstrably fewer security vulnerabilities to be written, and the vulnerabilities to be less severe. This is because these languages inherently make whole classes of vulnerabilities impossible. Comparing, say, Java and C, there is no vulnerability you could write in Java that you can't write in C, but there are large classes of vulnerabilities -- including the most critical remote code execution vulns -- that you cannot write in Java. This comes at a cost... there are also classes of programs you cannot write in Java but can write in C, and Java programs tend to be much larger and consume much more memory.

This means that while Java programmers still have to think about security, there are many kinds of potential security mistakes that they do not have to think about. This is positive progress.

I do crypto, and bad crypto APIs (like those provided by Java) are huge source of vulnerabilities. Better, simpler APIs like Tink or libsodium make a big difference, and programmers write far better code when they use them. This doesn't eliminate the need for programmers to understand cryptography, but it does eliminate the need for them to be crypto experts. Perhaps the best thing ever to happen in this space is TLS. There are still plenty of things to screw up, but if you need private, authenticated network connections, there is almost never a better answer than "Use TLS, and follow these rules to configure it correctly", except, maybe "Use TLS and use <library> to configure it" (e.g. Use OkHttp on Android).

Or are you seriously going to try to tell me that a Good Programmer should be able to design and implement secure crypto code from scratch, and that if they'll just think they'll do fine? If you believe this, please, please, never write any code that implements or uses any form of cryptography.

No tools can help here.

What studies have shown to date is that better tools are needed. Luckily, better tools are available.

Show me a study which backs your claim that no tools can help. If you can't show me any research to support your position then this is just more baseless pontificating.

The featured article is light on details on the patterns used to determine whether a string is "in the format of particular API tokens or cryptographic keys." GitHub's page about "token scanning" likewise doesn't say much. A link deeper in the article to "git secrets" by Amazon gives regular expressions for Amazon API credentials but not those of other well-known providers. The actual regular expressions used are buried in Table III of a PDF linked near the end of the article.

Fortunately, ZDNet is not paywalled.

The featured article is light on details on the patterns used to determine whether a string is "in the format of particular API tokens or cryptographic keys." GitHub's page about "token scanning" likewise doesn't say much. A link deeper in the article to "git secrets" by Amazon gives regular expressions for Amazon API credentials but not those of other well-known providers. The actual regular expressions used are buried in Table III of a PDF linked near the end of the article.

Fortunately, ZDNet is not paywalled.

Interesting that you mention sonarr and radarr. I subscribe to three different NNTP providers and over half a dozen indexers. What's so bad about that? Are you really getting by with just one of each?

Why would you shell out for NNTP access when you can get private torrent tracker access for free and use Jackett to hook into Sonarr and Radarr?

Sigh, /. is dead. It's like none of the posters even looked at the code.

For anyone who's interested, the encryption used here is very poor. He leaves the mode and padding unspecified for both the asymmetric (RSA) and symmetric (AES) encryption operations. That causes the provider defaults to be used. In the case of the RSA step that's not terrible, since every provider I'm aware of uses PKCS#1 v1.5 padding. This isn't great, since PKCS#1 v1.5 is vulnerable to an adaptive chosen ciphertext attack, but in this usage that doesn't really matter.

The bigger problem is that AES typically defaults to ECB mode. Using ECB means that any repeated 16-byte blocks of plaintext will encrypt to identical 16-byte blocks of ciphertext. This can often expose enough structure to allow the file contents to be partially recovered. It's particularly bad in this case since the same key is used to encrypt all of the files. If AES were in any way vulnerable to brute force, this would almost certainly provide many "cribs" (known plaintext/ciphertext pairs) which could be used to discover the key and decrypt everything else. AES-256 is not, however, vulnerable to brute force, and won't be until computers are made of something other than matter and occupy something other than space (anyone catch the reference?).

Overall, I suppose the chosen encryption was adequate to the task, but it was very sloppy.

Do you think he'd accept a pull request to fix it up?

The minimum required changes are small. I'd use "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" for the RSA operation, just because, and "AES/GCM/NoPadding" for the AES op. It would also be necessary to get the IV (let the provider generate it) and prepend it to each encrypted file. The files would be 28 bytes larger (12 for IV, 16 for tag), but secure.

Also, I'd process files in chunks rather than reading a whole file into memory and then encrypting and writing it back out. It could then handle files of any size. His code just skips any files larger than 20 MB. That's actually the biggest flaw in the implementation; given file sizes today, lots of stuff would just be skipped. All of my RAW photos would be safe, for example. The JPEGs would get encrypted, but who cares about them?

Oh, one more problem: Most systems these days don't overwrite in place, so the plaintext file will be left on the drive, available for recovery. Granted that recovery is not trivial, but still, the data will be there. Fixing this would require doing something like filling the drive with garbage files, forcing the drive to overwrite all free blocks. Overwriting multiple times might be a good idea, too, though that's probably not necessary. Some systems offer free space shredding as a feature; on those that could be used to ensure destruction of the plaintext.

LLVM is a big project, and not all developers with commit access contribute text to the release notes.

If you need to know exactly what changed you could search the raw history, or diff the release tags from the github mirror.

It's much better to use whatever comes with your distro.

Which Google Drive and Microsoft OneDrive clients in the Debian or Ubuntu repository are any good?

Dolphin (and other KDE applications) works well with Google Drive. There's a KIO slave for OneDrive here, but I haven't used it, nor do I know which distributions include it in their main repositories.

If you're interested in alternatives, I've been really happy with this OneDrive client for Linux. It even supports syncing SharePoint Sites and Office 365 groups. https://github.com/abraunegg/o...

Why would you want some closed source client? You're running GNU/Linux, wouldn't you want to use something that's open source? Both Google and Microsoft supply API access.

https://github.com/ncw/rclone/https://github.com/ncw/rclone Supports over 40 providers including things you can run yourself.

Yes, this is the server end code. You can find the clients here.

Yes, this is the server end code. You can find the clients here.

[css-values] Trigonometric functions #2331

The contributor documents potential use cases in his opening post, and a little later on, the irc log is visible

AmeliaBR: Once you start doing graphical layouts involving arcs and stuff, you need trig functions to convert from width/height distances to angular distances

My read of the Lightning protocol spec is that the meaning isn't obscured. An LN invoice is authenticated, but it isn't encrypted. I may be misinterpreting this spec, which I just found 5 minutes ago and kind of skimmed, but it makes sense: this is a request for a transaction on a fully public blockchain, so there can't really be anything private there.

I can't tell if they're using testnet bitcoins in this, but that would be one way to avoid any commerce happening for the purposes of this demo. It does kind of put a damper on the practical applications, though.

KB3VDK

I dunno, I've been doing linux since the slackware days, and I remember when Microsoft was astride the world, bullying everyone.

In this case, for Skype specifically the underlying tech is ReactXP https://github.com/microsoft/r... (which just takes react-native and extends it to the web) and is not just open source but pretty righteously herded by Eric Traut on github with respect and fast merging of contributions on a valuable project.

I'm having a hard time feeling indignant about the behavior here, rather I'm using ReactXP in a project of my own because it's good tech with a good license and good community management. Even if it feels like hell just froze while I'm doing it ;-)

I went to file this on webcompat.com, but it looks like it's already been filed as #27392.
View on webcompat | View on Microsoft GitHub

Reko is already open source. It has a disassembler and a GUI.
https://uxmal.github.io/reko/
https://github.com/uxmal/reko

And here is the flag https://github.com/Microsoft/c...

Even calculator is spying.

The link is the very last word of the article, "here". https://github.com/Microsoft/c...

First, sniff the robot's wifi traffic using Mallory transparent MITM proxy ( https://github.com/intrepidusg... ). Note that there might be better intercepting wifi proxies available now... possibly, based upon other platforms like ESP32, ESP8266, or RasPi. I really haven't kept up with it. I just remember that at the time I did it, using Mallory with a desktop PC and PCIe wifi card seemed like the obvious choice.

The last time I used Mallory (~5 years ago), it was somewhat straightforward to set up (with slightly above-average Linux experience)... AS LONG AS you used a wifi card with a supported chipset:

* It HAS to be a PCIe wifi interface, because the host PC needs realtime access to the bare-metal wifi hardware that USB just isn't suited for.

* Not all wifi chipsets have binary Linux kernel modules available that support the features necessary to fully implement a wireless access point. I think I remember that most/all Atheros-based cards were suitable, but only a select few Realtek-based cards were... and then, with major disclaimers and caveats. This situation might have gotten better OR worse over the past 5 years. I haven't kept up with it.

* Use EXTREME caution before buying a Linksys or Netgear interface card, based upon web reviews saying that it uses some specific (and supported) Atheros chip. Both companies have a really nasty habit of using Atheros chips for their first generation of a product, racking up glowing 5-star reviews and people praising it as the greatest product the company has ever made... then quietly redesigning later versions to use cheaper, less flexible chipsets. Sometimes, without even bothering to change the UPC... occasionally, without even mentioning on the packaging that it's a later revision. You might be better off skipping the brand-name card, and just hunting on eBay for a generic card that identifies its chipset by name. Generally speaking, Linux doesn't care about the brand or model number of the card... it only cares about the chip used to implement it. In theory, two cards built around the same chip COULD be wired up differently... but 99 times out of 100, companies in China that make generic cards just take the chipset vendor's reference design and copy it verbatim.

Anyway, once you have Mallory up and running, it looks just like a wireless access point. Connect the robot to it just like you'd connect the robot to a normal access point, and have Mallory begin capturing traffic WITHOUT decrypting it.

At this point, you'll know two things:

1. The hostname it's connecting to for its web service calls, and the protocol it's using.

2. Whether or not it's encrypting its traffic. If it's encrypted, you'll basically see a CONNECT followed by garbage. If it's NOT encrypted, you'll probably see straightforward http GET or POST requests in the log.

If it's NOT encrypting the traffic at all, you're in luck. Jump ahead to step 4.

3. Enable Mallory's decryption, and restart the robot so it will attempt to connect to its home server like it did before. If you're EXTREMELY lucky, it'll decrypt the traffic without a hitch. If you're unlucky, the robot will either hang, or give an error that's ultimately caused by an invalid TLS certificate.

If the Robot's software was written properly, it won't make it past this point, and you'll basically be out of luck absent some as-yet undiscovered exploit. HOWEVER, it's quite possible that it MIGHT just ignore the certificate error. There's literally a metric shit-ton of bad example code on StackOverflow and elsewhere that gives the impression that it's OK for apps to just ignore certificate errors, and I'd say that in the real world, probably 60-80% of "secure" devices that "use https" will completely IGNORE certificate errors. Why? Certificates are a royal pain in the ass to deal with during development, because the debugging needs of developers are more or less perpendicular to the demands made by robust security. More often tha

https://github.com/Microsoft/c...

"while VMware's vSphere is used by Amazon Web Services"

VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.

Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.

However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2 .metal instance types (in practice, there may be some work involved, and would be easier if an ENA driver is available.

AWS is known to run Xen, their own KVM-based hypervisor they call "Nitro", and their recently open-sourced MicroVM hypervisor (also using KVM), Firecracker ( https://github.com/firecracker... ).

As far as I know, AWS has never run customer instances on VMWare.

You need to be aware that if you are using your ISPs DNS server, your ISP will still be able to see and log where you go. You must setup another dns server on your machine or possibly use a dns server that says they don't log your dns request. CloudFlare promises to not keep track of your dns lookups. Their dns is 1.1.1.1 and 1.0.0.1.

Another site that gives a good explanation on using Putty to create a tunnel through a cheap VPS ($5/mo) is at:
https://github.com/inwtx/SSH-W...

That is an interesting point. MySQL's server license is available at https://github.com/mysql/mysql... . It is a _peculiar_ license. It refers to itself in some places as GPLv2, which seems nonsensical with the various other confusing and inconsistent components outlined in the same license. It also deliberately conflates the phrase "free software" with "open source software".

They are not the same thing, legally nor in common English language. The FSF published a good essay on this at https://www.gnu.org/philosophy... .

For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/s... In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/e.... So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

The problem myself and others face with allowing VTd virtualization is that for some this will be the only lever available for stopping Intel AMT from being accessed externally.

When enabled and your computer is off it's still listening on TCP ports. When stealth mode firewall is on with all incoming ports blocked the port is still open. Virtualization is the only thing that physically allows the network hardware (wired and wireless) to be shared concurrently with both the host and management engine.

For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513 In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd. So even if the OS isn't up yet DMA attacks are still locked out. Assuming you are running a recent OS and firmware, this is now a non-issue.

This is probably more of an attempt to let the software pick the underlying software for you with pre-packaged open source software ready to configure. Rather than going to WordPress for a blog, Shopify for a store, or whatever, you just go to one provider and their software picks the package that suits your needs.

Developers will always have a job because the skilled ones already have the toolbox for setting up the baseline software or working with the existing software. They are paid good money to fill the gap between what the software does and what the company needs.

The work that the AI is doing is an afternoon for a skilled developer. Any skilled developer already has written code that writes code for them based on patterns they use that need repeating. The most common being an ORM. The skilled developer designs the database and then the code generates the code so that the developer does not need to hand code a bunch of repeating patterns.

It's funny that they call it DRY.io because my own PHP framework is QuickDRY. It has written millions of lines of code for me so I can focus on business logic and not grunt work.

https://github.com/BenKucenski...

For this reason, Windows now has IOMMU virtualization enabled to prevent DMA attacks (starting with Windows 10 RS4/1803/April 2018 Update): https://twitter.com/AmarSaar/status/985618204184768513

In conjunction, tianocore also has IOMMU based DMA protection for 2 years now: https://github.com/tianocore/edk2/tree/master/IntelSiliconPkg/Feature/VTd. So even if the OS isn't up yet DMA attacks are still locked out.

Assuming you are running a recent OS and firmware, this is now a non-issue.

Does anyone know any neat Redis alternatives/forks?

There is always Pedis .. It doesn't do everything that Redis does, but for the vast majority of cases thats ok.

This one seems to have merged together the most host files, with over 4100 entries https://github.com/StevenBlack...

Just read title, facebook is indiscriminate and grabs all. I just downloaded this facebook hosts file and added it to my own.
https://github.com/jmdugan/blo...

https://raw.githubusercontent....
or start here,
https://github.com/StevenBlack...

Try this one instead:

https://github.com/M66B/NetGua...

It's open source (GPL) and appears to improve battery life on my Android, by blocking the incessant network chatter of many apps.

read https://github.com/WOA-Project...

it pulls the files directly from microsoft