HackerLangs
TopNewTrendsCommentsPastAskShowJobs

jnxx

no profile record

Submissions

Oscar, the Open Source Analysis Reporter for CPAP Sleep Apnea Treatment

sleepfiles.com
3 points·by jnxx·5 lat temu·0 comments

comments

jnxx
·9 miesięcy temu·discuss
Also: Eroding the checks and balances and state monopoly and legitimation on use of violence.
jnxx
·9 miesięcy temu·discuss
https://xkcd.com/2030/

Here in Germany, the Pirate Party has discussed the topic at length, since they (1) love voting innovations, and (2) have generally good knowledge on CS stuff, and so far I think no real solution is known for anonymous, confidential, secure digital voting with verifiable results, which is easy to reach with paper ballots and public observers of the counting.
jnxx
·9 miesięcy temu·discuss
Especially since all the above is designed as additive tech which uses a lot of brain hacks: Infinite scrolling, dopamine maximization, "check for new messages!" and so on.

How do you reduce your consumption of addictive stuff, in the easiest way? You quit, full stop.

It is the same as if you want to quit smoking, or as if you realize that you are drinking four cans of beer each summer evening and realize this is not good for you. It is far easier to quit, and decide what to do instead, than to "reduce".
jnxx
·10 miesięcy temu·discuss
> The UK's proposal makes the "digital ID" a pointer to an entry in a centralized database.

Very similar to the "EU settlement scheme" which would gave EU citizens which had work and settled in the UK pre-Brexit after a very lengthy and non-deterministic application process the right to stay without any paper document to prove that they actually got that right. Just a database entry on a government computer. Too bad if an extreme right-wing goverment came to power and something happened to that database.
jnxx
·10 miesięcy temu·discuss
There is another technical reason:

A digital ID requires essentially a digital signature running on a secure device (for example, a smart card).

Thus it implements public key cryptocraphy. Which makes confidentiality and integrity of computing two inseparable sides of the same medal.

You simply cannot break confidentiality of communication without practically breaking integrity of digital signatures at the same time. (Otherwise, a user, for example could generate a fresh random public key, sign it with their digital id, and send it to any communications partner).

Breaking this in turn means that the government can sign on behalf of you, without your knowledge.

Human communication is based on symbols and whatever the means are to transport these symbols, cannot work without trust.
jnxx
·10 miesięcy temu·discuss
> I’m sure it’s not even deliberately dismantling privacy. They’re doing it blindly.

That is often a variant of Hanlor's razor brought up on questions like this. How do certain actors turn reliably to a course of action that is so damaging - but to any expert or even rational mind seems stupid! That can't be what they want?!

I do not think that this reasoning holds.

Hannah Arendt, when writing about totalitarism, came to the conclusion that there is a kind of complicity between evil and thoughtlessness. (I am still trying to find her exact words on this.)
jnxx
·10 miesięcy temu·discuss
> would this scale?

Consider how much space you do need ahead for safe travel as a pedestrian, on a bicycle, on an interstate highway in a car, or on a plane taking off at an airport, and you have the answer.

Cars already require a ridiculous amount of space for safety. I live in Germany and there are cities with 200,000 inhabitants that are smaller in area than a single highway intersection.
jnxx
·10 miesięcy temu·discuss
The argument is like it is unethical to lock my front door because this also stops people which genuinely only want to enter to have a look at my living room.

That's not how boundaries work.
jnxx
·2 lata temu·discuss
That critique adresses security aspects.
jnxx
·2 lata temu·discuss
Yes, I think if a project has backdoors and its old maintainers are unable to review them, I am more critical than with normal projects. As said, compression is used everywhere and in embedded systems, it touches a lot of critical stuff. And the project went straight for that since the beginning.

And this is in part because I can not even tell for sure that he even exists. If I had met him a few times in a bar, I would be more inclined to believe he is not involved.
jnxx
·2 lata temu·discuss
> Why would they even do that

More layers of obfuscation. For example in order to be able to attribute the backdoor to a different party.

It is of course also possible that Lasse Collins is a nice real person who just has not been able to review this. Maybe he is too ill,or has to care for an ill spouse, or perhaps he is not even alive any more. Who knows him as a person (not just an account name) and knows how he is doing?
jnxx
·2 lata temu·discuss
The thing is there are two possibilities:

1. An important project has an overburdened / burnt out maintainer, and that project is taken over by a persona who appears to help kindly, but is part of a campaign of a state actor.

2. A state actor is involved in setting up such a project from the start.

The first possibility is not only being an asshole to the original maintainer, but it is also more risky - that original maintainer surely feels responsible for his creation and could ring alarm bells. This is not unlikely because he knows the code. And alarm bells is something that state actors do not like.

The second possibility has the risk of the project not being successful, which would mean a serious investment in resources to fail. But that could be countered by having competent people working on that. And in that case, you don't have any real persons,just account names.

What happened here? I don't know.
jnxx
·2 lata temu·discuss
If a project targets a high-profile, very security sensitive project like the linux kernel from the start, as the archived tukaani web site linked above shows, it is justified to ask questions.

Also, the exploit shows a high effort, and a high level of competence, and a very obvious willingness to play a long game. These are not circumstances for applying Hanlon's razor.
jnxx
·2 lata temu·discuss
It is not just systemd which uses xz. For example, Debian's dpkg links xz-utils.
jnxx
·2 lata temu·discuss
[flagged]
jnxx
·2 lata temu·discuss
[flagged]
jnxx
·2 lata temu·discuss
One scenario for malicious code in embedded devices would be a kind of killswitch which listens to a specific byte sequence and crashes when encountering it. For a state actor, having such an exploit would be gold.
jnxx
·2 lata temu·discuss
[flagged]
jnxx
·2 lata temu·discuss
If this is a conspiracy or a state-sponsored attack, they might have gone specifically for embedded devices and the linux kernel. Here archived from tukaani.org:

https://web.archive.org/web/20110831134700/http://tukaani.or...

> XZ Embedded is a relatively small decompressor for the XZ format. It was developed with the Linux kernel in mind, but is easily usable in other projects too.

> *Features*

> * Compiled code 8-20 KiB

> [...]

> * All the required memory is allocated at initialization time.

This is targeted at embedded and real-time stuff. Could even be part of boot loaders in things like buildroot or RTEMS. And this means potentially millions of devices, from smart toasters or toothbrushes to satellites and missiles which most can't be updated with security fixes.
jnxx
·2 lata temu·discuss
The web of trust is a really nice idea, but it works badly against that kind of attacks. Just consider that in the real world, most living people (all eight billions) are linked by only six degrees of separation. It really works, for code and for trusted social relations (like "I lend you 100 bucks and you pay me them back when you get your salary") mostly when you know the code author in person.

This is also not a new insight. In the beginning of the naughties, there was a web site named kuro5hin.org, which experiemented with user ratings and trust networks. It turned out impossible to prevent take-overs.