HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dane-pgp

no profile record

comments

dane-pgp
·4 năm trước·discuss
The task force's original top priority was convincing the world that they don't exist, but they apparently gave up any pretence of that last year when they rewarded Lennart Poettering with a job at the company.
dane-pgp
·4 năm trước·discuss
> If this precluded the ability to eg install a program via curl or brew, or even just a .dmg you download from your browser

I expect that governments will offer a "compromise" which is that you can run these "unapproved" apps, but they must be signed by a developer key which is tied to a domain name, and that domain name must be checked (by the OS) against a blacklist of banned applications/developers/websites.

That should be enough to block any encrypted messaging apps without backdoors, or apps like Tor, or bittorrent clients.

There could be a cat-and-mouse game as developers try to rename their apps, generate new keys, and register new domains, but when governments notice that their ability to censor is at stake, they will spare no expense on whichever intelligence agency or defence contractor is tasked with keeping the blacklists updated faster than any banned applications can reach mass adoption.

In parallel to this, governments will require that ISPs only let devices access the internet if they pass a "secure boot" check, which confirms that the device is running an operating system which enforces this blacklist.

We're probably less than 5 years away from some G7/EU country mandating this system, with the timeline only limited by the rate of adoption of technology like Windows 11 and Pluton. Older devices (and those running "unapproved" OSes) will be limited to specific ports and IP ranges, for "cyber-security" reasons.
dane-pgp
·4 năm trước·discuss
That's a pretty thorough debunking, thank you, and you're right that it's a huge leap to connect Aaron Swartz to this (which I've seen no evidence for). I do want to say, though, that it's a pity that the debunker didn't get better responses from believers on Twitter, as there are some reasonable counter-arguments.

Firstly, I'm not impressed by the (lack of) probability calculations. The article concedes that the Reddit user and Ghislaine are both born in December, which has, let's say, a 1 in 12 chance, and also says that there are "hundreds of thousands" of Maxwells in the world, so let's say 800,000 out of 8 billion, or 1 in 10,000. So the chance of these two details both coinciding is 1 in 120,000.

On the other hand, there are apparently 430 million active monthly users on Reddit, so we should expect there to be some December Maxwells in there, but considering the user's interests (US politics) and their use of British English spelling and phrases[0], I think the number of non-Ghislaine accounts with all these attributes would be very low.

So the fact that this Reddit user posts consistently for 14 years and then abruptly stops posting (publicly) right at the time of Ghislaine's arrest does seem statistically improbable. The debunker would have us believe that the account is still active sending private messages and posting in private subreddits (and no doubt has a girlfriend who lives in Canada), but if they're happy to have their activity disclosed like that, why wouldn't they also post publicly saying "I'm not Ghislaine you idiots!" or respond to the Vice journalist, for that matter?

Is it really that hard to imagine that influential people on Reddit would fake screenshots of post-arrest MaxwellHill activity to try to distance themselves from the actions of a notorious criminal? Do we just have to take these screenshots at face value, despite all the incentive to fake them, and the fact that a mod has already been caught out in a lie about whether MaxwellHill lived in or visited Malaysia?

The debunker also claims that someone trying to hide their identity (by falsely claiming to be male) wouldn't be so stupid as to use their actual name as part of their username, but obviously the motivation to hide what you are doing changes over time. When MaxwellHill was first registered, it probably seemed anonymous enough (there are "hundreds of thousands" of Maxwells in the world, after all), but over time, as the account became more influential (and Ghislaine got involved in more and more shady activities, and gave away more and more clues about her identity from her posts) she would develop a need to throw people off the trail by dropping some false biographic details.

I won't go into more details about the stylometry and contents of MaxwellHill's posts, as that is more subjective, but I will end by saying there is nothing contradictory about Ghislaine as a Redditor making negative comments about Trump (which is implied but not cited by the debunker) but Ghislaine in person bragging to someone about being a friend of Trump. It's possible that she hates Trump's current politics, but got on fine with him in a social setting 20 years ago, for example. In fact I suspect that one of her greatest talents is being able to seem friendly and trustworthy to powerful people whose actions she doesn't fully agree with.

[0] https://www.rareddit.com/r/conspiracy/comments/hnfx0r/not_co...
dane-pgp
·4 năm trước·discuss
I'm not sure what this prank showed beyond what all the previous malicious NPM packages already showed, other than that developers of free software are unstable and can sometimes ruin your day for lolz.

Even if you accept the idea of vandalism being used for a positive purpose, a better form of protest would have been to make the package just print a message saying "This software has been abandoned by its author. Please pin your dependencies to known good versions." and then exit.

That would still have been annoying to the people having to do that unnecessary version pinning work, but would at least have preserved some shred of sympathy for the maintainer.
dane-pgp
·5 năm trước·discuss
I don't have an answer to your question, but I'm glad you've highlighted this part of the article. The idea that an attacker "has done all of us a huge favor" by attacking the free software community is so toxic that it needs to be called out, even if it was meant somewhat in jest.

If we don't reject this logic, then we'll get more attackers claiming "just a prank, bro!" and "social experiment!", like the University of Minnesota researchers carrying out human experimentation on kernel developers without their consent:

https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...
dane-pgp
·5 năm trước·discuss
> the debunked theory that an account on Reddit named "MaxwellHill" was hers.

I assume by "debunked" you are referring to the Vice article, which offered nothing beyond name-calling of the people investigating the theory, and ended with "u/MaxwellHill did not immediately respond to a request for comment sent through Reddit."[0]

An example of a relevant fact might be that vice.com was the most popular domain among all the links submitted to Reddit by the user MaxwellHill.[1]

It's also worth pointing out that another Reddit mod tried to debunk the theory by claiming that they knew MaxwellHill and that he was a Malaysian man, but this claim started to look suspicious when people found that MaxwellHill had mentioned he/she had "visited" Malaysia before (which is not something one typically says about one's home country).[2]

[0] https://www.vice.com/en/article/y3zbaj/incoherent-conspiracy...

[1] https://www.reddit.com/r/conspiracy/comments/hoqheb/vice_pub...

[2] https://rareddit.com/r/conspiracy/comments/hoopdf/why_is_vic...
dane-pgp
·5 năm trước·discuss
And of course a clever attacker would do this:

* add some code with a subtle and accidental-looking vulnerability to a package

* wait until lots of other packages were dependent on it

* report the vulnerability so the package got flagged by "npm audit" as needing an urgent update

* release a new version with a more damaging malicious payload in it, which everyone would rush to install.

The way to stop this scheme would be for NPM to make sure that "npm audit fix" installs the earliest non-exploitable version, and to make sure that that version contained only the minimum changes necessary to fix the reported vulnerability.

That would mean having engineers whose job it is to do security reviews of patches to packages that have vulnerabilities found in them, but that shouldn't be too much work to take on. I mean, how often are NPM package vulnerabilities found? Two per day, or something?[0] Also it would require that packages are reproducibly built from their published source code, which sadly isn't a thing yet.[1]

[0] https://github.com/advisories?query=type%3Areviewed+ecosyste...

[1] https://hackernoon.com/what-if-we-could-verify-npm-packages-...
dane-pgp
·5 năm trước·discuss
Because it would make presidential election outcomes more likely to reflect the popular vote (which is the morally right thing to do), and because it reduces the risk that small changes in big states create vastly different election outcomes (which is the strategically right thing to do, if you expect your opponent to cheat, lie, and start insurrections based on false claims).
dane-pgp
·5 năm trước·discuss
If the demographics of Texas is really shifting more progressive, then the writing could also be on the wall for Republican presidential campaigns.

Perhaps at that point the party will suddenly find itself again embracing the wisdom of the proposed Lodge-Gossett constitutional amendment, which got as far as approval by a super majority in the US Senate in 1950.

https://www.nationalpopularvote.com/analysis-fractional-prop...
dane-pgp
·5 năm trước·discuss
I'm imagining that the wealth tax would only apply to people with more than $1bn in net assets, so the overhead for almost every tax payer is to simply tick a box each year saying "I am not a billionaire".

More precisely, the law would require anyone with gross assets above some threshold, say $500m, to report the value of those assets to the IRS every year, based on some simple valuation rules, like "How much did you pay for the asset?" and "What is the market value of those shares / cryptocurrencies?". Only assets worth more than $1m would need to be declared.

Then, as I say, the IRS can go down the list of people with the most assets and do a more thorough audit, to make sure their valuations are correct, while also making sure that there aren't any billionaires who have forgotten to file, since it should be hard to hide that much wealth.
dane-pgp
·5 năm trước·discuss
The good thing about a law targeting billionaires (and taxing their wealth at 10%) is that the administration costs can be at least $100m per investigation and still break even.

(Admittedly at the bottom end someone might manage to sneak in under the threshold, making the investigation a waste, but there's no harm in the bureaucrats starting with the richest person and working their way down the list, gaining skills and efficiency as they go).

Even if all the money that the government collects ends up going to pay the investigators, at least that would be creating thousands of decent jobs. Also, assuming a balanced game, if the investigators are being paid $100m to find evidence then the billionaire would have to pay a similar amount to hide evidence, which means they might as well not bother hiding it.
dane-pgp
·5 năm trước·discuss
“When I was poor and complained about inequality they said I was bitter; now that I'm rich and I complain about inequality they say I'm a hypocrite. I'm beginning to think they just don't want to talk about inequality.”

― Russell Brand
dane-pgp
·5 năm trước·discuss
If someone brings to light an injustice which prompts the legislature to fix the laws to better match the public consensus of fairness, that seems a perfect example of what the presidential pardoning power is intended for.

I understand that the word "If" is doing a lot a work in that sentence, and I have some sympathy for law-abiding billionaires who don't deserve to have their privacy invaded, but they should receive some form of compensation rather than legal punishment of the leaker.
dane-pgp
·5 năm trước·discuss
> these ultra-rich pay 0% in taxes, while I pay 30%.

Then I have a modest proposal. If the median household net worth[0] in the US is about $120k, and the median household federal tax burden[1] is about $10k per year, then let's say that anyone with a net worth more than $1 billion should pay an annual wealth tax of 10%.

The G7 have already agreed to a global minimum corporation tax rate, so let's make this wealth tax global too, and forbid billionaire residents of non-compliant countries from visiting or passing through countries that implement this tax.

[0] https://dqydj.com/average-median-top-net-worth-percentiles/

[1] https://www.propublica.org/article/the-secret-irs-files-trov...
dane-pgp
·5 năm trước·discuss
> institutions and experts are failing all around us

Is that what we're seeing? Which institutions and experts do you think are failing us?

Could it actually be the case that institutions and experts are 99% accurate in their output, but the information ecosystem around us is highlighting the 1% of inaccuracies and presenting them as fatal flaws (while ignoring the fact that the alternatives to these institutions and experts have less than 50% accuracy)?

Certainly you could make the case that there are some people with an ideology and/or incentives to make sure that governments don't work for the benefit of the people they are supposed to serve, but if that's the threat model then all proposed plans need to be considered against that threat.
dane-pgp
·5 năm trước·discuss
> Email is centralized because every time I send an email, I'm doing a DNS lookup.

And every time the Signal app connects to its centralized servers, you're doing a DNS lookup too.

> By contrast, if I use a true P2P solution, I never need to do a DNS lookup. My chats in Signal can't be disrupted by a change in MX records.

But Signal isn't a true P2P solution. As your linked description of the Signal Protocol states:

"It does not provide anonymity preservation and requires servers for the relaying of messages and storing of public key material."

> It's like telling people that the WWW is decentralized as long as you use .onion addresses. That's not true because as soon as you get off of public domains, you're not on the WWW anymore.

If you're using HTTP and HTML and hyperlinks and URIs, then you are using the WWW. I suppose you could say that .onion addresses are the Dark Web, but saying they are not part of the web is pointless gatekeeping, like saying that HTTPS sites aren't part of the web because some web clients don't support TLS.

> I don't think you understand this topic.

That makes two of us then.

> There are protocols with encryption schemes built into them. Email is not one of those.

Again, this is an unhelpful observation. HTTP is a protocol that doesn't have encryption schemes built into it, but we didn't decide to throw it away in order to make the web secure. Similarly we don't need to throw away all existing email protocols and clients in order to have secure messaging.

> That is in contrast to Signal Protocol[1], where all clients' E2EE are compatible with each other as long as they're using the same protocol.

No, email is exactly the same as the Signal Protocol in that regard, since all email clients' E2EE are compatible with each other as long as they're using the same (encryption) protocol. The fact that an SMTP server doesn't reject an email that isn't PGP encrypted is a feature, not a bug.
dane-pgp
·5 năm trước·discuss
Agreed. In fact, if consistent E2E encryption could be assumed, then the proxies could be implemented as simply a dedicated address on each server.

For example, suppose alice@example wants to send an encrypted message to bob@server. Alice's client could wrap the message to Bob as an encrypted payload to a message addressed to switchboard@server, so that her provider doesn't learn Bob's address, and her provider could replace her metadata with switchboard@example before sending it to Bob's, so that it doesn't learn Alice's address.
dane-pgp
·5 năm trước·discuss
> Email is not decentralized. It relies on the central authority of domain registries.

By that definition, almost every chat app is centralized, especially if you include the step of downloading it over HTTPS. In any case, it would be possible to further enhance email using something like SMTorP so that .onion addresses are used instead.[0]

> And then if you do decide that whatever encryption scheme you've chosen is right for you, there's no guarantee any significant mass of people supports it.

The same is true of any system which is proposed as an alternative to email. Admittedly it will be difficult for a UI to convey the security properties of messages when you are interacting with users whose email clients don't support the recommended extensions, but there is always the risk that a recipient will copy-paste the plaintext of your securely sent message into an unsecured channel.

[0] https://github.com/mailpile/Mailpile/wiki/SMTorP
dane-pgp
·6 năm trước·discuss
Yes, but to maintain the conceit of chess being like a battlefield, it is nicer to think of knight pieces as being jumping cavalry (however unrealistic that is) rather than ghosts or owning a portal gun.

I suppose the actually intended analogy is that by riding a horse, the character is more evasive and can slip past another unit without being blocked. Also, I suppose that rooks must have wheels on, and a door that a king can only walk through in rare circumstances.
dane-pgp
·6 năm trước·discuss
I think that's called "Nothing personnel, kid".

https://knowyourmeme.com/memes/teleports-behind-you-nothing-...