Notices by lj·rk (ljrk@todon.eu)

@dalias @khm @ambiguous_yelp @sammi @joelanman I'm not saying that there's a lot of marketing bs, you don't need to repeat that in front of me.

But there /has/ been quite some development in QC on a hardware level, denying that is seriously denying reality. Even more, there /has/ been increased velocity in the development.

The only question is whether you consider this "relevant" or "much" or not. And while I don't think it's anywhere near to be done, I find the development worrying enough to think about this scenario in *some very select* contexts. Not as a threat now, but as something to consider and better protect against rather than not doing anything

Like we should've done something against the climate crisis in the 1920 already, even though the impact was quite far off, but signs where there. It's quantum resilience not "the big scary quantum is coming".

@dalias @khm @ambiguous_yelp @sammi @joelanman I disagree, we had quite some development in the recent years and while this is no guarantee, a lot more progress has been made than earlier. In other terms, it's not the same velocity of development but has accelerated.

But: There are still real problems to be solved and at any given point we may run into a wall. And one real problem could also be that we have WW3 before any QC get's successfully constructed, whelp.

But regardless, that's really no helpful debate and I'd rather not bet on that for some stuff and rather be safe (hybrid schemes) than sorry.

@khm @ambiguous_yelp @dalias @sammi @joelanman While I agree that it's nowhere "close", the "Harvest Now, Decrypt Later" is a tangible threat -- even if they're 10 years out.

However, I wouldn't bring that up for Signal since that'd require a *lot* of Harvesting, a *lot* of cracking and we'd only get some of the data to decrypt a whole Signal interaction since only the KEX would be affected and things like PFS etc. help against a lot of simpler attacks.

This *is* a threat for, say, secret govt. documents where deciphering has a big impact even 20 yrs later and the computing requirements (given you have access to quantum computers) are comparatively acceptable.

@ainmosni @dalias @hipsterelectron Tbf, I've seen many constructions that are insecure even though the primitives where fine. They were just misused. Those primitives ranged from wrong application of SHA2, to PBKDF2 to just using GPG wrongly...

But yes, learning things and trying to do new things with crypto is absolutely fine. But *please* ask a cryptographer latest when you are dealing with data from other people.

@jwildeboer I’d recommend not necessarily using your name… as long as you’re not 100% sure it might change 0:-)

@dalias @whitequark @glyph @mcc You have not encountered normies using Google Chrome? And you may argue that it's a single platform authority, but the statement is then widely misleading as you can use very different systems beneath. But idc, the reality is that people use it, you like it or not.

And yes, iCloud is not synced to Windows. But you said, I quote:

> Even on Apple's walled garden ecosystem

and to my knowledge Windows is not part of the Apple walled garden. Regardless though, Apple Passwords syncs to Chrome and Edge (~80% market share, much higher if you restrict to Windows only for your example) just fine...

@dalias @whitequark @glyph @mcc

> They absolutely are not. There is no such thing by default, only if all your devices are from a single platform authority (Apple, Google, or Microsoft) and you trust them. Most people do not fit it that category.

Okay, you *are* widely out of touch. Chrome alone has about 68% market share and has a built-in E2E password manager that works on Linux/macOS/Windows/Android + syncs with the Android keystore for use outside of the browser. I wouldn't call that "single platform authority" but either way, *a lot* of users use this. We may not like it but that's how it *is*.

> Even on Apple's walled garden ecosystem it's hard af to get this magical transfer to new device to work.

*if* you are in Apple's walled garden it's just in iCloud and transparently on all your devices.

> Only critical passwords like your email actually have to be written down. Everything else you just do a reset via email.

That's one solution. Which, you know, will work with passkeys too, so you've just invalidated your whole fucking point.

(Besides: I'd love to rip out email from this too in the future because it undermines the whole security but that's outside of the scope of this discussion.)

@dalias @whitequark @glyph @mcc Through transparent E2E and synchronization b/w devices. This mythological technology that they are... you know... widely using already.

Also: You yourself brought up password managers and generated unique passwords. Which have literally the same problem: If you lose access to it, you lose access to the sites you've logged in to. And the high # of log ins make it unrealistic to memorize or write the passwords down. If you really think that's what they're do then you're widely out of touch with the general user's reality.

@dalias @whitequark @glyph @mcc What, no, @whitequark didnt say anything about a separate device and the point still stands stands. It’s just pub/private crypto vs shared secrets. It’s one reason why we use SSH keys instead of passwords despite passwords being possible to generate uniquely and strongly.

For sure, this problem has been “solved” in the sense that you (and me) just use a password manager, tweak its generator when websites want some different “secure” password requirement and know how to deal with the PITA if the passwords are shared across domains etc. Possibly even monitor HIBP and rotate the password in that case.

But all this is something that requires domain knowledge and we should admit that. We failed to make computers useable by end users. Which would be fine if we wouldn’t require them to that.

If Passkeys were implemented correctly the above problems wouldn’t appear, Phishing would almost completely be gone and it would even be easier for users. And “losing credentials” neither.

I’m honestly surprised about this pushback by you. We’re effectively unrestricting FIDO2 which has been our go-to advice for ages and make the keys copyable like SSH keys are … and suddenly it’s all evil

Very enraged about the missed opportunity to put Freddie on the Queen card…

ADHD is just being cat-brained

@mekkaokereke @semitones @tillshadeisgone Thank you for taking the time to explain! For me it's hard to wrap my head around, and while I'm all for believing the victims in their description – I think trying to understand the situation by thinking it through enables me a better "ally", defend PoC better, etc.

If you still have the energy, there's a bit more of questions I have: I think understand what you describe with your point about racism being worse than other discriminations. My closest experience is (white) cis women, who, while not per se marginalized, are discriminated against, use the "power" vetted into them by progressive parts of society to counter this, to hate against trans people. And it's incredibly hard to argue against them because you then feed the trans-women-are-just-mysogynist-men-in-dress stereotype. Similar situations with the LGB-Alliance, Lesbians/Gays/Bis speaking "against the T". I find this phenomenon where marginalized people get at each others throats sad but also very common in all directions. What is unique here w.r.t. Black people?

1/x

@mekkaokereke @semitones @tillshadeisgone

The second question for me is: How this relates to the Fedi in particular? IME the Fedi is uniquely positioned to address this imbalance through its federation system. E.g., while we agree on what racism is and how it constitutes (I just try to understand your view point better and hence talk to you than my bubble), I think it's unlikely to get this view as a consensus on most platforms soon. Neither, do we get trans acceptance that's really more than empty words of "diversity". As such, the Fedi is doing the opposite pf creating a safe space by marginalized people for themselves through their own servers. Mind you, not the whole Fedi becomes safe (I mean, even truth.social exists), but that's not the goal. And once marginalized people can be active in the Fedi through their own servers, they can also shift the window of the discourse and have an impact of the Fedi on the whole. This is what happened with Fedi, while it was queer from the get-go, this queerness was well-hidden and the policies weren't friendly to open queer people. And nowadays thing's have changed a lot. Why isn't that a realistic path for Black people?

2/3

@mekkaokereke @semitones @tillshadeisgone

After all BlueSky (in my view) follows a similar approach but instead of using a community moderation system of the server, you have tagging algorithms and crowd-sourced custom modules. But in the end, you are allowed to look at humanity's worst, if you want to.

I'm sorry if I come of as dismissive, that's not my intention. I try to understand by relating to your experience, my intention is not question it for questioning's sake.

@tillshadeisgone Thank you for taking the time to answer! I know it's very much emotionally taxing and I appreciate your effort.

Foremost, I believe you. However I'd love to do more than believe. Because in the end, if I don't understand the problem space, I'm just gonna perpetuate solutions that don't work. Of course I can parrot that this is what Black folx say, but this doesn't help with building something better. And whilst, of course, the root issue is that white racism exists – we can't change that soon. And also that's not what BlueSky did.

Their moderation system is working better for you. And I want to understand why this is. Or: Why the Fedi moderation system doesn't work for you. Because if we want to build better we need to understand the points of failure.

And it baffles me that people get harrassed til they leave. I mean: Not that this harassing is something that exists, but how it passes the layers of moderation. How does this happen when it doesn't for white queer folx? There's a lot that's unique to racism, but what property of it is it, that makes it bypass moderation instantiated by Black folx themselves?

Or w.r.t. BlueSky: What is it about their system that gets the job done better. Again, I totally believe you that it does, but I want to understand why :/

@tillshadeisgone @mekkaokereke I understand that, but I don't understand how that's a reason why the solution wouldn't work.

Specifically, this was the same for non-queer-aligned servers in the fedi as well. While the fedi is generally more queer than maybe some other platforms, many mods used to be cis-het and the policies often didn't recognize queerphobia much. That's why "we" did our own servers. This has both provided us with a safe-space as well as pushed the entire fedi slightly more queer because it provided reason for influx of (white) queer people.

And I just don't understand why this approach does not work for the BIPoC community as well :(

@semitones @tillshadeisgone @mekkaokereke That's something specific to Mastodon but not AP in general, I'd say. Specifically, many queer instances use a Misskey fork that have Quote-Posts for that reason (amongst others).

What I'm saying is: I totally agree that the "standard" Mastodon on a somewhat "apolitical" instance is bad for the BIPoC community... as it is for *any* discriminated-against group indeed. But the beauty of the Fedi is that we can build our community and do *not* need to depend on 3rd party white cis savior-type dudes to help us.

(Side note: A lot of resistance against QP came from the trans community because we've seen QP weaponized for targeted harassment. Mastodon often prioritizes this kind of safety over features. A proposed solution was to add a permission-system for QP. But I think this went no-where for Mastodon itself.)

@mekkaokereke I do notice it, and I understand somewhat of the why – I just don't understand why the solution that worked for me doesn't work for them because the problems superficially resemble mine, a white queer person.

On mastodon.social I had similar problems w.r.t. moderation etc., other people getting shit moderated away which left me alone reading transphobic comments. On my new instance not anymore.

@mekkaokereke I still don't get it honestly. I know that my situation is different, I'm white. But I had very similar experiences with Mastodon... on servers that promptly moderate/filter/block transphobes. I would expect similar things from servers which have a focus in racism. Catch-all servers are a problem for the Fediverse because they combine the hard problem of moderating a platform with the lacking cross-federation moderation.

What is different here/makes the situation uniqe? I've been reading a lot of your posts over the last months but I honestly don't get why the solution the queer community did (lots of queer aligned servers) don't work for Black people :/

#Punsexual pride flag

(Attracted to anyone who endures my puns, regardless of gender.)