Notices by Wish the sun to stand still 🌞 (tasket@infosec.exchange)

@fun @bart Something tells me Librephone are not working within the same parameters as PostmarketOS. I'm sure the former knows what SPI flash is and how to use it.

I mean, seriously... you expect an org like FSF to not break secureboot for the sake of research? lol

What I'm reading from Librephone is they are defining a breakaway platform that they hope will have a following with the ethical hardware brands that have been popping up. They don't need the sanction of secureboot, they can create their own system.

Edit: After listening to their announcement conf call, they are not producing a whole OS. They are only using AOSP as their reference for reverse engineering closed drivers (blobs). And they expect that whole-OS projects can make use of the resulting open RE firmwares.

Why didn't they call #Wayland X12? :blobthinkingcool:

:windows: 👀 In today's twisted and weird extortionists file: #Microsoft

"Windows 10 home users who want to delay switching to Windows 11 can enroll in the Extended Security Updates (ESU) program at no additional cost using Microsoft Rewards points or enabling Windows Backup to sync their data to the cloud."

#surveillancecapitalism #windows #spyware #theywantyourdata

https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-extended-security-updates-available-using-reward-points/

@timnitGebru They vacillate between "we can escape the rabble" to "oh shit, we can't. let's find ways to get them to kill each other while we make healthcare inaccessible to them".

@tchambers Protocol handlers are basically just definitions. The ActivityPub spec at W3C should be revised to include such a definition.... choose a handler prefix such as 'apub://' and include some commentary on which server names (or "bottom-level domain") typically serve what kind of content (for example, if infosec.exchange wanted to do an images service, it could be apub://pix.infosec.exchange). I can't imagine this would take up more than 3 paragraphs. Also, this is "User-friendly Internet 101" stuff from the 90s.

@tchambers I would add having zero algorithmic mitigations for TL annoyances, the most glaring being that popular posts re-appear frequently. And if I follow someone, I will see every single message in the threads they start... maybe I only want to see the first two until I click on the thread?

I would like to see what popular posters are talking about instead of having to temp. mute them over and over to keep my TL readable.

@tchambers Not having a protocol handler for ActivityPub content is the reason users end up on "foreign" instance pages. And that bandaid, where a foreign instance is prompting you to login to your home server, is very very bad. No user base should ever be conditioned to accept that kind of interaction (a phisher's dream).

This is also the reason why news, blog, etc. sites avoid putting "Share with fedi" buttons on their pages.

Having a protocol handler registered for AP would whisk the user to their preferred fedi app or website to handle whichever kind of request they're initiating. Yes, fedi should be that much like email.

@adfichter Between Outlook 365 requiring email copies sent to MS servers and the Windows Recall misfeature, the MS stack now looks like a platform for spying on the plebes.

Assuming MS can assure institutions that any "cloud" involved in the spying will stay in the jurisdiction, then they may find it an attractive proposition.

There is also the issue that Russian hackers gain entry to MS systems and conduct major heists on a semi-regular basis. Choosing the platform that will be most vulnerable to Russian hacking should raise additional questions.

@dalias After the article says this:

"an absolute no-go for the more privacy minded among us, and honestly, it’s hard to blame them. The whole thing is pretty creepy when you think about it."

...they proceed with a video showing their repurposed unit in the original housing.

I appreciate the agency to explore and tinker, but repurposing the bag-of-glass kit for a real function is tempting fate. You think you repurposed the tractor as an ATV without realizing you still have a body-mangling tiller still attached. The people who wrote the reverse-engineered drivers don't know what's really in that silicon AND, yes, you are likely depriving FOSS-respecting hw vendors the chance to grow their business.

It is a false economy.

Putting this in context, I've been recommending routers with Mediatek chipsets because that co. maintains open source drivers for them, and they work great with OpenWRT. No one around here f*cking cares. They want to brag about how their Netgear trash fought them and they won some little victory over it, or maybe go back to the "Oh Nvidia" wailing wall for some predictable Linux commiseration. I think the stupidity is breathtaking.

Based on what I'm seeing, there will be a LOT more pain from the tech sector. None of the various flavors of big tech fetishists are going to stop it or even slow it down.

@dalias Sorry, I don't give much notice to "branch of the thread".

Software isn't going to fix everything that is wrong with a piece of hardware. And part of what's wrong is that people may notice such a surveillance device and assume you have certain intentions. And that people with tech fetishes don't (yet) take those social issues into account.

@dalias @enron @mc_lewis This is founded on the conceit that a machine will only do what you tell it, and not what others (like, hackers) tell it.

Amazing how quickly that notion insinuates itself when "open source OS" is mentioned: The illusion that you control something perfectly. You don't know what surprises are in there or in what respects the cheesy reverse-engineered drivers are lacking.

it's exactly the same situation as any PC or phone.

Just no. And the fact that brands are trying to sell these cheap un-PC-like devices en masse is the main clue. If I slice a mic out of a laptop or phone, it still functions fine when I attach a headset. Do the same on a spy-tchotchke device and its reason for being is gone. The fact that it has been physically streamlined for that role is part of the problem.

@enron @dalias @mc_lewis It is still a wireless microphone connected to the Internet, and you have little-to-no feedback on what its internal state is like (unlike a PC or phone).

Without a hardware cutout switch on the mic, its tempting fate.

@ryanc I'd say not. Reliability is far better than Ext4-on-Thin LVM, and its worst-case throughput scenarios (esp. large container disk image files) have simple workarounds.

Its still fashionable to do benchmarks comparing Btrfs with plain XFS and Ext4. IMO those comparisons only tell you that copy-on-write has a cost. If you want copy-on-write features then Btrfs performance on Linux >6.1 kernels is solid.

There are no more "out of metadata space" oopses as Btrfs will now automatically allocate more mdata space as needed.

Of course btrfs-send is brilliant (better than zfs-send) although there are other backup tools like Wyng that can achieve a similar level of efficiency using the metadata Btrfs makes available.

So let me see if I've got this straight about Bluesky:

Anyone can host their own domain, and their identity on that domain. But the Bluesky org controls the "app view" and also the "bsky.app" domain through which all links to Bluesky content are referenced.

:blobcatthinkingsmirk: :blobthinkingcool:

But.... "you control your identity". Except Bluesky corp can cut it off from the rest of the Internet because web sites must reference the content via 'bsky.app' URLs. So your identity is really '@bsky.app' no matter what screen name says.

:blobcatthinkingsmirk: :blobthinkingcool:

I must be missing something. Please someone explain it to me like I'm in grade school...
#bluesky #bsky #decentralization #techbros

@tchambers Yep, this is all we have, but only about 1M people worldwide can stomach fedi's shortcomings. Almost all of us are some type of Linux/FOSS enthusiast which ought to be a gigantic red flag that something is fundamentally wrong with UX – things I've complained about but no one with any ActivityPub expertise has acknowledged.

TL;dr We are fucked.

@rrb @Gargron Any instance with a conscience would defederate #Threads

@shalien @ErikUden @Gargron Fedi is still too rough around the edges.

For one, people start to gain traction and then it flops because why? Ans: Popular posts become super annoying, recurring in TL dozens or hundreds of times per day..... so people react by muting those users and conversations.

Little if any chance you'll see replies (to other users' threads) from people you follow show up in your TL. Great candidate for a simple "algorithm"; as it stands its just poor engagement.

Picture-only posts where most people can't view the thread, because the only place to click on such posts is a 1px tall line about 3px under the poster's avatar.

Its very sad. Years back I donated money to Mastodon, but there are still UX holes you can drive a truck through and nothing is done about it. UX isn't taken seriously here, so its mainly techies that stick around.

@Infoseepage @appleinsider Tim Cook is in the "coming out of the closet after making Billion$" club. He probably feels he's got more in common with Peter Thiel than any of us.

@rysiek Who is Starlabs? Never heard of them.

@pushcx Also, is the page content being uploaded to Google so they can decide what/where to inject? That is a potential spyware issue.