@emilygorcenski
It's about whether or not your device is in an After First Boot state. Android and iOS both have access to your files when your phone is in a running system; your lock screen is just a method of preventing the screen from being accessed. Something that uses direct memory access can entirely bypass your password and just make use of the OS's access (easy) or even make use of the cached encryption key to dump the whole unencrypted disk image (hard).
https://securephones.io/main.pdf
Notices by irick (irick@this.mouse.rocks)
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 18:09:34 JST
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 18:09:33 JST
@emilygorcenski
The tldr is, turn your phone off before interacting with police if you don't want them having access to it. Otherwise, live streaming is a good option for accountability.
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 17:49:22 JST
@emilygorcenski
While you cannot be forced to provide a password without a warrant, your phone actually doesn't care. It stores the encryption key in memory in order to facilitate features such as always-on notifications, and the unlock screen merely provides one way to access it. We already know that PDs use automatic unlocking devices that bypass the unlock screen to get at phones that come in powered. The only way to prevent someone from being able to get into your phone is to turn it off.
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 17:41:25 JST
@emilygorcenski
If your phone is not on your person, then it is likely going to require a warrant to retrieve. This particular ruling is only useful for a warrantless random stop and frisk scenario. It enables the officer to open the phone with your biometrics. If the police have a warrant, it does not matter if you are using biometric unlock or not; you can be compelled to unlock your phone.
(Cont)
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 16:06:09 JST
@emilygorcenski
Risks are never mitigated. They are managed.
You manage risk based on a risk profile. That risk profile gives you an idea of reasonable precautions. E.g. it is reasonable for someone who has infrequent contact with adversarial actors to keep in mind that their quality of life features, such as biometric login, can be overridden by rebooting their phone when they may have need to temporarily increase their security. (Cont.)
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 16:06:05 JST
@emilygorcenski
Likewise, it is reasonable for someone who is specifically targeted by law enforcement to not carry a smart phone at all. We meet people where they live, because people have various risk profiles and various risk tolerances. (cont)
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 16:06:00 JST
@emilygorcenski
"Don't use quality of life features, they are insecure." isn't bad opsec, but it is bad general advice because people are going to use those features anyway. Unless you are enforcing that protocol with some form of mobile device management software, it is always better to meet the user where they live and instead highlight the safety features built into the quality of life features they are already using.
irick (irick@this.mouse.rocks)'s status on Wednesday, 24-Apr-2024 07:25:10 JST
@emilygorcenski
O_o
I mean we developed these tools specifically to protect protesters against extrajudicial abuse but go off I suppose?
People really do be unable to hold the power button these days, damn.
irick (irick@this.mouse.rocks)'s status on Tuesday, 23-Apr-2024 17:10:13 JST
@emilygorcenski
Most custom ROMs have a panic switch option that lets you turn your phone off from the shortcut menu. Turning your phone off forces it to require your password to unlock the first time. We had mostly anticipated this ruling.
irick (irick@this.mouse.rocks)'s status on Tuesday, 27-Jun-2023 02:02:23 JST
When I started this instance seven years ago I described my moderation policy as "Hands off". This was basically never true, but I felt that it would communicate that I wasn't always around and could be slow to act.
Things have changed a bit now. I would no longer call my moderation "hands off". In fact, the only two hashtags I have pinned are Fediblock and Mastoadmin.
Keeping up to date takes a lot of bandwidth, especially with any sort of commitment to investigate the instances.
irick (irick@this.mouse.rocks)'s status on Tuesday, 06-Jun-2023 02:37:04 JST
Then are we merely appealing to the logic of the corporate veil to rid ourselves of the atrocities that they may commit independent of their code contributions?
There is, I think, moral value in the use of software. It is right to protest the use of our code for atrocities. It is right to construct licences that prohibit the use of our code for violence and discrimination. But I don't think there is any moral value in calling something bloodstained code.
irick (irick@this.mouse.rocks)'s status on Tuesday, 06-Jun-2023 02:36:28 JST
So this hit my feed: https://lowendbox.com/blog/the-deprecated-bloodstained-code-in-the-linux-kernel/
And it got me thinking about the dynamics around accountability in the FOSS world. Is this really 'bloodstained code'? ReiserFS was never hugely popular or anything, but it was an interesting file system largely maintained by a single contributor. That contributor went to prison for a crime of violence.
I don't really know if that matters morally. If we can accept corporate contributions to the codebase (cont.)