Notices by Sarah Jamie Lewis (sarahjamielewis@mastodon.social), page 2

There are occasional ways to use VPN tech in a way that improves privacy, but they are primarily a circumvention tool - a way to get around local censorship - unless you can be sure that both the incentives of the provider and the jurisdictions involved are more favourable to your own privacy than otherwise, then be skeptical.

Hello. I am Sarah, a privacy and security researcher, focused on metadata resistant communication (via @cwtch), e-voting security, and privacy for and within marginalized communities (queer privacy).

You may know me from my work with the Open Privacy Research Society (@openprivacy) where I served as Executive Director, and now as president of the board.

Available for contract work (via @blodeuweddlabs).

Contact links and project info can be found at https://sarahjamielewis.com

#introduction

My spicy take is that auto updates are a security vulnerability best classified as "arbitrary code execution".

Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)

We are now in a position to offer subsidized security assessments (and other services) for open source projects.

(In addition to a whole array of analysis, development, and custom research offerings for everyone else)

Announcement (and more info): https://blodeuweddlabs.com/news/open-source-review-announce/

#infosec #security #appsec #canada #opensource

Hello Everyone! I'm Sarah. Executive Director of Open Privacy (https://openprivacy.ca/) - a Canadian non-profit society dedicated to researching & building privacy enhancing tools (like https://cwtch.im) that empower people.

I spend most of my days conducting #cryptography and #privacy research, and a fair amount of time disclosing security issues in a variety of systems.

#introduction

Auto updates are one of those things that are probably a good thing when applied at a population level, but have really rough edges.

I hate them, I never want them. The software was working, and then it wasn't. stop making me jump through hoops to do the thing I was doing perfectly fine 20 minutes ago.

Working on a truly privacy preserving project continues to be one of the most rewarding and weird things I've ever done.

Q: "How many users do you have?"

A: "No idea, I know we get a trickle of anonymous contributors, people who show up and share support for a completely new language or a bug report or a feature idea or just a thank you and then they vanish forever - that could be one prolific person or a dozen different ones, I really don't know, and I think that's incredibly cool"

I owe much of my philosophy on open source project management to the writings of the late Pieter Hintjens and, apropos of other discussions, I think this blog post in particular worth revisiting.

http://hintjens.com/blog:106

Update: it seems as if there was a zombie process laying around that had an open handle to an audio device (judging by the tab title it was a few days old, I'm guessing it happened during a firefox restart/update).

Purging that, and no more freezes.

Anyone else (presumably on linux...but maybe on other systems) now seeing Firefox freezes/crashes when attempting to play more than 1 video at a time?

It began happening with the recent 131 update, and I'm trying to work out if something changed in my setup or if this is a regression.

Any analysis of Tor onions or "dark web" that exclusively focuses on port 80 or 443 is critically flawed - that is simply not where the people are or how these services are used.

People use them for p2p instant messaging (cwtch/briar/ricochet refresh), p2p routing (bitcoin nodes / bisq / IM routing), and nat busting (ssh).

Tor Onion websites are nice, but I find it really weird how much people focus on them in 2024.

I connect to tens of unique onion services on a daily basis, probably thousands over the course of a year - the number of them that are websites is close to zero.

There is a new version of @cwtch out (https://docs.cwtch.im/)

Cwtch is a privacy-only p2p messenger based on @torproject v3 onion services.

By privacy-only, we mean privacy-only.

Cwtch provides complete control over what features (groups / file sharing / image previews etc.) are enabled, and every feature which alters the default privacy risk model is explicitly opt-in.

We believe that this level of control is what is it takes to actually take your privacy seriously.

This will likely be the last major version of Cwtch for a little while as @openprivacy has had to make significant reductions in recent years / months and development has slowed as a result (as people have had to seek out other work / moved to restricted-funding projects)

If you'd like to see more active development please consider donating via Patreon (https://www.patreon.com/openprivacy) or see https://openprivacy.ca/donate for other methods.

The distinct impression I get from basically all app stores is that they really dislike distributing applications and would generally prefer apps to not exist at all.

More people should build RSS readers from scratch, make them awesome. Give them great features. Make them extensible. Integrate Activity Pub. Support blog publishing Avoid webviews.

Make it easy to publish and share stuff. While still being web-compatible.

Beachheads outside - but compatible with - the browser ecosystem.

Sadly, I don't think there is any easy answer as to "well what do we do now?"

The web is a complicated, ever-evolving stack of protocols. The CSS spec alone now spans over a dozen documents.

And those specs are being primarily moved forward by advertising companies.

It's a pay-to-play game that dominates the web complicated more by the fact that all reference implementations require constant security updates.

Forking a browser is easy. Maintaining a fork is a red queen's race.

I understand that's an older view of software, and it dates me a little.

But it shouldn't be - you should expect to be able to use your tools without them contributing a signal to the sales force of some conglomeration.

You should expect to be asked before your tooling does something unexpected and not for your exclusive benefit.

You are worth that.

Had Mozilla set out on this mission a decade ago - unburdened by years of increasingly controversial feature additions to Firefox - they might have been able to sell it - we also knew a little less about the the fundamental limitations on aggregated privacy back then, and people would have trusted Mozilla to be an honest-if-curious aggregator.

We do not live in that world any more.

I come from a world where "user agent" still has a meaning. A tool that works on my behalf, not subject to the bidding of other forces.

And a world where building such agents is still subject to a code of ethics which precludes allowing others to extract data from such a tool for their own benefit - certainly not without explicit opt-in - and even then, not without a significant upside for the actual user.