Readit News
KAMSPioneer commented on Is Mozilla trying hard to kill itself?   infosec.press/brunomiguel... · Posted by u/pabs3
nephihaha · 5 days ago
What is your opinion on Brave?
KAMSPioneer · 4 days ago
They already said "Chromium-based browsers."
KAMSPioneer commented on Poor Johnny still won't encrypt   bfswa.substack.com/p/poor... · Posted by u/zdw
pcthrowaway · 9 days ago
> Proton is a notable exception.

Proton doesn't provide public APIs for retrieving the public GPG keys associated with their users' accounts, nor do they provide a way to send encrypted mail to their users' accounts without using their official apps.

Ergo, Proton is not really working to further the state of cryptography for email, they're only working to compel users to use their proprietary software (and ultimately their paid services).

If services which do automated sending of emails to their subscribers/users have no way to encrypt those emails for its users who are on proton mail, I don't understand how Proton can claim to care about encryption.

KAMSPioneer · 8 days ago
Uhm you can curl https://api.protonmail.ch/pks/lookup?op=get&search=$email_ad... for any valid $email_address and get the public key.

I have used this to send signed/encrypted mail to a ProtonMail recipient. It worked, until he responded inline without encrypting it to my private key, thereby completely defeating the point.

(Later I informed him of how to automatically sign and encrypt outgoing mails to my account, as that is possible too, but not obvious at all.)

PM should make this more obvious, but in principle the interoperability is there and works.

KAMSPioneer commented on Europe to decide if 6 GHz is shared between Wi-Fi and cellular networks   theregister.com/2025/11/0... · Posted by u/FridayoLeary
lazide · a month ago
It’s even more amusing in some ways. A common way to refer to those from the USA in Brazil, for instance (even an official one!) is ‘Norte Americano’.

Which is all kinds of weird because - what about Mexico and Canada? And what about the ‘United States’ part?

It’s just to disambiguate from ‘Americano’ as in what others in South America sometimes use to refer to Latin Americans and as a little bit of a FU to the USA, hahah.

KAMSPioneer · a month ago
Ahh, I forgot about that...and to be transparent, I actually have no idea what French Guyana, Haiti, or Belize typically do to differentiate between people of the American continent(s) and US persons. I should have said Hispanoamerica, but oh well.
KAMSPioneer commented on Europe to decide if 6 GHz is shared between Wi-Fi and cellular networks   theregister.com/2025/11/0... · Posted by u/FridayoLeary
jb1991 · a month ago
I find your comparison not so convincing. While there is some common misidentification between the EU and Europe, I’ve never heard anyone in the world refer to “America” in a way that was not for the United States.
KAMSPioneer · a month ago
In my personal experience, people from Latin American countries will sometimes point out that they are American because they come from North or South America.

Which is, of course, true; however, in English conversation, it's often nothing more than pedantry. In Spanish it makes more sense, since there is a separate demonym for a US person that doesn't co-opt the term "American."

Outside of Romance language speakers born on the American continents, I agree that everyone seems fine calling US-born persons "Americans" without much confusion nor gnashing of teeth.

KAMSPioneer commented on Drilling down on Uncle Sam's proposed TP-Link ban   krebsonsecurity.com/2025/... · Posted by u/todsacerdoti
ksec · a month ago
Just because a company changed its headquarters to the US, all of a sudden they are a US company? Even if 99.9% of its decisions, operations and R&D are still elsewhere?

That is like people saying Nothing is a UK company, when all I see is a Chinese company registered in the UK.

KAMSPioneer · a month ago
It's like saying Apple Computers is an Irish company and not a US one because of where they file their corporate taxes.
KAMSPioneer commented on Ironclad – formally verified, real-time capable, Unix-like OS kernel   ironclad-os.org/... · Posted by u/vitalnodo
notepad0x90 · a month ago
That makes sense. I'd still be weary though, you can win in court, but the cost of getting sued isn't small. Nintendo's lawsuits come to mind.
KAMSPioneer · a month ago
Normally I wouldn't say anything, but since we're on the topic of mixing up two different concepts:

I suspect you meant to say "wary." Wary means "cautious," "weary" means "tired."

KAMSPioneer commented on Keep Android Open   keepandroidopen.org/... · Posted by u/LorenDB
davisr · 2 months ago
I charge for copies of free software I wrote, an AGPLv3+ desktop application, and earn about $2k MRR from it. Most people don't care about your choice of license, they just want software that conveniently solves their problem(s). If they want to share it, that's fine. They're giving it to people who wouldn't have bought it anyway. If those grantees ever want an official copy, with updates and support, they come back to me.

You see the same effect mirrored in illicit distribution of copyrighted works. Sharing movies increases box office revenue. Sharing albums increases music sales.

The people who get a copy for no charge weren't going to buy a copy in the first place. When you expose them to the product, some percent go on to become fans, advertising the work, and perhaps giving money to support it.

Read through my past comments from last year to find more info.

KAMSPioneer · 2 months ago
Hey, I recognize your username, I bought RCU this year because I wanted to encrypt my reMarkable without losing data. I could have used the cloud or whatever, but I found your software and chose it because it is local-only and FOSS. Also reasonably priced.

Thanks for your work! I have enjoyed RCU and now use it regularly for backups, file transfer, etc. I'm glad to hear that it seems to be sustainable.

KAMSPioneer commented on Xubuntu.org Might Be Compromised   old.reddit.com/r/Ubuntu/c... · Posted by u/kekqqq
xyzzy123 · 2 months ago
But aren't you still trusting the website for instructions about how to verify the cryptographic signatures?
KAMSPioneer · 2 months ago
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.

Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.

KAMSPioneer commented on Retiring Windows 10 and Microsoft's move towards a surveillance state   scottrlarson.com/publicat... · Posted by u/trinsic2
AnthonyMouse · 2 months ago
> When Secure Boot is disabled, the TPM notices that and refuses to release the key, that's how you know to reënable Secure Boot or throw away your device.

But the attacker isn't trying to get the key from the TPM right now, they're trying to get the credentials from the user. It's the same thing that happens with full disk encryption and no TPM. They can't read what's on the device without the secret but they can alter it.

So they alter it to boot a compromised Windows install -- not the original one -- and prompt for your credentials, which they then capture and use to unlock the original install.

They don't need secure boot to be turned on in order to do that, the original Windows install is never booted with it turned off and they can turn it back on later after they've captured your password. Or even leave it turned on but have it boot the second, compromised Windows install to capture your credentials with secure boot enabled.

How suspicious are you going to be if you enter your credentials and the next thing that happens is that Windows reboots "for updates" (into the original install instead of the compromised one)?

KAMSPioneer · 2 months ago
So this attack is to steal my Windows password or Windows Hello credentials, but doesn't get my encryption key...? That's...not ideal, but I think you'll see it's an improvement over unencrypted disks (again, TPMs are for people who can't be bothered to set a strong password).

And again this presupposes that you can disable Secure Boot, boot a malicious OS from another drive, fool the user into entering their password, automatically reboot, enable Secure Boot, boot into the legit OS, then come back later and have the ability to boot the OS yourself and log in as the user (because again, you don't have the decryption key, you have the user's login credentials).

You are also presupposing what the TPM is bound to. I don't use Windows, but using systemd-cryptsetup I could configure a TPM to bind to the drives in the system; in this way, it will refuse to boot my legit OS while your malicious disk is installed (well, it will demand a recovery key). Again, setting off alarm bells, and if I discover the disk with my recorded credentials before you can physically access it, I can just destroy it.

KAMSPioneer commented on Retiring Windows 10 and Microsoft's move towards a surveillance state   scottrlarson.com/publicat... · Posted by u/trinsic2
nuker · 2 months ago
If evil maid attack, and you see this prompt, you a) re-enable secure boot, if did not work b) throw away the device.

In any case data stays secure.

Edit: Hmm, you have a point, how do I know secure boot was disabled in the first place? Anyway, still works for servers and unattended reboots.

KAMSPioneer · 2 months ago
No, GP is misinterpreting Windows's message. It prompts for a recovery key because the TPM is bound to, among other things, Secure Boot == enabled. When Secure Boot is disabled, the TPM notices that and refuses to release the key, that's how you know to reënable Secure Boot or throw away your device.

The fact that Windows is compromised does not make it capable of extracting secrets from the TPM, though maybe a naïve user can be convinced to enter the recovery key anyway...

u/KAMSPioneer

Karma: 377
Cake day: September 17, 2017
About
[ my public key: https://keybase.io/wrobertson; my proof: https://keybase.io/wrobertson/sigs/Av8Cl_wlLBGh4vhriHgyhe4cXVpan0jaFobetGom884 ]