Msurrow commented on Stop Breaking TLS   markround.com/blog/2025/1... · Posted by u/todsacerdoti
johncolanduoni · 5 days ago
What if your employer says “don’t access your health records on our machine”? If you put private health information in your Twitter bio, Twitter is not obligated to suddenly treat it as if they were collecting private health information. Otherwise every single user-provided field would be maximally radioactive under GDPR.
Msurrow · 5 days ago
If the employer says so and I do so anyway then that’s an employment issue. I still have to follow company rules. But the point is that the company needs to delete the collected data as soon as possible. They are still not allowed to store it.
Msurrow commented on Stop Breaking TLS   markround.com/blog/2025/1... · Posted by u/todsacerdoti
johncolanduoni · 5 days ago
Does GDPR (or similar) establish privacy rights to an employee’s use of a company-owned machine against snooping by their employer? Honest question, I hadn’t heard of that angle. Can employers not install EDR on company-owned machines for EU employees?
Msurrow · 5 days ago
Yes. GDPR covers all handling of PII that a company does. And it’s sort of default deny, meaning that a company is not allowed to handle (process and/or store) your data UNLESS it has a reason that makes it legal. This is where it becomes more blurry: figuring out if the company has a valid reason. Some are simple, e.g. if required by law => valid reason.

GDPR does not care how the data got “in the hands of” the company; the same rules apply. Another important thing is the principles of GDPR. They sort of underline everything. One principle to consider here is that of data minimization. This basically means that IF you have a valid reason to handle an individual’s PII, you must limit the data points you handle to exactly what you need and not more.

So - company proxy breaking TLS and logging everything? Well, the company has a valid reason to handle some employee data obviously. But if I use my work laptop to access private health records, then that is very much outside the scope of what my company is allowed to handle. And logging (storing) my health data without a valid reason is not GDPR compliant.

Could the company fire me for doing private stuff on a work laptop? Yes probably. Does it matter in terms of GDPR? Nope.

Edit: Also, “automatic” or “implicit” consent is not valid. So the company cannot say something like “if you access private info on your work PC then you automatically consent to $company handling your data”. All consent must be specific, explicit and retractable.

Msurrow commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
danlitt · a month ago
> it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days

This is very far from obvious. If google doesn't feel like prioritising a critical issue, it remains irresponsible not to warn other users of the same library.

Msurrow · a month ago
If that’s the case why give the OSS project any time to fix at all before public disclosure? They should just publish immediately, no? Warn other users asap.
Msurrow commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
woodruffw · a month ago
I’m an open source maintainer, so I empathize with the sentiment that large companies appear to produce labor for unpaid maintainers by disclosing security issues. But appearance is operative: a security issue is something that I (as the maintainer) would need to fix regardless of who reports it, or would otherwise need to accept the reputational hit that comes with not triaging security reports. That’s sometimes perfectly fine (it’s okay for projects to decide that security isn’t a priority!), but you can’t have it both ways.
Msurrow · a month ago
My takeaway from the article was not that the report was a problem, but a change in approach from Google that they’d disclose publicly after X days, regardless of whether the project had a chance to fix it.

To me it’s okay to “demand” from a for-profit company (e.g. Google) to fix an issue fast. Because they have resources. But to “demand” that an OSS project fix something within a certain (possibly tight) timeframe.. well I’m sure you know better than me that that’s not how volunteering works.

Msurrow commented on FFmpeg to Google: Fund us or stop sending bugs   thenewstack.io/ffmpeg-to-... · Posted by u/CrankyBear
JamesBarney · a month ago
I get the idea of publicly disclosing security issues to large well funded companies that need to be incentivized to fix them. But I think open source has a good argument that in terms of risk reward tradeoff, publicly disclosing these for small resource constrained open source project probably creates a lot more risk than reward.
Msurrow · a month ago
In addition to your point, it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days. The security issue should certainly be disclosed - when it’s responsible to do so.

Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

Then everybody wins.

Msurrow commented on End of Japanese community   support.mozilla.org/en-US... · Posted by u/phantomathkg
hazn · a month ago
Why is it condescending and patronizing? I read it as a person trying to understand the situation.
Msurrow · a month ago
The OP/article is very clear and very direct on what the problems are. The response is so typical American conflict-shy “let’s talk so we can slowly diminish your critique, and also let’s do talking instead of writing so we can’t really be held accountable for specifics”. And, to me it comes across as lazy: the OP/article is very specific on the problems, just get to work already, no need for “further clarifications” (obviously disable that stupid bot for the Japanese community; then get to work restoring original KBs from backups. Then reach out to talk about next steps).

It’s a tone-deaf response from the staff person. Zero respect for what’s clearly many, many hours of contributed work.

Msurrow commented on AI and Copyright: Expanding copyright hurts everyone   eff.org/deeplinks/2025/02... · Posted by u/mooreds
fragmede · a month ago
http://Suno.ai is already there.
Msurrow · a month ago
Koda, the Danish music copyright organisation, just sued Suno.ai [1] calling it the “biggest music theft in history”.

Apparently Suno can almost completely reproduce some “big” songs made by Danish bands, e.g. D-A-D, Aqua.

Edit: and from the article it seems they are doing what they can to make it a political/legislation issue.

[1]: https://koda.dk/om-koda/nyheder/koda-sagsoeger-ai-tjenesten-...

Msurrow commented on Ask HN: How to deal with long vibe-coded PRs?    · Posted by u/philippta
Yizahi · a month ago
Alternative to the reject-and-request-rewrite approach, which may not work in the corporate environment. You schedule a really long video call with the offending person, with the agenda politely describing that for such a huge and extensive change, a collaborative meeting is required. You then notify your lead that a new huge task has arrived which will take X hours from you, so if he wishes to re-prioritize tasks, he is welcome. And then if the meeting happens, you literally go line by line, demanding that the author explain them to you. And if the explanation or the meeting is refused, you can reject the PR with a clear explanation why.
Msurrow · a month ago
See, now that’s a proper f** you in corporate-speak.
Msurrow commented on Denmark reportedly withdraws Chat Control proposal following controversy   therecord.media/demark-re... · Posted by u/layer8
tokai · a month ago
It's interesting that Peter Hummelgaard's former party comrade Henrik Sass Larsen recently got 4 months of prison for possession of child porn; 6200 pictures and 2200 videos.

So we are to believe Hummelgaard wants to protect children by enabling vast surveillance, so all the bad offenders out there can get ... 4 months in prison.

It’s not really adding up. And he still hasn’t presented any argument for the thing except that you are pro child abuse if you don’t agree with him. I’m at the point where I hope he’s corrupt and it’s not just all about power for him.

Msurrow · a month ago
What’s really laughable about this is that they wanted politicians to be exempt from Chat Control regulation. As if politicians never do anything wrong.

If CC were ever implemented it should have an x-year trial period where ONLY policymakers should be monitored.

Jesus, what a shit show from the DK government.

Msurrow commented on AWS to bare metal two years later: Answering your questions about leaving AWS   oneuptime.com/blog/post/2... · Posted by u/ndhandala
realitysballs · 2 months ago
For my org, I don’t have budget for a dedicated in-house opsec team, so if I go on-prem it triggers an additional salary burden for security. How would I overcome this?
Msurrow · 2 months ago
Familiarize yourself with your company’s decision process on strategic decisions like this. Ensure you have a way to submit a proposal for a decision on making the change (or find someone who has that access to sponsor your proposal), build a business case that shows cost of opsec team, hardware and everything else is lower than AWS (or if cost is higher then some other business value is gained from making the change — currently digital sovereignty could be a strong argument if you are EU based).

If you can’t build a positive business case then it’s not the correct move. Cash is king. Sadly.

u/Msurrow · Karma 613 · Cake day September 19, 2016