Readit NewsStefan-H commented on Exploiting silent delivery receipts to monitor users on instant messengers arxiv.org/abs/2411.11194... · Posted by u/wakawaka28
This has been making the rounds in privacy-focused forums and whatnot and still no comment from the foundation. That doesn't inspire a lot of confidence in the Signal Foundation. If nothing else, I would expect that sending delivery receipts to invalid messages be considered a bug to fix, even if sending delivery receipts in general would be intentional.
An attacker with a privileged position on the network allowing them to eavesdrop (but not decrypt) traffic could use a bug like this to identify the device on the network associated with a phone number in Signal. Given nation state level adversaries, that seems like a significant privacy issue to me.
Obligatory https://xkcd.com/538
Cooperation under duress is still cooperation.
Referring to "suspicion" at all here is a distraction that suggests it would somehow be okay in other circumstances.
There must not be a way to backdoor user devices, under any circumstances.
Many consumer devices can be selectively targeted for updates. The entities that control the update servers are controlled by the states that they are a part of. People seem to have forgotten that companies once felt the need to invent warrant canaries to warn when they had received non-public court orders. Presumably they can also be forced not to remove the warrant canary.
Edit: My first read had me interpret backdoor as any undetected means of gaining access to a device/system. I have updated by definition to mean using a flaw in the system left intentionally to gain access. This somewhat negates the need for my previous comment, but I'll leave this for illustrative purposes.
Stefan-H commented on Disaster awaits if we don't secure IoT now spectrum.ieee.org/iot-sec... · Posted by u/mdp2021
Please read the article before commenting, because I find the proposed solution a bit worrisome.
Of course we should secure IoT, but the article is about one very particular kind of security: roots of trust. The idea is that devices shouldn't run unsigned software, so forget about custom firmwares, and generally owning the hardware.
There is a workaround, sometimes called "user override", where the owners can set their own root-of-trust so that they can install custom software. It may involves some physical action, like pushing a switch, so that it cannot be done remotely by a hacker. But the article doesn't mention that, in fact, it especially mentions that the manufacturer (not the user) is to be trusted and an appropriate response is to reset the device, making it completely unusable for the user. Note that such behavior is considered unacceptable by GPLv3.
There are some cases where it is appropriate, GPLv3 makes a distinction between hardware sold to businesses and "User Products", and I think that's fair. You probably don't want people to tinker with things like credit card terminals. But the article makes no such distinction, even implying that consumer goods are to be included.
How user antagonistic changing code on IoT devices should be is highly dependent on the threat model for the devices. I'm happy to trust home users to flash their lightbulbs and door locks (though the company might not see that as acceptable to their brand reputation if their lock is compromised nonetheless), but I would prefer not to trust the hundreds of IT departments and engineering teams to properly vet the code they are flashing onto industrial control systems when lives are at stake - centralized authority and accountability with high visibility on the code base that is flashed to the devices is what is needed there.
Stefan-H commented on Disaster awaits if we don't secure IoT now spectrum.ieee.org/iot-sec... · Posted by u/mdp2021
> Guy Fedorkow is a Connection Science Fellow at MIT, a Distinguished Engineer at Juniper Networks, and a contributor to the Trusted Computing Group.
Talk about the worst corporate doublespeak - 'trusted computing'.
It also goes by DRM, or rental hardware, or you never actually own it cause someone else retains permanent digital control.
There is NO trust here, only control and power in never actually selling anything.
And since we're talking of IoT, this goes hand in hand with proprietary corporate clouds, anti-FLOSS like Home Assistant, rental in the form of sales, forced firmware upgrades that remove previous features to gatekeep and resell what you promised.
I don't even need to read further. Anybody, and I do mean anybody, who uses the moniker 'Trusted Computing', should be ignored, blackballed, and relegated to the bin of computing.
Are you familiar with the academic field of security and the notion of trust in trusted computing? The IoT devices that is being discussed in the article are for industrial control systems, not necessarily your home lightbulb. The threat model is different. Do you want every municipal power company to be trusted to properly vet the code they are putting on these devices, or do you want to trust the device manufacturer to be the one who can put code on the devices?
Stefan-H commented on TLS certificate lifetimes will officially reduce to 47 days digicert.com/blog/tls-cer... · Posted by u/crtasm
Since you’ve thought about it a lot, in an ideal world, should CAs exist at all?
What alternatives come to mind when asking that question? Not being in the PKI world directly, web of trust is what comes to mind, but I'm curious what your question hints at.
Stefan-H commented on Are people bad at their jobs or are the jobs just bad? annehelen.substack.com/p/... · Posted by u/moonka
I'm sorry, but that is delusional. It is not possible for humans to forego emotion in favor of logic.
It's really just about giving yourself enough time to think before you respond. That's the entire difference between a reaction and a response. You can use dialectical and cognitive behavioral therapies to help develop the tolerance to do that. Mindfulness and meditative practices like those in zen buddhism have proven helpful to me as well.
Perhaps you're taking an extreme interpretation of my using the word "logic" and instead you could use "wise mind" or even just "considered thought" as the response in lieu of an emotional one.
Stefan-H commented on Are people bad at their jobs or are the jobs just bad? annehelen.substack.com/p/... · Posted by u/moonka
How do you slog through something you truly hate?
More than a decade ago I was hired as an intern at Colgate-Palmolive as a software developer. Turns out they were(are?) one of the largest SAP deployments in the US. The entire company revolved around SAP. Due to lack of college graduates knowing SAP, they took great pains to treat me extremely well and train me (a CS major) in ABAP using SAP Netweaver.
My project was more ambitious than the rest of the group because I had enough courage and bravado to be assigned a project like that. In fact I made it a point to be 'brave' and make myself look really good in front of the upper level managers. I tried to know everyones name, even in other departments and to be super polite and humble around any sort of manager there. When I finally got some tasks to do, I was so miserable that I finished multiple days without getting anything done. I felt so depressed thinking that I slogged through four years of CS for this?
In the end I managed to finish last in the cohort and Colgate took the rare(at the time)decision to not extend me a full time offer. I felt like a complete failure because I didn't put in 100% and I felt like I let my mentor down.
At the same time I know that I truly hated it. To this day seeing pictures of SAP GUI gives me anxiety and makes my stomach turn. How do you overcome something like that and push on? It does not always seem like a sure thing. I sometimes think what if I had pushed through and gotten the offer? I'd probably still be at Colgate like my mentor was.
With the benefit of hindsight I have learned to be super appreciative and thankful for them treating me so well but im glad circumstances led me to not ending up there. But really who knows if it would have been better in the long run? Whenever I see Colgate it actually evokes positive memories of that time. But the biggest thing I learned was to not bite off more than you can chew and if you don't truly love what you are doing there is another path out there.
"How do you slog through something you truly hate?" - I don't.
When signals that a role is not aligned with my needs start cropping up, I begin searching for a new role passively, and as the situation develops I speed up my search.
"I felt like a complete failure because I didn't put in 100% and I felt like I let my mentor down" - to thine own self be true. I have failed to put in 100% at some jobs, and sometimes i regret it more than others. I have narratives that legitimize my laziness or lack of commitment based on some previous slight from the company, or a missed promise on their part, but I hold myself accountable.
"How do you overcome something like that and push on? It does not always seem like a sure thing" Resilience is a wildly varying trait of folks, and depends on your emotional and mental state. "First world problems" are a great example, one when is socialized at a certain comfort level, missing that causes distress. Some working conditions are truly untenable, in which case do what you have to do, but otherwise do the best with the situation you're given.
Stefan-H commented on Are people bad at their jobs or are the jobs just bad? annehelen.substack.com/p/... · Posted by u/moonka
Where I come from, "hav[ing] all the rational reasons to be afraid" and pretending otherwise is called a delusion. I prefer to see the world as it is.
"... is called a delusion". What I am suggesting is not delusion, it is mindfulness and cutting through delusion. When one is presented with something that elicits a fear response (whether the stimulus is rational or not) the goal is to quiet all of the "lizard brain" reactions, and instead formulate a well reasoned response. "Fear is the mind-killer" - while from fiction, still rings true to me - if you react out of fear you will short-circuit internal processes that are far better at long-term reasoning even when at the expense of short-term comfort.