I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

For reference: that's a major antivirus vendor. And there is a very obvious correct way to do this. In fact, I think it's the first time I've seen somebody mess this up.

The code below is from a browser extension. Question: what does it do when executed in Firefox?

let script = document.createElement("script");
script.src = "chrome-extension://" + chrome.runtime.id + "/app/scripts/" + fileName;
head.appendChild(script);
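An added illustration (my own, not code from the extension quoted above) of why that URL breaks in Firefox and what the portable form looks like; the chrome object below is a constructed stand-in with a made-up add-on ID and UUID so the snippet runs under Node:

```javascript
// Constructed mock of what Firefox exposes to an extension: runtime.id is
// the add-on's declared ID, while the extension's own resource URLs use the
// moz-extension scheme with a separate, per-installation UUID as the host.
// Both values are invented for this example.
const chrome = {
  runtime: {
    id: "guard@example.invalid",
    getURL: (path) =>
      "moz-extension://0123abcd-0000-4000-8000-000000000000/" + path,
  },
};

// The quoted pattern. It bakes in Chrome's URL scheme and treats runtime.id
// as the URL host. In Firefox neither holds, so the <script> element points
// at a URL that cannot resolve and the script never loads.
function hardcodedScriptUrl(fileName) {
  return "chrome-extension://" + chrome.runtime.id + "/app/scripts/" + fileName;
}

// The portable pattern: runtime.getURL() exists in both browsers and returns
// the scheme and host the running browser actually uses.
function portableScriptUrl(fileName) {
  return chrome.runtime.getURL("app/scripts/" + fileName);
}

// Check a reviewer can apply to any URL an extension builds for one of its
// own resources: it must start with the prefix getURL("") reports.
function resolvesInThisBrowser(url) {
  return url.startsWith(chrome.runtime.getURL(""));
}

// Example run with a constructed file name.
const FILE = "guard.js";
console.log(hardcodedScriptUrl(FILE), resolvesInThisBrowser(hardcodedScriptUrl(FILE)));
console.log(portableScriptUrl(FILE), resolvesInThisBrowser(portableScriptUrl(FILE)));
```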

Note that even the privacy policy on Firefox Add-ons doesn't mention why you need to generate a UUID for each user and send it along with each database update (not merely telemetry requests). Nor does it explain the impact of that telemetry setting.

Hi @Malwarebytes@twitter.com, do you have a proper privacy policy for your Browser Guard extension? The one under addons.mozilla.org/en-US/firef is unformatted, so it is unreadable (yes, formatting is supported here). And the link from Chrome Web Store is generic info, not for the extension.

Maybe and its forks are good clients. From what I've read there should be solid end-to-end encryption enabled by default. But it's only one client on one platform. And other clients have wildly inconsistent encryption support, same issue as with .

I did not bother installing /Psi+ any more. These messengers still try hard to imitate the ICQ client as well as contemporary IRC clients. Judging by discussions, encryption is not only not default, there are issues enabling it at all. Encrypting files is unsupported.

Next one was which looks better but expects knowledge of things like identifiers without providing any explanation when something is wrong (yes, version 0.1). Here as well, encryption isn't the default. At least the discussions are younger. github.com/dino/dino/issues/84

I started looking into clients with end-to-end-encryption support. First one was , with its "charming" 90s messenger style. Encryption isn't the default here however, no progress on the corresponding issue. dev.gajim.org/gajim/gajim-plug

Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.

That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using VPN or Tor.

git.jami.net/savoirfairelinux/

And not just that, these nodes (presumably run by the project) can see who is talking to whom as they deliver messages.

What if NSA or somebody else decided to run a dozen nodes? How much of the network graph would they see this way?

I'm not sure what percentage of user IDs you will see passing by. Another concern is however that the majority of the OpenDHT traffic appears to be originating at OVH-hosted nodes, not actual users. These should be able to associate your user ID and IP address.

I looked briefly into messenger and its peer-to-peer concept relying on certainly has some side-effects. Just by running an OpenDHT node one can get an idea of what users are on the network and look up their names (some chose to use their full names).

And - yes, Loki Network is not the same as Session. But they are both developed by the same startup and the former is the foundation of the latter. And if that startup "tolerates" people with racist and sexist views, we know the toxic swamps that result from that.

Yet somehow his "dark humor" universally unloads on non-white people and women (never mind "Communists", seems to be a popular obsession in the US). And some anonymous pitched his newly developed Loki Network on 8chan, collecting some applause for creative protocol naming.

And now Jeff's crowd discovered my Mastodon account. So they predictably defend him as merely "shitposting" and having a "dark humor." And either way, Jeff never pitched Loki Network to 8chan. And even if he did, what does that have to do with Session? Yeah, sure...

I looked up Jeff's online presences. On Twitter he says "no fun allowed" but on his Pleroma instance he openly posts and links to racist and sexist content. He seems to be tightly embedded in the alt-right scene. So - yes, it all checks out.

Later 8chan was deplatformed and came back on Loki Network. The article calls it "inadvertent help" but it appears to be everything but that. The CEO is cited with the words "some Loki staff may have advised 8kun administrators 'to a limited extent'."

abc.net.au/news/science/2019-1

This German-language video shows Loki Network's main developer (Jeff/majestrate) pitching his baby on 8chan and being celebrated by the alt-right for it (at 27:46). For reference, Loki Network is the foundation of Session and developed by the same startup. media.ccc.de/v/36c3-10639-let_

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.