varx @varx@infosec.exchange
- pronouns
- he/they
- alts
- https://cybre.space/@varx (varx at i.write.codethat.sucks is dead)
- languages
- 📖 en, es; ✍️ en, ~es
- that cavern thing I'm always nattering about
- https://gitlab.com/timmc/cavern
Boston-area meat construct ␥ I just do what the plants tell me ␥ I'd rather be pentesting^Wsleeping^Wundermining the client-server paradigm
Joined Oct 2017
I've heard that donations don't go towards Firefox development, but rather are distributed to initiatives that Mozilla funds, internal or external. Which makes me a little confused about what they want and need, along with some other mixed signals.
I'd really rather it went towards reducing their reliance on Google.
But... I don't know if this is true.
Apparently I made a big enough donation to Mozilla last year that I am now on their "personally handled donors" list or something.
A few weeks ago I was invited to an unrecorded, invite-only conference call on Mozilla's future or something (which I had to miss, and may not have been interactive?) and today I've been asked if I want to schedule a 15 minute call to share my thoughts on how Mozilla has done this year.
I should probably do it, if only to clarify where the money *actually goes*.
varx
boosted
@greyor It's cute though the letters are more human-friendly. The fact that chmod-calculator.com could exist and be helpful indicates that the program exposed its guts to the humans in the wrong way somewhere
varx
boosted
Wow! https://sfconservancy.org/news/2020/nov/02/2020-11-hiring/
@conservancy Software Freedom Conservancy, one of the most important organizations in #FLOSS #opensource #freesoftware , is hiring a full-time employee. Remote, not limited to the United States. Really interesting, flexible job description.
Amazing team, critical mission. In an alternate universe where I was putting my consulting on hiatus and looking for a full-time job, I would be applying for this RIGHT NOW. Check it out & boost!
varx
boosted
Privacy Badger Is Changing to Protect You Better | Electronic Frontier Foundation
https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better
JFC, the web is so full of trackers and garbage that even trying to block trackers can uniquely fingerprint you for tracking.
varx
boosted
Just when we thought Microsoft would ruin Github, they had the #courage to stand up for what's right, making it absolutely clear where they stand right in their DMCA repository.
https://github.com/github/dmca/tree/416da574
varx
boosted
whoa somehow I hadn't seen the "RIAA getting GitHub to do a takedown of youtube-dl" bit https://twitter.com/xor/status/1319738279772770308
I'm seeing a lot of people getting mad at Github for a DMCA takedown.
DMCA is US law. Github is a US company. youtube-dl can be acquired elsewhere. Github cannot be expected to engage in civil disobedience or court action over this.
Here are some reasonable choices of people to get upset with:
- The US legislators who put the DMCA in place or refuse to change it
- The RIAA for filing this particular DMCA claim
varx
boosted
"I reverse engineered mcdonald's internal api and I'm currently placing an order worth $18,752 every minute at every mcdonald's in the US to figure out which locations have a broken ice cream machine"
varx
boosted
Being a senior engineer, I spend most of my time searching the web for a solution. Part of being experienced is knowing just how much you don’t know. If you are lucky, you remember coming across a problem before, which gives you a rough direction to guide the search.
RT @ashleymcnamara@twitter.com:
> It would be cool if more senior engineers would admit that they don’t have everything all figured out so the junior folks didn’t have such unrealistic expectations.
varx
boosted
Everyone else: I love the movie Hackers because of its so-bad-its-good "hacker" cyberpunk aesthetic
Me: Sorry ok here's that aesthetic but 20x
https://www.youtube.com/watch?v=bLlj_GeKniA
#PKI #brainstorming: How do you lose trust?
Presumably if someone gets hacked and their key is compromised, you want to distrust that key. But maybe you also want to distrust that server, or that *person*, for a while—at least as far as web-of-trust is concerned. (Really, distrust their client or computer.)
Maybe there's an option in the address book: "Don't trust this person's computer to vouch for other people's identities". Maybe optionally "...for X days", and a snooze/prolong button? :-)
#PKI #brainstorming: What do keys "look like"?
Users shouldn't have to care about keys, but sometimes they *have* to, like in the above situation. Base58 encoding is probably best; short, but few lookalike chars and only alphanumeric. A 32 byte public key is 44 base58 chars.
Maybe break it into groups of 4 for display, like a product key?
AAv3 quiH 5XcX 8CkE 95hU 8gRY zxT8 nKzs XvsC nZAm F2dG
I guess you could read that over the phone. People would probably ignore case. Is that OK?
#PKI #brainstorming: User experience of key trust conflicts
What should the user experience be when one friend's client says "Alice's key A rolled to key B" and another says "A rolled to C"? Is the answer different if only one out of 10 friends disagree, vs. 1-vs-1?
I think all the trust stuff should be kicked out-of-band as quickly as possible. Multi-channel verification is great; even if someone's key or server is compromised, their email might not be.
varx
boosted
This message I wrote two years ago has been being passed around lately, from when I had just quit my (half time) job to focus on Spritely fulltime and had *no* idea what I was going to do to stay funded: https://octodon.social/@cwebber/100866264755512782
So I guess the question is, how did things go over those 2 years? Well, my Patreon grew to help significantly (though not cover all expenses) and I was fortunate to get two grants. Now Spritely has grown to something interesting: https://spritelyproject.org/ (cotd)
Closed Circuit Television
Open Circuit Television
#PKI #brainstorming: Blockchain for message dates
If you get messages and key updates asynchronously, how do you know whether the message was generated when the key was still valid?
I suspect there's a way you could pin messages to a time without using a trusted timestamping authority. Maybe a (non-POW) blockchain where message IDs get incorporated to establish Not-After, and messages reference the chain head to establish Not-Before. Could use social locality to reduce chain size.
#PKI #brainstorming: Social revocation (and replacement)
You mark friends ahead of time as being trusted to revoke your key for you. Two benefits: This bootstraps on existing web of trust so that people can trust the revocation, and this makes it easy to revoke a key if you lose control of your laptop or whatever.
Your friends could also attest to the replacement key.
#PKI #brainstorming: Public key rotation
Public keys are managed like SSL certificates, expire in 2 years, and are rotated once a year. On a scheduled rotation, both keys are used to sign the rotation document, and the chain of rotations is published.
#PKI #brainstorming: Key gossip
When your client learns of a friend's key, it lets your friends' clients know of it too. Even if you use TOFU for bootstrapping trust, there's a good chance you'd encounter someone's key via gossip before you needed it. Kind of a boosted TOFU.
- pronouns
- he/they
- alts
- https://cybre.space/@varx (varx at i.write.codethat.sucks is dead)
- languages
- 📖 en, es; ✍️ en, ~es
- that cavern thing I'm always nattering about
- https://gitlab.com/timmc/cavern
Boston-area meat construct ␥ I just do what the plants tell me ␥ I'd rather be pentesting^Wsleeping^Wundermining the client-server paradigm
Joined Oct 2017
