X_Cli boosted

Things that we don't realize until it's too late in most cases: we can lose everything we write on Facebook, Twitter, or any other corporation-run social network overnight because of corporate decisions.

X_Cli boosted

The OpenPGP format was designed in the '90s and has never really changed since then. It was documented in RFC 4880 in 2008. Unfortunately, in the '90s, people really had no good understanding of crypto yet, and the choices made were poor. The envelope design is poor. Some crypto algorithms are clearly outdated. Some default options are plain wrong.

Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG? That's not a surprise: it's a popular crypto solution and it's a relatively easy target compared to some other mainstream crypto implementations. The Go language maintainers even deprecated the OpenPGP implementation in their crypto standard library because they think OpenPGP is dangerous.

Basically, I would say that the only thing OpenPGP has going for it is the deployed infrastructure. Or does it? The web of trust is mostly dead, since keyservers are out of service. And OpenPGP adoption was never really that high to begin with.

SSH keys are much more widely deployed and used than OpenPGP keys. The format is dead simple, and the crypto implementation in OpenSSH is up to date.

I am very happy that git made SSH signing possible; it means I can delete my OpenPGP keys for good. I just hope Linux distros will make the switch soon to a more modern crypto approach: SSH signing or minisign.

X_Cli boosted

If you're wondering about the status of the project, it hasn't gone anywhere!

We're having a little discussion about it here, if you're at all interested in helping out: github.com/writefreely/writefr

Serving your content as a git repository allows people to clone your content to keep it available. It is also easy to redistribute your work.

People can read your content while offline.

You can provide a certificate of origin and assert authenticity by signing your commits/publications.

Versioning is built-in, which allows readers to reference a particular version of your work.

Permalinks are built-in.

Content addressing is built-in.

External contributions are easy to receive and accept.

The web is volatile. HTTP URLs do a terrible job of keeping content accessible over time. People just stop hosting their content, lose data or interest, or lose track of their publications and never restore the URLs after a migration.

I studied IPFS, but IPNS is a failure because of the crippling slowness of resolution.
I laughed at the Web3 BS.

And yet, I found that a blockchain is the solution: git. From now on, I'll write (formatted) plain text, store it in Git and serve the repository.

X_Cli boosted

slower computers, please 

I'm a computer guy, but I'm very much over fast computers. Most of your computer's resources are wasted loading ads and trackers on webpages. Video games require more and more power to deliver less interesting experiences. Don't get me started on cryptocurrency. Computers are getting increasingly complex, therefore less reliable, nearly impossible to repair, wasteful, and devastating to the environment. We need #slowcomputers and more #retrocomputing

X_Cli boosted

A feature of email is that my inbox is an immutable copy of everything I received that no one can change.

With email, I can prove I've been harassed, sent malware, wrong links, or illegal orders by my employers, or the date of an event I missed because it was wrong and I'm innocent, etc.

With Google AMP, the sender will be able to "update" those emails and deny his mistake, hide proof, fake the history.

This technology puts people at risk.

#SaveEmailFromGoogleAMP

Meme potential detected 😂 Everything in this picture is perfect: the three crypto-BS kakemono banners, the two overlaid stickers, the kitsch décor, the amateur video projector, and the former specialist with Nobel Prize syndrome making an argument from authority.

X_Cli boosted

Super-excited to announce the highly anticipated independent audit by @LeastAuthority@twitter.com of vodozemac - our next generation native Rust reference implementation for Matrix E2EE (part funded by @gematik1@twitter.com). Read all about it: matrix.org/blog/2022/05/16/ind

X_Cli boosted

my pronouns are they/them/../../../etc/shadow

X_Cli boosted

Very good question. Thank you for asking.

To sign documents, I would recommend using signify or minisign.

To encrypt files, I guess one could use age

If you need a crypto library, I would recommend NaCl or sodium. In Go, I use NaCl a lot. If you need to encrypt or sign very large files, I wrote a small library based on NaCl.

Emails are the tricky part. It really depends on your workflow. When I was working for a gov infosec agency, we learned to never use any integrated email crypto solution. Save the blob, decrypt the blob in a secure environment. This helps significantly against leaks and against creating an oracle to the attacker's benefit.

For data containers, I would use dm-crypt and dm-verity + a signed root. But that's just me and I would probably not recommend this to other people :)

OpenPGP is rarely used in messaging protocols, but if it was I would probably advise leveraging a double ratchet library.

In 2022, people still ~~use~~ make new implementations of OpenPGP.

sequoia-pgp.org/blog/2022/05/1

What's wrong with these people??

X_Cli boosted

I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their personal email domain expire, so I bought it before someone else did.

I now control "foreach" on npm, and the 36826 projects that depend on it.

X_Cli boosted

~Open Source Security Tool of the Day~

A new standard for signing, verifying and protecting software

sigstore.dev

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.