X_Cli boosted

Nous attaquons le #PasseSanitaire en référé devant le Conseil d'État
car il force illégalement à posséder une carte d'identité, divulgue des données de santé et ouvre la voie aux contrôles d'identité automatisés.


Nouveau coup dur : la CNIL se couche et déclare satisfaisante la protection des données apportée par le pass sanitaire, alors que le gouvernement a largement ignoré toutes les recommandations :


> Même si le délai pour examiner ces dispositifs a été "trop bref", Marie-Laure Denis (présidente de la CNIL) se félicite d'avoir été entendue sur deux points essentiels : la durée de vie limitée et la non-transmission des données personnelles.

@neil I would be interested in hearing about your results :)

X_Cli boosted

Minisign, by @jedisct1, is a dead simple tool to sign files and verify signatures; it is portable, lightweight, and uses Ed25519 public key signatures jedisct1.github.io/minisign/

@neil I think it is not possible to take into account the delay between the speaker actually speaking and the time the viewers receive the (audio) stream. It varies depending on platforms and setup. From the viewer PoV, slides would change anywhere between 10 and 60 seconds before the audio transition between those slides.
Also, it would be impossible for viewers to pause/timeshift the broadcast.

X_Cli boosted

According to Google, you’re not human if you aren’t being tracked by Google.

“…one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser.”



X_Cli boosted

Voici une analyse technique détaillée du #PassSanitaire (le #QR_code qui va dire si vous pouvez rentrer dans la salle de spectacle).


Je note que l’argumentaire du gouvernement montre une ignorance de l’informatique. Le QR-code contient des informations de santé un peu précises, mais le gouvernement dit que l’ouvreur à l’entrée de la salle n’aura qu’une information binaire, « peut entrer / ne peut pas ». 1/3

@ledeuns @cgx Ouais... on a vu. J'ai écrit à Raphael Grably, l'auteur de l'article en question, et rédacteur en chef tech à BFM.

L'échange a été assez lunaire ; il semblait avoir beaucoup de mal à comprendre le problème. Ca s'est terminé sur "Mais TACV a besoin d'un connexion internet, non ?" J'ai répondu que "non, absolument. C'est de la crypto à clé publique" (j'ai donné plus de détails dans la réponse, évidemment, dont une version compréhensible par des non-techs).
Depuis silence radio.

I thought writing a press article during tens of hours for about 400€ was not a good time investment. But at least, you educate a lot of people.

I can now see that writing a video, filming, and editing for tens of hours, for about 50 viewers... is just depressing.

Pass sanitaire et vie privée : quels sont les risques ?


J'ai investigué sur le , avec des ami(e)s. Le résultat n'est pas bien joli à voir. Petite vidéo explicative du résultat de nos investigations.

-19 🇫🇷

JIT-ed SQL requests. That's a thing.

Why? How? When? Who thought that was a good idea?


X_Cli boosted

#GMail is harmful to e-mail ecosystem; its antispam blocking policy matches too many valid messages as spam.

It blocked LastPass email leak warning email, because it contained "a link" to a leaked site.

It blocked an e-mail from goverment agency addressed directly to me.

It discriminates all non-gmail servers, and it's pretty much impossible to own a private SMTP server these days, because GMail will classify everything as spam.

It's not how e-mail should work.

Consider dropping GMail.

Friendly reminder: if someone asks you to sign a CLA (Contributor Licence Agreement), tell them to get lost and contribute to another project instead :)

@ilyess Yes, I extend some trust to the server designated by my recipient. The thing is I already extend some trust to my recipient, so I can trust them to choose a trustworthy server as well.
Also of interest, there is a lesser chance of a single attack leaking massive amount of comm metadata (including dishonest/rogue sysadmin), since metadata is distributed on many providers.

@ilyess Even if I can self-host, I don't. Too much time investment. But I prefer to rely on trusted providers.
Regarding the hurdle of registering on a new app, and finding your friends, this has never been an issue on FB, instagram, twitter, gmail, or just about any website you use everyday. I call straw man on this argument.

@ilyess Yes, I would pick Signal over Telegram 100%. But there are valid alternatives that don't rely on believing boasts and false security claims from Signal developers. I can't trust dishonest people.

Some of the alternatives are federated. That enables self-hosting or hosting in locations of your choice, by a provider of your choice.

Federation has a price, that I am gladly willing to pay.

@QFr0sty Here is the document. I hope you will find this (understandable with the translator and) interesting ssi.gouv.fr/uploads/2017/10/ch

This was an informal study of various IM protocols, including stuff about Signal. I did not analyzed Matrix at the time. XMPP/OMEMO is still one of my favorite protocols, but Element/Matrix UX in 2021 is objectively better.

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.