Notices by Micah Lee 🔑 (micahflee@mastodon.social), page 15

Whoa mastodon has pinned toots now?

@paulfree14 @bortzmeyer but I'm really hoping they'll allow users to register with email addresses instead some day. The fact that you need a phone number is barrier to anyone who needs anonymity, and I end up writing complicated tutorials for how to get around sharing your phone number, like this: https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/

@paulfree14 @bortzmeyer

The fact that Signal requires a phone number is annoying, but I understand the decision. It remove many barriers to use.

Unlike other messaging apps, users don't have to understand they they have an account, don't need a password, etc. Contact discovery is also much simpler, no need to maintain a separate contact list for Signal. So install Signal and can immediately send encrypted texts to any other Signal user. This simplicity is why it's so popular

@paulfree14 @torproject @fdroidorg I'm very excited about peer-to-peer apps that sync with each other over onion services.

Now, I just need to find some other Android users in person who want to test it out...

@paulfree14 @torproject @fdroidorg this project looks very interesting.

Unfortunately almost all the journalists I know use iPhones, so they can't use it. Do you know if there's any plans for desktop versions, and multi-device support for the same user?

@devnull @Ocean do you have a Linux computer where your TPM will refuse to release a secret needed to unlock the luks partition unless secure boot verifies your bootloader hasn't been tampered with?

Probably not. This isn't supported in any distro yet-- there are no installer options, or packages you can install to make it happen. But it is supported in Windows and ChromeOS.

Or am I missing something?

@rysiek @mastor yeah, because the browser just handles those.

This will catch links from other software, like Thunderbird, Signal Desktop, Slack, KeepassXC (Ctrl-U opens the URL for an entry), etc.

@rysiek @mastor I wrote some software call porcupine to solve this problem: https://github.com/micahflee/porcupine

And as of a few days ago it should be packaged in fedora, too! So `dnf install porcupine`

You set porcupine as your default browser and when you click a link, it copies the URL to your clipboard, and you get to choose which AppVM to paste it into. Or, you can configure it to run a command, like `qvm-open-in-dvm %U`

@bugshiv @Wolf480pl nope I haven't, but it would be a worthwhile research project. I'd have to learn a lot more about smartphone hardware and forensics. The only phone I've left behind in untrusted places like hotel rooms has been one running Haven

@devnull @Ocean Ubuntu works with "secure boot", in that the BIOS verifies grub hasn't been tampered with before booting. But once grub has booted, it can chainload other bootloaders that have been tampered with, so it's not all that useful without TPM/luks integration

@devnull @Ocean I did not actually mean to claim that Windows is more secure. Just that Windows/Bitlocker and Chromebooks are the only desktop OSes that, out-of-the-box, use secure boot/the TPM to verify that bootloader code was not tampered with.

Except for the newest Mac Pros, Mac hardware doesn't have TPMs or other HSMs.

And there is no Linux distro where you get real secure boot benefits built-in. I have seen projects on GitHub that look promising, but that's it

@SuperLeo I'm glad you liked it!

@qbi thank you! :thinkerguns:

@bugshiv @Wolf480pl my question was more, can I detect/catch evil maids attacks?

There's a big difference between being targeted for remote attacks (over the internet, like phishing, hacking my accounts, etc.) vs physical attacks, and this research basically completely ignores remote attacks, which are probably way more common.

@nev sounds like a solid, reliable strategy

@paulfree14 thank you! I'm often not please with my interaction with WL people no matter what platform I'm on, and unfortunately they sort of follow me around these days so I'm not surprised. But I don't hold it against the fediverse of course! :blobnom: