Jonkman Microblog
  • Login
Show Navigation

  • Public

    • Public
    • Network
    • Groups
    • Popular
    • People

Notices by Micah Lee 🔑 (micahflee@mastodon.social), page 9

  1. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Thursday, 27-Sep-2018 16:07:21 EDT Micah Lee 🔑 Micah Lee 🔑
    • JoYo 라면

    @Xyc0 what do you mean minimum character length?

    In conversation Thursday, 27-Sep-2018 16:07:21 EDT from mastodon.social permalink
  2. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Thursday, 27-Sep-2018 14:42:52 EDT Micah Lee 🔑 Micah Lee 🔑

    I just published passphraseme to PyPI. It's a simple cryptographically secure script to generate high entropy passphrases using EFF's wordlists. Try it out with:

    pip3 install passphraseme

    Here's the source code: https://github.com/micahflee/passphraseme

    In conversation Thursday, 27-Sep-2018 14:42:52 EDT from mastodon.social permalink
  3. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 19:27:23 EDT Micah Lee 🔑 Micah Lee 🔑
    • Jonathan S.

    @js maybe Stallman being the ultimate decider for the GNU project isn't a good thing for the free software movement

    In conversation Wednesday, 26-Sep-2018 19:27:23 EDT from mastodon.social permalink
  4. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 19:26:01 EDT Micah Lee 🔑 Micah Lee 🔑
    • oshwm
    • חבֿרטע רבֿקה [χaˈvɛɾtə ˈɾɪfkə]

    @oshwm @kittybecca

    Can you explain how requiring community members to pledge to make a

    "harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation"

    will result in

    "huge amounts of pain for innocent bystanders"

    ? 🤔

    In conversation Wednesday, 26-Sep-2018 19:26:01 EDT from mastodon.social permalink
  5. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 19:20:48 EDT Micah Lee 🔑 Micah Lee 🔑
    • Karl Voit ✅
    • Mx. Savanni D'Gerinel

    @publicvoit @savanni

    When projects are hostile to creating a mechanism to ban assholes, it just makes it clear to people who will likely get abused -- who often are very talented and could contribute a lot -- to steer clear of that project.

    When a bunch of white guys act like the status quo is great and we shouldn't fix what isn't broken, it kind of makes sense why diversity in open source communities is so shit https://www.wired.com/2017/06/diversity-open-source-even-worse-tech-overall/

    In conversation Wednesday, 26-Sep-2018 19:20:48 EDT from mastodon.social permalink

    Attachments

    1. Diversity in Open Source Is Even Worse Than in Tech Overall
      from WIRED
      The open source world's diversity problem could actually make the larger tech industry's entrenched imbalances worse.
  6. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 19:19:07 EDT Micah Lee 🔑 Micah Lee 🔑
    • Karl Voit ✅
    • Mx. Savanni D'Gerinel

    @publicvoit @savanni

    The purpose of a CoC is for projects and communities to have a clear policy of what type of behavior is unacceptable and will get you kicked out. It's not "common sense", considering abusive behavior is so rampant -- and often the most abusive people are even celebrated (Jake Appelbaum, John Draper, etc.).

    Kindly reminding them of their manners is a joke when they can just ignore you without consequence

    In conversation Wednesday, 26-Sep-2018 19:19:07 EDT from mastodon.social permalink
  7. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 18:37:44 EDT Micah Lee 🔑 Micah Lee 🔑
    • @kmicu@mastodon.social
    • JordiGH

    @JordiGH @kmicu

    I wonder if RMS is aware that Guix has a CoC. Probably not, considering he's taken a public anti-CoC stance

    In conversation Wednesday, 26-Sep-2018 18:37:44 EDT from mastodon.social permalink
  8. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 26-Sep-2018 01:50:59 EDT Micah Lee 🔑 Micah Lee 🔑

    I just learned that Richard Stallman doesn't like codes of conduct. Disappointing but not really surprising

    In conversation Wednesday, 26-Sep-2018 01:50:59 EDT from mastodon.social permalink
  9. Chris (brainblasted@social.libre.fi)'s status on Tuesday, 25-Sep-2018 22:27:25 EDT Chris Chris
    Apparently Stallman's said something along the lines of "no GNU project will adopt a COC", it would be absolutely delicious if GNOME adopted one.
    In conversation Tuesday, 25-Sep-2018 22:27:25 EDT from social.libre.fi permalink Repeated by micahflee
  10. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Tuesday, 25-Sep-2018 21:49:49 EDT Micah Lee 🔑 Micah Lee 🔑
    • maiki

    @maiki that's a good question, I haven't used this on Android in a long time so I'm not sure. If mobile is necessary, probably I'd use Conversations and get the other side to use an OMEMO client

    In conversation Tuesday, 25-Sep-2018 21:49:49 EDT from mastodon.social permalink
  11. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Tuesday, 25-Sep-2018 20:45:41 EDT Micah Lee 🔑 Micah Lee 🔑

    Snowden wrote an excellent profile of Malkia Cyril, founder of the Center for Media Justice and cofounder of Media Action Grassroots Network.

    Edward Snowden on Protection Activists Against Surveillance
    https://www.wired.com/story/wired25-edward-snowden-malkia-cyril-activist-surveillance/

    In conversation Tuesday, 25-Sep-2018 20:45:41 EDT from mastodon.social permalink

    Attachments

    1. Edward Snowden on Protecting Activists Against Surveillance
      from WIRED
      “Turnkey tyranny” has never been closer. For some communities, it feels like it’s already here.
  12. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Tuesday, 25-Sep-2018 20:32:45 EDT Micah Lee 🔑 Micah Lee 🔑

    Just re-read a 2015 article I wrote called Chatting in Secret While We're All Being Watched. It's about the tools and operational security involved with having an anonymous, encrypted conversation over the internet, under mass surveillance.

    After over three years, it still stands up: https://theintercept.com/2015/07/14/communicating-secret-watched/

    In conversation Tuesday, 25-Sep-2018 20:32:45 EDT from mastodon.social permalink

    Attachments

    1. Chatting in Secret While We’re All Being Watched
      from The Intercept
      How to have encrypted chats across four computing platforms — without compromising your identity or partner.
  13. Kyle Rankin (kylerankin@mastodon.social)'s status on Monday, 24-Sep-2018 13:28:17 EDT Kyle Rankin Kyle Rankin

    The thing I am most excited about with the Librem Key is its integration with Heads to make detecting tampering easy. It's something that doesn't exist anywhere else and in this deep dive post I explain the technical details. #infosec https://puri.sm/posts/the-librem-key-makes-tamper-detection-easy/

    In conversation Monday, 24-Sep-2018 13:28:17 EDT from mastodon.social permalink Repeated by micahflee

    Attachments

    1. File without filename could not get a thumbnail source.
      The Librem Key Makes Tamper Detection Easy
      from Purism
      The Librem Key Makes Tamper Detection Easy
  14. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Monday, 24-Sep-2018 11:06:04 EDT Micah Lee 🔑 Micah Lee 🔑

    United Nations accidentally exposed passwords and other sensitive information to the whole internet by making Trello boards, Google Docs, and some sensitive bugs on Jira open to the public
    https://theintercept.com/2018/09/24/united-nations-trello-jira-google-docs-passwords/

    In conversation Monday, 24-Sep-2018 11:06:04 EDT from mastodon.social permalink

    Attachments

    1. United Nations Accidentally Exposed Passwords and Sensitive Information to the Whole Internet
      from The Intercept
      A security researcher discovered private data lurking on 60 Trello boards belonging to the United Nations. Sensitive information was also found in public Google documents.
  15. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Monday, 24-Sep-2018 01:51:14 EDT Micah Lee 🔑 Micah Lee 🔑
    • Bernie

    @codewiz oh maybe he's not aware of the encryption. But still, this is a totally legit reason to distrust Chrome. Data collection is rampant, and I don't like my browser doing it. It's an anti-feature, and he's concerned it'll get worse.

    Btw, I haven't looked recently, but at least a few years ago Google was collection Android users' wifi passwords without their knowledge or explicit consent
    https://micahflee.com/2013/07/use-android-youre-probably-giving-google-all-your-wifi-passwords/

    In conversation Monday, 24-Sep-2018 01:51:14 EDT from mastodon.social permalink
  16. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Monday, 24-Sep-2018 00:41:04 EDT Micah Lee 🔑 Micah Lee 🔑
    • Bernie

    @codewiz I'm sure he knows the syncing is encrypted. It doesn't stop the fact that automatically opting you into sending data to Google is a privacy violation.

    Information that most likely is logged by not encrypted is IP and timestamp every time you open a browser, ties to your Google account. Probably considerably more, too

    In conversation Monday, 24-Sep-2018 00:41:04 EDT from mastodon.social permalink
  17. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Sunday, 23-Sep-2018 20:44:31 EDT Micah Lee 🔑 Micah Lee 🔑

    "Why I’m done with Chrome" https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/

    In conversation Sunday, 23-Sep-2018 20:44:31 EDT from mastodon.social permalink

    Attachments

    1. Why I’m done with Chrome
      By Matthew Green from A Few Thoughts on Cryptographic Engineering

      This blog is mainly reserved for cryptography, and I try to avoid filling it with random “someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from time to time something bothers me enough that I have to make an exception. Today I wanted to write specifically about Google Chrome, how much I’ve loved it in the past, and why — due to Chrome’s new user-unfriendly forced login policy — I won’t be using it going forward.

      A brief history of Chrome

      When Google launched Chrome ten years ago, it seemed like one of those rare cases where everyone wins. In 2008, the browser market was dominated by Microsoft, a company with an ugly history of using browser dominance to crush their competitors. Worse, Microsoft was making noises about getting into the search business. This posed an existential threat to Google’s internet properties.

      In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

      For many years this is exactly how things played out. Sure, Google offered an optional “sign in” feature for Chrome, which presumably vacuumed up your browsing data and shipped it off to Google, but that was an option. An option you could easily ignore. If you didn’t take advantage of this option, Google’s privacy policy was clear: your data would stay on your computer where it belonged.

      What changed?

      A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)

      Your sole warning — in the event that you’re looking for it — is that your Google profile picture will appear in the upper-right hand corner of the browser window. I noticed mine the other day:

      The change hasn’t gone entirely unnoticed: it received some vigorous discussion on sites like Hacker News. But the mainstream tech press seems to have ignored it completely. This is unfortunate — and I hope it changes — because this update has huge implications for Google and the future of Chrome.

      In the rest of this post, I’m going to talk about why this matters. From my perspective, this comes down to basically four points:

      1. Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.
      2. This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
      3. The change makes a hash out of Google’s own privacy policies for Chrome.
      4. Google needs to stop treating customer trust like it’s a renewable resource, because they’re screwing up badly.

      I warn you that this will get a bit ranty. Please read on anyway.

      Google’s stated rationale makes no sense

      The new feature that triggers this auto-login behavior is called “Identity consistency between browser and cookie jar” (HN). After conversations with two separate Chrome developers on Twitter (who will remain nameless — mostly because I don’t want them to hate me), I was given the following rationale for the change:

      To paraphrase this explanation: if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.

      But note something critical about this scenario. In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.

      So if signed-in users are your problem, why would you make a change that forces unsigned–in users to become signed-in? I could waste a lot more ink wondering about the mismatch between the stated “problem” and the “fix”, but I won’t bother: because nobody on the public-facing side of the Chrome team has been able to offer an explanation that squares this circle.

      And this matters, because “sync” or not…

      The change has serious implications for privacy and trust

      The Chrome team has offered a single defense of the change. They point out that just because your browser is “signed in” does not mean it’s uploading your data to Google’s servers. Specifically:

      While Chrome will now log into your Google account without your consent (following a Gmail login), Chrome will not activate the “sync” feature that sends your data to Google. That requires an additional consent step. So in theory your data should remain local.

      This is my paraphrase. But I think it’s fair to characterize the general stance of the Chrome developers I spoke with as: without this “sync” feature, there’s nothing wrong with the change they’ve made, and everything is just fine.

      This is nuts, for several reasons.

      User consent matters. For ten years I’ve been asked a single question by the Chrome browser: “Do you want to log in with your Google account?” And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision.

      The Chrome developers want me to believe that this is fine, since (phew!) I’m still protected by one additional consent guardrail. The problem here is obvious:

      If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and  didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we’ve all stopped paying attention?

      The fact of the matter is that I’d never even heard of Chrome’s “sync” option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I’m forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my data local as the barriers between “signed in” and “not signed in” are gradually eroded away.

      The Chrome sync UI is a dark pattern. Now that I’m forced to log into Chrome, I’m faced with a brand new menu I’ve never seen before. It looks like this:

       

      Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident? (I won’t give it the answer away, you should go find out. Just make sure you don’t accidentally upload all your data in the process. It can happen quickly.)

      In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data.

      Don’t take my word for it. It even gives (former) Google people the creeps.

      Big brother doesn’t need to actually watch you. We tell things to our web browsers that we wouldn’t tell our best friends. We do this with some vague understanding that yes, the Internet spies on us. But we also believe that this spying is weak and probabilistic. It’s not like someone’s standing over our shoulder checking our driver’s license with each click.

      What happens if you take that belief away? There are numerous studies indicating that even the perception of surveillance can significantly greatly magnify the degree of self-censorship users force on themselves. Will user feel comfortable browsing for information on sensitive mental health conditions — if their real name and picture are always loaded into the corner of their browser? The Chrome development team says “yes”. I think they’re wrong.

      For all we know, the new approach has privacy implications even if sync is off. The Chrome developers claim that with “sync” off, a Chrome has no privacy implications. This might be true. But when pressed on the actual details, nobody seems quite sure.

      For example, if I have my browser logged out, then I log in and turn on “sync”, does all my past (logged-out) data get pushed to Google? What happens if I’m forced to be logged in, and then subsequently turn on “sync”? Nobody can quite tell me if the data uploaded in these conditions is the same. These differences could really matter.

      The changes make hash of the Chrome privacy policy

      The Chrome privacy policy is a remarkably simple document. Unlike most privacy policies, it was clearly written as a promise to Chrome’s users — rather than as the usual lawyer CYA. Functionally, it describes two browsing modes: “Basic browser mode” and “signed-in mode”. These modes have very different properties. Read for yourself:

      In “basic browser mode”, your data is stored locally. In “signed-in” mode, your data gets shipped to Google’s servers. This is easy to understand. If you want privacy, don’t sign in. But what happens if your browser decides to switch you from one mode to the other, all on its own?

      Technically, the privacy policy is still accurate. If you’re in basic browsing mode, your data is still stored locally. The problem is that you no longer get to decide which mode you’re in. This makes a mockery out of whatever intentions the original drafters had. Maybe Google will update the document to reflect the new “sync” distinction that the Chrome developers have shared with me. We’ll see.

      Update: After I tweeted about my concerns, I received a DM on Sunday from two different Chrome developers, each telling me the good news: Google is updating their privacy policy to reflect the new operation of Chrome. I think that’s, um, good news. But I also can’t help but note that updating a privacy policy on a weekend is an awful lot of trouble to go to for a change that… apparently doesn’t even solve a problem for signed-out users.

      Trust is not a renewable resource

      For a company that sustains itself by collecting massive amounts of user data, Google has  managed to avoid the negative privacy connotations we associate with, say, Facebook. This isn’t because Google collects less data, it’s just that Google has consistently been more circumspect and responsible with it.

      Where Facebook will routinely change privacy settings and apologize later, Google has upheld clear privacy policies that it doesn’t routinely change. Sure, when it collects, it collects gobs of data, but in the cases where Google explicitly makes user security and privacy promises — it tends to keep them. This seems to be changing.

      Google’s reputation is hard-earned, and it can be easily lost. Changes like this burn a lot of trust with users. If the change is solving an absolutely critical problem for users , then maybe a loss of trust is worth it. I wish Google could convince me that was the case.

      Conclusion

      This post has gone on more than long enough, but before I finish I want to address two common counterarguments I’ve heard from people I generally respect in this area.

      One argument is that Google already spies on you via cookies and its pervasive advertising network and partnerships, so what’s the big deal if they force your browser into a logged-in state? One individual I respect described the Chrome change as “making you wear two name tags instead of one”. I think this objection is silly both on moral grounds — just because you’re violating my privacy doesn’t make it ok to add a massive new violation — but also because it’s objectively silly. Google has spent millions of dollars adding additional tracking features to both Chrome and Android. They aren’t doing this for fun; they’re doing this because it clearly produces data they want.

      The other counterargument (if you want to call it that) goes like this: I’m a n00b for using Google products at all, and of course they were always going to do this. The extreme version holds that I ought to be using lynx+Tor and DJB’s custom search engine, and if I’m not I pretty much deserve what’s coming to me.

      I reject this argument. I think It’s entirely possible for a company like Google to make good, usable open source software that doesn’t massively violate user privacy. For ten years I believe Google Chrome did just this.

      Why they’ve decided to change, I don’t know. It makes me sad.

       

       

  18. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Monday, 17-Sep-2018 16:49:01 EDT Micah Lee 🔑 Micah Lee 🔑
    • RX-69 🍕 Gundam

    @rrix that poopfire emoji is amazing

    In conversation Monday, 17-Sep-2018 16:49:01 EDT from mastodon.social permalink
  19. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Monday, 17-Sep-2018 15:11:50 EDT Micah Lee 🔑 Micah Lee 🔑
    • RX-69 🍕 Gundam

    @rrix heh I'm not sure. I wouldn't be surprised but I hadn't heard that before

    In conversation Monday, 17-Sep-2018 15:11:50 EDT from mastodon.social permalink
  20. Micah Lee 🔑 (micahflee@mastodon.social)'s status on Wednesday, 05-Sep-2018 14:38:59 EDT Micah Lee 🔑 Micah Lee 🔑

    The Five Eyes spy agencies are starting a renewed push for forcing Silicon Valley companies to add encryption backdoors https://www.nytimes.com/2018/09/04/us/politics/government-access-encrypted-data.html

    In conversation Wednesday, 05-Sep-2018 14:38:59 EDT from mastodon.social permalink

    Attachments

    1. ‘Five Eyes’ Nations Quietly Demand Government Access to Encrypted Data
      By By DAVID E. SANGER and SHEERA FRENKEL from The New York Times
  • After
  • Before
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.

Switch to desktop site layout.