ReversalHatchery

@ReversalHatchery@beehaw.org

Computers and the internet gave you freedom. Trusted Computing would take your freedom.
Learn why: vimeo.com/5168045

This profile is from a federated server and may be incomplete. View on remote instance

ReversalHatchery ,

It's certainly possible, if not else than with the use of FUSE. But I did not see such a project yet that can do this.

ReversalHatchery ,

It's like BIMI couldn't save you anyways. I've just read this a few days ago: https://16years.secvuln.info/

ReversalHatchery ,

Android is also linux based. Is chrome os more like Linux than that?

ReversalHatchery ,

It's the equivalent of idiots posting that wall of text on Facebook a decade or so ago saying they don't give Facebook permission to use their pictures, posts...etc.

I think it's quite different. On facebook, you have accepted a ToS telling that facebook now owns that data. Also, that "movement" was against facebook, the platform itself.
Here you haven't accepted a ToS that wants to use your submissions for whatever they please (or did you?), and also, this movement is against outside parties, not the platform provider.

ReversalHatchery ,

Did they talk about what features and improvements are planned?

ReversalHatchery ,

While I agree with you, the first step for user centric Android flavors regarding security is to support relocking the bootloader, with a custom (preferably the user's own) digital signature. As long as we dont have that, an attacker could flash or just boot a custom bootloader through fastboot that does its own thing.

However that doesn't really depend on Android system developers, I think, as the problem arises from the inferiority of almost every phone's bootloader (chain) (because most phones does not support setting up a custom signature for bootloader verification), and probably that can only be reasonably solved by device manufacturers, because as I understand, bootloaders do a lot of heavily device specific things, so there cant really be a common (primary) bootloader, and making one for each phone is a lot of work that also involves lots of reverse engineering, and maybe the early bootloaders cant even be overwritten on some phones..

ReversalHatchery ,

Theft Detection Lock is a powerful new feature that uses Google AI to sense if someone snatches your phone from your hand and tries to run, bike or drive away. If a common motion associated with theft is detected, your phone screen quickly locks – which helps keep thieves from easily accessing your data.

Why would we need AI for that? That just makes the function unpredictable. There must be a real solution to detecting this.

ReversalHatchery ,

Hmm, this is interesting, it looks like if it was a multiboot solution

ReversalHatchery ,

Telegram just claims to be private, but they can't prove it with technical means, instead they rely on the narrative that they are not data brokers. All the while they have strong connection with suspicious parties like the UAE, and from time to time publish weird announcements like the tucker carlson interview that is also said to have contained a far right dogwhistle

ReversalHatchery ,

but within five seconds of reading syncthing's install instructions even I basically just said, "yeah...no."

Install instructions: download tarball, unpack, run. Done.

Did I miss something?
Autostart at system startup can be done with the basic utilities of the OS.
Windows: scheduled tasks. Systemd/Linux: they have a basic service file that you just have to drop in the right folder, and run 2 commands (start, enable).
Piece of cake. Not telling this because I already know how these work, but because as I remember, these steps are documented.

ReversalHatchery ,

Attempts to remove datamining, disallowed from installing microsoft proprietary extensions.

ReversalHatchery ,

I don't consider myself to have a lot of tech knowledge. I'm not working in the field, and there's lots of things I want to do better than now.

If you don't yet know about what is systemd and how does it work, it's fine. The documentation of the unit files is a bit more complicated than warranted, like, it's structure is not that readable, but the syncthing documentation helps in what you need to do

ReversalHatchery ,

I'm not the one who you were responding to, but considering google's history, I don't believe anything they claim, because they have lied so many times in the past, and because every "privacy guarantee" they provide is practically unprovable. It's nothing more than wishful thinking to think that google does nothing with government data stored with them, with google classroom data of millions of children, and others. They have shown that they can't be trusted.

ReversalHatchery ,

I only have one question: how will your company find out?

ReversalHatchery ,

But there are many ways such as access logs, server monitoring etc

Which are all in the control of the company running the servers. If we trust the company, we can trust them giving honest information on these, but if we don't trust the company.. they could just redact logs or even straight out fake them

ReversalHatchery ,

Mixnets for the win!

ReversalHatchery ,

Definitely ddrescue. Unlike traditional dd, it can deal with failing drives, it's operation is resumable, and has some other features that's helpful. I would recommend using it even if your drive is fine.
What it produces is a byte for byte copy just like dd.

ReversalHatchery ,

I've been a social media hermit for the past 3 years but recently

I doubt that they have uploaded any kind of photos

ReversalHatchery ,

You're right, I misunderstood it

ReversalHatchery ,

The benefit of the higher resolution shouldn't be about the colors, but that with bigger screens the movie does not start to get blurry.

For desktop use on a desktop display, I don't see the benefit either. Even less on a phone, that is totally unnecessary.

Encrypted services Apple, Proton and Wire helped Spanish police identify activist | TechCrunch ( techcrunch.com )

By the way, the earlier posted article https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain had an update starting at the paragraph with title Update: Statement from Proton and additional commentary

ReversalHatchery ,

if you need smth anonymous Proton is not for you.

Oh it is for you, but you have to be careful. Proton won't try to find out info you didn't give them, but they can't pretend that they don't have info that they actually have. They run an onion service, and account recovery is made possible without a recovery contact.

ReversalHatchery ,

Is this a joke?

Obviously, 8 wide tabs are too much. That's like defining Pi as 5.

ReversalHatchery ,

If you want to invent and maintain your wheel then go ahead.. but I think we have better things to do than maintaining half the code of an operating system.

Udisksctl has a variety of relevant features, and it works good, kind of.

ReversalHatchery ,

Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don't use according to the specifications.

Maybe I'm mixing up mtproto 1 and 2 with that second part, though.

ReversalHatchery ,

Haven't seen it published in his channel either

ReversalHatchery ,

Hopefully it's not news to them that they have some kind of Microsoft account, let alone know the credentials to it.

ReversalHatchery ,

There's an extension that can unlock LUKS drives using the TPM, but by default it does not do that, and probably that extension isn't installed either

ReversalHatchery ,

And you slowly figure out that every photo, every document, everything critical to you is now protected from you and you can’t get it back.

How fortunate that onedrive auto uploads those to Microsoft. That is, until you run out of your quota..

ReversalHatchery , (edited )

Or if you don't trust Microsoft to begin with, just use Veracrypt, it won't upload your recovery key anywhere, but will help to make a recovery usb stick.

Additionally, the problem above was not some kind of "unhealthy paranoia", but disliking Microsoft and then still creating an account for some reason, one that they deemed to be a throwaway account. Question is why did they do that (oh, because Microsoft made it hard* to skip registering an account? That can't be! Microsoft is trustworthy and anyone thinking else is just unhealthily paranoid, right?), but also how should have the user known that this was a dangerous thing to do? Don't tell me they should have read the dozens of pages of dry legal text.

*Yes, it's hard if it's not an option in the installer. How the fuck you look it up when you don't have your computer?

ReversalHatchery ,

I don't see what that has to do with the drive dying. Every drive dies at some point, even if left in it's place

ReversalHatchery ,

If you’re at that point of not trusting a company, the best practice would be to avoid using their devices or connecting them to your network.

Yes, that would be the best practice. However there are a lot of best practices that cannot be followed for one reason or another.

SSH login without user name? ( docs.gitlab.com )

I was reading GitLab's documentation (see link) on how to write to a repository from within the CI pipeline and noticed something: The described Docker executor is able to authenticate e.g. against the Git repository with only a private SSH key, being told absolutely nothing about the user's name it is associated with....

ReversalHatchery ,

Hmm, with a similar technique one could even create git command aliases for running git with specific ssh private keys

ReversalHatchery ,

Why though? Why do you think it's good that e.g. StealLabs can make use of OBS's actively and freely (as in, StealLabs does not pay a cent to OBS) maintained code, add their own stuff, no attributions, and give it away for a price? Not even for a price.. for a fucking monthly subscription!

In the above, StealLabs is the name of StreamLabs, but the former name is more descriptive.

ReversalHatchery ,

It's GPL, they have to also provide the source. And you benefit from all the rights they do.

They don't provide the source.

This is not a new thing, it's been happening for years.

If OBS used such a license and reaped all the benefits would you still contribute to them?

Yes, I would. I'm a user, not a corporation that wants to repackage it.

ReversalHatchery ,

I think 5 out of that 10% is supplemented by OsmAnd. But it does not have public transport schedules and traffic data.

ReversalHatchery ,

Not necessarily. The data is out there. I don't think they could make it a part of the core app for legal reasons, but OsmAnd has a plugin system. Basically anyone could make it other than OsmAnd devs. Distribution could happen over an F-droid repo.

ReversalHatchery ,

But so can everybody else, and they're all going to use street B now.

In my experience that's not how it works out. It's about balancing the load, while making the driver take the least amount of detour needed.
Street B only has to handle the remaining traffic, and street A has a chance to unclog or at least be a faster route as some of its traffic does not exist anymore.

ReversalHatchery ,

That's where. But also I wouldn't be surprised if there are also other sources.

ReversalHatchery ,

Water does not think, it flows where it can.
People while driving cannot know which route isn't clogged, because cars are not flowing like water. If that would be the case all the small streets around main roads would be full too. If a street is clogged, and the driver sees it, they can decide to go on a different route, but in waze if they are using it to plan a route, it'll try actively to avoid roads that are too busy.

HDMI stream live processing?

I’m getting tired of the extremely loud ads on that don’t seem to be subject to the old TV broadcasting laws that prevent them from being blasted 10db louder than the actual content. Wondering if there’s stuff out there that would let me take the hdmi stream from my Apple TV or other streaming source, and do ad detection...

ReversalHatchery ,

in order to be able to modify the stream in real-time and send it back out...

It doesn't need to modify. What it needs is detection, and then either blacking it out, or replacing with a simple progesssbar-like screen on a black background.

ReversalHatchery ,

The point is not cheapness but that you don't care about the future of that phone. It's only a tool for the protest, if it lasts longer that's good but you expect it to get confiscated and never given back, you don't care what cops did with it if you get it back, it does not have data you need in your daily life or anything irreplaceable, and you're not really afraid that it gets destroyed by accident or maliciously.

ReversalHatchery ,

Most of that is solved by installing a ROM that's not user hostile, keeping it updated of course, and using the phone strictly as a purpose specific device.

That means you run a trusted VPN on it so HTTP/S and DNS concerns go out the window.
Sandboxed processes, blocked JS? Fine if you only install what's necessary and don't use the web browser. JS blocking is not a huge hurdle though, ublock does it with just 2 clicks.

Then if you have pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.

That's right but I don't think that this is enough. If the Pegasus malware (package) really is able to do that many things, it's a walk in the park for it to modify any of the partitions, including that which contains the modem, or just data like the modem's IMEI and MAC addresses.
In the cause I would either restore a backup of all partitions, or throw the phone away (not literally).

The firmware is protected and signed by the vendors, so it is likely clean.

Except if they patched the verification mechanisms of the OS.
Also, the firmware may be protected, but what about data partitions which are read by vulnerable software.

This makes them poorly pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.

Are you sure? My 6 years old phone still receives LOS updates

ReversalHatchery ,

The developers are very hostile about alternative clients and networks. Also, the app does not support this in any form, so you would have to distribute modified APKs that want to use your hosted server.

ReversalHatchery ,

Not sure if VPN eliminates all risks with 2G and 3G, maybe it does.

It doesn't, but probably even on modern phones it only does if you explicitly set it to only use 4G but nothing below that.

Mull has no process isolation at all, but support for UBO and Noscript. Bad situation

If you only visit known reputable websites it's probably not really a problem, but also, I think there are chromium browsers that have addons. Not sure though if there's one that besides that also has the security patches.

These cannot be written without TPM verification or stuff

I doubt that it couldn't be written, I believe TPM can only verify its contents and make the phone refuse to boot if it doesn't agree on the authenticity of the partition contents.
However it's also a question which partitions are checked that way: only the system partition? Or more? Probably not all, because they can't verify e.g. the main user data partition, because it's ever changing contents were never signed by the manufacturer. There's a few dozens of partitions usually so this is not trivial to answer.

the verification will not be done inside the OS, that would be totally flawed.

Yes, verification is done by one of the bootloaders. At least partly, the OS and maybe other layers must be doing it too, just remember why Magisk had a feature to hide it's processes and the controlling app itself from select system services and other apps.

Reading data has nothing to do with that. They likely can, but that doesnt matter.

Didn't mean that. I meant writing data that is later being read by other important system software that is vulnerable to specially crafted quirks in that data.

ReversalHatchery ,

But what if you get it back? Or if you just keep it?

There is a chance that you have Pegasus on there, and I wouldnt want a phone without the detection of this.

You attempt to flash your full backup to it. And maybe then read it back if you can for verification that it was actually written to memory, but that probably won't be possible when using fastboot. That's all you can do that's reliable, to some extent.

ReversalHatchery ,

visiting only known websites is not a scaleable option

On the regular day to day use, that's right. But on a protest you really should be careful, more than usual.

but every other important one

Is that universally true for all phones?

ReversalHatchery ,

As far as I know that's the only thing AOSP means in the context of Android. Weird that they assume everyone in their audience already knows it.

ReversalHatchery ,

There no way even possible via the GUI to config power management for things like low/critical battery conditions /actions on Linux.

I don't think you should bash Linux for choosing an immature desktop environment.
KDE has this and I don't think it's a new feature. System settings, power management, advanced power settings to set low and critical levels and what to do at critical, and "energy saving" menu to configure everything else. The interface is better than any windows implementation of this that I have seen.

Yes I've also been frustrated by the inferiority of the default mint DEs, but saying that Linux can't do those is not true.

Every time I've installed Linux as my main OS (many, many times since I was younger), it gets to an eventual point where every single thing I want to do requires googling around to figure out problems

For me windows would be the same if I ever reinstalled it

can't wait to search for some drivers so I can get the cursor acceleration disabled. Or enabled. Or configured?

KDE, configurable in system settings gui. For ages.

Linux doesn't even use a common shell (which is a good thing in it's own way), and that's a massive barrier for users.

There's no single shell that's true, but why do you think bash is not common? All distros I have used so far (debian, ubuntu, mint, suse, arch (no I don't use it by the way)) has used bash.
After finishing the sentence, I realized you probably mean the desktop environment. Yeah there are pros and cons of all of them, I think KDE is the most suitable for most uses but for old machines maybe it's not what I would choose.

settling on a single GUI (which is arguably half of why Windows became a standard

Windows does not have a single gui. They change it roughly every 2 major OS versions, and recently they are not just changing it but turning it into a steaming hot pile of garbage, first with the settings app in 10, and now full-on in 11.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • All magazines
    •