Network Guardian Angel. Infosec.




You should hide scores on Lemmy. They are bad for you.

  • 14 Posts
Joined a year ago
Cake day: Jan. 11, 2022


You can ask them in We are open to people asking honest questions.

GnuPG signature spoofing via status line injection
How many nails does that coffin need?

Yes, I knew about that and I find this an excellent feature! This is the reason why I’m asking about the “by default” behavior and not about “disabling score for everyone”. I like that this is optional. I’m asking the community their thoughts about having scores hidden by default ;)

Maybe they just like link aggregators and the classification by communities? I don’t use score-based sorting algorithms, precisely because I do not like how people vote on Lemmy.

I did not know that there are such options in Lemmy admin interface. That’s very good! Thank you for the information

Edit: According to the admin documentation, one can indeed disable downvotes but I don’t think one can hide scores for all users by default.

I checked and you are correct about beehaw. Thank you for the pointer. I’ll probably subscribe to their communities :)

Should scores be hidden by default?
Lemmy implements a scoring system allowing people to upvote or downvote posts. You know that since you are using Lemmy :) Score can be used to increase or lower visibility of posts, in particular when using some sorting algorithms (active, hot, top). This can be used to increase the visibility of good quality posts, and lower that of low quality or irrelevant posts. Yet, from what I observe, the tool is mostly used for communities to self-administer a filter bubble. Some communities seem to behave like a hive mind, massively upvoting or downvoting until either the dissident is assimilated in a very Borg way, or excommunicated. Also, scores seem to be used often to convey cheap moral judgement, without having the need to expose oneself to criticism by providing arguments to sustain their opinion. Overall, I think scores are more toxic than useful, and I would be in favor of hiding them by default, so that newcomers are not put out by them. What is your opinion about this? What are the advantages of having the score visible by default? Just a clarification: the question is not "should scores exist or not?". If people find value in scores, good for them. I'm not one to dictate other people's preferences. :)

(I would appreciate it if the downvoters were able to express their disagreement with words. Maybe I’m wrong, but then, please do me the favor of explaining to me how. Also, I’m not a SourceHut hater; I even give money to Drew every month, because I like the idea of SourceHut. I just think Drew is wrong on that matter)

I don’t think that a robots.txt file is the appropriate tool here.

First off, robots.txt are just hints for respectful crawlers. Go proxies are not crawlers. They are just that: caching proxies for Go modules. If all Go developers were to use direct mode, I think the SourceHut traffic would be more, not less.

Second, let’s assume that Go devs would be willing to implement something to be mindful of robots.txt or retry-after indications. Would attackers do so? Of course not.

If a legitimate although quite aggressive traffic is DDoSing SourceHut, that is primarily a SourceHut issue. Returning a 503 does not have to be respected by the client because the client has nothing to respect: the server just chooses to say “I don’t want to answer that request. Good Bye”. This is certainly not a response that is costly to generate. Now, if the server tries to honor all requests and is poorly optimized, then the fault is on the server, not the client.

I have not read in detail the Go Proxy implementation, to be truthful. I don’t know how it would react if SourceHut was answering 503 status code every now and then, when the fetching strategy is too aggressive. I would simply guess that the server would retry later and serve the Go developers a stale version of the module.

I don’t get it. Public endpoints are public. Go proxies (there are alternatives to direct mode or using Google proxy, such as Athens) are legitimate to query these public endpoints, as aggressively as they want. That’s not polite, but that’s how the open Internet works and always has.

I don’t get why SourceHut does not have any form of DDoS protection, or rate-limiting. I mean HTTP status 503 and the retry-after header are standard HTTP. That Drew chose a public outcry over implementing basic anti-applicative DDoS seems to be a very questionable strategy. What would happen to the Sourcehut content if tomorrow attackers launch a DDoS attack on SourceHut? Will Drew post another public outcry on their blog?

SourceHut is still in alpha. This feels like a sign that it is still not mature enough to be a prod service for anyone.

The OpenPGP format was designed in the 90s and never really changed since then. It was documented in RFC4880 in 2008. Unfortunately, in the 90s, people had really no good understanding of crypto yet, and the choices made were poor. Envelope design is poor. Some crypto algorithms are clearly outdated. Some default options are plain wrong.

Have you ever noticed that so many crypto attacks target OpenPGP and GnuPG? That’s not a surprise: it’s a popular crypto solution and it’s a relatively easy target, compared to some other mainstream crypto implementations. The Go language maintainers even deprecated the OpenPGP implementation in their crypto standard library because they think OpenPGP is dangerous.

OpenPGP is incompatible with, it’s complex, fragile, and unsafe, and using it exposes applications to a dangerous ecosystem.

Basically, I would say that the only thing that OpenPGP has for itself is the deployed infrastructure. Or has it? Web of trust is mostly dead, since keyservers are out-of-service. And OpenPGP adoption was never really that high to begin with.

SSH keys are much more widely deployed and used than OpenPGP keys. The format is dead simple, and the crypto implementation from OpenSSH is up-to-date.

I am very happy that git made SSH signing possible; it means I can delete my OpenPGP keys for good. I just hope linux distros will make the switch soon, to a more modern crypto approach: ssh signing or minisign.

Very good question. Thank you for asking.

To sign documents, I would recommend using signify or minisign.

To encrypt files, I guess one could use age

If you need a cryptolibrary, I would recommend nacl or sodium. In Go, I use nacl a lot. If you need to encrypt or sign very large files, I wrote a small library based on nacl.

Emails are the tricky part. It really depends on your workflow. When I was working for a gov infosec agency, we learned to never use any integrated email crypto solution. Save the blob, decrypt the blob in a secure environment. This helps significantly against leaks and against creating an oracle to the attacker’s benefit.

For data containers, I would use dm-crypt and dm-verity + a signed root. But that’s just me and I would probably not recommend this to other people :)

OpenPGP is rarely used in messaging protocols, but if it was I would probably advise leveraging a double ratchet library.

One example of issues with OpenPGP implementations that are a direct consequence of the poor format design…

“sq feature comparison with gpg”
2022, people still use and make new implementations of OpenPGP. In 2015, I was already describing OpenPGP as a horror show for cryptographers. People need to move on! The format is wrong. The implementations are wrong. The mandatory ciphers are outdated. The web of trust is mostly dead since the key servers are broken.

Does anyone know if and how the private key is secured during cloud sync? Do they have access to it or is it ciphered before sync using the… user password?

Also, how is it different from Duo Push? (edit: I am talking workflow, here. I know about the FIDO part)

I don’t think this argument is valid in a world where a global observer can already distinguish Tor traffic using timing and volume analysis.

Today, the best defense a VPN has to offer, privacy-wise, is protection against observers close to the victim, on hostile local network. Self-hosted VPNs can do that as well as any paying VPN service. The only reason I’m using a paying service myself is to circumvent geo restrictions. That’s basically the only valid use-case.

You can also hide votes altogether, which is a good thing. This limits expectations and helps fighting against addictive behaviors related to social rating.

“A new standard for signing, verifying and protecting software”

I agree with all of your points :)

Can you elaborate on how this is FUD, please?

Introducing socialist millionaire verification to ease fingerprint verification does not seem a bad idea.

Using phone numbers as identifiers is a well-known Signal flaw.

And while CBC is indeed less robust than GCM regarding certain types of attacks, it is true that “up-to-date” CBC implementations have no known vulnerability. Yet, would you claim that TLS1.3 is FUDing for dropping CBC support as well?

I am not promoting mesibo, which I never heard about before. I am just trying to understand how this criticism of Signal would be invalid, or FUD.

A bit old, but an amazing read. Kudos to the author!

Wow, perfect timing. I am currently struggling with efficient disk usage in my application. Thank you!

Thank you. I did not know that the state events were not encrypted. That’s very unfortunate. I think I still prefer Element/Matrix over Signal, but slightly less than before reading your message 👍

That’s a problem. But federation at least helps by giving you the choice of who will see these metadata leaks.

I would not use either of them.

Currently, a better solution, for me, is Element/Matrix, because the crypto is mostly OK and there is federation. And it is quite featureful.

Yeah, that’s what I thought. Thank you for playing 🙂

Can you provide a link to that “age signature plugin”, please?

Still bossing people around, I see. “You should not answer” “Your post belongs elsewhere”. You never change :) Your intimidation attempts are ineffective on me. You should move on.

Age plugins are not Age. Minisign is an excellent tool. It is not a replacement for Age.

Can you explain how you intend to use minisign as a replacement for age, please ? 😂

Filippo Valsorda, the author of Age, is a qualified cryptographer and I can vouch for them, being myself an applied cryptographer. And many of my cryptographer friends do as well.

Age seems good to me BUT. I don’t like streaming, and the article that you cite is on point. To me, streaming is unwise precisely because you can have truncation attacks. Or even length extension attacks. One may counter them using counters, but you will need a temporary storage until you know if the input is complete or not. And this defeats streaming.

Your application might be OK with truncation. That’s for you to determine. Which is hard. If you can’t decide, then you should stay away from streaming.

I wrote an article on this myself, a few weeks ago. I use that approach in production to secure some data that may be sent to me anonymously. It was reviewed by some cryptographers in my circles but I do not claim that it is a trusted library.
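The counter-based defence against truncation discussed in the comment above, as an added example that is not from the original comment or from age: each chunk is sealed under a nonce carrying its index and a final-chunk flag, and no plaintext is released until the chunk flagged as final has verified. AES-256-GCM from Go's standard library stands in for the NaCl primitives mentioned on this page; the function names and sample chunks are constructed, and a key must protect one stream only because the nonces restart at zero.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func newAEAD(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES has a 16-byte block
	return aead
}

func nonce(i int, last bool) []byte { // chunk index plus end-of-stream flag
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n, uint64(i))
	if last {
		n[11] = 1
	}
	return n
}

func sealChunks(aead cipher.AEAD, chunks [][]byte) (out [][]byte) {
	for i, c := range chunks {
		out = append(out, aead.Seal(nil, nonce(i, i == len(chunks)-1), c, nil))
	}
	return out
}

// openChunks buffers the plaintext and returns it only if every chunk,
// including the one flagged as final, authenticates at its position.
func openChunks(aead cipher.AEAD, sealed [][]byte) (plain []byte, err error) {
	if len(sealed) == 0 {
		return nil, fmt.Errorf("empty stream")
	}
	for i, c := range sealed {
		if c, err = aead.Open(nil, nonce(i, i == len(sealed)-1), c, nil); err != nil {
			return nil, fmt.Errorf("chunk %d rejected: truncated, reordered or modified", i)
		}
		plain = append(plain, c...)
	}
	return plain, nil
}

func main() {
	aead := newAEAD(new([32]byte)) // constructed all-zero key, demo only
	_, err := openChunks(aead, sealChunks(aead, [][]byte{[]byte("pay alice "), []byte("10")})[:1])
	fmt.Println(err) // the final chunk was dropped, so the stream is rejected
}
```

The buffer inside openChunks is the temporary storage the comment refers to: the caller sees nothing until the end of the stream is known to be authentic.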

Does anybody know about a Linux distro that enforces strong firewall rules (that’s one of the control points of that linux distro security assessment) by default? I mean other than Tails which I expect does it. RFI vuln, such as log4shell, rely on outgoing connections. A linux distro with a strict firewall by default would have to be purposely poked to let such queries out. Sounds interesting to me.

Accept that you are wrong, defending your wrong arguments makes it worse for you, the more you answer the easier it is to humiliate you.

I take note of your explicit intent of humiliating me.

I also take note of your condescending tone:

  • we are talking about your intolerance accepting valid criticism

  • Weak argument.

  • to justify your weak and flawed logic.

  • Please stop wrongfully interpret more into it

Yelling at people, threatening them, humiliating them is not a civil conduct, and I hereby ask for a moderation team intervention for violation of rule 2.

I posted that link in my company chat, where some do use Mint but most don’t (mix of Ubuntu, Manjaro, Fedora). Many were interested, and we have had a healthy discussion about some of the evaluation points, some of which we did find subjective and not very meaningful, and how Mint compared with the other distro evaluation linked at the top of the article.

Also, you are talking about firewall GUI, but it is not even one of the evaluation points. They just said that there was nothing about a firewall configuration in the configuration wizard.

Linux Mint does ask the user to enable the firewall in the graphical Welcome Wizard though.

However the evaluation points were:

[N] Is the host firewall enabled by default?

[N] Does the host firewall block all incoming/ingress traffic by default?

[N] Does the host firewall filter outgoing/egress traffic by default?

Did you actually read the article? I doubt it. If you did, you would have noticed that the article does mention the methodology, and the results for other distros, with link to them if need be. Someone using yet another distro could be interested in that methodology to improve it or post a review about their favorite distro too. Maybe that is not “Linux enough” for you. In that case, you can move on.

Thank you.

Then close other Communities, and bring this under the same argument.

otherwise we can close them and put everything under here.

When I and others post here in this community we get the same comments… post it under xyz.

So your excuse for bullying people is that you got bullied too.

Not sure what my status has to do with anything here

If a link is not to your liking, you can just skip it, or even downvote it. You don’t need to tell people what to do. Except of course if you are a mod and the post is against the rules. Then go ahead and thank you. But no.

Have a nice day as well

Considering the post also mentions a generic evaluation methodology, and provides pointers to similar studies on other distros, the stuff may actually be of interest for some people interested in Linux. Maybe not you. I am ok with that. I actually don’t care.

BTW, when did you get your mod promotion? I don’t see it. Ok bye.

Second line:

I performed the same testing on the following distros:

In that case, I would recommend Fedora Silverblue :)

What is your new user gonna do with it?

If they just want it to work and be secure, but not feel the cogs, you might be interested in looking into Chromium OS or Fedora Silverblue.

If they are a tech, you might wanna go with a flavor of Ubuntu.

If they are willing to become proficient and experienced with GNU/Linux as a distro as a tech, maybe something like Arch or Debian?

Pretty uninformed move. Or yet another marketing stunt.

Cryptocurrencies are not bad (edit: for the climate) by essence. Some are (e.g. proof-of-work based consensus ones). Some aren’t (e.g. federated Byzantine agreement).

The latter does not consume a lot of energy to reach decentralized consensus. That’s why I like XLM.

Disclosure: I do not own any crypto assets (edit: and I never did in the past either). I am just an applied cryptographer.

Also, this quote neglects the fact that many contributions are authored by employees of big tech companies, like Microsoft. The author of this quote needs to learn about how to use git log --author=""

I have often used asciinema for demonstrations of my command line utilities and it is excellent. Definitely worth being in your toolbox.

Being a network security specialist, I’ll ask these basic questions:

  • what’s the universal definition of a private network?
  • does this measure make sense in IPv6 within the global scope?
  • is it the responsibility of the browser to secure against DNS rebinding?

My answers to these questions are:

  • there is no universal definition, so this approach is doomed by design
  • no
  • heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The Host/:authority header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
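The Host/:authority verification described in the comment above, as an added example that is not part of the original comment: a Go middleware that refuses any request whose host is not on an allowlist, so a name rebound to the server's address never reaches the application. The hostnames and function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHosts is a constructed allowlist; a real deployment lists the names it serves.
var allowedHosts = map[string]bool{"app.example.org": true, "localhost": true}

// hostOnly drops an optional port and a trailing dot, and lower-cases the name.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		hostport = h
	}
	return strings.ToLower(strings.TrimSuffix(hostport, "."))
}

// requireKnownHost answers 421 unless the Host header (or the HTTP/2
// :authority, which Go also exposes as r.Host) names a site served here.
func requireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedHosts[hostOnly(r.Host)] {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request with the given Host and returns the status.
func statusFor(host string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	requireKnownHost(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, h := range []string{"app.example.org", "localhost:8080", "rebind.example.net", "192.168.1.10"} {
		fmt.Println(h, statusFor(h))
	}
}
```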

It doesn’t work
An inspired blogpost by Frank Denis on the depression that may be felt by FOSS maintainers

Secure large file decryption using Linux, Go and Nacl
In this article, I explain the challenges of decrypting large files that do not fit in RAM and some possible solutions leveraging Linux and a good high-level crypto library written in Go.