Kyle Rankin @kylerankin@mastodon.social

@kylerankin Imagine having 5 different web browsers you had to switch between depending on which website you wanted to visit. If these same orgs had their way, you would (and that's largely what phone apps have become).

Messaging isn't complicated. It's sending text, emojis and photos, perhaps to a group, ideally w/ e2e encryption. You have 5 incompatible messaging apps on your phone not from tech limitations, but because greed drives orgs to ignore compatibility and optimize for vendor lock-in.

I dismissed this product until I realized it's probably the only way to get work done in a modern office with an open floor plan. It's basically a cubicle for your face: https://www.neatorama.com/2018/10/18/Human-Blinders-Block-Out-Distractions/

Click, Clack, Moo is underappreciated as a subversive tale of the power of technology, collective bargaining, and boycott to shift the balance of power in favor of an oppressed, exploited group.

Google confirms it is building a censored Chinese search engine: https://www.washingtonpost.com/technology/2018/10/16/google-really-is-trying-build-censored-chinese-search-engine-its-ceo-confirms/

@kylerankin Sadly, current e2e msg apps, including Signal, built a world *worse* than CAs in this respect. If WhatsApp backdoors e2e for ad data or for govts (why not both?), to revoke trust you must convince all your friends to revoke trust, or else fall back to insecure SMS.

@kylerankin Applied to CAs, this means if a CA violates your trust, you should be able to revoke your trust in them but still be able to browse the web securely. And if you don't trust, say, Verisign's CA, you can anchor your trust in another vendor and web browsing is secure.

One of the most powerful ideas in @Moxie's convergence talk was the idea of "trust agility" https://youtu.be/UawS3_iuHoA?t=1558 the idea that trust can be revised at any time, and users can decide where to anchor their trust.

As someone who spends a lot of time working on Heads and thinking about BIOS tampering, it's interesting to read about examples of UEFI/BIOS hacking in the wild: #infosec https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

The thing I am most excited about with the Librem Key is its integration with Heads to make detecting tampering easy. It's something that doesn't exist anywhere else and in this deep dive post I explain the technical details. #infosec https://puri.sm/posts/the-librem-key-makes-tamper-detection-easy/

"Twitter bug sent user direct messages to third-party developers for over a year" #infosec #privacy https://techcrunch.com/2018/09/21/twitter-bug-sent-user-direct-messages-to-developers-for-over-a-year/

@kylerankin Put yet another way: what good is e2e encryption if your vendor has remote root onto the endpoint?

@kylerankin Put another way: a fundamental part of most #infosec compliance regimes is answering the question: "who has root on production?" So which Apple/Google employees have root on all smartphones? Have any govts forced use of those powers?

I'd be curious to know how many people within Apple and Google have this remote control power, the checks on that power, and what scenarios constitute an "emergency" to remotely take over someone's phone. https://www.cnet.com/news/10-years-later-google-still-has-the-creepy-ability-to-remotely-control-a-phone/

The next few months will be challenging to two groups: 1. Linus + team to follow through on CoC. 2. critics who won't want to forgive, even if Linus + team truly do change. Humility, repentance and forgiveness are hard, I'm rooting for both groups.

Google's China search engine features a censorship blacklist that "included terms such as “human rights,” “student protest,” and “Nobel Prize” in Mandarin." and makes it easy to link searches to individuals: https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/

Looking at the current state of tech it's easy to conclude that people don't care about #privacy. I have to remind myself that people *do* care, they just feel powerless to do anything about it.