This is what you get when you trust proprietary software vendors that care more about optics and money than user safety.
Apple is the new Microsoft. They are just better at hiding their mistakes.
Thunderbird dropped Enigmail for a young alternative which dropped basic defaults like smartcard support.
Well-thought-out alternatives are ignored to optimize proprietary licensed code compatibility.
Politics are why encrypted email UX still sucks.
These recent efforts feel like misdirection from the fact that Signal also needlessly centralizes massive amounts of phone numbers and other user data.
That said, enemy of my enemy. I hope they spend more time on things like this.
Signal 100% can turn over user data.
1. They could dump metadata encryption keys from an unpatched SGX node.
2. The next update could silently send plaintext messages to feds.
They can't gaslight courts forever.
Centralized privacy will fail.
PSA: If you maintain security critical binaries PLEASE seek the help of a security researcher with supply chain attack experience.
I do this for a living. Hit me up.
Don't be a Hashicorp and give your release signing private key to a third party automated system.
Try opening a Microsoft e-book. It breaks because they closed the DRM servers.
The books stopped working.
PS3? Wii? Same story.
The only way to get the same freedom and privacy with digital media that we had with physical media is piracy.
We got scammed.
If a state actor threatens a popular and trusted kernel contributor to slip in a subtle exploit, I now have strong reason to believe they would be successful.
The UMN researchers pointed out a very serious problem.
I have no intention of actually doing this, but the point stands.
Domains of a number of past kernel contributors have expired.
Someone could just take one of those over and submit a patch from the same email.
Email domain bans are not a solution.
I am a Linux kernel contributor and a security researcher.
Will the Linux Kernel team ban me if I too attempt to test the ability of the code review process to catch malicious commits?
Good luck figuring out which pseudonyms are mine.
Unpopular opinion: The UMN security researchers that executed a successful supply chain attack on the kernel did a public service.
Can state actors get away with this too? Did they already?
We need serious reform in open source code review.
YouTube censors millions of videos every month.
They just hosted a Freedom of Expression event to give themselves an award for free expression.
I have no words.
Everyone is whining about the Boston Dynamics robot police dog in NY.
Let it happen! We should all be demanding nonlethal robot police with provably fair behavior.
Would you rather be arrested by a human that can't tell a gun from a taser?
I told you so! You know who you are.
Companies _must_ stop trusting the security of their customers to random third party SaaS because they can't be bothered to self-host the most basic of services. It always ends badly.
Worth noting: After 5 years, credit card carriers you explicitly told to stop selling your data will automatically start selling it again anyway.
Whenever possible use cash or cryptocurrency.
Credit card companies are not your friends.
All you need to know to opt someone out of their credit card usage data being sold is their card number.
It would be a public service if someone used an XSS 0day to automatically opt out all credit card numbers used on major online retailers.
Privacy Protip: Credit and Debit cards sell your transaction data by default unless you opt out.
* Security Engineer
* OSS Advocate