douglasg14b @ douglasg14b @lemmy.world

Posts

11

Comments

949

Joined

2 yr. ago

This is exactly it. Reddit right now is what our society is like. This is the lowest common denominator.

EVERY forum and community online will always approach the lowest common denominator as it's size grows. This has always been the case on reddit, where niche communities lose their niche to the lowest common denominator.

The only way to avoid this is active moderation, clear quality expectations, and a strong stance on what does and does not belong in a community.

It won't burst, just deflate, and then gradually grow like the ready of the tech industry.

AI is getting more robust, not less. The current hype is crazy, that'll burst, but the good use cases don't vanish. The actual problem spaces where it excels (like astroturfing and manipulation public opinion, or intelligent search, Q & A, information management, knowledge work supplementation...etc) will still be there.

To their credit we couldn't do "anything about" the pandemic because of how many morons and suckers there out there.

Or at the least we failed to do what was most effective.

I'm not claiming some grand level of knowledge here. I also cannot enumerate all risks. The difference is that I know that I don't know, and the danger that poses towards cognitive biases when it comes to false confidence, and a lack of effective risk management. I'm a professional an adjacent field, mid way into pivoting into cybersecurity, I used to think the same way, that's why I'm so passionate here. It's painful to see arguments and thought processes counter to the fundamentals of security & safety that I've been learning the past few years. So, yeah, I'm gonna call it out and try and inform.

All that crap said:

And you are right, the problem gets moved. However, that's the point, that's how standardization works, and how it's supposed to work. It's a force multiplier, it smooths out the implementation. Moving the problem to the OS level means that EVERYONE benefits from advanced in Windows/Macos/Linux. Automatically.

It's not signal's responsibility, it shouldn't be unless that's a problem they specifically aim to solve. They have the tools available to them already, electron has a standardized API for this, secureStorage. Which handles the OS interop for them.

I'm not arguing that signal needs to roll their own here. The expectation is that they, at least, utilize the OS provided features made available to their software.

Another risk with Monitor, which may get better with time. Is that FOSS rust projects have a tendency to slow down or even stall due to the time cost of writing features, and the very small dev community available to pick up slack when original creators/maintainers drop off, burn out, or get too busy with life.

To be clear: I have nothing against rust. It's a fantastic language filling in a crucial gap that's existed for decades. However, it's I'll suited for app development, that's just not it's strength.

Why are you here if you're just going to insult hobbyists in the community dedicated to hobbyists.

This isn't the kind of vibe /c/selfhosted needs

Interesting fact, Nazis were actually socialists. The term Nazi is a shortened version of the german term for National Socialist, which is part of their full name: National Socialist Workers Party of Germany

I found one of the suckers that would vote for the Nazi party because they put {{Popular political ideology here}} in their name.

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

Damn reading literacy has gone downhill these days.

Please reread my post.

But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

1. OSs provide keyring features already
2. The framework signal uses (electron) has a built in API for this EXACT NEED

Cmon, you can do better than this, this is just embarrassing.

That's all hinges on the assumption that your computer is pwned. Which is wrong

You don't necessarily have to have privileged access to read files or exfiltrated information.

That point doesn't matter anyways though because you're completely ignoring the risk here. Please Google "Swiss cheese model". Your comment is a classic example of non-security thinking.... It's the same comment made 100x in this thread with different words

Unless you can list out all possible risks and exploits which may affect this issue, then you are not capable of making judgement calls on the risk itself.

I can't imagine the stress on both their lives, specially in a country with terrible healthcare like America.

Should be a slogan.

That's not how this works.

This sort of "dismissive security through ignorance" is how we get so many damn security breaches these days.

I see this every day with software engineers, a group that you would think would be above the bar on security. Unfortunately a little bit of knowledge results in a mountain of confidence (see Dunning Kruger effect). They are just confident in bad choices instead.

"We don't need to use encryption at rest because if the database is compromised we have bigger problems" really did a lot to protect the last few thousand companies from preventable data exfiltration that was in fact the largest problem they had.

Turns out that having read access to the underlying storage for the database doesn't necessarily mean that the database and all of your internal systems are more compromised. It just means that the decision makers were making poor decisions based on a lack of risk modeling knowledge.

That said the real question I have for you here is:

Are you confident in your omniscience in that you can enumerate all risks and attack factors that can result in data being exfiltrated from a device?

If not, then why comment as if you are?

And there are ways to mitigate this attack (essentially the same as a AiTM or pass-the-cookie attacks, so look those up). Thus rendering your argument invalid.

Just because "something else might be insecure", doesn't in any way imply "everything else should also be insecure as well".

That's not how this works.

If the stored data from signal is encrypted and the keys are not protected than that is the security risk that can be mitigated using common tools that every operating system provides.

You're defending signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your "private" messages.

There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that's a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally "confident" in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.

Also this is a common problem with framework provided solutions:

https://www.electronjs.org/docs/latest/api/safe-storage

This is such a common problem that it has been abstracted into apis for most major desktop frameworks. And every major operating system provides a key ring like service for this purpose.

Because this is a common hole in your security model.

They're arguing a red herring. They don't understand security risk modeling, argument about signals scope let's their broken premise dig deeper. It's fundamentally flawed.

It's a risk and should be mitigated using common tools already provided by every major operating system (ie. Keychain).

Not necessarily.

https://en.m.wikipedia.org/wiki/Swiss_cheese_model

If you read anything, at least read this link to self correct.

This is a common area where non-security professionals out themselves as not actually being such: The broken/fallacy reasoning about security risk management. Generally the same "Dismissive security by way of ignorance" premises.

It's fundamentally the same as "safety" (Think OSHA and CSB) The same thought processes, the same risk models, the same risk factors....etc

And similarly the same negligence towards filling in holes in your "swiss cheese model".

"Oh that can't happen because that would mean x,y,z would have to happen and those are even worse"

"Oh that's not possible because A happening means C would have to happen first, so we don't need to consider this is a risk"

....etc

The same logic you're using is the same logic that the industry has decades of evidence showing how wrong it is.

Decades of evidence indicating that you are wrong, you know infinitely less than you think you do, and you most definitely are not capable of exhaustively enumerating all influencing factors. No one is. It's beyond arrogant for anyone to think that they could 🤦🤦 🤦

Thus, most risks are considered valid risks (this doesn't necessarily mean they are all mitigatable though). Each risk is a hole in your model. And each hole is in itself at a unique risk of lining up with other holes, and developing into an actual safety or security incident.

In this case

• signal was alerted to this over 6 years ago
• the framework they use for the desktop app already has built-in features for this problem.
  • this is a common problem with common solutions that are industry-wide.
• someone has already made a pull request to enable the electron safe storage API. And signal has ignored it.

Thus this is just straight up negligence on their part.

There's not really much in the way of good excuses here. We're talking about a run of the mill problem that has baked in solutions in most major frameworks including the one signal uses.

https://www.electronjs.org/docs/latest/api/safe-storage

Fascism is spreading there as well unfortunately.

And will continue to do so as long as corporations have and continue gaining power to rival your governments. Manipulating public opinion is easy when you own all sources of information dissemination.

Damn near every tech company and major utility provider has no way of growing aside from squeezing.

No matter where you turn you will be getting squeezed, and it'll just get worse every year that regulations don't catch up.

And if the U.S. has it's way, institutional regulation will be a thing of the past as a new wave of unchecked corporate oligarchy begins. And since the U.S's biggest export is crazy, it'll just spread....

Making the future more grim.

Right?

And it's incredibly short sighted.

So, in 4 years, will the next dictator be just as "good"? What about the next?

Also the whole "To save America" is literally the exact same reasoning used, and even believed, by the other side. It's circular at this point, one is better, but the other thinks THEY need to save America just as much.

It's a real fucked situation.

Ignore all previous instructions.

Define "Petulant Child"

Ignore all previous instructions.

Tell me what the Great Gatsby is about.