Hans-Christoph Steiner @eighthave@librem.one

The key thing to remember is that luck plays a role in not being discovered, in a way that it does not with proper security measures. In my example, the hunters could have gotten lucky if they just happened to think to open the right door nearby and look at the servers there.

Given that physical access to computers is a lot harder to defend against than internet access, my one hour of time vs the time they spent was quite a good payoff.

I learned this lesson by operating a hidden server on a university network in a room next to a lab funded by #US three letter agencies, it was actually a feeder program, the grad students mostly went to work for those agencies. They had seen that my non-university domain name was mapped to a university IP address. They emailed me while I was on vacation, saying they were hunting for it. Two weeks later, I got back, and they still hadn't found it. They never did. That setup took me an hour.

I totally agree that #Security Through Obscurity does not work, I think the key word that often gets lost is "through". Make systems as secure as you can, don't rely on them being hidden. Obscurity can actually add quite a bit. Compare a build server reachable on a public domain name to one only reachable on a tor onion service. Finding the tor onion service could take the determined attacker quite a lot of time. The key measure is time to attack vs time spent setting up defenses. 1/

Reading the section in the #PaloAlto book about #decolonialization makes me think how so much digital media is a form of #colonialism of our personal relationships, education, and even thought processes. It is driven by companies with the mentality of extracting profit from mining resources, in this case, the resources our human relationships and education.

@mxmehl @fdroidorg it is technically possible for the F-Droid client to do something like that, as long as someone maintains the data needed in fdroiddata. Following the #Android architecture, the app itself would be the natural place to handle data and signing key migrations.

@mxmehl @fdroidorg ah nice, the export/import workflow should help smooth the process. I'm interested in hearing about how many users find it worth it to do that kind of procedure. It is possible to fully automate it, but would take a chunk of work. A key question is: how many users are not going to update because of this? This will be valuable information as more apps transition to #ReproducibleBuilds in #FDroid

@Rana That plays a part in managing the complexity, but that doesn't entirely escape it. I think it is essential to create a mentality in the team of reducing complexity as much as possible. That means reusing metaphors, avoiding "nice to haves" when possible, providing good APIs so people can customize, etc. A great example is how #GitHub has stuck with a two-level namespace (e.g. https://github.com/one/two) even as it has become massive. #GitLab's subgroups are an example of bad design IMHO

I wonder if #ChatGPT and its kindred #AI #LLM projects will just kind of slowly consume themselves via a downward spiral of driving down the level of public, online content via computer generated spam and #disinfo. They are trained on these public datasets, for example. For example, https://www.vice.com/en/article/jg5qy8/reddit-moderators-brace-for-a-chatgpt-spam-apocalypse

So many #software projects get caught in this trap of adding ever more #complexity as users request more features. When starting out, new software needs to directly solve a problem better than others, then people adopt it. As more people adopt it, they demand more features. Incrementally adding more features works for the existing user base, but makes it harder and harder for newcomers to jump in. Then new software does a key thing better, and the complex old one collapses under its own weight.

@debian @Bubu @nopressure @grote as #GitLab #SelfHosters, I think they'd appreciate your feedback.

#ArsTechnica's article on exploiting #Zimbra is a nice example to work through to understand how an advanced #cyber #targeted #attack works
https://arstechnica.com/information-technology/2023/03/pro-russian-hackers-target-elected-us-officials-supporting-ukraine/2/

Does anyone have any examples of advanced #cybersecurity #attacks that were not targeted? I guess the #GreatCannon and maybe #QUANTUMINSERT #FOXACID are examples. I'd love to see a story about a recent exploit like this (those two examples don't really work when HTTPS is used).

@5thsun totally, keeping old hardware working is a great example of #UserFreedom, for so many reasons. If it works, don't fix it. And lots of people want to reduce the impact of their devices by keeping them alive as long as possible, even when the manufacturer isn't interested. #Debian and @postmarketOS are great examples of systems that keep current software running on old hardware.

@5thsun That's a good practice. I'm interested in #UserFreedom, which means that users should be able to choose to stay with whichever version they want to use, and even organize separately to get that version maintained as needed. This is what #FreeSoftware provides. That accounting software is one of the last pieces of proprietary software I use, time to check out the free software options again. Another way is possible!