Every time I do tech support for my family I get very angry about people who whine about lacking "tech literacy".

90% of the stuff I have to teach them is how to navigate manipulative software and dark patterns. This has nothing to do with tech, but with capitalism. Tech is not complicated, it is just made maximally confusing on purpose to remove agency.

Better tech ed won't fix this.

We need your help! Call your senators and tell them to vote NO on reauthorizing and expanding Section 702. eff.org/risaa

"Just search for 'Linux Foundation Events' in your app store to find our brand new [proprietary?] AI-powered app!"

- Jim Zemlin @ #OSSNA

#OSSNA24 #FDroid #hypocrisy

🕵️🔎🔎📱 The “repackaged” EU Council version of #chatcontrol still includes #MassSurveillance & serious threats to #encryption. Fortunately 🇩🇪🇵🇱🇫🇷🇦🇹🇳🇱🇪🇪🇫🇮 have acknowledged the severe concerns. We call on EU Member States to reject this dangerous position.
epicenter.works/content/open-l

Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.

As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.

Apply now at sovereigntechfund.de/jobs/bug-

(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)

Major push to impose a U.S. site-blocking law. Nothing has changed since SOPA. Of course, lawful content would also be blocked arstechnica.com/tech-policy/20 #Quad9

Lots of hackers would love to go in and contribute to new projects. If there was a way that people could make a living doing that, we would greatly improve the ecosystem. Lots of devs want to improve the code they work on, but so many companies ban employees from contributing to . One promising new model is maintenance funding from governments and foundations, like @sovtechfund and . Since 93% of codebases use , this affects the entire software ecosystem

4/4

This also happens in companies, but the dynamic functions a bit differently. The maintainers will start quitting their jobs, reducing the number of people who know the code. In a number of companies, I've seen this happen where the end result is an essential system that no present employee understands. So no one is allowed to touch it as long as it is working. This happens at mega corps and small companies alike. I experienced it at Merrill Lynch, a wealthy bank that was always cutting costs 3/

This can turn into a downward spiral, because it can drive away contributors, making things worse. Then only the ones who really feel responsible for their user base will continue working on it. Then ultimately they can burnout and the thing goes down in flames. The is a version of this dynamic. The maintainer was caught in that dynamic and felt he could not keep up, and was desperate for help since so many essential pieces of software rely on it.

2/

There is a dynamic that arises when there is a growing difference between the amount of maintenance required and available developer time. The maintainers need help to keep up. Until then, they need to ensure that the essentials are maintained. That in turn makes it harder for others to contribute, because the maintainer cannot afford to take any risks that might trigger unexpected work sometime later. So the maintainers have less time to review, less time to help complete merge requests, etc 1/

just acquired and , two chat apps that work with a bunch of bridges to popular apps :

* blog.beeper.com/2024/04/09/bee
* automattic.com/2024/04/09/auto

I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that companies rely on: .

PSA: The panic button features built into F-Droid break when targeting newer Android SDK versions (e.g. #targetSdkVersion) due to new restrictions.

It might be possible to get them working again, but we currently do not have the bandwidth to maintain this. We welcome contributions to get it going again. Until then, removing the panic features looks to be our only responsible course of action. #CalyxOS includes built-in panic features like app removal, so that is a recommended replacement.

This week in #FDroid was published again.

You should read it if you're on Android 7 or older. For those on newer versions we have following tl;dr, but you're also welcome to read it all:

- 1.20 is in the making with even better repo handling
- custom Anti-Features will be on by default
- TetheredNet will be a new AF
- our website still has problems with localization
- Bunny Media Editor is new
- Secreto is now known as Sekreto
- 2 removals, 10 additions and 206 updates

f-droid.org/2024/04/04/twif.ht

Risk of socially engineered backdoors in critical software seems like an indictment of open-source projects, but it could happen anywhere, EFF’s Molly told @theintercept - in fact, this one was found only due to the project’s open nature.
theintercept.com/2024/04/03/li

This just triggered a thought: the fact that a well resourced actor spent all this time on the focused on distros because they were not able to reliably hack into GNU/Linux in general, so they had to resort to this quite expensive campaign to get access again. Yes, this is speculation and yes I'm a fanboy. But there is a lot of good evidence that the free software distro model is quite good for providing secure setups. So take this news as good news 😄

Some thoughts about attribution in the XZ backdoor, having just wasted so many hours digging into the details.

The email addresses used for a couple of years at least by the parties involved have absolutely *zero* trace in any kind of data breach or database beyond Github/Gitlab, and maybe Tukaani and Debian and a few mailing lists.

Normally when I see this, the assumption is that we're dealing with a single-use or single-purpose email address that was created either for fraud or b/c someone is super paranoid about privacy.

The people in the latter camp who do this tend to have other tells that give them away, or at least *some* trace or home base in the online world. Especially if we're talking on the order of years using that address.

Either way, very few people do opsec well, and for every year you're operating under the same name, nick, number, email, etc you dramatically increase the risk of screwing up that opsec. And almost everyone does, eventually.

To see this complete lack of presence in breached databases once or twice in the course of an investigation is rare, but to find it multiple times suggests we're dealing with an operation that was set up carefully from the beginning. And that almost certainly means a group project (state-sponsored).
