Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.

As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.

Apply now at sovereigntechfund.de/jobs/bug-

(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)

We tried to wreck Element Call but didn’t succeed! We can answer the most dreaded question in IT: it scales!

just acquired and , two chat apps that work with a bunch of bridges to popular apps :

* blog.beeper.com/2024/04/09/bee
* automattic.com/2024/04/09/auto

I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that companies rely on: .

First more detailed analysis of the backdoor AFAIK, in this Bluesky thread: bsky.app/profile/did:plc:x2nsu

So the backdoor’s intention isn’t compromising SSH sessions but rather executing arbitrary code on vulnerable Linux servers. The payload is hidden within the RSA key sent to the SSH server during authentication. This payload has to be signed with some unknown Ed448 key which only the attackers possess. If the signature is deemed correct, the payload is passed to system() (executes it as a shell command). Otherwise the code falls back to the default SSH behavior.

Had this backdoor been discovered a few months later, we would now have a lot of vulnerable servers all over the world. And only the attackers would be able to detect from outside which ones are vulnerable, because only they can send a correctly signed payload that would trigger command execution.

Planting a command execution backdoor into most Linux servers out there sounds too ambitious for someone driven by monetary interests, there are simpler ways to build a botnet. The level of sophistication and long-term planning indicates a state-level actor. Unfortunately, there isn’t a shortage of candidates. With quite a few Western governments pushing for lawful interception lately, I wouldn’t rule out any country at this point.

Show thread

Are you experienced with GTK and Rust ? :gnome: ❤️ :rust:

We are looking to contract someone to work on the new GNOME Password Manager 🔑

We want it to become a core/default app and help secure millions of users.

You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.

Please send resume / portfolio to stf@gnome.org

Boosts welcome :boost_love:

#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian

Three years ago, had a similar kind of attempt as the . A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a . In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

gitlab.com/fdroid/fdroidclient

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message mail-archive.com/xz-devel@tuka

At this point, it is clear that a provider must accept payment in cash in order to provide a real tool. Cash is much easier to handle privately than crypto for most of the world, and a lot more people around the world have access to currency exchange and snail mail than places to safely buy crypto. Kudos to @mullvadnet and @protonvpn for providing that service.

In collaboration with @fdroidorg, the @fsfe prepared a study for the Japanese Competition Authority HDMC on how Apple's plans to comply with the #DMA represent a risk for #FreeSoftware and #DeviceNeutrality.

Key recommendations: 👇
- Full and unfettered side-loading
- No distribution via DRM encryption
- No residency or credit requirements for
3rd party app stores
- No interoperability request forms
- More competition on trustworthiness

download.fsfe.org/device-neutr

#Sideloading apps and using alt stores like #Flathub is a major feature of elementary OS and a competitive edge over closed platforms that only let you install apps from a locked down store. In this release we’ve made several improvements to smooth out the experience of using alt stores based on your feedback and the latest #CrossPlatform standards.

Show thread

Just in case you're wondering why #Apple & #Google etc. are such jerks about implementing #DMA, here are some numbers:

* play store revenue 2019: $ 11.2 Billion
reuters.com/technology/google-
* apple appstore revenue 2021: $ 85.1 Billion
statista.com/statistics/296226
* apple app store made more money on games alone in 2019 than nintendo, microsoft and sony combined
techspot.com/news/91577-apple-

Today: #DMA compliance workshop with #Alphabet/#Google :)

While Alphabet seems to be better in terms of the new #browser & #search choice screens, they have a strange view regarding their new obligation to allow un-installing pre-installed apps like #PlayStore or #Gmail:

Alphabet's lobbyists argue un-install and remove are two different things and as the #DigitalMarketsAct's Art 6(3) only mandates un-install but not removal, the current "deactivation" feature in Android would be enough. 🤔

Show thread

EU antitrust chief Margrethe Vestager called out Apple’s proposed core technology fee for what it is: a way to protect its monopoly instead of actually complying with the Digital Markets Act.

“…if the new Apple fee structure will de facto not make it in any way attractive to use the benefits of the DMA. That kind of thing is what we will be investigating.”

reuters.com/technology/eus-ves

#DMA

said it has no involvement of OEM's including app stores by default. To ship an device, it has to comply with secret NDA'd "GMS Compliance", which requires OEMs to justify to Google pre-installed app store needs to access the same APIs that Play uses to install and uninstall apps. Somehow, I don't think Google will stop requiring OEMs be granted permission by Google to include the app stores of their choosing.

desparately wants to limit the scope of the as much as possible, and wants the European Commission that is not part of the operating system, even though users cannot uninstall it. Google is even working to change the definition of "uninstall" so that it means the same as what currently calls "disabling". Even Google Play itself will entirely delete the app when users click "uninstall" except of course for the stuff where Google prevents uninstallation.

It looks like #Apple is using salami tactics with the @EU_Commission on #DMA compliance, giving up tiny slices in hope that might sway (and shut up) the regulator and the public.

I sincerely hope the Commission's enforcement team is not being fooled by this.

#DigitalMarketsAct #competition #appstore #appfreedom #foss
Source: #PoliticoPro newsletter

I'm sitting in the @EU_Commission #DMA compliance workshop for #Apple right now and as much as I appreciate the format, it's frustrating to see that Apple is the only party on the panel and in addition has its proxies like #CCIA and the #AppAssociation #ACT in the audience that are allowed to ask convenient questions and steer the discussion in Apple's interest.

#DigitalMarketsAct #competition #appfreedom #deviceneutrality #foss

With today's votes on #CRA and #PLD on the introduction of liability rules for software, a broad exception for #FreeSoftware was made, so that after long and intense debates individual developers and non for profit work are safeguarded.

fsfe.org/news/2024/news-202403 #SoftwareFreedom

Tor Browser 13.0.11 is now available as an emergency release which updates our the domain fronting configuration for the Snowflake pluggable transport and the moat connection to the rdsys backend used by the censorship circumvention system. ⬇️ Learn more: blog.torproject.org/new-releas

Show more
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml