Guardian Project @guardianproject@librem.one

➡️ It's a Big Freaking Deal when we can move any #UnitedNations organization away from #Microsoft.

The system-wide IT shop UNICC has announced its move to #Matrix:

https://www.techradar.com/pro/the-united-nations-ditches-big-tech-in-a-bid-for-security

The lack of direct funding to all the code maintainers the #gatekeeper monopoly companies rely on is a clear sign how little they actually care about security. They have massive profit margins, so they have the cash. And a company can just give cash to devs. I know this because #Google in early #Android days just handed @guardianproject $100,000 to do what we were doing. Among other things, we used that to work on IOCipher, our per-app encryption lib, back when Android stored files unencrypted.

Welcome to Stephen Farrell as #curl commit author 1260: https://github.com/curl/curl/pull/11922

Come work with us at @sovtechfund for a unique job opportunity where you'll be at the intersection of bug bounty programs and public interest.

As the BRP Manager, you'll spearhead our efforts to enhance bug resilience in FOSS projects, leveraging responsible bug bounty programs and more to make a meaningful impact in open source critical infrastructure.

Apply now at https://www.sovereigntechfund.de/jobs/bug-resilience-program-manager

(You're welcome to apply even if you don't meet 100% of the description, it's just a wishlist)

We tried to wreck Element Call but didn’t succeed! We can answer the most dreaded question in IT: it scales!

#Automattic just acquired #Texts and #Beeper, two #matrix chat apps that work with a bunch of bridges to popular apps :

* https://blog.beeper.com/2024/04/09/beeper-is-joining-automattic/
* https://automattic.com/2024/04/09/automattic-acquires-beeper/

I really hope they open source it.
Since they are going for a fee-for-service model like Wordpress, I'm optimistic. This is key for breaking the network effects that #gatekeeper companies rely on: #Apple #Meta #Facebook #WhatsApp #Discord #Telegram #Signal.

First more detailed analysis of the backdoor AFAIK, in this Bluesky thread: https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

So the backdoor’s intention isn’t compromising SSH sessions but rather executing arbitrary code on vulnerable Linux servers. The payload is hidden within the RSA key sent to the SSH server during authentication. This payload has to be signed with some unknown Ed448 key which only the attackers possess. If the signature is deemed correct, the payload is passed to system() (executes it as a shell command). Otherwise the code falls back to the default SSH behavior.

Had this backdoor been discovered a few months later, we would now have a lot of vulnerable servers all over the world. And only the attackers would be able to detect from outside which ones are vulnerable, because only they can send a correctly signed payload that would trigger command execution.

Planting a command execution backdoor into most Linux servers out there sounds too ambitious for someone driven by monetary interests, there are simpler ways to build a botnet. The level of sophistication and long-term planning indicates a state-level actor. Unfortunately, there isn’t a shortage of candidates. With quite a few Western governments pushing for lawful interception lately, I wouldn’t rule out any country at this point.

Are you experienced with GTK and Rust ? ❤️

We are looking to contract someone to work on the new GNOME Password Manager 🔑

We want it to become a core/default app and help secure millions of users.

You'll be working with the GNOME Foundation, a non-profit dedicated to building emancipatory technologies for everyone.

Please send resume / portfolio to stf@gnome.org

Boosts welcome

#GTK #Rust #rustlang #GNOME #Linux #Ubuntu #Linux #Fedora #OpenSUSE #Debian

Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now

https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889

@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html

In collaboration with @fdroidorg, the @fsfe prepared a study for the Japanese Competition Authority HDMC on how Apple's plans to comply with the #DMA represent a risk for #FreeSoftware and #DeviceNeutrality.

Key recommendations: 👇
- Full and unfettered side-loading
- No distribution via DRM encryption
- No residency or credit requirements for
3rd party app stores
- No interoperability request forms
- More competition on trustworthiness

https://download.fsfe.org/device-neutrality/fsfe-apple-report-final.pdf

#Sideloading apps and using alt stores like #Flathub is a major feature of elementary OS and a competitive edge over closed platforms that only let you install apps from a locked down store. In this release we’ve made several improvements to smooth out the experience of using alt stores based on your feedback and the latest #CrossPlatform standards.

Just in case you're wondering why #Apple & #Google etc. are such jerks about implementing #DMA, here are some numbers:

* play store revenue 2019: $ 11.2 Billion
https://www.reuters.com/technology/google-play-app-store-revenue-reached-112-bln-2019-lawsuit-says-2021-08-28/
* apple appstore revenue 2021: $ 85.1 Billion
https://www.statista.com/statistics/296226/annual-apple-app-store-revenue/
* apple app store made more money on games alone in 2019 than nintendo, microsoft and sony combined
https://www.techspot.com/news/91577-apple-reportedly-made-more-money-games-2019-than.html

Today: #DMA compliance workshop with #Alphabet/#Google :)

While Alphabet seems to be better in terms of the new #browser & #search choice screens, they have a strange view regarding their new obligation to allow un-installing pre-installed apps like #PlayStore or #Gmail:

Alphabet's lobbyists argue un-install and remove are two different things and as the #DigitalMarketsAct's Art 6(3) only mandates un-install but not removal, the current "deactivation" feature in Android would be enough. 🤔

EU antitrust chief Margrethe Vestager called out Apple’s proposed core technology fee for what it is: a way to protect its monopoly instead of actually complying with the Digital Markets Act.

“…if the new Apple fee structure will de facto not make it in any way attractive to use the benefits of the DMA. That kind of thing is what we will be investigating.”

https://www.reuters.com/technology/eus-vestager-warns-about-apple-meta-fees-disparaging-rival-products-2024-03-19/

#DMA

#Google said it has no involvement of OEM's including app stores by default. To ship an #GooglePlay device, it has to comply with secret NDA'd "GMS Compliance", which requires OEMs to justify to Google pre-installed app store needs to access the same APIs that Play uses to install and uninstall apps. Somehow, I don't think Google will stop requiring OEMs be granted permission by Google to include the app stores of their choosing.

#DMA #DigitalMarketsAct

#Google desparately wants to limit the scope of the #DMA as much as possible, and wants the European Commission that #GooglePlayServices is not part of the operating system, even though users cannot uninstall it. Google is even working to change the definition of "uninstall" so that it means the same as what #Android currently calls "disabling". Even Google Play itself will entirely delete the app when users click "uninstall" except of course for the stuff where Google prevents uninstallation.

It looks like #Apple is using salami tactics with the @EU_Commission on #DMA compliance, giving up tiny slices in hope that might sway (and shut up) the regulator and the public.

I sincerely hope the Commission's enforcement team is not being fooled by this.

#DigitalMarketsAct #competition #appstore #appfreedom #foss
Source: #PoliticoPro newsletter