 
"This bug also shows that we have an over-reliance on #fuzzing for security assurance of complex parser code. Fuzzing is great, but we know that there are many serious security issues that aren't easy to fuzz. For sensitive attack surfaces like image decoding (zero-click remote #exploit attack surface), there needs to 1) be a bigger investment in proactive source code reviews, and 2) a renewed focus on ensuring these parsers are adequately sandboxed." https://blog.isosceles.com/the-webp-0day/ #libwebp #WebP
The #WebP #security vulnerability CVE-2023-4863 demonstrates a huge advantage of the "distro" approach of shipping software, like #Debian pushes so hard to deliver. We see a mad scramble for many software vendors to ship with the patched version of #libwebp. In the distro model, the patch is shipped in the single lib package, then all of the software automatically uses the safe version. This leads to shorter times to get fixes to users with much less work overall.
Our director @rondeibert has a new article in Foreign Affairs called "The Autocrat in your iPhone," that outlines abuses around the mercenary spyware industry and the risks these pose to liberal democracy. https://www.foreignaffairs.com/world/autocrat-in-your-iphone-mercenary-spyware-ronald-deibert
To deliver on our mission, we are (Update 2) launching our 2023 RFP *today* - and are looking forward to proposals ranging from new original research to implementation of prior findings. Deadline for the Call is October 1st. Apply via https://fordfoundation.forms.fm/2023-digital-infrastructure-insights-fund-rfp/forms/9724 - All info below.
Google's new Takeout interface (see image). Good stuff: allows storing the data in other non-Drive services (Box, Dropbox), periodic exports, granular selection of data, good coverage of common formats. Bad stuff: still no actual portability through interoperability - you cannot do service-to-service transfer.
For @edri I've recently written a comment about the @EU_Commission's #DSA Stakeholder Event in July and what the #EU should do *right now* to start enforcing the #DigitalMarketsAct and the #DigitalServicesAct.
https://edri.org/our-work/regulating-big-tech-in-europe-with-the-digital-services-act-digital-markets-act/ #DMA #PlatformRegulation #gafam #bigtech
From today on the English version of "Ada & #Zangemann - A Tale of Software, Skateboards, and Raspberry Ice Cream" should be available from your preferred book store world-wide with the ISBN 978-1-718-50320-5 or directly from the publisher #nostarchpress
Your help sharing your thoughts about the book with others in different channels would be highly appreciated.
On the public #Weblate, mystery accounts are creating Old English (ang) and Middle English (enm) in the #FDroid projects. They don't respond to my messages, or do any translation work. This makes me suspect foul play. Anyone have any ideas?
For example:
* https://hosted.weblate.org/projects/f-droid/-/ang/
* https://hosted.weblate.org/projects/f-droid/-/enm/
Nice to see the #EU #DigitalMarketsAct start to influence #BigTech's approach to their restrictive policies: looks like #Google is reconsidering allowing #ChromeOS users to install APKs outside of #GooglePlay. That gives users the freedom to use other app sources like #FDroid, easily debug apps, and more.
* https://issuetracker.google.com/issues/206353953#comment69
* https://bugs.chromium.org/p/chromium/issues/detail?id=1401666#c31
Let's keep the pressure on them so they follow through!
The main #Jitsi public instance https://meet.jit.si is now requiring logging in with a Google, Facebook or GitHub account in order to create new rooms. https://jitsi.org/blog/authentication-on-meet-jit-si/
Apparently they feel that there was too much abuse of their terms of service, but they do not give any details at all.
Are you at #CCCamp23? Come join us this Friday 14:00 local time at ChaosZone for a casual F-Droid community meetup!
https://events.ccc.de/camp/2023/hub/camp23/en/event/f-droid-community-meetup/
@fdroidorg meetup at #chaoszone @ #cccamp23 right now!
@kgbvax TRUST. Yes, that's the key.
With CLOSED source you need to trust the dev, and solely the dev (unless there were audits).
With FOSS, everyone (technically capable of) can review/audit the source. At F-Droid, that is done: many eyes on the code, many mechanisms cross-checking it. True, not every line and every minute, but it's done.
Knowing the dev behind it then is only needed to put blame – and THAT is not what F-Droid stands for.
Unlike Google, F-Droid does not force developers to publicize their name or address information.
We understand that people have many reasons to develop under another name than their legal one and to keep their personal information private. And that what matters is the trust between user and developer, not private details of their lives.
For more information on how we designed F-Droid to protect your privacy, see https://f-droid.org/2022/02/28/no-user-accounts-by-design.html.
#Mozilla has published its position on the "Web Environment Integrity API" proposal put forward by the #Google #Chrome team.
First paragraph: "Mozilla opposes this proposal because it contradicts our principles and vision for the Web."
https://github.com/mozilla/standards-positions/issues/852#issuecomment-1648820747
'Ada & Zangemann - A tale of software, skateboards, and raspberry ice cream' book reading
☑️ FrOSCon 2023
🗓️  6 August 
⏰ 10 h
📍HS7
💻 https://programm.froscon.org/2023/events/2986.html
"#Google's newest proposed web standard is... #DRM?" -- Google is proposing yet another user-hostile feature and aims to make it a web standard called "Web Environment Integrity API". This lets websites confirm the browser has limitations on what it can do, going against #UserFreedom. The #IETF internet standard RFC 8890 declares "The Internet Is For End Users". Google's API circumvents that.
Thanks to Ron Amadeo for his concise, cutting analysis:
https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
Looks like the latest release of #FDroid, v1.17.0, does not get flagged by #Google, at least in the #Android 14 emulator. I heard some reports that v1.16.4 also isn't flagged. I don't really know why it's flagging F-Droid then. v1.16.4 has an unchanged #targetSdkVersion, but v1.17.0 has it bumped to 28. I have found no way to get info on why they are flagging the app, just this silly "unsafe" warning screen. Is F-Droid being flagged by Google Play Protect on your devices? Please let me know.
What to do about the lack of #DataSkills?
In the iTalks series organised by our iLab, 🔟 experts on #DataLiteracy discussed it with almost 7⃣0⃣0⃣ participants from the public sector, academia, and civil society! 👩💻
Missed it? Check the slides & recordings 👉 https://europa.eu/!x98WfB