m0xEE @m0xee@librem.one

@unspeaker
But the best part was that the have released a follow-up to that collaboration right the next year. And it was just as good!
Now I dig everything he does, even if I don't like some release originally, it starts growing on me eventually — and he keeps cranking out like 4-5 of them every year. It's very rare for me to like the output of someone so prolific!
Sorry for highjacking your Homeboy Sandman thread 😋

@unspeaker
I'm not a vegetarian and maybe I just didn't like his song about beef 😜
From a later album, which is very good BTW.
In any case, he's very skilled — always a pleasure to listen to!

But right now I'm too hooked on AJ Suede. I found out about him when Fake Four made his album with Televangel available for free! In FLAC! 🤩
Check it out: https://fakefour.bandcamp.com/album/metatrons-cube
But he sounds "darker" and that might be not your thing, Homeboy Sandman sounds easygoing even when he touches serious topics 😄

@unspeaker
> from the album "Don't Feed The Monster"
Hm-m… For some reason that album sounded rather bland to me… 🤔
Maybe I should give it another spin! 😁

@voxel
…I'm not against using JS to enhance the browsing experience, but when I can't even read the text, a very basic thing really — that makes me sad.
safety.google does give you text in w3m — just checked, but websites that do not even try and just give you the "please enable JS" warning, such as crates.io, are pure evil IMO.
@leberschnitzel @protonprivacy

@voxel
In this case it kinda is. As someone who uses w3m to browse the web on a semi-regular basis, I can attest that a lot of websites work fine in such a browser. And it's not just a matter of being stubborn and keeping JS disabled — I sometimes use it on computers where starting Firefox might be heavy on the resources. Mind you.
@leberschnitzel @protonprivacy

@ackasaber@mathstodon.xyz
Normally a browser would detect that and refuse to connect giving you a warning or silently fail if such a host is only a source of scripts images, but as I have my own CA, all my computers have its cert installed, all the certificates I sign with it become trusted and it works 😁
It's just something that I realised today (well, yesterday in fact, before Durov got apprehended). There might be other caveats, I'm not a security researcher, otherwise I'd do a proper writeup.
@kravietz

@ackasaber@mathstodon.xyz
Well, Armenian company is unlikely to hold certificates issued to host names used by Telegram, with compromised CA you can do lots of interesting things. For example I hate ajax.googleapis.com so I've made a local mirror of it (you can use Decentraleyes or other such extensions, but why bother if you can have a more fundamental solution), of course I can't legitimately issue a certificate to a host name owned by Google, so it uses my own cert.
@kravietz

@robryk
It was on the news in 2022, e.g. here: https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/
In Russia it's a well known fact, maybe not so much outside of it, hence my remark
Check out https://sberbank.ru/ for example, this is one of the biggest banks in Russia and their cert expired only just recently.
@kravietz

@robryk
Yandex might be compromised and has security services representatives on board — therefore should no be trusted, but it's not officially a state-owned company — they might be exempt to these sanctions, but they still distribute their own Yandex Browser with said CA baked in. Few others might be using certs that are still valid — those didn't get revoked, they just can't renew them.
@kravietz

@Hyolobrika
Why would it be? TLS is only the first layer — some metadata probably still gets transferred over it, it's what is considered unencrypted, but on top of it at least Element and Schildi have proper cryptography module in WAsm, it works mostly the same as desktop SW would. I'm not sure how Fluffy works, but it's probably the same.
Although browser cryptography is a classic "bad idea": https://tonyarcieri.com/whats-wrong-with-webcrypto , it's not the worst of what we have to deal with now daily😅

@Hyolobrika
You can use Element in Firefox, I think you can also use Fluffy Chat and there's a desktop version of Schildi, but you need Node.js to host it, so I've never tried it myself.
If you want chats only and are fine with TUI, there's gomuks — you only need go and libolm to build it, I think you can even build it without cloning the source using "go install github.com/tulir/gomuks" — should work, but I haven't tried that myself in ages.

@Hyolobrika
Come to the Matrix side! We have "Unable to decrypt message"… too! Yeah, we have that one too 🤣

@romin
Well, at least we would get VR support this time 🤪

@kravietz
Thus communication of Russians, most of which have to have this cert installed (they still have to use banks and government-provided services) over non-E2E-encrypted messengers such as Telegram are in theory "transparent" to Russian "law enforcement". I don't know though, if Telegram apps perform any checks and give you any warning if the non-expired certificate gets replaced all of a sudden.

@kravietz
To avoid the suspiciously looking warnings they have made their own certification authority and are actively encouraging users to install this CA certificate to their systems. With this cert in the system, MITMing anything gets relatively easy.

@kravietz
> group chats can’t be end-to-end encrypted (E2EE), so their contents are readable to at least Telegram operators
Only today this came to me: little is known about it in the rest of the world, but due to sanctions, Russian enterprises and government organizations can't acquire proper security certificates recognised by most widely used browsers.

@threat
They probably can't be taking amphetamines while on duty… That's what speed dating is about, right?
@get @Doll @p @0 @FrogsAreREEEcist @sun