●● IRC: #techbytes @ Techrights IRC Network: Wednesday, December 08, 2021 ●●
● Dec 08
[01:20] *GNUmoon2 has quit (Ping timeout: 2m30s)
[01:26] *u-amarsh04 has quit (Quit: Konversation terminated!)
[01:26] schestowitz https://twitter.com/TheDickKnightV2/status/1468226178750324823
[01:26] -TechBytesBot/#techbytes-@TheDickKnightV2: @schestowitz I would love to hear how they plan to enforce safe storage laws. California has them and it surely hasnt been working.
[01:26] schestowitz https://twitter.com/IMDibe/status/1468183100228259846
[01:26] -TechBytesBot/#techbytes-@IMDibe: @schestowitz Junk reporting.
[01:26] *GNUmoon2 (~GNUmoon@9usr6fbbjhvag.irc) has joined #techbytes
[01:28] *liberty_box has quit (Ping timeout: 2m30s)
[01:29] *liberty_box_ has quit (Ping timeout: 2m30s)
[01:33] *u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes
[01:36] schestowitz Re: Certificates on TechRights
[01:36] schestowitz > Hi Roy,
[01:36] schestowitz >
[01:36] schestowitz > I am conversing with the author of a fairly popular site
[01:36] schestowitz > ( guide) and talking about site certificates.
[01:36] schestowitz > (see below)
[01:36] schestowitz > Do you have any thoughts or recommend any articles on where
[01:36] schestowitz > this is going?
[01:36] schestowitz >
[01:37] schestowitz > all good wishes,
[01:37] schestowitz My answer in-line, below:
[01:37] schestowitz > Date: Mon, 06 Dec 2021 13:31:56 +0000
[01:37] schestowitz > From:
[01:37] schestowitz > To:
[01:37] schestowitz > Subject: Re: Article on teaching cybersecurity
[01:37] schestowitz >
[01:37] schestowitz > You might suggest to that he add download links for his
[01:37] schestowitz > podcast episodes. I almost never listen to podcasts on my computer.
[01:37] schestowitz > I listen when I'm away from my computer, while doing other things.
[01:37] schestowitz >
[01:37] schestowitz > I would be interested to know why Roy uses a self-signed certificate.
[01:37] schestowitz > I'm considering writing an article that delves into how much of
[01:37] schestowitz > browser security warnings are justified and how much are not. It
[01:37] schestowitz > occurs to me that websites that are HTTP only or that use self-signed
[01:37] schestowitz > certificates may be the new darkweb.
[01:37] schestowitz The term "darkweb" is a meaningless buzzword that should be avoided. People who say "darkweb" help the likes of BBC perpetuate ruinous myths, e.g. about a forum that requires a username/password to access.
[01:37] schestowitz > I wonder if their owners want
[01:37] schestowitz > their sites to be hidden, simply don't care, or their sites are
[01:37] schestowitz > completely driven by word-of-mouth traffic.
[01:37] schestowitz This is untrue. The site has HTTPS support, the certificate is signed, but it does not outsource trust to untrustworthy hacks:
[01:37] schestowitz http://techrights.org/2020/11/07/free-privacy-lunch/
[01:37] schestowitz Apropos: http://techrights.org/wiki/Linux_Foundation
[01:37] -TechBytesBot/#techbytes-techrights.org | Lets Encrypt is Garbage, Albeit Its Disguised as Free Privacy | Techrights
[01:37] -TechBytesBot/#techbytes-techrights.org | Linux Foundation - Techrights
[01:37] schestowitz There are also purely technical reasons, but that's a longer debate.
[01:37] schestowitz Gemini strictly requires certificates, but fully and happily supports self-signing.
[01:37] schestowitz A Web that is centralised isn't worth having.
[01:37] schestowitz Also: http://techrights.org/2020/03/04/lets-ask-lets-encrypt/
[01:37] schestowitz Please pass along my feedback and consider writing about it. Your article was very well received and we'd love to publish more like it.
[01:37] -TechBytesBot/#techbytes-techrights.org | Techrights Urges Readers to Ask the Linux Foundations Lets Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions | Techrights
[01:37] schestowitz Kind regards,
[01:38] schestowitz Fwd: AI in an IP world
[01:38] schestowitz A group of colleagues at Reddie & Grose recently published a newsletter called AI in an IP world which features a collection of insights into how patents can protect AI related inventions.
[01:38] schestowitz I think it's worth a read:
[01:38] schestowitz AI in an IP world - Intellectual Property Law - Reddie & Grose
[01:38] schestowitz AI in an IP world - Intellectual Property Law - Reddie & Grose
[01:38] schestowitz Reddie & Grose's Artificial Intelligence (AI) newsletter, a collection of insights into how patents can protect AI related inventions, and what AI can do for the intellectual property world.
[01:41] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[01:41] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
● Dec 08
[02:04] *u-amarsh04 has quit (Quit: Konversation terminated!)
[02:13] *GNUmoon2 has quit (Ping timeout: 2m30s)
[02:13] *GNUmoon2 (~GNUmoon@6ujf8e7nw8qfi.irc) has joined #techbytes
[02:43] *liberty_box has quit (Ping timeout: 2m30s)
[02:43] *liberty_box_ has quit (Ping timeout: 2m30s)
[02:55] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
[02:55] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
● Dec 08
[03:57] *liberty_box_ has quit (Ping timeout: 2m30s)
[03:57] *liberty_box has quit (Ping timeout: 2m30s)
[03:57] *techrights_guest|12 has quit (Quit: Connection closed)
● Dec 08
[04:42] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[04:43] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
[04:51] *liberty_box_ has quit (Ping timeout: 2m30s)
[04:51] *liberty_box has quit (Ping timeout: 2m30s)
● Dec 08
[05:03] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[05:04] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
[05:41] *DaemonFC has quit (Quit: Leaving)
[05:42] *liberty_box_ has quit (Ping timeout: 2m30s)
[05:42] *liberty_box has quit (Ping timeout: 2m30s)
● Dec 08
[06:07] *GNUmoon2 has quit (Ping timeout: 2m30s)
[06:45] *u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes
[06:53] *GNUmoon2 (~GNUmoon@6msztc2mupc3w.irc) has joined #techbytes
● Dec 08
[07:06] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[07:06] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
● Dec 08
[08:13] *Grass has quit (Connection closed)
[08:40] *liberty_box_ has quit (Ping timeout: 2m30s)
[08:40] *liberty_box has quit (Ping timeout: 2m30s)
[08:40] *liberty_box (~liberty@suig26pxj59pi.irc) has joined #techbytes
[08:41] *liberty_box_ (~liberty@suig26pxj59pi.irc) has joined #techbytes
● Dec 08
[09:17] schestowitz > Thanks for these good responses and article links Roy.
[09:17] schestowitz >
[09:17] schestowitz > I too wish we could stop outsourcing "trust" to these obviously
[09:17] schestowitz > untrustworthy corporations. As I said, imho the problem lies with
[09:17] schestowitz > browser developers who make "user friendly" (corporate spyware), and
[09:17] schestowitz > web technology whose current level of complexity is completely broken.
[09:17] schestowitz >
[09:17] schestowitz > Maybe Gemini will give us back an "informative web".
[09:21] schestowitz Subject: Re: Certificates on TechRights
[09:21] schestowitz [sorry for the length of the reply]
[09:21] schestowitz >> I would be interested to know why Roy uses a self-signed certificate.
[09:21] schestowitz >> I'm considering writing an article that delves into how much of
[09:21] schestowitz >> browser security warnings are justified and how much are not. It
[09:21] schestowitz >> occurs to me that websites that are HTTP only or that use self-signed
[09:21] schestowitz >> certificates may be the new darkweb.
[09:21] schestowitz >
[09:22] schestowitz > The term "darkweb" is a meaningless buzzword that should be avoided.
[09:22] schestowitz > People who say "darkweb" help the likes of BBC perpetuate ruinous myths,
[09:22] schestowitz > e.g. about a forum that requires a username/password to access.
[09:22] schestowitz I would say that those security warnings are mostly about control and
[09:22] schestowitz not about ensuring the integrity or confidentiality of communications.
[09:22] schestowitz But first about Tor. The project used to have a more detailed page
[09:22] schestowitz explaining its user base, but the gist remains:
[09:22] schestowitz https://donate.torproject.org/donor-faq/
[09:22] -TechBytesBot/#techbytes-donate.torproject.org | Tor Project | donor-faq
[09:22] schestowitz Their site has gotten much less informative and significantly wordier
[09:22] schestowitz recently. Here are some of their links to some scripts, as PDF,
[09:22] schestowitz carrying text about the topic:
[09:22] schestowitz https://community.torproject.org/user-research/reports/
[09:22] schestowitz (For what it's worth, Tor is not the only privacy network. There are
[09:22] -TechBytesBot/#techbytes-community.torproject.org | Tor Project | Reports
[09:22] schestowitz I2P and Freenet, to name just two more.)
[09:22] schestowitz One of the ways that TR itself uses Tor is to read news in countries
[09:22] schestowitz that block outside access. Another use-case is it provides a steady
[09:22] schestowitz address as well as the ability to "NAT punch" for road warriors and
[09:22] schestowitz those in similar situations.
[09:22] schestowitz Now about self-signed certificates, I too observe that the major web
[09:22] schestowitz browsers, and allied institutions and businesses, have oriented their
[09:22] schestowitz software and activities to discourage, disparage, and/or block
[09:22] schestowitz self-signed certificates for web sites. Note the bad "safety" rating
[09:22] schestowitz that Netcraft gives such HTTPS sites.
[09:22] schestowitz However, the harm is greater and more insidious than it looks like at
[09:22] schestowitz first glance: the self-signed part does not refer to the certificate
[09:22] schestowitz signing itself. The self-signed part refers to the act when an
[09:22] schestowitz institution (project, business, school, whatever) signs its own. Those
[09:22] schestowitz discouraging self-signing are doing no less than attacking the authority
[09:22] schestowitz of those institutions to be allowed to testify themselves as to the
[09:22] schestowitz integrity and confidentiality of their own communications.
[09:22] schestowitz At the same time as people are discouraged from trusting certificates
[09:22] schestowitz they make themselves and are not from big, brand-named companies, they
[09:22] schestowitz are encouraged to blindly trust all the certificates which have been
[09:22] schestowitz preloaded into their Web browsers. I am not familiar enough with
[09:22] schestowitz packaging to say what has come from where but in Ubuntu, for example,
[09:22] schestowitz there are hundreds of such certificates:
[09:22] schestowitz $ ls /etc/ssl/certs/ | wc -l
[09:22] schestowitz 257
[09:22] schestowitz Any of those hundreds can MitM the communication to observe or change
[09:22] schestowitz the message. See from the EFF back when it focused on its core mission:
[09:23] schestowitz https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
[09:23] -TechBytesBot/#techbytes-www.eff.org | New Research Suggests That Governments May Fake SSL Certificates | Electronic Frontier Foundation
[09:23] schestowitz In the case of scripts, such as PDF or Javascript, those changes mean
[09:23] schestowitz unprivileged access to the system, at least initially. Once local,
[09:23] schestowitz there are usually many ways to pivot to privileged access if that is the
[09:23] schestowitz goal. A perennial on most systems is RowhammerJS, I presume. Be that
[09:23] schestowitz as it may, even unprivileged access allows monitoring of the data going
[09:23] schestowitz either direction.
[09:23] schestowitz tldr; It's about freedom yet again: The self-signed aspect refers to
[09:23] schestowitz the act when an institution signs the very encryption keys it will
[09:23] schestowitz itself use.
[09:23] schestowitz xxxxxxxxxxxxxxxxxxxxxxxxxx
[09:23] schestowitz ----
[09:23] schestowitz certificates are used by far more than the web. Some of these require
[09:23] schestowitz certificate, for others it is optional but highly recommended: Tor, SSH,
[09:23] schestowitz Gemini, SMTP, MQTT, MySQL/PostgreSQL, etc. Either way, signing an
[09:23] schestowitz institution's own certificates ensures both the confidentiality and
[09:23] schestowitz integrity of the communications.
[09:23] schestowitz See a small subset of examples, with or without TLS, mostly with:
[09:23] schestowitz https://en.wikipedia.org/wiki/National_identity_cards_in_the_European_Union#Electronic_identity_cards
[09:23] -TechBytesBot/#techbytes-en.wikipedia.org | National identity cards in the European Economic Area - Wikipedia
[09:23] schestowitz https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication
[09:23] -TechBytesBot/#techbytes-en.wikibooks.org | OpenSSH/Cookbook/Certificate-based Authentication - Wikibooks, open books for an open world
[09:23] schestowitz https://dev.mysql.com/doc/refman/8.0/en/encrypted-connections.html
[09:23] -TechBytesBot/#techbytes-dev.mysql.com | MySQL :: MySQL 8.0 Reference Manual :: 6.3 Using Encrypted Connections
[09:23] schestowitz https://core.telegram.org/mtproto/transports
[09:23] -TechBytesBot/#techbytes-core.telegram.org | Transports
[09:23] schestowitz https://signal.org/blog/certifiably-fine/
[09:23] -TechBytesBot/#techbytes-signal.org | NO TITLE
[09:23] schestowitz https://www.ftptoday.com/blog/explicit-ftps-vs-implicit-ftps-what-you-need-to-know (FTP is deprecated even when mixed with TLS)
[09:23] -TechBytesBot/#techbytes-www.ftptoday.com | Explicit FTPS vs. Implicit FTPS: What You Need to Know
[09:23] schestowitz http://www.postfix.org/TLS_README.html
[09:23] -TechBytesBot/#techbytes-www.postfix.org | Postfix TLS Support
[09:23] schestowitz https://gemini.circumlunar.space/docs/tls-tutorial.gmi
[09:23] -TechBytesBot/#techbytes-gemini.circumlunar.space | TLS, client certificates, TOFU, and all that jazz
[09:23] schestowitz https://forums.raspberrypi.com/viewtopic.php?t=287326
[09:23] -TechBytesBot/#techbytes-forums.raspberrypi.com | Some Notes on setting up MQTT over TLS - Raspberry Pi Forums
[09:23] schestowitz Note that last one has inaccuracies like most TLS guides do.
[09:23] schestowitz -----
[09:23] schestowitz https://arxiv.org/abs/1507.06955
[09:23] schestowitz -----
[09:23] schestowitz If I understand the model correctly, that ability extends indefinitely
[09:23] -TechBytesBot/#techbytes-arxiv.org | [1507.06955] Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
[09:23] schestowitz down the chain of certificates which can trace their trust back to many
[09:23] schestowitz of those 257. Even going with the surface claims of certificate issuer,
[09:23] schestowitz it looks bad:
[09:23] schestowitz for c in /etc/ssl/certs/*;
[09:23] schestowitz do openssl x509 -text -noout -in "$c";
[09:23] schestowitz done | awk '($1=$1) && $1=="Issuer:"' | sort | less
[09:25] schestowitz another noteworthy aspect is: the extra complexity and risk of non-renewal (why expiry so rapid in LE?) encourages outsourcing and centralisation. Complexity like systemd, which might help sell support contracts rather than hire competent engineers in-house.
[09:26] schestowitz
[09:26] schestowitz 4 RSS readers every Linux user should try
[09:26] -TechBytesBot/#techbytes- ( status 404 @ https://www.techrepublic.com/article/rss-readers-linux-users/%22%3e4 )
[09:26] schestowitz
[09:26] schestowitz Standards like RSS are maybe the most underrated and underutilized feature of the modern web. RSS feeds are plain text files that every website publishes at a fixed address, with an explicit link or the common RSS icon. Those feeds are continuously rewritten with headlines, excerpts and links to the full versions of all the latest additions to that website. Then, using programs called RSS readers, or aggregators, you can
[09:26] schestowitz automatically download and read as many RSS feeds you want, whenever you want, in one window. It's hard to overstate how great this is, because: [...]
● Dec 08
[10:04] *tech_exorcist (~tech_exorcist@svp6nvmiuarba.irc) has joined #techbytes
[10:24] *tech_exorcist has quit (connection closed)
[10:56] *u-amarsh04 has quit (Quit: Konversation terminated!)
● Dec 08
[11:01] *tech_exorcist (~tech_exorcist@r7zq4q2ys63yk.irc) has joined #techbytes
[11:03] *u-amarsh04 (~amarsh04@t25x9hgy9xhrc.irc) has joined #techbytes
[11:10] *DaemonFC (~daemonfc@ddstkmbt93p8q.irc) has joined #techbytes
[11:39] *psydroid2 (~psydroid@cqggrmwgu7gji.irc) has joined #techbytes
[11:53] *screenplays (~roybsd@joseon-daa.91g.0nvsnc.IP) has joined #techbytes
● Dec 08
[12:01] *DaemonFC has quit (Quit: Leaving)
[12:44] *GNUmoon2 has quit (Ping timeout: 2m30s)
● Dec 08
[13:00] *GNUmoon2 (~GNUmoon@b4jjzquhwb7y2.irc) has joined #techbytes
● Dec 08
[15:10] *tech_exorcist has quit (Quit: bbl)
[15:17] *tech_exorcist (~tech_exorcist@kmujm4s8xqrtu.irc) has joined #techbytes
● Dec 08
[17:20] *DaemonFC (~daemonfc@ddstkmbt93p8q.irc) has joined #techbytes
[17:31] *tech_exorcist has quit (Quit: see you tomorrow)
[17:31] *tech_exorcist (~tech_exorcist@iwskee978x32q.irc) has joined #techbytes
[17:32] *tech_exorcist has quit (connection closed)
● Dec 08
[18:39] *screenplays has quit (Connection closed)
● Dec 08
[19:43] *tech_exorcist (~tech_exorcist@9z833ybby7ta4.irc) has joined #techbytes
[19:53] *DaemonFC has quit (Ping timeout: 2m30s)
● Dec 08
[20:17] *tech_exorcist has quit (connection closed)
[20:17] *tech_exorcist (~tech_exorcist@dmw5b4ab5hxvs.irc) has joined #techbytes
● Dec 08
[21:05] *GNUmoon2 has quit (Ping timeout: 2m30s)
[21:21] schestowitz https://www.fosslife.org/4-rss-readers-linux
[21:21] -TechBytesBot/#techbytes-www.fosslife.org | 4 RSS Readers for Linux
[21:21] schestowitz "
[21:21] schestowitz RSS readers are a great way to get all the online news you want without distractions or advertising, says Marco Fioretti.
[21:21] schestowitz Here are four RSS feeders focused on efficiency and privacy that you can use on your Linux-based machine.
[21:21] schestowitz "
[21:35] *tech_exorcist has quit (Quit: see you tomorrow)
● Dec 08
[22:12] *Yakut (~evil@joseon-6la.bbr.j4127h.IP) has joined #techbytes
[22:13] *Yakut (~evil@joseon-6la.bbr.j4127h.IP) has left #techbytes
● Dec 08
[23:09] *DaemonFC (~daemonfc@fx43r9f9r7aj8.irc) has joined #techbytes