privacy


aprnu, in Signal leaked random contacts to me!

deleted_by_author

    ErKaf,

    I already made a bug report on Signal’s website. Wouldn’t that be a duplicate?

    fmstrat,

    Why would you send them to the Android repo instead of github.com/signalapp/Signal-Desktop?

    elias_griffin, (edited ) in Signal leaked random contacts to me!

    Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

    Help us with:

    • Your OS Version
    • OS settings that are possibly related
    • How you obtained Signal
    • Signal version
    • Video proof
    • Steps to reproduce

    Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

    ErKaf,

    imgur.com/a/a6CQSpA

    The video proof. It also shows the OS and steps to reproduce.

    How I obtained Signal: Flathub
    Signal version: 6.38.0
    OS settings: Nothing relevant.

    filcuk,

    Wicked, thanks for sharing

    mintycactus,

    deleted_by_author

    ErKaf,

    Tell me any other more official way to obtain Signal on Fedora. Signal only provides .deb files. Flathub is my only option.

    Pantherina,

    Flathub. openSUSE has a repo, but just use Flathub; dependencies are a mess.

    ErKaf,

    Oh you mean literally the source I said in the comment above.

    Pantherina,

    Yup, either official and through an Ubuntu/Debian container, or mess up your local system with the openSUSE repo, or just use the Flatpak that just works.

    ErKaf,

    Yea so what I already do…

    elias_griffin, (edited )

    This is super helpful, I may post this to infosec.exchange. Flathub makes it so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons, so I don’t know if you can even isolate the PID? Anyone know?

    I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:

    1. ps the PID of Signal or secondarily, Flathub
    2. lsof -p PID
    3. strace
      • sudo strace -f -t -e trace=file -p PID
    4. sysctl kernel.randomize_va_space
      • pkill/killall Flathub/Signal and restart FH/Signal and see if it still presents the vulnerability
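    Putting the checks in that list into one script, as an added example that is not part of the comment above and not Signal’s or Flatpak’s own tooling. It assumes the Electron process matches the pattern `signal-desktop` in `ps` (a placeholder; override `SIGNAL_PATTERN` if yours differs), that `pgrep`, `lsof`, `strace` and `timeout` are installed, and that the caller is allowed to ptrace the process (run it with sudo or relax Yama ptrace_scope for the session). The restart-and-retest step is left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread: runs the listed checks against a
# running Signal Desktop and prints what a reviewer would want to see.
# Assumptions (mine, not documented names from Signal or Flatpak):
#   - the Electron process shows up in `ps` matching SIGNAL_PATTERN
#     ("signal-desktop" is a placeholder; override it if yours differs),
#   - pgrep, lsof, strace and timeout are installed,
#   - the caller may ptrace the process (sudo, or relaxed
#     kernel.yama.ptrace_scope for the session).

SIGNAL_PATTERN="${SIGNAL_PATTERN:-signal-desktop}"
TRACE_SECONDS="${TRACE_SECONDS:-15}"

# Step 1: find the PID. -o picks the oldest match, normally the parent
# Electron process rather than one of its renderer/zygote children.
find_signal_pid() {
    pgrep -f -o "$1" 2>/dev/null
}

# Step 3: the exact strace invocation, returned as text so it can be
# reviewed (or pasted under sudo) before anything is attached.
strace_cmd() {
    printf 'strace -f -t -e trace=file -p %s' "$1"
}

# Step 4: read kernel.randomize_va_space straight from /proc so the check
# works even where sysctl(8) is not installed. 2 is the normal value.
aslr_status() {
    v=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null) || v=""
    case "$v" in
        0) echo "off" ;;
        1) echo "partial" ;;   # stack, mmap and VDSO randomised, brk is not
        2) echo "full" ;;
        *) echo "unknown" ;;
    esac
}

inspect_signal() {
    pid=$(find_signal_pid "$SIGNAL_PATTERN")
    if [ -z "$pid" ]; then
        echo "no process matching '$SIGNAL_PATTERN'" >&2
        return 1
    fi
    echo "== ASLR (kernel.randomize_va_space): $(aslr_status)"
    echo "== process $pid and its parent"
    ps -o pid,ppid,user,etime,args -p "$pid"
    # Step 2: open files. Keep regular files and sockets; the lines worth
    # reading are the SQLite database, its config directory and any network
    # endpoint that is not Signal's own service.
    echo "== open files and sockets"
    lsof -n -P -p "$pid" 2>/dev/null |
        awk 'NR == 1 || $5 == "REG" || $5 == "IPv4" || $5 == "IPv6" || $5 == "unix"'
    # Step 3: file-related syscalls for a bounded time; timeout detaches strace.
    echo "== file syscalls for ${TRACE_SECONDS}s (needs ptrace permission)"
    timeout "$TRACE_SECONDS" $(strace_cmd "$pid")
    # The restart-and-retest step is manual: rerun this script after stopping
    # the app (for the Flatpak, `flatpak kill org.signal.Signal`; app id assumed)
    # and launching it fresh.
}

# Only attach when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    --run) inspect_signal ;;
esac
```

    Run it as `sudo sh signal_inspect.sh --run` and compare the lsof and strace output against what a chat client should touch: its own config and database directory, font and GPU caches, and connections to Signal’s service. Anything reading other applications’ data directories or talking to unexpected hosts is what to bring back to the thread.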

    pkill, (edited )

    I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerating the keys on a frequent basis (yes, I know full disk encryption is somehow a viable solution against unwanted physical access). But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for an app passphrase (which is available in the case of Molly, along with regular wiping of RAM data, which makes things like cold boot or memory corruption attacks harder).

    ErKaf,

    There is nothing I hate more than typing on my phone. I can’t live without Signal Desktop.

    wincing_nucleus073,
    pkill,

    maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV; for me, the last time I used it, it was quite rough around the edges, but I’m happy to see it’s actively maintained so might be worth checking out.

    Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation, which can be further improved with flatseal and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to its wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.

    The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.

    hersh, in Signal leaked random contacts to me!

    Has anyone else been able to reproduce this? I just tried and was not able to.

    OP, is it possible these people were in group chats you were part of?

    aodhsishaj,

    I still don’t see any bug report anyone can follow up on… I cannot trust OP’s experience until that’s linked here.

    ErKaf,

    The bug report forum from Signal doesn’t give you any link.

    ErKaf,

    No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for real-life friends from my country. I never joined any random group. These people are from all over the world.

    hersh,

    Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).

    Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.

    Please keep us posted if you get any official response or learn anything new!

    ErKaf,

    Nope. And I maybe should have added (did it now) that this only appears to be a problem with Signal Desktop. My Signal app on Android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.

    Pantherina,

    Group chats very likely. There are often sync issues from mobile, so these may just be old spam or group chat numbers.

    elfio, in SimpleX Chat v5.4 is released

    I gave it a try but I think I’ll wait until I can use the same ID from both phone and PC.

    elias_griffin, in I deleted my google accounts today

    Welcome to the real world.

    rip_art_bell,

    You think that’s air you’re breathing?

    elias_griffin,

    Let’s not go all the way down the rabbit hole in one pill. Steps of one less person so inured (Definition: Made tough by habitual exposure), so hopelessly dependent on Google.

    rip_art_bell,

    What are you trying to tell me? That I can dodge bullets?

    Katzastrophe, in Signal leaked random contacts to me!

    Wtf is happening in these comments

    ErKaf,

    No clue.

    possiblylinux127,

    What?

    LWD, (edited ) in Signal leaked random contacts to me!

    deleted_by_author

    ErKaf,

    56 different numbers from all over the world, and all of them are actually real and have signal? I doubt I accidentally do something like this haha :)

    authed, (edited ) in Signal leaked random contacts to me!

    deleted_by_moderator

    ErKaf,

    What

    authed,

    DID YOU CALL THE IRAQ NUMBER?

    ErKaf,

    Yea, of course I just call some random number. I talked to them for a couple of hours. Really nice guy. We will meet tomorrow to chill at his place.

    authed, (edited )

    At least you read me this time… Give it to me I’ll call

    ErKaf,

    1-888-481-4913

    authed, (edited )

    Ok funny guy… do you have any neurons left… Reddit makes more sense than you… You could have at least given a random 964 number

    ErKaf,

    Call this number

    authed,

    Of course I will

    ErKaf,

    I wish you much fun.

    authed,

    Same

    authed,

    It was a gay agency… Is that yours

    ErKaf, (edited )

    As far as I know, it’s just some sex hotline I found online. Nothing on the website said it’s for Gay people. So I guess you just tried to insult me with “gay” by asking if it’s my Gay agency. xD Do you actually think that “gay” is an insult? Jokes on you, I’m Bisexual. So I’m half gay, now what? xD Insulting someone with “gay” in 2023. Man, you are really fucking cringe. Try to get some actual insults. 4th graders insult better than you, maybe ask them.

    authed, (edited )

    You are so easy to predict… Just wondering why you put gay in quotes though …

    steersman2484,

    0118 999 881 999 119 725 3

    authed,

    Great… Another loopy head

    TWeaK,

    This comment is fire.

    ErKaf,
    authed,

    Kids need to be reminded of Bush and his atrocities

    Titou,

    replace Bush with the USA and it’s pretty accurate

    ErKaf,

    ever*

    can,

    Did I miss where OP said they’re in France?

    ripe_banana, (edited ) in Signal leaked random contacts to me!

    For all of our safety, consider submitting a bug report.

    ErKaf,

    Thanks for the Link. I submitted a report.

    KLISHDFSDF,

    link to report so we can track? thanks!

    ErKaf,

    I just followed his link and submitted my report. Don’t have any link.

    rockSlayer,

    I don’t think it’s the same user, but here’s a report on GitHub with same repro

    ErKaf, (edited )

    This is a totally different thing, and I also don’t get what the problem of this user is. He wants to share a picture and then, just like on Android, the list of your recent chats opens, where of course the profile pic shows so you know where you want to send it to, and he somehow doesn’t want the profile pic to be there even though this is totally normal behavior on Android and iOS since… always? Or do I misunderstand his problem because I don’t use iOS? Well, the most important part: it doesn’t sound like my problem at all.

    elias_griffin,

    What that user is describing is very serious. They are saying iOS can reach into Signal and extract data.

    folkrav, (edited )

    The user is describing iOS’ share sheet, which Signal seems to advertise as a feature. The OS isn’t reaching in and grabbing data, Signal is providing data to the OS.

    Also note that said user signaled this on the Signal-Android repo, which combined with their inability to find this info, when I don’t even own an iOS device, makes me think they aren’t the most observant user out there.

    elias_griffin, (edited )

    No. In the “Steps to reproduce”, turning on the Signal setting “Show in Suggestions” was not listed, nor any setting of this type.

    ErKaf, in Signal leaked random contacts to me!

    I just counted. Signal leaked 56 random people to me.

    bbbhltz, in Help me choose my mobile browser

    Not a complete answer, but I stand behind Privacy Browser. The dev has a great blog explaining how the browser works:

    www.stoutner.com/webview/

    www.stoutner.com/…/core-privacy-principles/

    www.stoutner.com/…/permissions/

    I appreciate the transparency of the Dev and I am looking forward to the long-teased 4.x series that will ship with its own webview.

    If you decide not to use it, keep it on your watchlist.

    ashtrix,

    Seconded. It’s my default browser and the amount of control it provides is fantastic.

    itsaj26744,

    It is in Obtainium; will use it as a disposable browser when ready.

    Catsrules, in US govt pays AT&T to let cops search Americans' phone records – 'usually' without a warrant

    Glad to see my tax dollars going to a good cause. /s

    Libb, in I deleted my google accounts today

    Hi,

    Trying to do it myself but I’m stuck with YouTube.

    I mean, I need a gmail account to pay for the Premium sub. And then, most creators are still using YouTube, not the few alternatives… How do you guys do it?

    hswolf,

    why would you do something so barbaric as paying yt premium?

    not sarcasm joke, really curious

    Blue_Morpho,

    Wife watches yt on Roku.

    trollblox_,
    Blue_Morpho,

    Pihole hasn’t blocked YouTube ads in years because the ads come from the same domain. And that’s not including the new crackdown that YouTube did on ad blocking.

    hansl,

    I like paying creators their due and don’t like seeing ads. Fuck me, right?

    hswolf,

    I’m not trying to criticize anyone here for their choices, I’m just curious about the actual effects of such a subscription.

    As of now the most basic one is 14usd/month; how much of that money gets to the creators that you want to support? As of the writing of this response I don’t know this information nor searched about it. Do we have an actual diagram or any information saying how much you are contributing for each channel you are subscribed to?

    Suppose you are subscribed to 28 channels and the sub money gets distributed evenly, that’s 50 cents a month to everyone, not much “paying their due” in my opinion.

    Now if you really really want to patronize one, two or three channels, wouldn’t sending money directly to them or paying their exclusive membership be a more reasonable way to go about it?

    Libb,

    not sarcasm joke, really curious

    I take your question without sarcasm.

    Disclaimer: I use uBlock Origin myself, as I really don’t like being forced to see ads.

    That said, I don’t think paying for content is ‘barbaric’ either. It’s a personal choice. Either you want to pay and you can, or you don’t want to, or you simply can’t. All three are fine by me.

    As a teen, back in the 80s, I could not and did not pay for content (it was not online back then, but copying music, books and even movies, or computer applications was a thing). Since then I got a few jobs, and the money that comes with them. So, I can support the creators I like and I don’t need to spend time copying anything or searching for workarounds to access it. Be it on YT, or anywhere else. I would love to not pay Google, mind you, but since so, so many creators are still only hosted there, and since YT premium makes it so easy to pay them (a single monthly payment)…

    hswolf,

    Fair point! See my answer on the other user’s message where I talk about targeted patronization instead of overall subscription, I’d love to hear your opinion about it

    Libb, (edited )

    I’ve read it. Since you asked my opinion, here it is ;)

    As of now the most basic one is 14usd/month, how much of that money gets to the creators that you Want to support?

    (to be precise:) I don’t pay 14/month to support creators. I pay 14/month to be allowed to skip the ads that support those channels while still supporting the creators and YT. That’s what I’m paying for, and that’s what’s advertised in big bold face when you look at the YT Premium sub page:

    YT Premium ad

    OK, that plus YT Music, but I don’t care much about that forced bundle (I use Apple Music). Not a word on supporting creators… Because we know it’s ads that are supporting the creators, not the premium subscribers. As a premium subscriber, I just pay to skip ads. The difference is essential.

    Suppose you are subscribed to 28 channels and the sub money gets distributed evenly, that’s 50 cents a Month to everyone, not much “paying their due” in my opinion.

    Creators do choose to sign up on YT knowing it’s ad revenue that will pay them, not the viewer’s money (unlike, say, on LTT Floatplane). As a viewer, YT gives me the choice to a) watch those ads (knowing a small share will go to the creator) or b) pay a Premium sub to skip them (knowing a small share of my Premium will go to the creator). I chose b).

    Is it enough revenue for each creator? It’s not for me to say. No more than it is the creator’s job to worry whether I, as a viewer, earn enough money myself to be able to afford the price of the YT sub ;)

    Imho, a much more interesting question to ask would be: how much money does a creator get from YT ads versus how much does the creator get from a Premium viewer watching the same video? I’m willing to bet they get more from a premium viewer than from the same viewer watching ads, or at the very least that they get the exact same value, but, quite obviously, I have no idea at all.

    In the end, it’s a simple question of offer and demand. I want to watch X creators. Most are on YT. I can skip YT ads for a fixed amount of money, knowing that if I pay that money all creators will be compensated at least the same as if I watched the ads. Win-win. If it happens that those creators consider ad revenues are not enough, it’s a whole other issue. An issue they should discuss together between creators, and with Google. Not with the viewer, or… only if it is to discuss the possibility of leaving YT and see how many viewers would be OK to follow them elsewhere and to pay to support their work.

    edit: typos & clarifications.

    hswolf,

    I understand your view, it’s indeed a lesser hassle to just pay the subscription and be done with it.

    I can be wrong about it, but judging by how big corpos operate things, most of that sub money probably will end up in the company account, not the creators’ (again, I can be wrong about this).

    Wouldn’t you say that using an adblock and supporting creators directly (hot take here since you could want to support 50 people), be a more reasonable and better approach?

    Ads are fine, but while the company is being obnoxiously intrusive and predatory towards its customers, it’s hard to just pay to not be inconvenienced.

    Libb,

    judging by how big corpos operate things most of that sub money probably will end up in the company account, not the creators.

    Agreed. Suffice to see the valuation of those corps. It’s not the tooth fairy that gave them all their coins ;)

    That said, it is YT that hosts the gazillion of disk space required to store the videos, it is them who manage the website and all our accounts and payments, it is them who deal with comments and moderation, it is them that find advertisers for creators, and it is them that provide everything else I’m not even aware of. Do they do it perfectly? Nope ;) But they do it and they too should be compensated for that. And it is certainly not free: disk space costs real money, as do people’s salaries, even for Google. Could they share it more generously? I’m willing to bet yes. But it’s up to the creators, not to me the viewer (I would view them on any other platform they chose).

    Wouldn’t you say that using an adblock and supporting creators directly (hot take here since you could want to support 50 people), be a more reasonable and better approach?

    Better, I don’t think so: it’s the exact same money that is spent one way or another. It would also end up costing me more. Which I probably would not agree with.

    Reasonable? Well, it can be. It depends on your priority. Mine, as a viewer, is not to have to spend too much of my free time managing subs and payments. What I want on YT is to watch stuff and have a good time, not turn that into another job of mine (or then I should get paid, like for any job ;)

    To be clear, if I had to micro-manage every single creator I like to watch, I would watch… a lot less of them. A lot. I can only think about two, maybe three.

    And that would not be a good thing for either the other creators or for Google/YT. As a publicly traded company, Google needs to be perceived as successful (aka, having a lot of views at every single second) and creators themselves, they need the views in order to, well, become popular. No views, no popularity (no popularity, no sponsors). Note that I did not say they need ‘Premium/paid views’ or ‘ad-supported views’. They need all the views they can get, even the ones behind ad-blockers. Ever wondered why YT doesn’t punish users of ad-blockers by not counting their views as legit views? ;)

    Ads are fine,

    Not by me. I think they are not. I consider ads (and the constant profiling that comes along) a major threat to our society (very personal opinion, but mine nonetheless).

    That’s why I’m happy to pay to skip them (while still using an ad-blocker and multiple browsers, to make sure tracking is really screwed). That’s also why I pay for my search engine (kagi.com: zero ads, zero tracking), that’s why I have not owned a TV set since the very early 00s (when TV ads became so prevalent in my country, France): since there was no way to skip ads on TV, I stopped watching TV (I value my time, and my peace of mind, much more than any series or show… and then I can now watch them ad-free on Netflix or anywhere else if I really want, which is not that often). That’s also why I use iOS and not stock Android (less tracking, fewer ads, less Google), that’s why I also use a GNU/Linux Debian laptop and a Mac desktop. And that’s why I will never use a Microsoft product ever again: I stopped using Microsoft the day they decided to introduce ads in their OS, making it obvious to anyone all the tracking that was going on. I refuse that. Ads in the OS, ffs…

    but while the company is being obnoxiously intrusive and predatory towards Its customers, it’s hard to just pay to not be inconvenienced.

    Sorry, I’m not sure I understand that sentence (I try my best to get better but my English is still so limited). Would you mind explaining it otherwise?

    cellardoor,

    My friend, look into Grayjay, SponsorBlock, Firefox and UBlock

    trollblox_, (edited )

    GrayJay is awesome, I’m excited for more sites to be added! I just need to work through my YouTube algorithm addiction lmao

    sntx,

    Try Invidious, FreeTube, NewPipe,… All allow you to watch regular youtube content without ads. You can also create instance local accounts to “create playlists” and “subscribe” to people.

    wieli99,

    Do they support casting to Chromecast etc as well?

    sntx,

    I can’t answer that since I don’t have any cast-enabled devices.

    MrSilkworm,

    if you’re using a desktop, try Firefox with the uBlock Origin and SponsorBlock addons. On Android either try the above or use ReVanced.

    pewgar_seemsimandroid, in Help me choose my mobile browser

    try iceraven?

    itsaj26744,

    But for what? Elaborate pls!

    pewgar_seemsimandroid,

    I could make out that you want:

    about:config

    mobile extensions

    privacy focused

    and iceraven is all 3

    itsaj26744,

    In privacy I think Mull is better than Iceraven with its arkenfox.js and trackers removal. Extensions can be added to all these browsers by custom addon collection

    onlinepersona, in I deleted my google accounts today

    Welcome to the degoogled fold 🤗

    hansl,

    Serious question; what do you use for OAuth?

    onlinepersona,

    OAuth? Do you mean 2FA? OAuth just requires you to be able to open a URL, so all you need is a browser. (see the https://en.wikipedia.org/wiki/OAuth#/media/File:Abstract-flow.png)

    hansl,

    No I mean all those web services that only allow you to use OAuth to sign in and don’t give you the option of creating a username/password combo.

    onlinepersona,

    I haven’t encountered such a service that I cannot live without --> I don’t use it. To be honest, I can’t even remember such a service.
