privacy

This magazine is from a federated server and may be incomplete. Browse more on the original instance.

Supermariofan67, (edited ) in How bad is Idea of .Zip as password manager?

Zip uses very bad encryption that is vulnerable to a known plaintext attack. Do not ever use PKZIP encryption for any purpose github.com/kimci86/bkcrack

loutr,
@loutr@sh.itjust.works avatar

They added AES encryption to the spec 20 years ago. It’s pretty-well supported AFAIK.

stoy, in the encryption keys, why can't the government just sneak on them?

Asymetrical encryption solves this, here is my attempt to do an ELI5:

Adam want’s to send a chat message to Ben, but want to do it securely, so they use a special program on their computers.

When the Adam’s program first reaches out to Ben’s computer, it asks for an unlocked padlock, this is a padlock that can only be unlocked by Ben’s program.

Adam’s program takes the padlock and crafts a new special series of padlocks that only Adam’s program can unlock, which it put’s in a box and locks it with Ben’s padlock.

The box is sent to Ben’s program, the program unlocks the box and creates it’s own special series of padlocks that only Ben’s program can unlock, put them in a box and locks it with Adam’s padlocks.

The box is then sent to Adam’s program, and is unlocked.

This now means that Adam’s program can put messages to Ben in a box, lock the box with one of Ben’s special padlocks and send it on it’s way knowing that only Ben can unlock the box and read the message.

Likewise, Ben can also send messages in boxes locked with Adam’s padlocks and know that only Adam can unlock them and read the message.

Added to this is the fact that messages from Ben can be verified as having used the special padlocks Adam sent to Ben, as else Adam’s special key wouldn’t fit the padlocks given to Ben.

In reality the padlocks are keys to lock a message, and the above text describe a secure key exchange.

zaknenou, (edited )
@zaknenou@lemmy.dbzer0.com avatar

Oh! I remember these steps being explained on a youtube video before. So the point is that the padlock (that Adam received on the third paragraph) is like a program on my windows desktop, I can run it (here like Adam uses it to encrypt the date), I can copy it and send it to a friend, but I can’t read the code which is compiled through an unknown language (i.e even if snooper received the padlock he can’t figure out how to unlock it and decrypt the data)?

stoy,

Yep, if a thrid party gets the padlock they can lock the box, but can’t unlock other boxes

zaknenou,
@zaknenou@lemmy.dbzer0.com avatar

Thank you! extremely helpful answer

shortwavesurfer, in Privacy Concerns on Lemmy: A Call for More User Control

I have a feeling that you might be misunderstanding what the actual purpose of lemmy is. lemmy has taken quite a few design decisions from Reddit which is exactly the same way. Both platforms are public places where all content is shared. Anyone using them needs to be aware of that fact. Mastodon might be a better fit for you as it is more focused on individuals rather than public communities.

LWD,

Well, not exactly.

Reddit Lemmy
Content is public Content is public
API access is limited API access is limitless
Vote data is inaccessible Vote data is accessible
No email needed Email or something else often required
One privacy policy Basically no privacy policy
Zerush, in Privacy Concerns on Lemmy: A Call for More User Control
@Zerush@lemmy.ml avatar

What irritates me many times when I enter Lemmy is that instead of my Nick at the top right, someone else’s Nickname appears for a moment, before changing it to mine. This is a sign of an open account sharing channel, which is quite serious and should be fixed quickly. Security at Lemmy is apparently non-existent.

Sal,
@Sal@mander.xyz avatar

Do you see a random nickname from a stranger, or a nickname of an account that was previously logged into using the same computer?

What is an open account sharing channel?

Zerush, (edited )
@Zerush@lemmy.ml avatar

It occurres sometimes, I see a random nick from strangers. It means that my account obviously is públic and even shared. I will be attentive and I will try to take a screenshot, before the nickname changes to mine while Lemmy loads.

Sal,
@Sal@mander.xyz avatar

I will also pay close attention and see if I can catch that happening.

Zerush,
@Zerush@lemmy.ml avatar

It’s not easy to catch, because it’s only a moment when Lemmy loads and just sometimes. For now I always have my eyes to the top right corner when I enter Lemmy.

ekky, in Is there a search engine that filters out cookie wall and paywall pages ?

Filters out as in hides it from you?

Ublock origin is very good at getting rid of cookie banners, though you have to enable it in settings, not sure about pay walls.

merde,

cookie banners is not the same thing as cookie/pay walls.

ekky,

You are right, please excuse me.

merde,

deleted_by_author

  • Loading...
  • ekky, (edited )

    So it appears, though I’m unsure whether it auto-accepts required cookies, those that have no opt-out option. If it’s banners, and not walls, then UBlock blocks the banner and thereby doesn’t give permission to store any kind of cookies, including the required ones. Kinda as if you browse the site without ever interacting with the banner.

    Sadly, both need to trust that the site actually follows the rules and respects the selected/unselected cookies.

    EDIT: Scrap all that, most sites don’t respect cookies settings either way, might just get either of the above and Cookie Auto Delete or something similar.

    morrowind, in Privacy Concerns on Lemmy: A Call for More User Control
    @morrowind@lemmy.ml avatar

    I strongly agree, I wrote a post on this type of privacy and why it matters, which I’ve dubbed “casual privacy”. coship.bloggi.co/casual-privacy

    pop, (edited )

    pull requests would work a lot better than blog posts.

    morrowind,
    @morrowind@lemmy.ml avatar

    It’s not smart to make a pull request before getting developers approval

    JackGreenEarth, (edited ) in the encryption keys, why can't the government just sneak on them?

    Bh sharing, unencrypted, on Lemmy that you like watching revolutionary videos on YouTube, the government now has that data, even if Google wasn’t going to give it to them. I thought I would just add that, as everyone else has explained asymmetric encryption well.

    Also, usually it’s just the content of the website, not the URL itself that is encrypted, so anyone, not just the government, can know what YouTube videos you watch (as the video ID is in the URL) as well as the URL of any other websites you visit.

    CaptainSpaceman, (edited )

    The other 2 commenters are wrong. URLs as they appear in your web browser are NOT encrypted when sent over https protocols.

    The only data that is encrypted is POST data, and ONLY if it is sent over HTTPS.

    So for example, a website login page crafts a URL like some.example.com/login?sessionID=12345678 and when you log in to the site extra parameters like Username and Password are sent via POST data, then anyone listening to your web traffic (like the NSA or your neighbor with wireshark) will br able to see the website and the sessionID, but not the login details as they will only show up encrypted.

    However, if the site is ran by idiots who pass the data in the URL like this some.example.com/login?sessionID=12345678&use…, then ANYONE listeneing would have your credentials.

    frightful_hobgoblin, in Companies Make it Too Easy for Thieves to Impersonate Police and Steal Our Data

    Solution: don’t let police have your data

    ArbiterXero,

    Right? Like “make sure you get a warrant” isn’t a hard answer.

    library_napper, (edited )
    @library_napper@monyet.cc avatar

    They’re not asking you. They’re asking the companies

    The real solution is for companies to ask for the name of the officer, and then go to the official police website, call their non emergency number, and ask to speak with the officer. Then confirm that it was them, in fact, that sent the request.

    Bonus: then tell them to get a fucking warrant and hang up the phone.

    Darorad, in How bad is Idea of .Zip as password manager?

    I guess it would work, as long as you’re using an up to date zip implementation with AES-256 encryption. I guess my question would be why bother? Being compressed doesn’t add any real additional benefit, since just using text shouldn’t take up much space.

    Is recommend just using an actual password manager for convenience, since you aren’t really gaining any security by only storing your passwords in a file.

    itsaj26744,
    @itsaj26744@programming.dev avatar

    I was just trying to learn, I use bitwarden+Keepass 😆

    lemmyreader,

    Good choice. I like KeePassXC and Bitwarden.

    Your storing in password protected zip file is better than storing it plain text in a file on your computer but the password encryption of zip is probably not that strong. A friend of mine insists on using a disk encrypted pen drive with an office document having his passwords. I hope he has a backup drive :)

    catacomb, in the encryption keys, why can't the government just sneak on them?

    I think you’re asking if it’s possible for your government to be a man-in-the-middle? Depending on which government you live under, the answer is likely no but more importantly the answer will always be; it’s not worth their effort to find out what you’re watching.

    YouTube’s public key is signed by a certificate authority whose public key (root) is likely installed on your device from the factory. When you connect to YouTube, they send you a certificate chain which your browser will verify against that known root. In effect, it’s information both you and YouTube already share and can’t be tampered with over the wire.

    Technically, those signatures can be forged by a well resourced adversary (i.e. a government) with access to the certificate authority through subversion, coercion, etc. At the same time, it’s probably easier to subvert or coerce you or YouTube to reveal what you watch.

    zaknenou,
    @zaknenou@lemmy.dbzer0.com avatar

    The situation is just an example, I’m not actually planning a revolution. just for demonstration purpose

    algernon, in How bad is Idea of .Zip as password manager?
    @algernon@lemmy.ml avatar

    Very bad, because the usability of such a scheme would be a nightmare. If you have to unzip the files every time you need a password, that’d be a huge burden. Not to mention that unzipping it all would leave the files there, unprotected, until you delete them again (if you remember deleting them in the first place). If you do leave the plaintext files around, and only encrypt & zip for backing up, that’s worse than just using the plaintext files in the backup too, because it gives you a false sense of security. You want to minimize the amount of time passwords are in the clear.

    Just use a password manager like Bitwarden. Simpler, more practical, more secure.

    fishpen0,

    When we wrote malware in labs in college one of the first places we looked was unemptied trash. This is almost certainly a pattern that’s going to leave your crap in trash in plaintext and even the dumbest script kiddie will find it the very first time you slip and something gets in your system.

    ArbiterXero, in How bad is Idea of .Zip as password manager?

    In many unzip utilities, they use temp files that you wouldn’t be paying attention to. These temp files will contain your credentials and you won’t know where they are or if they got deleted.

    mp3, (edited )
    @mp3@lemmy.ca avatar

    And even if they’re deleted by the archive program, it’s likely a normal deletion, and not a secure delete where the original data is overwritten with random data before deleting the entry in the file system, which could be potentially recovered.

    ArbiterXero,

    Also an excellent point

    MajorHavoc, (edited ) in Privacy Concerns on Lemmy: A Call for More User Control

    It gets weird fast, because before privacy controls in the Lemmy source code mean anything, we need trusted third party verification of a server’s patch level, and security controls.

    That can be done, and I think Lemmy has a shot at getting to that point, but it’ll be awhile.

    In the meantime, I suspect the Lemmy developers are hesitant to add and advertise features that you can’t be sure are actually correctly enabled on your instance.

    But yeah, let’s not let perfect be the enemy of moving toward better.

    Edit: Assuming you completely trust your instance admin, we could start adding some basic privacy to actions taken on your home instance.

    But as soon as the user starts interacting via federation, all bets are off - because the federated instance may he malicious.

    I think we might see one or more “trusted fediverse” groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

    So, in theory, the lemmy software could start implementing privacy controls that allow users to limit their visibility to whichever part of the fediverse their instance admin has marked as highly trusted.

    But even then, there’s risks from bad actors on highly trusted instances that still allow open signups.

    Anyway, I totally agree with you. It’s just a genuinely complex problem.

    SnotFlickerman, (edited )
    @SnotFlickerman@lemmy.blahaj.zone avatar

    If all the people complaining would just contribute to the codebase this wouldn’t even be an issue.

    Often, you even see the devs coming into threads like this and making suggestions, like “make a pull request.” They want more people contributing.

    It’s tons of people whining, very few people contributing. Guess what? While at a certain point, adding developers stops increasing productivity, there’s a small window where adding developers does increase productivity.

    If I am correct, Lemmy only has four main developers. That’s well within the range to add more developers and increase the productivity, making new features and security come faster.

    So I get it, but things take time, and are complicated, which you thankfully can see.

    People whinging about it in threads does nothing to change it. Donating to Lemmy’s development costs or contributing code does.

    So much of it sounds like it sounds like its from less-technically-inclined people (some of its valid critique from experts, but they generally… write bug reports and do pull requests…) who just want it to be better but the only way they know how is to “bring awareness.” Well, all that “awareness-bringing” just amounts to spreading FUD.

    Sal,
    @Sal@mander.xyz avatar

    I think we might see one or more “trusted fediverse” groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

    There is now at least one system in place for admins to vouch for other instances being non-malicious, and to report suspected instances. It is called the fediseer: gui.fediseer.com

    MajorHavoc,

    Very cool.

    Dehydrated, in Riot Games Now Requires Kernel-Level Anti-Cheat Software for League of Legends, Following Valorant's Implementation

    Riot Games Now Requires Kernel-Level Anti-Cheat Software

    In other words, a Chinese rootkit. Wouldn’t want a Chinese backdoor in my kernel, but that’s just my personal opinion. If you want one, go ahead, install this garbage.

    kionite231,

    You already have NSA backdoors in your device.

    Grass,

    I don’t support this existing, but does the nsa collect and sell all your data to third parties and make a shitload of money doing so? Because everyone else definitely does. I don’t know how difficult it is now, but some number of years ago you could request a copy of all the data some of the social media sites have on you and it’s fucking scary especially with how much is deduced, presumably from piecing together info from your entire social network.

    Dehydrated,

    Well, if you install this Riot Games rootkit, you now also have a Chinese backdoor.

    LaSaucisseMasquee,

    What is your point exactly ?

    toastal, in Privacy Concerns on Lemmy: A Call for More User Control

    If Lemmy cared about privacy, contributing source code & opening tickets would not require opening accounts with a for-profit, US-based, closed, prorietary service owned by a publicly-traded megacorporation that has shareholders to appease & a history (as well as current) record of EEE (embrace, extend, extinguish).

    Omega_Haxors, (edited )

    that also uses your code for their AI.

    drndramrndra, (edited )

    Copilot gets trained on Dessalines’ essays and becomes a Marxist

    toastal,

    I mean it took the code production of from workers for the Commons, packaged it up, & sold it back to the workers—often in violation of the license if not the spirit of free, ethical, or similar software. All AI generations should be CC0 / 0BSD licensed.

    toastal,

    Choosing proprietary tools and services for your free software project ultimately sends a message to downstream developers and users of your project that freedom of all users—developers included—is not a priority.

    —Matt Lee, www.linuxjournal.com/…/opinion-github-vs-gitlab

  • All
  • Subscribed
  • Moderated
  • Favorites
  • privacy@lemmy.ml
  • localhost
  • All magazines
  • Loading…
    Loading the web debug toolbar…
    Attempt #