The third option is to use the native secret vault. MacOS has its Keychain, Windows has DPAPI, Linux has has non-standardized options available depending on your distro and setup.

Full disk encryption does not help you against data exfil, it only helps if an attacker gains physical access to your drive without your decryption key (e.g. stolen device or attempt to access it without your presence).

Even assuming that your device is compromised by an attacker, using safer storage mechanisms at least gives you time to react to the attack.

Yes, in your head, and in your second factor, if possible, keeping derived secrets always encrypted at rest, decrypting at the latest possible moment and not storing (decrypted) secrets in-memory for longer than absolutely necessary at use.

Been a few days since using electron, but AFAIK electron can’t be used as a wrapper for android apps, or can it? Or is their android app a web app wrapped into a “native” android app too?

Also, since this seems to be an issue since 2018, 6 years should be plenty to rewrite using a native secure storage…

Kinda expected the SSH key argument. The difference is the average user group.

The average dude with a SSH key that’s used for more than their RPi knows a bit about security, encryption and opsec. They would have a passphrase and/or hardening mechanisms for their system and network in place. They know their risks and potential attack vectors.

The average dude who downloads a desktop app for a messenger that advertises to be secure and E2EE encrypted probably won’t assume that any process might just wire tap their whole “encrypted” communications.

Let’s not forget that the threat model has changed by a lot in the last years, and a lot of effort went into providing additional security measures and best practices. Using a secure credential store, additional encryption and not storing plaintext secrets are a few simple ones of those. And sure, on Linux the SSH key is still a plaintext file. But it’s a deliberate decision of you to keep it as plaintext. You can at least encrypt with a passphrase. You can use the actual working file permission model of Linux and SSH will refuse to use your key with loose permissions. You would do the same on Windows and Mac and use a credential store and an agent to securely store and use your keys.

Just because your SSH key is a plaintext file and the presumption of a secure home dir, you still wouldn’t do a ~/passwords.txt.

How in the fuck are people actually defending signal for this, and with stupid arguments such as windows is compromised out of the box?

You. Don’t. Store. Secrets. In. Plaintext.

There is no circumstance where an app should store its secrets in plaintext, and there is no secret which should be stored in plaintext. Especially since this is not some random dudes random project, but a messenger claiming to be secure.

Edit: “If you got malware then this is a problem anyway and not only for signal” - no, because if secure means to store secrets are used, than they are encrypted or not easily accessible to the malware, and require way more resources to obtain. In this case, someone would only need to start a process on your machine. No further exploits, no malicious signatures, no privilege escalations.

“you need device access to exploit this” - There is no exploiting, just reading a file.

So, the “license to kill” is fine, as long it’s non US citizens?

Your definition of democracy and basic human rights is fucking unhinged.

These were casual, mutual conversations that sometimes leaned too much in the direction of being inappropriate, but nothing more. Nothing illegal happened, no pictures were shared, no crimes were committed, I never even met the individual. […] That’s on me as an adult, a husband and a father.

Jesus fucking christ. If you, as a father, are “leaning too much in the direction of being inappropriate” with a minor, you’re a fucking pedophile. There is nothing to discuss that’s leaning into being inappropriate with a minor, except if you’re a pedophile. Trying to make it sound less of an issue just because there weren’t pictures sent, is a pathetic attempt of an excuse for being a pedophile.

For being so real and no filter, there’s a fucking lot of sugarcoating for admitting the fact that he sexted with a minor.

I specifically don’t get how you can do that as a father, and even being the complete asshole that he is, not even once thinking that the victim could be his own child. I really wonder what he would say about such a tweet in this case.

Absolutely fucking disgusting.

It might be, but to be fair, that’s what the glorified autocompletion is actually good for, if it’s actually used a supporting tool, and not to pump out quantity over quality.

Man, the disclaimer at the bottom that Business Insider is partnered with OpenAI to allow them to train on their articles is really the cherry on top.

Check your blocklist and keep in mind that YouTube is testing server side ads muxed into the media streams, which will not be blocked by traditional adblocking techniques.

If you can not install anything, your only choice is probably to set up a pihole or something similar on your network.

Edit: Some models seem to have advanced settings, where you can change the DNS - you could try to use adguard dns servers, or any DNS adblocker you want to use.

deleted by creator

deleted by creator

Or you can just use vscodium.

If you use a dockerized environment, that will only work better on Linux. .NET8 is AFAIK natively supported on Linux, so there shouldn’t be too much of an issue apart from the usual clunkyness. Visual Studio will probably be more of a problem. The “easiest” way would probably be to switch to jet brains or vscode. If you are hardstuck on VS for whatever reasons, you probably should be able to do some voodoo with running it in docker and using the container as a remote desktop, but this will be PITA to setup and maintain.

Because lowering the amount they’re charging or increasing the amount of aid will cost more than measly 25 million and doesn’t make such good headlines.

The Hamas-led murderous rampage into southern Israel was the deadliest terror attack in Israel’s history, killing at least 1,200 people and abducting more than 250 others. Israeli attacks on Gaza have since killed at least 33,634 Palestinians and injured another 76,214 people, according to the Ministry of Health there.

Jesus fuck, Germany is paying symbolic money to roughly as many genocide survivors in Israel as people have been murdered and injured by Israel committing genocide.

The current German government is an absolute fucking joke, and they are doing everything to actually show it.

Again, you may quote the FSF, but there are too many users of open source, as well as developers, who got into it for the reasons I stated. I can assure you that they are not doing it so that corporations can profit off their software without giving back.

If you are developing open source, you are not necessarily developing FOSS. If you are developing FOSS, you are also developing open source.

FOSS is well defined by the FSF, and it has been for ages, and to be frank, therefore no one cares for anyone’s personal definition of it.

What I am against is having the cake and eating it, as it’s being proposed with this licensing. Either you do FOSS, or you don’t. Either you do open source, or you don’t. Either you do proprietary software, or you don’t. It’s really that simple, because depending on your project, you take the terms that you see fitting and live with the consequences. The whole goal of this proposal was to be taken more serious as open source developers and projects, and to ensure funding for further development. Cherry picking the best parts of every model, and making irrational demands does not achieve that.

As I said, I’m absolutely on board that open source licensing and open source development being taken for profit by corpos absolutely sucks, and the usual licensing models have not aged well with the much wider adoption and usage of open source, and there is a need for change - as it’s being done e.g. by elastic, redis and others with their dual licensing.

It doesn’t matter how hard you want to call it FOSS, but with this licensing terms you describe it is not FOSS, period. And to be honest, you calling out various people for not getting what FOSS is, while you fully ignore the agreed on definition by people who are actually doing FOSS is you discrediting yourself.

You haven’t found a license like this, because your model is flawed: A licensing like this will disqualify you from any kind of usage in an actual FOSS licensed environment. Personal users, which will not be providing revenue, will not be really affected by this, and are irrelevant for your point. Corporate users, which you will mostly target by this new license probably won’t be able to use your funky new license because they will need to check with legal, and your software will need to have a lot of USPs for someone to bother with that. A 1% corpo-richness-tax will not be approved by any kind of bigger company, because it’s a ridiculous amount from the perspective of your potential customers.

You’re taking yourself way to important. Open source software is not replaceable as a whole, but individual projects are. If you want to earn money with your project, that’s good on you, license it accordingly, but do not try to upsell it as FOSS.

And I fully get your point, and I’m currently working on the same problem in my in-development project, and I’m not sure yet whether to dual-license it, for similar reasons you stated, and live with the consequences of providing OSS, but non-FOSS software, or do FOSS and provide it for actually free.

Edit: Also, the xz backdoor has nothing to do with funding. Any long time maintainer (as in not just a random person contributing pull requests) going rogue can happen in funded scenarios as well.

Das ist der normale Modus Operandi der BSI. Solange die technische Richtlinie erfüllt ist, ist alles tiptop, egal was passiert.