Hacker News | jijijijij's comments

Well, supplementing vitamin D surely is cheaper than dealing with accelerated skin aging and cancer. Unless your doctor is a vampire, I presume they didn't mean to imply you should never go outside, but rather avoid any direct sunlight. I suspect the shade and sunscreen weren't the issue.


The only reason drug dealers aren't getting busted on WhatsApp is nobody cares enough. They wouldn't care either way.


As long as you are not auditing every bit of code you run yourself AND are sufficiently knowledgeable to detect even obfuscated malicious code, you need some basis of trust.

Evident world views far off reason, reality, compassion and pragmatic self-regulation don't speak for a stable, predictable and reasonable personality.

If a person thinks some humans deserve less rights than others, how could you trust any update to not reflect this world view?

Additionally you may be becoming technologically dependent on a person whose actions may be detrimental to your safety or wellbeing in other parts of your life.

You may also just not like to promote this person's work.

It's fair to inform others about the person behind the software they are running. Everybody can make their own informed choices.


And the appropriate basis of trust in the technology world would be source code audits, not scraping some individual's Twitter posts.

If the users' communications are encrypted — which they are — there is no way for the creator to "reflect his world view", whatever it might be, in the form of undermining the security or privacy for some part of the user base.


I like your point that if a developer is a vocal neo nazi then only people capable of regularly conducting their own thorough code reviews should rely on the products that they make. I agree with you that regular folks that can’t do code audits should not trust neo nazis with their private communications. It is good to know that we’re on the same page about not implicitly trusting the simplex code


This is not my point. Trusting someone else's code audit is infinitely more valuable than trusting any "vibe check", since it touches the actual subject matter.


How do you derive trust for the auditing?

Anyway, since we're talking concrete software, could you point to such code reviews from vibe-independent auditors for continuous verifiable simplex builds targeting common communication platforms?

If not, your point is moot for the subject at hand. Decisions have to be made on the basis of reality not cozy fantasies.

I am not sure I run a single piece of software where this is done. Sporadic audits tend to bring evidence of soundness and security, not continuous absence of malicious functionality.


> I am not sure I run a single piece of software where this is done.

And yet you run it. Have you vibe-checked every such software? Did that bring you enough information about individuals creating it? If not, if there are no readily available signs, have you vetted their own, private beliefs otherwise — in order to ensure they don't clash with your own?

What if Linus Torvalds turned out to be secretly a Nazi pedophile for the whole time? Would that make you stop using Linux?


You are moving the goalpost. There is no constructive discussion possible, if you can't concede weak arguments.

But yes, I vibe checked the software projects I use. They are mostly large enough that single individual failings are of no consequence and unhinged people are usually removed from executive control through various means. But it's trust based on feelings and the information I got. Most people involved in these projects are mature and controlled enough to not mix politics with their work. It's not a good sign to not be in control of such impulses.

And I'd rather take a chance with the unknown bad than rationalize the known. Luckily most people with a collectivist FOSS mindset don't turn out to be monsters. Who could have predicted that?!

Your turn.


I was just asking to know your thought process, but this discussion probably won't lead to anything anyway — in my view a person's stance on vaccines, gay rights, what have you, doesn't make you any worse developer. If the technology is sound — which I can vibe-check (by a glimpse on how the code is maintained, documented etc.) — I have no reason to peek into one's private views. Your opinion is different, I still don't fully understand it, but we'll just have to agree to disagree.


We are not talking private opinions, we're talking public ones. Lol.

If you fail to understand why human rights and state repression stances don't matter evaluating trust in secure and private communication means, we indeed don't need to discuss any further. It is a bit silly tho.


I like that you asked

>could you point to such code reviews from vibe-independent auditors for continuous verifiable simplex builds targeting common communication platforms?

and sandblast has written a lot of words that indicate “no”, so they’ve been pretty consistently arguing not to use simplex.


This makes sense. Trusting a stranger’s code is bad but trusting a stranger’s opinions about code is good.

Unless you mean that only users personally capable of walking through the code line by line and their immediate friends and family should run code written by neo nazis


You want to audit every update? Are you going to pay for it? Is this relevant for the app discussed?

Because until there are other means of forming trust available, everyone has only got the vibe check. Some perfect world scenario ain't gonna cut it.


I'll try from another angle:

If I wanted to make a honeypot that undermines users' privacy and anonymity, I would make sure to be as nice to everyone as possible. The "vibe check" is irrelevant, the false positives are far too common.


Yes, the vibe check can fail too, but that's no argument to ignore crazy.

You do you. As I said, we all should be able to make informed choices as we please.


Hm. I think, you are confusing general privacy with confidentiality. Observing who I am talking to definitely falls into the privacy domain.

E.g. you are talking to an HIV medical specialist. This inherently has privacy implications, if observable. Likewise, you wouldn't say DNS has no privacy implications.

Anonymity rather means, you don't/can't know who exactly you are talking to.
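The distinction drawn in the comment above, as an added illustration (not code from SimpleX or from any project in this thread): a DNS query and a TLS ClientHello are built for a constructed host name, and an on-path observer holding no keys reads back who the client is talking to. The host name, IP addresses and ports are made up for the example; the wire formats are the real ones (RFC 1035 for DNS, the TLS server_name extension for SNI).

```python
"""Confidentiality is not privacy: what a passive observer still learns.

Added example. Payload contents are opaque to the observer; the
counterparty (the DNS name looked up, the SNI in the ClientHello) is not.
"""
import struct
from typing import Optional


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in RFC 1035 wire format, asking for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(packet: bytes) -> str:
    """Read the first question name (queries carry no compression pointers)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_client_hello(sni: Optional[str]) -> bytes:
    """A TLS record carrying a ClientHello, with or without a server_name extension."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = struct.pack("!BH", 0, len(name)) + name        # NameType host_name (0)
        ext_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        exts = struct.pack("!HH", 0, len(ext_data)) + ext_data  # extension type 0
    body = (b"\x03\x03" + bytes(32)             # client_version, random (zeros here)
            + b"\x00"                           # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello extensions and return the server_name, if present."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                          # headers, version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    if pos + 2 > len(record):
        return None                                           # no extensions block
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def observe(flows):
    """The observer's log: who talked to whom, never what was said."""
    log = []
    for src, dst, payload in flows:
        if dst.endswith(":53"):
            host = parse_dns_qname(payload)
        elif dst.endswith(":443"):
            host = extract_sni(payload)
        else:
            host = None
        log.append((src, dst, host))
    return log


# Constructed traffic (addresses from documentation ranges, made-up host name):
# one client resolves a clinic's name, connects with SNI, then once without it.
SAMPLE_FLOWS = [
    ("10.0.0.7", "192.0.2.53:53", build_dns_query("hiv-clinic.example")),
    ("10.0.0.7", "203.0.113.10:443", build_client_hello("hiv-clinic.example")),
    ("10.0.0.7", "203.0.113.10:443", build_client_hello(None)),
]

if __name__ == "__main__":
    for entry in observe(SAMPLE_FLOWS):
        print(entry)
```

The third flow shows the limit of the technique: a ClientHello with no server_name yields nothing, which is why hiding SNI and DNS (rather than only encrypting content) is what moves a design from confidentiality toward the privacy the comment is talking about.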


Since you are talking about proprietary software, I assume you mean fixing bugs by the corpo devs themselves.

Well, this would imply broken software. You already paid for the software, now you are required to pay to get bugs fixed? Bad optics, although not beyond contemporary sentiments... Inherently shady incentives: https://en.wikipedia.org/wiki/Perverse_incentive

This kinda only works best for FOSS, incentivizing external devs IMO.


Yeah, and my passwords are so obvious and stupid, nobody's gonna guess them!

I think, you are falling for a technical fallacy. It's not costing them any more time.


Every time I manually touched the "fingerprinting" about:config settings, my entropy went up. I used the EFF site to test: https://coveryourtracks.eff.org/

AFAIK some of these options are there to be used by the Tor browser, which comes with strict configuration assumptions, and it doesn't translate well to normal Firefox usage. Especially if you change the window size on a non-standardized device. Mind you, the goal is not to block fingerprinting, but to not stand out. Safari on a macbook is probably harder to fingerprint than Firefox on your soldering iron.

However, judging by the fact that every data hungry website seemingly has a huge problem with VPN usage, I'd presume they are pretty effective and fingerprinting is not.


I've had good success with tracking tool tests and resistFingerprinting. Granted, I usually use it with uMatrix/NoScript most of the time which cuts down on the available data a lot and maybe makes it an unfair test. One issue, I expect, is simply not enough people using resist fingerprinting to add variation to the mix. Since it's off by default, and only a small % of users use Firefox and an even tinier percentage use resistFingerprinting, unlike your example of Tor where probably most people on the tor network use the tor browser, it's likely that simply blocking things is a fingerprint all on its own. The solution there would be to get more people using it :)

I will say one downside to using it is far more bot detection websites freaking out over generic information being returned to them, causing some sites to break (some of their settings breaking webgl games too due to low values). Using a different profile avoids this, or explicitly whitelisting certain sites in privacy.resistFingerprinting.exemptedDomains - obviously if a site is using a generic tracking service for bot detection, that kills a fair amount of the benefit of the flag, so a separate profile might be best. I wish firefox had a container option for this.

... and, not too sure what you mean by changing window size on a non-standardised device. They do try to ensure the window sizes are at standard intervals, as if they were fullscreened at typical widths to reduce fingerprinting, but surely that applies to using Tor too? I mean, people don't use Tor on dedicated monitors at standard sizes.


Oh, and a bit of followup. I tried the EFF cover your tracks on a Firefox profile with resist fingerprinting, and almost all the bits of identifying information came from the window size (which EFF considers "brittle") and the UA (I was testing in Firefox Nightly).

Apparently you need to add the hidden pref: firefox.resistFingerprinting.letterboxing

Enabling letterboxing knocked off 5 bits of identifying information. Apparently my 1800px wide letterbox was still pretty identifiable, but, an improvement.

Setting a Chrome user agent string using a user agent string manager dropped that one from 12ish bits to <4 bits. 'course, that has the disadvantage of reducing Firefox visibility online further, and probably being more recognisable with the other values (like mozilla in the webgl info). Using Firefox stable for Windows was <5 bits, so probably best to use that if on Linux. Although, it might conflict with the font list unless a Windows font list was pulled in.
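The "bits of identifying information" that the two comments above report, and the earlier point that the goal is not to block fingerprinting but to not stand out, come down to one quantity: the surprisal of your attribute values in the population of visitors. The following is an added example (not the EFF's Cover Your Tracks code or anything from Mozilla) that computes it over a constructed population of 10,000 visitors; the counts, the profile names and the attribute values are made up so the arithmetic is easy to check, and are not measured data.

```python
"""How much does a browser configuration stand out? Surprisal in bits.

Added example. Each attribute value is scored as -log2(fraction of
visitors sharing it); a rare value costs many bits, a common one few.
"""
import math
from collections import Counter

# Constructed population: of 10,000 visitors, how many showed each value.
POPULATION = {
    "user_agent": Counter({
        "Chrome/Windows": 6000, "Safari/macOS": 2500, "Firefox/Windows": 1200,
        "Firefox/Linux": 250, "Firefox Nightly/Linux": 50,
    }),
    "window_size": Counter({
        "1920x1080": 5000, "1440x900": 2500, "1536x864": 2000,
        "1800x900": 480,    # a letterboxed size, shared by other letterboxed users
        "1817x1023": 20,    # an arbitrary un-letterboxed window on an odd display
    }),
    "timezone": Counter({"UTC-5": 4000, "UTC+1": 3000, "UTC+0": 2000, "UTC+2": 1000}),
}


def surprisal_bits(attribute: str, value: str) -> float:
    """Bits of identifying information carried by one attribute value.

    A value never seen before is scored as one in (N+1), the most revealing
    case: a unique configuration identifies you outright.
    """
    counts = POPULATION[attribute]
    total = sum(counts.values())
    n = counts.get(value, 0)
    if n == 0:
        return math.log2(total + 1)
    return -math.log2(n / total)


def fingerprint_bits(profile: dict) -> float:
    """Total bits for a profile, summed as if attributes were independent.

    Real attributes correlate (the OS implies the font list), so the sum
    overstates the joint figure that a tool measuring the real population gets.
    """
    return sum(surprisal_bits(attr, val) for attr, val in profile.items())


def bits_to_single_out(population_size: int) -> float:
    """Bits needed to pick one visitor out of population_size uniquely."""
    return math.log2(population_size)


# Constructed profiles mirroring the configurations discussed in the thread.
BLEND_IN = {"user_agent": "Chrome/Windows", "window_size": "1920x1080", "timezone": "UTC-5"}
NIGHTLY_ODD_WINDOW = {"user_agent": "Firefox Nightly/Linux", "window_size": "1817x1023",
                      "timezone": "UTC+1"}
NIGHTLY_LETTERBOXED = {**NIGHTLY_ODD_WINDOW, "window_size": "1800x900"}
STABLE_WINDOWS_UA = {**NIGHTLY_LETTERBOXED, "user_agent": "Firefox/Windows"}


def report(profiles: dict) -> dict:
    """Name -> total bits, rounded for display."""
    return {name: round(fingerprint_bits(p), 2) for name, p in profiles.items()}


if __name__ == "__main__":
    table = report({
        "blend in (Chrome/Win)": BLEND_IN,
        "Nightly, odd window": NIGHTLY_ODD_WINDOW,
        "Nightly, letterboxed": NIGHTLY_LETTERBOXED,
        "+ stable Windows UA": STABLE_WINDOWS_UA,
    })
    for name, bits in table.items():
        print(f"{name:24s} {bits:6.2f} bits")
    print(f"bits to single out one of 10,000: {bits_to_single_out(10_000):.2f}")
```

Two things the numbers show that the thread only states: a profile whose total exceeds log2(population) is effectively unique, and each mitigation (letterboxing to a size others also produce, a user agent shared with a larger crowd) helps only in proportion to how many other people present the same value, which is exactly why a rarely used privacy flag can itself become the fingerprint.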


Well, plants famously don't eat much more than sun light, water and carbon dioxide. Otherwise they just need phosphorus, nitrogen and some trace elements.

Moss has already adapted to barren environments. Its niche is growing where nothing else grows. Like, on top of rock. It's not having roots, not mingling with modern temptations in the soil. Most mosses actually aren't doing well in competitive, complex ecosystems full of nutrients and such.


I mean, it's obviously ineffective for the stated goal of proving authenticity to other users, so using a VPN must really be quite effective at tainting Twitter's data collection to let them go to such lows. And it's not just Twitter... VPNs seemingly really piss off a lot of data businesses. Quite the advertisement. And ironically going "bareback" now feels way more compromising than ever before.


Europeans were blown off, when America unexpectedly pulled out like a Boeing door.


I'm quite impressed with Europeans' entitled attitudes towards the US security umbrella.

First of all, none of this should be "unexpected"--Obama famously announced a pivot to Asia well over a decade ago. What exactly did Europeans think that meant?

Second, European military intransigence has dramatically escalated the risk of a devastating war affecting both US and Europe, and the US is simply overextended. The US cannot bring sufficient military power to bear to defend the Pacific, European, and Arctic theaters simultaneously. European NATO members simply must pull their own weight now; reaffirming European luxury beliefs like "we don't need to prepare for war because Uncle Sam has got us covered" would be doing both US and Europe a disservice. Many presidents have tried more polite pleading and cajoling in less critical times, with evidently poor results.

Finally, the asymmetry of expectations is remarkable. Europeans clearly expect the US not just to fight Russia with them, but to fight Russia for them. Yet no Americans expect European forces to come to the US's rescue in the Pacific--and European commenters online make very clear that that expectation is correct. Consequently, many Americans are skeptical of the value NATO membership brings, while seeing clearly its risks and costs.

If you want America to remain engaged in European security, y'all need to get much more serious about fielding an effective military force and clearly commit to helping the US against China in every way possible. And if you don't want America to remain engaged in European security, y'all need to get even more serious about fielding an effective military force.

So put your heads down, get to work, and quit it with the hyperbolic butthurt comments about "unexpectedly" being "blown off".


I realize I was probably too oblique before, so let me be more specific.

The US has pivoted from traditional AWACS to the proliferated warfighter space architecture, the idea being hundreds of LEO satellites can provide a cheaper and much more survivable (not to mention persistent) air moving-target indicator capability. There is substantial project risk, but the US is resource constrained and cannot afford to fund everything under the sun.

European NATO nations don't currently need something so fancy and without the US, E-7's per-unit costs would be too high. But the US now prioritizes its needs in the Pacific theater (where those E-7s would not be survivable) over Europe's security interests (cheap, capable traditional AWACS). That's the pivot to Asia in action.

I don't even think that this outcome is bad for Europe. It's a reminder that Europe's needs are not America's priority, which helps to light a sorely-needed fire under European asses. Europe will buy GlobalEye or some Airbus platform, and the US will have a decent alternative available if the PWSA doesn't work out. It's also a potential opportunity for European NATO countries to contribute to PWSA, Starshield, and/or Golden Dome and more visibly and tangibly contribute to NATO's mutual defense.


It is worth pointing out that US' potential adversary in the Pacific region is known for boasting its "robust" anti-satellite capabilities, so it is difficult to see this move as anything but wasteful and potentially dangerous to other LEO satellites.


Dude, it's a joke about Boeing doors getting lost mid flight. You know, the thing that happened recently and made quite some news?

Maaaybe you should introspect a bit about how a single thoughtless sentence on some web forum could possibly inspire you to write an essay about European entitlement. Is this American vulnerability?

