Privacy

Thought this belonged here. The not so comfortable truth about verifying your identity to a company that purchases their verification services from a third party.

cross-posted from: https://lemmy.ca/post/62536902

The ongoing discussions about age-verification and changes in Free and Open-Source Software and GNU Linux and related OSs made me realize a gross misunderstanding on my part. I think many other users may have the same misunderstanding (seeing many comments using the word "traitors"), and it's important that we become aware of it. We must understand that using or saying “FOSS” or “Linux” does not automatically mean to stand up for human rights like privacy, for the community, against corporations, and similar goals and values.

If we read the comments in those age-verification discussions we can see that many developers and possibly also users make statements like “the developers have no obligation towards the community”, “the law is the law, no matter what the community wants”, “we must comply”, and similar. It’s important to realize that many developers work on FOSS not out of consideration for the community, or for human rights, or against corporations. For them it’s just one kind of software development. We may have projects that are FOSS and pro-corporations or pro-surveillance. The "F" in FOSS stands for freedom to modify and distribute the software by/to anyone in the community. It doesn’t stand for “software that promotes / stands up for general human freedom and human rights". But of course there are also developers that work with FOSS because of such values.

So for anyone who, like me, wants to use and promote software as an assertion of, and a stand for, human rights and against corporations, it’s necessary not to stop at “FOSS” or “Linux” but apply more scrutiny and more careful choices. Probably it's always been like this, but the present times require extra awareness.

I wish there was an acronym or other word that made this moral aspect of some FOSS development clear. This would help users to recognize software projects that share their values, and also those FOSS developers who do work for those values. Is there such a term already out there?

The fools at YouTube have been hard at work circumventing adblock to make our lives miserable so they can make 3 more cents per view. Hopefully ublock catches up.

Fuck these people.

cross-posted from: https://lemmy.world/post/44753763

Apple Support page

I give vpns maybe another 2 years before they're banned, for sure in the US but I'm sure elsewhere too. What do we do then?

I got tired of every messenger asking for a phone number before letting you talk to anyone. Most privacy-focused messengers make you choose between convenience and privacy — either you get a polished experience with questionable data practices, or you get strong privacy with a painful setup. I tried to find the balance between the two. The result is ONYX. I want to be upfront about what it does and doesn't do privacy-wise — because "private messenger" is a claim that deserves scrutiny.

What the server actually knows about you

• Your username (not tied to phone, email, or anything real-world)
• That your devices exist (but not their private keys)
• Your IP address when connected (unavoidable)
• Message content in groups and channels — these are not E2EE encrypted, that's a real limitation

What it doesn't know:

• Your phone number or email — never collected
• Content of private chats — server only sees ciphertext
• Your favorites — stored locally only, server has no knowledge of them

How the E2EE actually works

Private chats use X25519 ECDH for key exchange (ephemeral per session) and HKDF-SHA256 for key derivation. I chose XChaCha20-Poly1305 over AES-GCM because it runs in constant time without AES-NI hardware acceleration — relevant for mobile devices — and has a 192-bit nonce vs 96-bit in GCM, which reduces collision risk in long sessions. LAN mode uses AES-GCM-256 — sessions are short-lived and never leave the local network.

Packet format (internet):

E2EEv1:[base64 JSON envelope: {eph pubkey 32B, nonce 24B, ciphertext, mac 16B}]

Packet format (LAN):

[pubkey 32B] [nonce 12B] [ciphertext] [mac 16B]

Multi-device works without the server touching your keys — new device sends an auth request to an existing trusted device, which must explicitly approve it before any key exchange happens.

The honest limitations

• Groups and channels have no E2EE — the only way to get full control over group communication is to self-host your own instance, so at least no third party has access to the data.
• Only incoming messages sync across devices — outgoing stay on the sending device only
• The server knows your IP when you're connected

LAN mode

There's a mode that works with no server and no internet at all — devices discover each other via UDP broadcast on the local network, exchange X25519 public keys in the broadcast packet itself, and communicate directly encrypted. Just hold the "Send" button in a private chat to choose this mode. Useful if you don't want any data leaving your network.

Self-hosted groups and channels

If you don't want to rely on the central ONYX server at all, you can run your own. There's a separate server software written in Rust — you download it, run it, and host your own groups or channels for your community or just a small group of friends. No web interface, runs entirely from the command line. Available for both Windows and Linux.

https://github.com/wardcore-dev/onyx-server/releases

Registration and account deletion

Username and password only. No phone, no email. Accounts can be deleted at any time and take all server-side data and media with them.

The project is still in early beta — rough edges are expected. If you run into any bugs or weird behavior, feel free to reach out directly to @support in ONYX. Just write your issue there and I'll look into it.

Available for Windows, Linux, macOS, and Android: https://github.com/wardcore-dev/onyx/releases

Disclaimer: I'm not from US, I know little about US laws and how this age verification will look.

So if anyone needs from me the verification that I am who I am in my day-to-day life (in a bank, at bureau, ...) it's usually handled via the Notary office. It might sound old school but it's really great actually - do you have a printed document and you need a proof that you actually signed it? Notary. Do you need a copy and you need a proof that it's actually 1-to-1 copy of the original? Notary. etc. And it costs like 2-5 € where I live.

So if someone would ask me to prove that I'm older than 18 years old and I'd like to keep my anonymity in the process ... notary. I'd of course not send my ID to any corporation, I'd go to notary with a document: "User of platform XYZ identified by their ID 123 is more than 18 years old". I'd just need to prove to notary that I actually am user 123 but I can do that in their office. Not to mention that we could find a way to anonymize platform completely in this process using some hash.

Is this possible for these age verification laws? Or is there some flaw in my thinking?

cross-posted from: https://lemmy.ca/post/62278765

Software changes for compliance with age-verification laws are being pushed a bit everywhere in Linux-development; for example:

• In Systemd, already merged.

• In xdg.desktop.portal (a portal frontend service for Flatpak and other desktop containment frameworks), still open.

• In Arch Linux, still open.

• In Freedesktop.org, still open.

It's interesting that it's the same small group of people behind these pull requests, and that discussion threads in them have been locked owing to a great amount of negative criticisms.

They say "we have to comply with the law". Which also means that if "the law" in the future will require proper verification, handling to 3rd-parties, or whatnot, then they will comply.

Well, it's their right to. They don't owe anything to anyone, and are under no obligation to report to users or to the community, nor to pay heed to anybody's wishes.

If things proceed in this direction, we users may at some point have to choose between privacy-friendly Linux distributions or legal Linux distributions. People who, like me, are worried, need to start thinking about concrete actions to take before it's too late: where to develop such distros? which channels to download and distribute them from? And so on. (And of course, more generally we need to write and protest to politicians, organize protest marches, go on strike, refuse to comply...)

It's good to remind to those who keep on repeating the words "legal" and "illegal" that for example Nelson Mandela was, technically speaking, a criminal who did and promoted illegal activity. This happens when laws become immoral.

https://grapheneos.social/@GrapheneOS/116261301913660830

XMPP and Matrix are very similar protocols that aim to accomplish roughly the same things. I'm looking to install a server on my (quite powerful) home server in order to communicate with my tech-savy friends and my girlfriend.

I would like to use the "perfect" one between the two, but I can't come to a decision.

Pros of Matrix

• Has more functionalities (albeit as far as I know XMPP can do pretty much the same with its extensions)
• It is JSON-based which helps reduce overhead, not by much, but it's free lunch
• I can't set cryptography wrong since it's built-in
• Messages and conversations can be synchronized from other servers if mine goes down for a short while. Its state seems generally stronger than XMPP's

Pros of XMPP

• More lightweight
• Less metadata leaks and supports aliases in public MUCs
• It's more "open" (less centralized)

Which one would you pick? We don't need to shield ourselves against the CIA but I'm a privacy freak so I'd like to pretend we do. Thank you.

it was bothering me for at least two weeks now with "nova launcher can't open network connection". today it finally presented this shitty ad dialog with missing reject all option where you can either accept all, or dive into few dozens of separate section, each of them containing few dozens sliders, all of them enabled by default.

let this be warning to others and you can deal with it before it surprises you when you are somewhere outside.

what privacy concious launchers do you people use? i have tried kiss launcher, but that doesn't seem to be for me.

i want classic launcher where i have icons on desktop where i put them and i can manipulate them blindfolded, not something that is trying to reinvent the wheel.

Soon after I joined Lemmy a few years ago, I searched for communities based on my interests and subscribed to the ones with the highest numbers of users to ensure they are active. Sometimes I joined multiple, but then saw that some people post the same thing to more than one, cluttering my feed, so I left the smaller ones.

It's only after my community ban from !games@hexbear.net for disagreeing about Ukraine that I was told about MeanwhileOnGrad, learning exactly what "the tankie triad" means and why big Lemmy instances have defederated from those. Lemmy.ml, where the ML probably stands for Marxist-Leninist, seems to have been defederated by fewer, possibly because it's run by the creator of Lemmy, Dessalines. Nevertheless, there is evidence of Dessalines holding the same authoritarian communist views as the rest.

Recently, there were two posts on !privacy@lemmy.ml about Signal, but then in both cases, admin davel (who is known on MoG for seeing CIA's hand in running Ukraine, among other things) and Dessalines linked (1, 2, 3) the same article by Dessalines, which not only argues Signal could be a CIA honeypot (as if it matters when proper e2ee is used), but also manages to shoehorn China even into that, claiming its government "prefers autonomy". This sort of portrayal of totalitarianism as sovereignty is the reason I unsubscribed from the community. As it has been said by others, ML is not a neutral instance but a means of pushing authoritarian views onto unsuspecting users.

Edit: Made the post title clearer.

cross-posted from: https://lemmy.wtf/post/39686444

Per the very first reply on their thread discussing it in their forums, which I linked directly to for the post title:

We'll NEVER require any verification or identification from the user.

However, what's gonna happen should the attempts to age-gate the XDG portal screw over alt-init distros like Artix too? My guess is maybe they start blocking regions which force age gating like Arch Linux 32 is doing.

cross-posted from: https://lemmy.blahaj.zone/post/40170883

What’s at stake is whether “protecting children” becomes a legal pretext for embedding government control over the internet to enforce specific moral and religious judgments—judgments that deny marginalized people access to speech, community, history, and truth—into law.