Notices by Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 16-Sep-2019 02:23:10 UTC Mike Gerwitz Mischaracterization of an individual is an injustice regardless of your differences. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 29-Aug-2019 04:14:03 UTC Mike Gerwitz I'm really pleased to see this, @lxoliva! Congrats! -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 10-Jun-2019 02:14:53 UTC Mike Gerwitz cnet: "Amazon's helping police build a surveillance network with Ring doorbells"
https://www.cnet.com/features/amazons-helping-police-build-a-surveillance-network-with-ring-doorbells/ -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 14-May-2019 09:01:28 UTC Mike Gerwitz @cwebber @lxoliva Certainly we need to trust it as well. But if you're installing software on your system, there are generally other, more effective ways to compromise the user than resorting to side-channels.
But ensuring your software is signed and reproducible also helps to mitigate targeted attacks---if you're running the same software that everyone else is running, then the risk is very high for someone to do something malicious and tarnish their reputation.
Many users just `curl foo | sudo sh` the latest hot thing as they're instructed. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 13-May-2019 02:51:25 UTC Mike Gerwitz @lxoliva had some compelling words about this at LP2019:
https://media.libreplanet.org/u/libreplanet/m/who-s-afraid-of-spectre-and-meltdown/
I don't know if your comment related at all to Spectre, but---if all the software running on your system is free software, what is there to fear? And I agree.
The biggest trouble is that people often run non-free and untrusted code all of the time in their web browsers, and don't see it as a software freedom or security issue. It's important to recognize it for what it is---untrusted, unsigned, ephemeral software---if you're going to consider security tradeoffs when it comes to certain mitigations. I personally don't run JS at all, even if it's free, with very few exceptions, because it's unsigned. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Friday, 10-May-2019 02:15:30 UTC Mike Gerwitz Video for my #LibrePlanet 2019 talk "Computational Symbiosis: Methods That Meld Mind and Machine" is now available, and includes the slides:
https://social.mikegerwitz.com/url/74281
The PIP does slightly cover some slide contents. PDF of the slides is here:
http://mikegerwitz.com/talks/cs4m.pdf
Errata posted here:
https://social.mikegerwitz.com/conversation/177288#notice-260018 -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 04-Apr-2019 01:45:05 UTC Mike Gerwitz EFF applauds WhatsApp fixing a group chat bug:
https://www.eff.org/deeplinks/2019/04/fixed-whatsapp-rolls-out-group-privacy-settings
I get it, a lot of people use WhatsApp. But this doesn't deserve applause---WhatsApp deserves condemnation. It is a proprietary, centralized service. There are better ways to go about your communication with others where you don't have to put up with company inaction by completely relinquishing control of your communications to a third party.
I wrote about this and more back in February in response to the GHCQ Ghost proposal:
https://mikegerwitz.com/2019/02/ghcq-exceptional-access-e2ee-decentralization-reproducible -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 30-Mar-2019 03:00:49 UTC Mike Gerwitz GNU Guix Blog, "Connecting reproducible deployment to a long-term source code archive":
https://social.mikegerwitz.com/url/73241 -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 26-Mar-2019 02:19:28 UTC Mike Gerwitz @mala Re: The LibrePlanet panel you were on about Australia's terrible decryption law:
I asked the first questions just before rms. I had about an hour's worth of questions but had to give others a turn. I did talk to Isa a little bit after specifically about concerns with Tor, but wasn't able to find you free. That panel made a lot of people very uncomfortable. ;)
In particular, I'm curious if you know of any prior precedent in the United States (not necessarily with regards to technology) for the aid in enforcement of laws of other countries that violate the rights of US citizens under the constitution, as they might apply in this situation.
For example, I brought up the issue of compelled speech, so one example may be a case where another country has forced the extradition of a US citizen for exercising free speech rights that aren't permissible in that country. A couple of examples as it pertains to the Australian law would be: refusing to implement a backdoor, and creating a canary.
Or, do you feel that this Australian law is such that the free speech rights established by Bernstein v. United States might be able to be subverted?
I'm asking this as someone who has never visited Australia and has no dealings there. Obviously if you have operations within Australia's jurisdiction then it's a different story. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 25-Mar-2019 16:44:48 UTC Mike Gerwitz As an erratum of sorts to my #LibrePlanet2019 talk---I think I said "GNU/Linux running on the proprietary Windows kernel", when Linux isn't involved---it's GNU/kWindows. Microsoft wrote a compatibility layer that translates Linux syscalls, so programs compiled _for_ GNU/Linux run atop the Windows kernel. See https://mikegerwitz.com/2016/04/gnu-kwindows for more information.
I also forgot to mention for the 2FA password manager example that storing long-term secrets using asymmetric ciphers isn't a good idea; you should use symmetric keys for that. Fortunately, pass{words,phrases} (as I demonstrated in the talk) aren't long-term secrets---they're easily changed. But you can easily do _both_ asymmetric for 2FA with a smartcard and symmetric by adding another GPG invocation to the pipeline.
More to come (including repository of the source code for the slides, as well as notes) within the next day or so. Slides are at https://mikegerwitz.com/talks/cs4m.pdf. Thanks to all those who attended and watched online. Feedback/criticism welcome. I simplified my talk a lot in case the audience wasn't technical but I also didn't want to simplify it too much in case the audience was full of hackers. The intent was to just provide some exposure to the concepts for further research by attendees. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 23-Mar-2019 23:21:16 UTC Mike Gerwitz Congratulations to Deb Nicholson and Open Street Map as recipients of the free software awards! -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 23-Mar-2019 11:50:55 UTC Mike Gerwitz Since I'm on hotel Wifi, a reminder to travelers: consider using a VPN or Tor. I use the latter, both for my web browsing and for SSH to my home server, for privacy reasons.
It's not just about data collection on guests by the hotel or network operator---some networks, like my hotel, aren't even encrypted, so any non-encrypted traffic can be sniffed. There's a lot of metadata that can be sniffed even from encrypted connections, including domains that you're accessing, and traffic analysis can get a pretty good idea of what it is you're looking at depending on the sites you're visiting. So any guest or anyone else within range (or any users of long-range antennas, even) could sniff data from guest connections.
Be safe!
#LibrePlanet2019 #privacy -
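The post above says the domains you visit can be sniffed even from encrypted connections. One concrete mechanism is the Server Name Indication (SNI) extension of the TLS ClientHello, which is sent in cleartext in TLS 1.2 and also in TLS 1.3 unless Encrypted Client Hello is in use. The following is an added example, not code from the original post: it builds a minimal ClientHello for a hostname of its own choosing (the hostname "example.com" and the cipher suite list are constructed sample data, not a real capture) and then parses the record the way a passive observer on the hotel network would, pulling the hostname back out without touching any key material.

```python
"""Read the SNI hostname out of a cleartext TLS ClientHello.

Added example (not from the original post). The ClientHello is constructed
inline so the parser can be run offline; a real one would come from a sniffer.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Build a minimal TLS-1.2-style ClientHello record (constructed sample traffic).
    hostname=None produces a ClientHello with no extensions block at all."""
    body = (
        b"\x03\x03"                                   # client_version
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                                 # one compression method: null
    )
    if hostname is not None:
        name = hostname.encode("idna")
        server_name = struct.pack("!BH", 0, len(name)) + name    # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(server_name)) + server_name
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None when the record
    is not a ClientHello, carries no SNI, or is truncated."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip version and random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            off = 2
            while off + 3 <= list_end:
                name_type, name_len = struct.unpack("!BH", data[off:off + 3])
                off += 3
                if name_type == 0:
                    return data[off:off + name_len].decode("idna")
                off += name_len
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
```

Nothing here uses a key: the observer only needs the first packet of the handshake. The same parser fed an application-data record (content type 0x17) or a truncated capture returns None rather than raising, which matters when it runs over noisy sniffed traffic.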
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 09-Mar-2019 02:01:33 UTC Mike Gerwitz This is interesting, and I'll be curious to see it presented:
"From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic"
https://social.mikegerwitz.com/url/72535
I used to stare at the little hole in the tops of the HDD enclosures when I was younger and wonder how slight a pressure variance could be detected by the hardware, wondering how loud I'd have to scream at it (or if I'd have to put my lips on it and hum) to have a detectable level of vibration. I guess that answers my question.
The bottom of the article links to a video of prior research on the topic, but I don't have the time to look at it right now. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 05-Mar-2019 03:26:47 UTC Mike Gerwitz My sons and I also enjoy using Minetest for 3d home modelling, though it's a bit less precise. ;)
But I agree with Sweet Home 3D! I used it with my wife for some remodelling ideas when we first bought our home (...and sadly one that we almost bought but lost the bid on). -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 05-Mar-2019 02:48:51 UTC Mike Gerwitz ACLU: "Student Surveillance Versus Gun Control: The School Safety Discussion We Aren’t Having"
https://social.mikegerwitz.com/url/72405 -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 28-Feb-2019 03:53:58 UTC Mike Gerwitz "It’s Time to Make Sure Our Kids Are No Longer Bound, Shackled, or Locked Away When They’re at School"
https://social.mikegerwitz.com/url/72240
Issues like these take on a whole new light when you're a parent. In all the things in my life that are important to me, including all of my activism, the only thing that triggers instant, deep, almost irrational emotion is the thought of someone harming one of my children. And that's something I would have never been capable of understanding before becoming a parent.
I haven't had a chance to review the proposed bill or even the cases that it references. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Wednesday, 27-Feb-2019 02:52:34 UTC Mike Gerwitz "ETS Isn't TLS and You Shouldn't Use It":
https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Friday, 22-Feb-2019 04:02:23 UTC Mike Gerwitz Finally received word: #LibrePlanet2019 will once again be held in the Stata Center at MIT in Boston, MA.
I'm excited to see everyone there, and I'll be speaking. Who here on the fediverse is attending? -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 19-Feb-2019 05:17:37 UTC Mike Gerwitz @cwebber Good stuff!
Re: encryption "shelf life": would the URI scheme support multiple encryption?
Barring weaknesses in the actual ciphers (and the various other ways to undermine encryption), it's unlikely that data encrypted with modern ciphers at sufficient keysizes will ever be able to be decrypted without the key (Bremermann's limit, with the optimal brute-force post-quantum attack against symmetric ciphers being Grover's algorithm, which is mitigated by doubling the keysize).
So one option to mitigate the compromise of a cipher due to some sort of cryptanalytic attack is to use multiple ciphers, each with different keys.
Of course, if Alice is communicating an ephemeral symmetric key to Bob using an asymmetrically encrypted channel, the robustness of the symmetric algorithms won't matter much if an attacker that can monitor network traffic between Alice and Bob may be able to decrypt that key exchange in the future. But that exchange could take place over a more trusted connection that is not available to the public, unlike the e.g. IPFS-stored encrypted messages themselves (though it may still be available to e.g. the NSA/GHCQ/etc). So there is still value in hardening the symmetrically encrypted message as much as Alice and Bob desire based on their threat model. -
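The post above proposes layering multiple ciphers, each with its own key, so that a cryptanalytic break of one cipher does not expose the message, and notes that 256-bit keys keep Grover's algorithm at 2^128 work. The following is an added example, not code from the thread or from any project it mentions: a two-layer cascade in which the inner layer is ChaCha20 (RFC 8439, written out in plain Python so the block runs offline) and the outer layer is a counter-mode keystream drawn from HMAC-SHA256, two structurally unrelated primitives. Each layer has its own independently generated 256-bit key, and an encrypt-then-MAC tag under a third key rejects tampering. The keys, nonces and plaintext are constructed for the demonstration.

```python
"""Cascade of two independent stream ciphers plus an authentication tag.

Added example, not from the original thread. Layer 1: ChaCha20 (RFC 8439).
Layer 2: HMAC-SHA256 in counter mode. Keys are independent 256-bit secrets.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):                                         # 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the ChaCha20 keystream (encryption and decryption are the same)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def hmac_ctr_xor(key, nonce, data):
    """Second layer: keystream block j = HMAC-SHA256(key, nonce || j)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack("<Q", i // 32), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def generate_keys():
    """Three independent 256-bit keys: inner cipher, outer cipher, MAC."""
    return os.urandom(32), os.urandom(32), os.urandom(32)


def cascade_encrypt(keys, plaintext):
    """Envelope: n1 || n2 || HMACCTR_k2(ChaCha20_k1(plaintext)) || tag."""
    k1, k2, kmac = keys
    n1, n2 = os.urandom(12), os.urandom(16)
    body = n1 + n2 + hmac_ctr_xor(k2, n2, chacha20_xor(k1, n1, plaintext))
    return body + hmac.new(kmac, body, hashlib.sha256).digest()


def cascade_decrypt(keys, blob):
    """Verify the tag first, then peel the outer and inner layers."""
    k1, k2, kmac = keys
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kmac, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    n1, n2, outer = body[:12], body[12:28], body[28:]
    return chacha20_xor(k1, n1, hmac_ctr_xor(k2, n2, outer))


if __name__ == "__main__":
    keys = generate_keys()
    blob = cascade_encrypt(keys, b"meet at the usual place")
    print(cascade_decrypt(keys, blob))
```

The point of the layering shows up when one key is wrong: with k1 replaced, cascade_decrypt (after the tag check passes, since the MAC key is unchanged) returns only the inner ChaCha20 ciphertext, never the plaintext. The cascade does nothing for the key exchange itself, as the post says; it hardens the stored message on the assumption that the keys were delivered over a channel the adversary did not record.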
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Monday, 18-Feb-2019 06:20:56 UTC Mike Gerwitz GHCQ’s “Exceptional Access”, End-To-End Encryption, Decentralization, and Reproducible Builds
https://mikegerwitz.com/2019/02/ghcq-exceptional-access-e2ee-decentralization-reproducible
My contribution to the debate to address what I felt was missing from mainstream discussions.