witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:27:28 UTC:
today on horseshit written by a clueless Security Man......

mvgorcum (mvgorcum@mastodon.technology)'s status on Wednesday, 02-Mar-2022 14:27:28 UTC:
@haskal I also love that he went on a long rant about fdroid signing keys, meaning they could technically change the apps. And then he goes on to say:
"As for apps concerned by Play App Signing, while Google could technically introduce their own code like Amazon, they wouldn't do that without telling about it since this will be easily noticeable by the developer and more globally researchers."
So you can't trust fdroid to not secretly change apps, but you can trust Google with this power?

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:31:08 UTC:
you need to define your threat model
you need to define your threat model
you need to define your threat model
you need to define your threat model

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:31:23 UTC:
every security man that tells me something is "insecure" without actually defining a threat model automatically owes me $20
cash accepted

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:31:25 UTC:
why would you put your wallet in your pocket when i can just pickpocket you and steal your cash :3 clearly you are insecure

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:31:34 UTC:
fun fact that security people don't seem to get that is kind of foundational to the entire field
everything is insecure
there's a way to hack anything you like
"security" is always relative to a specific threat model

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:31:35 UTC:
actually wait shit this still defines a threat model
your wallet in your pocket is insecure
because i said so :)

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:32:23 UTC:
@haskal Proprietary software written by Google is threatening, so yeah... I'll keep using F-Droid, thanks.

Haelwenn (lanodan@queer.hacktivis.me)'s status on Wednesday, 02-Mar-2022 14:32:23 UTC:
@be @haskal I'll probably keep using a feature phone which doesn't get firmware updates here.
Only data it has is data which was already transmitted.
It can't store a lot of SMS so old ones get deleted.
I don't have messaging apps but those tend to have even worse centralisation than the telephone network.
It doesn't have internet, this is a feature.

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:32:24 UTC:
> It's up to your threat model, and of course your personal preferences. Most likely, your phone won't turn into a nuclear weapon if you install F-Droid on it - and this is far from the point that this article is trying to make. Still, I believe the information presented will be valuable for anyone who values a practical approach to privacy (rather than an ideological one).
you listed a bunch of literal non-issues so idk what exactly is "practical" about this -- in fact it seems rather ideological

witch hat hacker spooky ver (haskal@cybre.space)'s status on Wednesday, 02-Mar-2022 14:32:33 UTC:
f-droid's de facto complete lack of any sort of malware is literally more important than any theoretical concern imo
is it possible to sneak malware in if you really tried? yes
is there malware? no absolutely not
you go on google play and download a flashlight app and the top 20 results are all malware lol
sure f-droid has some pretty shit apps but none of them will infect your phone, and to be fair f-droid also has a handful of extremely high quality apps that you would have trouble finding otherwise
so idk, for the average user f-droid is just de facto higher quality apps, and confers more security just by being a little more tightly controlled by forcing apps to be open source (malware people will typically not want to make their shit open source. that's usually how it works)

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:33:03 UTC:
@haskal Trusting signed binaries instead of signed source code is a conspiracy by Google, Apple, and Microsoft to sell proprietary software.

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:33:43 UTC:
@haskal Security Man says forced obsolescence is about Security. Who cares that it means people need to buy way more hardware? I mean, those lazy application developers need to upgrade their shit. Nonono, don't blame Google for forking the shit out of Linux and encouraging rampant GPL violation by their hardware partners. Google's boots taste too good for Security Man!

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:34:35 UTC:
@haskal Come to think of it, aren't all technological security measures technological solutions to social problems?

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:34:36 UTC:
@haskal "open-source apps aren't necessarily more private or secure. Instead, you should rely on the strong security and privacy guarantees provided by a modern operating system with a robust sandboxing/permission model, namely modern Android, GrapheneOS and iOS."
So, trust your proprietary operating system (bad idea) to deal with your lack of trust in the developers of the applications you use... instead of, you know, just trusting the application developers??

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 14:34:36 UTC:
@haskal Don't get me wrong, sandboxing applications is generally good. But relying on that in lieu of trusting application developers is a technological solution to a social problem.

Segebodo (segebodo@chaos.social)'s status on Wednesday, 02-Mar-2022 14:35:03 UTC:
@be @haskal
"Backward compatibility is often the enemy of security, and while there's a middle-ground for convenience and obsolescence, it shouldn't be exaggerated. (...) the main repository of F-Droid is filled with obsolete apps from another era (...). Let's not make the same mistake as the desktop platforms: instead, complain to your vendors for selling devices with no decent OS/firmware support."
"instead, complain to your vendors"
WTF. How naive can a person be?

Vals Plat (operand@todon.nl)'s status on Wednesday, 02-Mar-2022 14:35:53 UTC:
@haskal if I wanted to take a 'practical' approach to privacy on my phone I would probably use the app store where there are no ads and any proprietary third-party services an app uses are clearly listed.

moparisthebest (moparisthebest@moparisthe.best)'s status on Wednesday, 02-Mar-2022 14:36:29 UTC:
@haskal Great rebuttal, that article looked like a pure FUD hit piece until I got to the bottom to "sponsored by GrapheneOS" which explains it, they seem to have something against f-droid? They threatened to ban f-droid devs from their GitHub a few days ago and when called out on it deleted the issue...

Waweic (waweic@chaos.social)'s status on Wednesday, 02-Mar-2022 14:38:52 UTC:
@jr Basically, not at all. Should have marked it with /s.
In the case of Google, it at least ensures that Google doesn't tamper with the APKs

Santa Claes (clacke@libranet.de)'s status on Wednesday, 02-Mar-2022 14:38:52 UTC:
@waweic @jr These days you have to give your private keys to Google to participate in their latest coolest packaging mode.
I am not kidding, there is no hyperbole, I am literally saying what I am saying.
It's a complete charade at that point.

j.r (jr@social.anoxinon.de)'s status on Wednesday, 02-Mar-2022 14:38:59 UTC:
@waweic @haskal yeah that's exactly the single point it helps for... whoever owns the keys can update the app, others can't, nothing else...

Waweic (waweic@chaos.social)'s status on Wednesday, 02-Mar-2022 14:39:00 UTC:
@haskal Why do the signatures even matter? Practically, they only mean that an app that's already installed can't be "updated" by a different / malicious developer, don't they?

Santa Claes (clacke@libranet.de)'s status on Wednesday, 02-Mar-2022 14:43:24 UTC:
@waweic @jr We didn't think combining convenience with security was possible, but it turns out all you have to do is just give everything to Google!

Santa Claes (clacke@libranet.de)'s status on Wednesday, 02-Mar-2022 14:43:26 UTC:
"When you use Play App Signing, your keys are stored on the same secure infrastructure that Google uses to store its own keys. Keys are protected by Google's Key Management Service."
support.google.com/googleplay/…

j.r (jr@social.anoxinon.de)'s status on Wednesday, 02-Mar-2022 14:44:06 UTC:
@clacke @waweic yeah actually Google could easily tamper apps submitted in the last few months because they now force devs to upload their keys

Santa Claes (clacke@libranet.de)'s status on Wednesday, 02-Mar-2022 14:49:32 UTC:
@jr @waweic Imagine being the team who worked on the app signing framework, making sure you could combine centralized distribution with decentralized signatures by using Trust On First Use and always deleting all user data if you uninstall so you can uninstall from a different signature source ...
and then one day their manager just "anyway, so we're forcing everyone to give us their keys" and suddenly the last decade of your worklife was just wasted effort.

Sandra (sandra@idiomdrottning.org)'s status on Wednesday, 02-Mar-2022 15:08:57 UTC:
@haskal I wish iOS had an F-droid equivalent because their app store also has a lot of malware.

easrng (easrng@cybre.space)'s status on Wednesday, 02-Mar-2022 15:08:57 UTC:
@Sandra @haskal There's Cydia/Sileo/Zebra/etc but you need to be jailbroken and many tweaks/apps are closed source.

Sandra (sandra@idiomdrottning.org)'s status on Wednesday, 02-Mar-2022 15:09:01 UTC:
@haskal @easrng Oh, I was specifically looking for open source apps! I've got a friend with Xcode who compiles some stuff for me but it's difficult to find good open source apps. Maybe there is an "awesome" list out there.

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 15:09:01 UTC:
@Sandra @easrng @haskal That's because Apple is actively hostile to it. You can't publish GPL licensed applications on the iOS App Store without every contributor to the code agreeing to a special exception to the GPL. Apple's terms explicitly say you can't distribute the application outside of their app store among other ridiculous restrictions which are incompatible with the GPL.

Sandra (sandra@idiomdrottning.org)'s status on Wednesday, 02-Mar-2022 15:09:01 UTC:
@be
"Apple's terms explicitly say you can't distribute the application outside of their app store" But there are some apps that do have git repos up.

Be (be@fosstodon.org)'s status on Wednesday, 02-Mar-2022 15:09:09 UTC:
@Sandra It's questionable whether that's legal.