fosdem.org/2019/schedule/event

#FOSDEM2019 Keynote

Quote: "Today FLOSS software is everywhere. In some ways the dream of 20 years ago has been realized. FLOSS software is the norm, GitHub is mainstream."

Hmmm, thank you Mitchell. Do you know that GitHub was bought by Microsoft?

I'm glad "FLOSS is about freedom." This is reassuring. But I'm concerned that Mozilla remains the last bastion of it, and that someone like Steve Klabnik is leaving Mozilla (words.steveklabnik.com/thank-u) maybe for... Google...

#FOSDEM2019 Keynotes

OK, I think that after removing the L for Libre from FLOSS in FOSDEM we might as well remove the E for Europe, as all 4 keynote speakers are U.S. Americans.

Or don't we have European Free Software developers?

@how

We could remove the F too...
(except that OSDEM looks too much like something related to #osdev) because #Mozilla is not a bastion of #freedom anymore: bugzilla.mozilla.org/show_bug.

Since their outraged reaction to that bug report, I realized that Mozilla is just the #geek friendly #PR department of #Google. But they are more a #US thing than a Google one: after all they want to hand your data to #CloudFlare too... and defend the most abusive #SiliconValley #BusinessModel, while pretending not to.

@Shamar Line 2615 of the script reproduced in

pastebin.com/embed_iframe/2VH5

mentions: o = ["acunetix", "beef", "burp", "zap", "fiddler", "netsparker", "sleepypuppy", "sonar", "xbackdoor", "xenotix", "dominator", "littleDoctor"],

To me it looks like a script detector that will tell (someone) that the visiting browser has been compromised.

@how

No: as the following lines show, it's an implementation of the attack I described at dev.to/shamar/the-meltdown-of- and rain-1 polished and extended at rain-1.github.io/in-browser-lo to detect some tools running on the machine of the visiting browser (tunneling through the #browser behind the #firewall and #proxy).

Those are network security tools, and it's weird that the Russian Government wants a db of IPs/people using them... but it's way worse when you realize that those specific tools...

1/

@how

...can be used to detect a #JavaScript attack despite the #HTTP trick I described in the #Mozilla #Firefox bug report.

So they are building a db of people to NOT attack with an undetectable remote execution attack that Mozilla and #Chromium refused to mitigate.

Now ask yourself: why would a Government need such a database?

And why couldn't they make the attack itself undetectable?

And what if #Google, #Facebook or #Cloudflare did the same?
Would they face that same issue?

(No)
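An added example, not code from the pastebin script or from the linked write-ups, of the in-browser localhost probe the two posts above describe: a page fires no-cors fetches at 127.0.0.1 ports and reads nothing but whether each request resolved and how long it took. The port table and the timing thresholds are my assumptions about common defaults, and the tool names are only the ones from the array that I am confident about; the pure helpers are separated from the fetch wrapper so the classification can be checked offline.

```javascript
// Added example (not the pastebin script, not rain-1's or Shamar's code):
// a minimal in-browser localhost port probe of the kind the thread describes.
// probePort/scanForTools run in a browser tab; classifyProbe/inferTools are
// pure and run anywhere.

// Assumed default listening ports (my assumptions, not data from the page).
const TOOL_PORTS = {
  burp:    [8080],
  zap:     [8080, 8090],
  fiddler: [8888],
  beef:    [3000],
};

// Assumed heuristic thresholds: a refused TCP connect to 127.0.0.1 fails in
// well under 300 ms, while a port that is open but not speaking HTTP keeps the
// browser waiting until the request fails, which takes noticeably longer.
const REFUSED_MS = 300;
const TIMEOUT_MS = 1500;

// Turn one fetch outcome into a port state. Pure function, no I/O.
//   resolved    -> an opaque no-cors response came back: something answered HTTP
//   AbortError  -> our own timeout fired: filtered / no reply at all
//   other error -> TypeError("Failed to fetch"); timing separates refused from open-non-HTTP
function classifyProbe({ resolved, errorName, ms }) {
  if (resolved) return 'open';
  if (errorName === 'AbortError') return 'filtered';
  return ms < REFUSED_MS ? 'closed' : 'open-non-http';
}

// Map per-port states back to tool names: a tool is reported when any of its
// ports looks open (HTTP or otherwise). Pure function, no I/O.
function inferTools(statesByPort, toolPorts = TOOL_PORTS) {
  const found = [];
  for (const [tool, ports] of Object.entries(toolPorts)) {
    const hit = ports.some((p) => {
      const s = statesByPort[p];
      return s === 'open' || s === 'open-non-http';
    });
    if (hit) found.push(tool);
  }
  return found.sort();
}

// Probe a single port from the browser. mode:'no-cors' means the page never
// reads the body; it only learns whether the request resolved and how long it took.
async function probePort(port, fetchImpl = globalThis.fetch) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), TIMEOUT_MS);
  const t0 = Date.now();
  try {
    await fetchImpl(`http://127.0.0.1:${port}/`, {
      mode: 'no-cors', cache: 'no-store', signal: ctrl.signal,
    });
    return classifyProbe({ resolved: true, errorName: null, ms: Date.now() - t0 });
  } catch (e) {
    return classifyProbe({ resolved: false, errorName: e && e.name, ms: Date.now() - t0 });
  } finally {
    clearTimeout(timer);
  }
}

// Probe every port in the table and report which tools appear to be running.
async function scanForTools(fetchImpl = globalThis.fetch, toolPorts = TOOL_PORTS) {
  const ports = [...new Set(Object.values(toolPorts).flat())];
  const states = {};
  await Promise.all(ports.map(async (p) => { states[p] = await probePort(p, fetchImpl); }));
  return { states, tools: inferTools(states, toolPorts) };
}

// In a page: scanForTools().then((r) => console.log(r.tools));
```

Two caveats a practitioner should keep in mind: from an https origin a plain-http request to 127.0.0.1 is blocked as mixed content before any timing leaks, and browsers have been adding restrictions on requests from public pages into private address space, so the probe is most reliable from a plain-http page. Blocking first-party script, as discussed later in this thread, removes the whole channel.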

@Shamar I'm reading dev.to/shamar/the-meltdown-of-

The argument that the Web is broken strikes a sensitive chord in me. Yesterday still I was having this conversation: what browser do we have left? None. Maybe we should definitely drop usage of the Web entirely.

Back to #P2P yes... Still the transition from Web to P2P is not ready, it looks more like a blind dive than a toboggan.

But I digress.

@how

It strikes sensitive chords in everybody: dev.to/shamar/i-have-been-bann

But if we hide our heads in the sand, it won't get better by itself.

Can we fix it?

I think so.
But the process is going to be... difficult... even dangerous, I'm afraid.

It's not just a matter of economic interests (that make people refuse to open their eyes in the hope of getting rich with some online game deducing valuable people's health data), but of military ones that were smartly tied to them: medium.com/@giacomo_59737/the-

@adfeno @how @mikegerwitz

Progressive enhancement is the best possible use of JavaScript, but it's just as insecure as any other JavaScript.

However you are right that, by spreading opt-in JS and proper mitigations, progressive enhancement would spread too...till the advent of @alcinnz's #Memex browser.

@shamar @adfeno Ironically, the ezine link you posted greets me with:

"It appears that you are using Tor anonymizing software

No Problem! We just need you to enter a Captcha so we can confirm that you are a person and not a bot."

Which is non-functional for me, presumably because I'm not running JS. I just loaded via the Internet Archive.

Some sites use CAPTCHAs even for read-only pages, presumably to try to thwart scraping, DOS attacks, and the like. (I fundamentally disagree with this practice.)

There are many other JS practices that need to change as well, both for security and user freedom. I highlighted what I perceive as many of the major issues a few years ago at LibrePlanet:

https://media.libreplanet.org/u/libreplanet/collection/restore-online-freedom/

In particular, I'm really hoping that someone will take up the issue of code signing and the ability to replace specific scripts with user-defined scripts (the latter may be best implemented in LibreJS considering the level of granularity it offers in script detection).
Ecologia Digital

Mastodon of Ecologia Digital.

Building the public ~ common ~ digital environment, in support of an 'environmental movement for the network [Internet]' -> #ecodigital

"Like the environment, the public domain (or commons) needs to be 'invented' before it can be saved." - James Boyle, creator of 'environmentalism for the net