#Cybersecurity #Privacy #Encryption #HumanRights: "In summary [80], the Court concluded that the retention and unrestricted state access to internet communication data, coupled with decryption requirements, cannot be regarded as necessary in a democratic society, and are thus unlawful. It emphasized that a direct access of authorities to user data on a generalized basis and without sufficient safeguards impairs the very essence of the right to private life under the Convention. The Court also highlighted briefs filed by the European Information Society Institute (EISI) and Privacy International, which provided insight into the workings of end-to-end encryption and explained why mandated backdoors represent an illegal and disproportionate measure." https://www.eff.org/deeplinks/2024/03/european-court-human-rights-confirms-undermining-encryption-violates-fundamental
do you have a handy #usb or #sdcard you usually travel with? they are small, light, cheap... convenient.
it's not that you store there Top Secrets (maybe!) but in case it was lost or stolen you will feel more relaxed if the drive was securely encrypted. LUKS
#LUKS implements a platform-independent standard on-disk format for use in various tools. This facilitates compatibility and interoperability among different programs and operating systems[...]
I was to write a blogpost about it, but there are plenty of them available to use LUKS encryption in any platform. Just three here:
and How to backup or restore LUKS header by @milosz ⚠️ Do this just after creating your encrypted drive and save the header in another (safe) storage. Use a password manager to create/store safe pass-phrases (recommended for usb-luks as you most likely will have to hand write it) and passwords.
My usb-luks are automatically detected and mounted (after pass-phrase prompt) in both #archlinux and #debian 🥳
"Abdullah Atta is the founder of Notesnook, an open source and end-to-end encrypted note-taking app with cross-device syncing.
Abdullah is obsessed with privacy, promising no spying and no tracking, and has designed many features to ensure your information is only accessible to who you want it to."
Today, a district court in Nevada is hearing a case about whether Meta should have to comply with the state AG’s demand for a temporary restraining order to stop Meta from offering end-to-end #encryption (#E2EE) on Facebook’s Messenger for children in Nevada under the age of 18.
"This is a full-on attack on encryption. If Nevada succeeds here, then it’s opening up courts across the country to outlaw #encryption entirely. This is a massive, dangerous attack on security and deserves much more attention."
I'm trying to get my head round HTTP Signatures as they're used extensively in the Fediverse.
Conceptually, they're relatively straightforward.
You send me a normal HTTP request. For example, you want to POST something to https://example.com/data
You send me these headers:
POST /data
Host: example.com
Date: Sat, 24 Feb 2024 14:43:48 GMT
Accept-Encoding: gzip
Digest: SHA-256=aaC57TDzM0Wq+50We2TkCsdMDvdqON92edg7KI+Hk8M=
Content-Type: application/activity+json
Signature: keyId="https://your_website.biz/publicKey",algorithm="rsa-sha256",headers="(request-target) host date digest content-type",signature="JGQ53kEoIiMWRp9By9jajVGCOCu4n7XBeiA1uY5xLcnAxL2Y1GIgU/...=="
Connection: Keep-Alive
Content-Length: 751
In order to verify the contents of the message, I need to do three things:
Check the SHA-256 hash of the message matches the content of the "Digest" header.
Check the timestamp is somewhat fresh.
Check the signature matches.
The first is simple: base64_encode( hash( "sha256", $request_body, true ) ).
The second is a matter of opinion. I might be happy to receive messages from the distant past or far in the future. For the sake of a little clock drift, let's allow 60 seconds either way.
The third gets complicated.
First, I need to get the public key published at keyId="https://your_website.biz/publicKey".
Next, I need to know which algorithm is being used to sign the headers: algorithm="rsa-sha256"
Then, I need to know which headers - and in what order - are being signed: headers="(request-target) host date digest content-type"
So I create a string using the received details which matches those headers in that specific order:
(request-target) POST /data
Host: example.com
Date: Sat, 24 Feb 2024 14:43:48 GMT
Digest: SHA-256=aaC57TDzM0Wq+50We2TkCsdMDvdqON92edg7KI+Hk8M=
Content-Type: application/activity+json
I can verify if the signature - signature="JGQ53kEoIiMWRp9By9jajVGCOCu4n7XBeiA1uY5xLcnAxL2Y1GIgU/...==" matches by:
Which means your server will need to validate my signature by obtaining my public key. Which it will get by signing a request and sending it to me. Which, before I return my public key, I will need to validate your signature by obtaining your public key. Which I will get by signing a request... and so on.
This deadlock loop is documented. The usual way around it is either for the sending server to use an instance-specific signature which can be retrieved by an unsigned request, or to allow any unsigned request to access a user's public key.
I get why things happen this way - I just wish it were easier to implement!
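The three checks from the HTTP Signatures post above, as an added Ruby example that is not part of the original post. It assumes the sender's public key has already been fetched from keyId and is passed in, and it builds the signing string in the draft-cavage-http-signatures form (lowercase method and header names, "name: value" lines). The function names are hypothetical and the sample request is constructed with a throwaway key.

```ruby
require 'openssl'
require 'time'

# Split the Signature header into keyId, algorithm, headers and signature.
def parse_signature_header(value)
  value.to_s.scan(/(\w+)="([^"]*)"/).to_h
end

# Signing string, draft-cavage form: lowercase "name: value" lines in listed order.
def signing_string(method, path, headers, names)
  names.map do |n|
    next "(request-target): #{method.downcase} #{path}" if n == '(request-target)'
    "#{n}: #{headers.fetch(n)}"
  end.join("\n")
end

# Returns :ok, or a symbol naming the first check that failed.
def verify_request(method, path, headers, body, public_key, now: Time.now, skew: 60)
  h = headers.transform_keys(&:downcase)
  sig = parse_signature_header(h['signature'])
  names = sig['headers'].to_s.split
  # The digest and date checks only mean something if those headers are signed.
  return :unsigned_header unless (%w[(request-target) date digest] - names).empty?
  return :missing_header unless names.all? { |n| n == '(request-target)' || h.key?(n) }
  digest = 'SHA-256=' + [OpenSSL::Digest::SHA256.digest(body)].pack('m0')
  return :bad_digest unless h['digest'] == digest                      # check 1
  sent = Time.httpdate(h['date'].to_s) rescue nil
  return :bad_date if sent.nil?
  return :stale unless (now - sent).abs <= skew                        # check 2
  return :bad_algorithm unless sig['algorithm'] == 'rsa-sha256'
  raw = sig['signature'].to_s.unpack1('m')
  text = signing_string(method, path, h, names)
  public_key.verify(OpenSSL::Digest.new('SHA256'), raw, text) ? :ok : :bad_signature
end

# Constructed sample: a throwaway key and a request signed with it.
def constructed_sample(now)
  key = OpenSSL::PKey::RSA.new(2048)
  body = '{"type":"Create"}'
  h = { 'host' => 'example.com', 'date' => now.httpdate,
        'content-type' => 'application/activity+json',
        'digest' => 'SHA-256=' + [OpenSSL::Digest::SHA256.digest(body)].pack('m0') }
  names = %w[(request-target) host date digest content-type]
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_string('POST', '/data', h, names))
  h['signature'] = %(keyId="https://your_website.biz/publicKey",algorithm="rsa-sha256",) +
                   %(headers="#{names.join(' ')}",signature="#{[sig].pack('m0')}")
  [h, body, key.public_key]
end
```

A request whose Signature header does not list date and digest is rejected before the other checks, because an unsigned Digest or Date header can be changed in transit without invalidating the signature.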
If you believe the good guys need to have a way to get around encryption, you either haven’t thought about it enough, or you’re not one of the good guys.
That is IT. FUCK GOOGLE. If you’re not going to provide technical support with a real live person then fuck you I’m going somewhere else. I’ve had this account for over a decade and now I can’t get into it on my new phone because YOUR STUFF IS BROKEN. And there’s no way to contact a real person in real time for help with any of the products!!
I’m so mad and I’m so frustrated with this whole phone upgrade. So fuck Apple too.
⚡ Apple's #iMessage is getting a major security upgrade with PQ3, a new post-quantum cryptography protocol that protects against future attacks from quantum computers.
iMessage quantum security arrives with iOS 17.4 - @9to5Mac
This would have been the perfect article to remind people that all of this E2EE doesn’t matter if you back up your iMessages in iCloud, where they will be backed up clear-text to Apple/NSA, unless both parties turn on Advanced Data Protection
#CyberSecurity #Privacy #Surveillance #Encryption: "Shrugging about the dangers of surveillance can seem reasonable when that surveillance isn’t very impactful on our lives. But for many, fighting for privacy isn't a choice, it is a means to survive. Privacy inequity is real; increasingly, money buys additional privacy protections. And if privacy is available for some, then it can exist for all. But we should not accept that some people will have privacy and others will not. This is why digital privacy legislation is digital rights legislation, and why EFF is opposed to data dividends and pay-for-privacy schemes.
Privacy increases for all of us when it increases for each of us. It is much easier for a repressive government to ban end-to-end encrypted messengers when only journalists and activists use them. It is easier to know who is an activist or a journalist when they are the only ones using privacy-protecting services or methods. As the number of people demanding privacy increases, the safer we all are. Sacrificing others because you don't feel the impact of surveillance is a fool's bargain."