The Unclear Impact

Kristóf Marussy | @kristof@pleroma.marussy.com

I'm a PhD student working on the extra-functional requirements and formal verification of cyber-physical system architectures.
I also like free (as in liberty) software, privacy enhancing technologies, and cryptography.
My pronouns are he/him.

re: EU_politics + encryption + privacy
@fredl99 I'm unsure what's the relationship between the petitions to the EU Parliament and European Citizens' Initiatives like https://reclaimyourface.eu/ . The latter seems to require providing government ID in addition to your nationality and name, so it's even more explicitly for citizens only.

On the other hand, people supporting the rejection of 12143/1/20 REV 1 should also think about supporting the Reclaim Your Face ECI, which seeks to ban biometric mass surveillance (i.e., invasive surveillance in the physical space, as opposed to invasive surveillance in the virtual space by limiting encryption), provided they are comfortable providing the requisite personal details to the ECI.

re: EU_politics + encryption + privacy
@fredl99 Nationality was indeed required for registration. When you select a nationality from the dropdown, a piece of JS adds it to the textarea below (minus points for relying on JS!), so registration just threw an error for me when I tried without JS despite selecting mine.

It makes sense that the nationality is required _if_ this is for petitions to the EU Parliament from EU citizens only. It's also conceivable that one would lose/gain nationality of an EU country, so allowing it to be edited also makes sense.

There's of course the much broader question about democracy whether it's acceptable to restrict participation to EU citizens, or should residents, or even everyone potentially affected by a decision be able to tell their opinion.

re: EU_politics + encryption + privacy
@fredl99 If anyone else is having trouble with registration, it seems that it requires JavaScript to be able to enter your nationality. Also, there's a hidden requirement of no special characters in the password (but a 50 character password is), although they are allowed in the security answer.

EU_politics + encryption + privacy

The EU Council has approved a resolution to undermine encrypted communications for EU citizens:
https://data.consilium.europa.eu/doc/document/ST-13084-2020-REV-1/en/pdf

A petition to decline this resolution and to keep citizens' privacy is online at the EU parliament:
https://www.europarl.europa.eu/petitions/en/petition/content/1222%252F2020/html/Keep+Encryption

As of today at 14:59 CET this petition has been signed by 15 supporters
----------------------------------------------------------

I'm now pretty happy with where I am with blocking javascript as a default, the web is usable again :)

https://wordsmith.social/sotolf/surfing-with-javascript-blocked

@aral I'm mostly clueless about ESM, but do previous versions of the dataset (with a different ?update= date) hang around in some kind of cache, or is ESM smarter about that?

I see you can explicitly delete the cache entry in CommonJS, but I'm wondering whether ESM supports anything like that. (Although I guess with your 227 MB dataset, memory leaks would be pretty apparent.)

shitpost, pol, `ld`
Static linking to own the libs

Created new profiles for ungoogled-chromium, Firefox and Pale Moon with separate data and cache directories. Then I contained them with new firejail profiles that don’t have internet access but can see localhost (my usual profiles don’t have access to localhost and the local network). I styled Firefox and Pale Moon with chrome/userChrome.css and $XDG_CONFIG_HOME/gtk-3.0/gtk.css to have dimensions as close to ungoogled-chromium as possible (I can’t easily style Chromium, so this was the best option).

Now it’s only a matter of setting the dev console to the exact same width in the three browsers and I can easily cycle between them to check rendering quirks.

#webdev #css

[Attached images: webpage rendered in ungoogled-chromium, Firefox, Pale Moon, and Lynx]

@robby @GNUxeava @absturztaube @kura @sean

Sadly, I'm only 2/5 out of this: tiling wm (sway) and arch. Although maybe having a custom script that remaps a bunch of key events (to create a multi-language layout and macros for sway) counts as a weird keyboard layout? My colleagues probably aren't able to type on it, at least. 😄​ Also, I was trying to learn Colemak, but haven't managed yet.

A split keyboard sounds nice for programming! But I'm afraid it'd be quite annoying for drawing things (one hand on mouse/stylus, other hand for hotkeys). Maybe having one with lots of buttons on the left side that can be remapped would help? But that kinda defeats the purpose of having it split.

@sev Dropping in from my federated timeline to say that this looks eerily like something randomly generated by Dwarf Fortress.

@aral Also worrying is the lack of subresource integrity for resources like fonts included from CSS.

https://github.com/w3c/webappsec-subresource-integrity/issues/40

While straight up injecting unauthenticated JS code is of course easier to exploit, font rendering is a big can of worms and arbitrary code execution with carefully crafted web fonts wasn't unprecedented (although, fortunately, modern browsers have much better sandboxes than IE circa 2011).

https://yomuds.blogspot.com/2012/11/cve-2011-3402-and-cool-exploit-kit_28.html

https://cve.circl.lu/cve/CVE-2011-3402
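
An added example, not part of the post above: a small audit that lists cross-origin resources a page loads without integrity pinning, including fonts and imports referenced from CSS, which have no way to carry integrity metadata. The sample markup, the stylesheet, and the `example.org`/`example.net` URLs are constructed, and the regex-based tag matching is a simplification rather than a full HTML or CSS parser.

```javascript
// Added example: list cross-origin subresources that SRI does not cover.
// All URLs and markup below are constructed sample input.
const PAGE_URL = 'https://example.org/index.html';
const SHEET_URL = 'https://example.org/style.css';

const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example.net/site.css"
      integrity="sha384-PLACEHOLDER" crossorigin="anonymous">
<script src="https://cdn.example.net/app.js"></script>
<script src="/local.js"></script>`;

const SAMPLE_CSS = `
@import url("https://fonts.example.net/css?family=Demo");
@font-face {
  font-family: Demo;
  src: url(https://fonts.example.net/demo.woff2) format("woff2"),
       url('/fonts/demo.woff') format("woff");
}
body { background: url(data:image/png;base64,AAAA); }`;

// True when ref, resolved against base, is an http(s) URL on another origin.
function isCrossOrigin(ref, base, pageUrl) {
  try {
    const u = new URL(ref, base);
    return /^https?:$/.test(u.protocol) && u.origin !== new URL(pageUrl).origin;
  } catch {
    return false; // unparsable reference: nothing to fetch
  }
}

// <script>/<link> tags can carry integrity=""; flag cross-origin ones without it.
function auditHtml(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const ref = /\b(?:src|href)\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (ref && isCrossOrigin(ref[1], pageUrl, pageUrl) && !/\bintegrity\s*=/i.test(tag)) {
      findings.push({ url: ref[1], reason: 'no integrity attribute' });
    }
  }
  return findings;
}

// CSS has no syntax for integrity metadata, so every cross-origin url() is unpinned.
function auditCss(css, sheetUrl, pageUrl) {
  const findings = [];
  for (const m of css.matchAll(/url\(\s*(["']?)([^"')]+)\1\s*\)/gi)) {
    if (isCrossOrigin(m[2], sheetUrl, pageUrl)) {
      findings.push({ url: m[2], reason: 'CSS url() cannot carry integrity' });
    }
  }
  return findings;
}
```

Self-hosting the flagged fonts and stylesheets on the page's own origin removes them from both lists.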

Very interesting, I didn’t realise that subresource integrity was entirely missing from the ESM spec. So what this would mean is that, with ESM, any code loaded from any CDN could contain a potential government backdoor. How is this not a bigger issue?

https://github.com/skypackjs/skypack-cdn/issues/135

(I’m saying a government backdoor because it would most likely take a state-level actor to force a CDN company to do that but it could, of course, be a disgruntled employee or cracker.)

There's certainly something fishy with my TOR Browser installation and subresource integrity: my stylesheet loads in TOR Browser 10.0, but doesn't load in 10.0.10. However, it loads in (clearweb) Firefox 85.0.2 and ungoogled-chromium 88. I'll have to investigate when I have the time.

Either there's something fishy with TOR Browser and subresource integrity, or I can't configure my web server. Admittedly, the latter is far more likely.

@robby @Novimatrem Crazy idea: periodically kill any process with --type=renderer in its command line 😄​​.

Pros: surely makes any Electron instance useless.

Con: also makes any Chromium instance useless. But I’d count that as a pro for browser diversity.

(Disclaimer: that’s a useful way to find rogue Electron instances. But killing them outright is probably counter-productive.)

@victoria Thanks, this is pretty cool! I was wanting to set up Dendrite on my VPS, but never got my head around the configuration.

I gather from this that Dendrite needs its own TLS certs (and it’s not enough to put a TLS reverse proxy in front of it). Or you’re using a different (self-signed) TLS cert in Dendrite, and one from Let’s Encrypt for Nginx?

Is there an unjetbrainsed-intellij-idea? Most of our students prefer IntelliJ over Eclipse, but I’m not that comfortable normalizing it by depicting it in learning materials — it’s way too close to being proprietary software for my taste. Plus, it does weird stuff like auto-downloading Amazon Corretto instead of using the perfectly good OpenJDK I installed in the course virtual machine 🙄​.

university, plague
"It is possible that you'll be under lockdown until the end of your studies" may very well be true, but is a bit of a brutal thing to say at the start of their first lecture to first-year MSc students (with a 2-year long MSc program).

In light of the recent events with Signal, I'm going to also delete my Signal account later today.

For those who don't know what happened, see this: https://github.com/net4people/bbs/issues/63 (Archive: https://web.archive.org/web/20210209133109/https://github.com/net4people/bbs/issues/63).

@kura @mangeurdenuage Firefox is definitely better than anything chromium based. It's the last independent browser. If Firefox dies, Google would have full control over the web. So keep supporting Firefox
