
> - They assume their hard-to-program but faster architecture will get figured out by devs. It won't.

Or it will get figured out in the niche fields where people are willing to figure out really hard stuff to squeeze out max performance (PE, hedge funds, intelligence)

Either way agree, it's hard to get mass adoption without the software ecosystem feeding back in


They’ve left the consumer market and only do defense now


…you’re free to use other editors? People like Zed. They like IntelliJ. They like VSCode. If you have an aesthetic preference against all professionally maintained IDEs, I think you’re in the minority.


The issue is with social features you might be forced to use it, like Slack instead of Email. I've already had cases where I've been forced to use VSCode to collaborate at work.

I personally worry it's not interoperable enough.


...doesn't mean the majority is right :)


That reminds me of a French saying that seems fitting:

C'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!


It's a personal tool. You're not wrong. Anybody isn't wrong either.


...doesn't mean there is a right or wrong either :)


...but it does mean there is a corporate controlled program that can back stab you at any moment!


Same thing could happen with non corporate open source


Uh no? You have to pull in the change and recompile


Same with corporate open source


I've had numerous encounters where doctors (and dentists) attempt to charge me for services they've already been reimbursed for from the insurance company.

It's only after hours of scouring my EOBs and being on the phone with my insurance that I then come back to the practice's office with evidence in hand, and they dismiss the charges.

I'm pretty sure this is just a racket because they expect most people not to put up a fight and just pay, or get sent to collections hell.

The amount of work you need to do as a patient in our health system is so dumb.


1) Report fraud to insurer? 2) Get a lawyer?

Would any of that work?


Where do you live, so people know not to move there? Jesus.


I’m pretty sure this is the US.


Sunnyvale, California.


QGIS is the shit. I absolutely love it, great for visualizing GeoJSON, GeoTIFF files, open data feeds, etc. My one gripe is that their macOS installers have been out of date for ages now, the best way I've found is to actually install from Conda Forge directly:

> brew install micromamba

> mamba install qgis

It's really crazy the number of open geospatial data feeds that exist out there from NASA, NOAA, and ESA. If you're interested in checking any of this stuff out, I highly encourage following Mark Litwintschik's blog; this guy is a legend and he does most of his work with open tools like QGIS and DuckDB

https://tech.marksblogg.com/


Thanks...

Do you absolutely need `mamba` / `conda`??

Can you use `uv` instead to install QGIS? Any experiences to share?

Thanks!!


brew install --cask qgis


Unfortunately the homebrew cask is still Intel-only so it requires Rosetta, whereas the conda/mamba version has an osx-arm64 build. There are other workarounds discussed here: https://github.com/qgis/QGIS/issues/46299 and here https://geo.malagis.com/native-qgis-on-apple-silicon-solutio...


Strongly recommend an Apple Silicon Mac (if using a Mac) and the MacPorts path. I have an M4 MacBook Pro and the Rosetta-powered binary was almost unusable. MacPorts wasn't too hard for me to figure out, though the install (mostly compiling) took several hours. I have had no issues with coexistence of MacPorts and Homebrew. Don't attempt this if you are using beta builds of Tahoe; MacPorts isn't released for Tahoe yet.


Believe it or not, this is how the Linux Foundation organizes itself. It's more legwork than something simpler like Apache Foundation.

Basically in the US you need a legally recognized entity to hold intellectual property. "Donating" the project involves setting up a "Series LLC" that is nested underneath the top-level Linux Foundation corporation, and donating the IP into it.

Check out https://docs.linuxfoundation.org/lfx/project-control-center/... and Ctrl-F "LF Projects, LLC"


Oh, thanks for pointing that out. I got it all mixed up.

But I think my argument still stands. Linux foundation is a 501(c)(6) nonprofit, see https://www.linuxfoundation.org/legal/bylaws

So you might still be able to do an "intellectual property transfer" to them and use it as a tax write-off. The "LF Projects LLC" is then the new owner, only the operating company who has the ongoing hosting contracts for the websites.

Edit: Not sure if a donation to 501(c)(6) can be used as write-off without using some other legal loopholes. Quick AI search told me that only 501(c)(3) can do the donation tax write-off thing.

I'm sure there are some good tax lawyers behind this. Who am I to understand it, as the mere mortal I am? I am just jealous.


We don't get a tax write-off.

The motivation is to move the IP and trademark into a separate organization so it's no longer owned by Spiral. This means we can't re-license it later, we'd have to fork it, because the Vortex trademark and all that is controlled by LF.


Thanks for explaining it. All the best.


> The whole "donated by spiral" on the vortex.dev website also gives big tax write-off vibes.

Donated is the Linux Foundation terminology.

Sadly the last time I filed a tax return there was no way to itemize a Github repo. Alas.


The AnyBlox paper has some very cool ideas, and the authors are friends.

In the paper you'll notice a large portion of it analyzes Vortex, both standalone and embedded. Definitely worth a read.


Just wanted to advertise that the EFF recently released an open source tool for detecting cell-site simulators. The hardware is like $20 and it's pretty easy to set up yourself. Worth having around to stay aware of what's out there, especially if you live in one of the places recently targeted by the administration.

https://github.com/EFForg/rayhunter/


I wouldn't put it past the US to coerce Microsoft into injecting malicious payloads into these types of projects. EFF is putting complete trust in Microsoft's infrastructure: there's no out-of-band verification not served up by Microsoft itself (is there? It's just GitHub.com's TLS, and in-band SHA-1 hashes stored in the repo itself, which Microsoft controls; it can serve whatever bytes it wants, or different bytes on different requests...)

Microsoft has billions of dollars in US intelligence-cloud contracts and should leap at a chance to get an edge in on those. They've done things like this before; they provided incredible (and illegal!) cooperation with the NSA back at the time of the Snowden Leaks[0].

[0] https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-... ("Microsoft handed the NSA access to encrypted messages" (2013))


> I wouldn't put it past the US to coerce Microsoft into injecting malicious payloads into these types of projects. EFF is putting complete trust in Microsoft's infrastructure: there's no out-of-band verification not served up by Microsoft itself

Isn't a git commit trail basically a Merkle tree of checksums? If any developer tried to do a pull or fetch they'd suddenly get a bunch of strange commit messages, wouldn't they?

Also: code signing is / can become a thing.


I think GP is talking about a scenario where Microsoft would serve either a malicious source tree or binaries to just one user, not all of them. That would be fairly hard to detect. But in such scenarios we'd also have to start asking questions about the state of the entire CA ecosystem.


Or detected easily with package builders like Arch Linux's makepkg that ship a hash along with the source URL. As soon as one user gets a different file, he has an alert and the compromised package for later analysis.


Like I said, if you assume your adversary is the US government, then they might as well start issuing rogue TLS certs to target individuals.


It'd be a lot of trouble to interfere with the source, yes.

I think the release files are the place they could most easily tamper: generally they're stored on GitHub infra, so the files could be changed, and the checksum on the download page also altered (or different files and different checksums provided to different people if targeted).

Unless the builds are totally reproducible it'd be tricky to catch.
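The two comments above (a package builder that pins a hash beside the source URL, and release checksums that are only as trustworthy as the page they sit on) both come down to one check: compare what you downloaded against a digest that arrived by a different channel. The following is an added example, not code from Rayhunter, the EFF, or any package manager. It parses a `sha256sum`-style list, verifies a set of downloaded files against it, and reports three distinct outcomes: matched, mismatched, and downloaded-but-never-pinned. File names and contents are constructed for the demo; the "publisher" copy exists only so the example can produce a correct sums list offline.

```python
"""Added example: verify downloaded release files against a SHA256SUMS list
that was obtained from somewhere other than the download page.

verify_release() takes the sums text as a separate argument so the caller is
forced to source it independently (a signed tag, a second mirror, a maintainer
message). Names and contents below are constructed; the 'publisher' copy is
used only to generate a correct sums file for the demo."""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text):
    """Parse `sha256sum` output: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or set(digest) - HEX or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        pins[name] = digest
    return pins


def verify_release(downloaded, sums_text):
    """downloaded: name -> bytes. Returns (report, missing) where report maps
    name -> 'ok' | 'MISMATCH' | 'UNPINNED' and missing lists pinned names that
    were never downloaded (a silently dropped artifact is also a finding)."""
    pins = parse_sha256sums(sums_text)
    report = {}
    for name, data in downloaded.items():
        if name not in pins:
            report[name] = "UNPINNED"  # nothing vouches for this file at all
            continue
        actual = sha256_hex(data)
        # compare_digest is the habit to keep for any digest/token comparison
        report[name] = "ok" if hmac.compare_digest(actual, pins[name]) else "MISMATCH"
    missing = sorted(set(pins) - set(downloaded))
    return report, missing


def all_verified(report, missing):
    """True only if every downloaded file matched and nothing pinned is absent."""
    return bool(report) and not missing and all(v == "ok" for v in report.values())


# Constructed data with hypothetical file names. What the publisher built:
PUBLISHED = {
    "tool-1.0-x86_64.tar.gz": b"PK...genuine-x86_64-build...",
    "tool-1.0-aarch64.tar.gz": b"PK...genuine-aarch64-build...",
}
# The sums list as `sha256sum *.tar.gz` would emit it on the publisher's side:
SUMS_TEXT = "\n".join(f"{sha256_hex(c)}  {n}" for n, c in PUBLISHED.items()) + "\n"

# What one targeted client received: the aarch64 archive was swapped, and an
# extra installer script appeared that no pin covers.
DOWNLOADED = {
    "tool-1.0-x86_64.tar.gz": PUBLISHED["tool-1.0-x86_64.tar.gz"],
    "tool-1.0-aarch64.tar.gz": b"PK...tampered-aarch64-build...",
    "tool-1.0-installer.sh": b"#!/bin/sh\ncurl ... | sh\n",
}
REPORT, MISSING = verify_release(DOWNLOADED, SUMS_TEXT)

if __name__ == "__main__":
    for name, status in REPORT.items():
        print(f"{status:9} {name}")
    print("missing:", MISSING, "| all verified:", all_verified(REPORT, MISSING))
```

The check is only as good as the provenance of `SUMS_TEXT`: if it is fetched from the same host that serves the archives, a host that can swap one can swap both, which is exactly the objection raised above. A signed sums file, or a digest copied from a maintainer's message or a distribution's package recipe, is what turns this from a corruption check into an integrity check.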


Possible, yes, but pretty damning to Microsoft's reputation if there's proof that their infrastructure has been compromised and anyone realizes it's happening. This sort of thing killed SourceForge when they started shipping adware bundled into installers of the programs they distributed.


You can't compare it to SourceForge; MS is too big to fail.


> Also: code signing is / can become a thing.

To that end, I started a project last month so that code signing can be done in multiple geographical locations at once: https://github.com/soatok/freeon


GP was probably referring to the binary releases on the GitHub repo.


I don't know why you'd trust a checksum structure your adversary has complete control over.

That Merkle tree prevents the naive case where the adversary tries to serve a version of a repo, to a client who already has an older version, differing in a part the client already has. (The part the client has local checksums for). They shouldn't do that. The git client tells the server what commits it doesn't have, so this is simple to check.

Code signing could be a safeguard if people did it, but here they don't so it's moot. I found no mention of a signing key in this repo's docs.

The checksum tree could be a useful audit if there were a transparency log somewhere that git tools automatically checked against, but there isn't so it's moot. We put full trust in Microsoft's versions.

Lots of things could be helpful, but here and now in front of us is a source tree fully in Microsoft's control, with no visible safeguards against Microsoft doing something evil to it. Just like countless others. It's the default state of trust today.


Lots of things could be helpful, but here and now in front of us is a source tree fully in Microsoft's control, with no visible safeguards against Microsoft doing something evil to it. Just like countless others

But it's written in rust.


> The git client tells the server what commits it doesn't have, so this is simple to check.

That won't work. The first thing the client does is ask the server for list of references with their oids (ls-refs). It only asks for oids and reports what oids it has after the server responds.

You'd need another way to identify that the client asking for references was the same one you vended the tampered source tree to, otherwise, you'd need to respond with the refs' real oids and the fetch would fail since there's no way to get from the oid the user has to the real one.


Or use signed commits?


Because the developers have just that on their local machine...?

Git is a distributed vcs after all. Every checkout is its own complete git "hub".


Because GitHub can serve different bytes to different people. You log in as one of the project's devs, you get your own consistent, correct view of your project; some other people get malware instead. How do you reconcile the full picture? No one distrusts GitHub. There's no public log which git tools generically check against to see if GitHub is attempting something evil, the way they do with certificate transparency. GitHub is the public log.

Git may be designed as a distributed VCS; and it'd be a different situation if it were used that way in practice. For many projects, GitHub has a full MITM. They could even—forget about the checksums—bifurcate the views in between devs—accept commits from one dev, send over those commits with translated Merkle trees to another dev who has a corrupted history, and they'd never figure it out.


What happens when a dev tries to patch a bug in the malware and nobody can tell what the hell they're talking about?


Yes, but the moment you try to push your local git will complain that you are not aligned with the upstream repo.


Not so. GitHub would remember who you are; advertise to you and to you only a set of fake checksums consistent with your fake view of the repo. Your git client would see nothing amiss—your local fake checksums are consistent with the fake checksums the server sent you. Having accepted your push, the server would ignore the fake checksums, extract the content of your patch, apply it to the genuine repo, and compute a new set of checksums, extending the other checksum tree as if you had pushed directly to it. That's what an MITM is.


This falls apart instantly if you share a hash with anyone else, though. Which is exactly what happens when you send in a PR


Most projects on GitHub have you submit PR's via GitHub infrastructure so they have total control over who sees what there as well.


> I don't know why you'd trust a checksum structure your adversary has complete control over.

I think the point is they don't have complete control over it. Sure, they have complete control over the version that is on GitHub. But git is distributed, and the developers will have their own local copies. If Microsoft screwed with the checksums, and git checks them, the next developer pull or push would blow up.


> "The next developer pull or push would blow up."

If they're pushing or pulling to/from GitHub, then GitHub has a total MITM and is able to dynamically translate checksum trees in between devs' incompatible views of the repo.


I don't understand. Can you explain how that would work? I thought the checksums are calculated on the contents, so how can they translate checksum trees that remain valid without changing the content (or vice versa)? This is my naive understanding, so I might be completely wrong, hence I ask.


That they'd change the content is the point—offer malware content for select targets, with corresponding malware checksums that are consistent with that malware and its entire history.

Those checksums would seem valid to the victims, as they're a self-consistent history of checksum trees they got directly from GitHub. The devs would be working with different checksum trees. GitHub would maintain both versions, serving different content and different checksums depending on who asks.
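The back-and-forth above about "translated checksum trees" is easier to follow with git's actual object format in hand. The following is an added example written for this page, not code from git, GitHub, or the Rayhunter project: a toy reimplementation of how git derives blob, tree and commit ids, applied to two constructed histories that share a first commit and fork at the second. It demonstrates both sides of the argument: every id above a changed file changes (so a dev who compares heads with anyone outside the host catches it), and a host that is the only party anyone syncs with can keep the victim's fork internally consistent, so the client's own hash checks pass, and a push built on the fake parent is accepted without complaint. The file contents, commit messages and author string are constructed; the encoding follows git's real format.

```python
"""Added example: toy git object ids (blob / tree / commit).

Shows two claims from the thread: commit ids form a Merkle DAG over content,
so changing one file changes every id above it; and a host that is the only
copy anyone syncs with can keep a forked "victim" view in which every object
still hashes correctly, so a client's own integrity checks pass. Only an id
obtained out-of-band (another dev, a signed tag, a transparency log) exposes
the split. Encoding follows git's real format; the repo contents below and the
author string are constructed for the example."""
import hashlib

store = {}  # object id -> (type, body); stands in for .git/objects


def put(kind, body):
    """Store an object under git's id: sha1("<type> <size>\\0" + body)."""
    oid = hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()
    store[oid] = (kind, body)
    return oid


def blob(content):
    return put("blob", content)


def tree(files):
    """Flat tree: name -> bytes. Entries are '<mode> <name>\\0<20-byte id>',
    sorted by name; 100644 is a regular file."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob(content))
        for name, content in sorted(files.items())
    )
    return put("tree", body)


def commit(tree_id, parent, message):
    sig = "Dev <dev@example.invalid> 1700000000 +0000"  # fixed so ids reproduce
    lines = [f"tree {tree_id}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {sig}", f"committer {sig}", "", message]
    return put("commit", ("\n".join(lines) + "\n").encode())


def history(snapshots):
    """Chain one commit per snapshot; returns commit ids oldest first."""
    ids, parent = [], None
    for n, files in enumerate(snapshots, 1):
        parent = commit(tree(files), parent, f"commit {n}")
        ids.append(parent)
    return ids


def store_is_consistent():
    """The check a git client can do alone: every object hashes to its id."""
    return all(
        hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest() == oid
        for oid, (kind, body) in store.items()
    )


def pin_matches(observed_head, pinned_head):
    """The check that needs a second channel: an id you did not get from the
    same host (a colleague's `git rev-parse HEAD`, a signed tag, a log)."""
    return observed_head == pinned_head


# Constructed repo contents. The victim's view shares commit 1 but carries an
# implant in commit 2, so the two views fork there.
GENUINE = [
    {"main.rs": b"fn main() { scan(); }\n"},
    {"main.rs": b"fn main() { scan(); }\n", "lib.rs": b"pub fn scan() {}\n"},
]
VICTIM = [
    GENUINE[0],
    {"main.rs": b"fn main() { scan(); }\n",
     "lib.rs": b"pub fn scan() { beacon(); }\n"},
]
genuine_ids = history(GENUINE)
victim_ids = history(VICTIM)

# The victim keeps working on their fork. Their push names their own (fake)
# parent, so locally nothing is "behind" or diverged. A host holding both views
# can re-apply the content of that push on the genuine branch under a new id.
victim_push = commit(tree({**VICTIM[1], "fix.rs": b"// fix\n"}), victim_ids[1], "fix")

if __name__ == "__main__":
    print("shared root  :", genuine_ids[0] == victim_ids[0])
    print("heads differ :", genuine_ids[1] != victim_ids[1])
    print("victim store self-consistent:", store_is_consistent())
    print("pin check catches it:", not pin_matches(victim_ids[1], genuine_ids[1]))
```

`store_is_consistent()` is the only integrity property a lone client can establish, and it holds for the forked view just as well as for the genuine one; that is the MITM argument in the thread. `pin_matches()` is the cheap countermeasure: the 40-hex-character head id exchanged over any channel the host does not control (a chat message, a signed tag, a PGP-signed release note) is enough to expose a split history, because the ids are content-derived and cannot be made to agree without making the content agree.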


This seems to boil down to them keeping two repositories - presenting one to the logged in dev, and one to the public.

That might work for a while if the dev isn't active. He would, for example, have to not notice there was a new release, with an incremented version number that triggers updates. Even that doesn't work forever. Downstream devs often look at the changes; for example, a Debian maintainer usually runs his eye over the changes.

But if the dev is active this is going to be noticed pretty quickly. The branches will diverge, commit messages, feature announcements, bug reports, line numbers not matching up. It would require a skilled operator to keep them loosely in sync, and that's the best they could do.

Either way, sooner or later Microsoft's subterfuge would be discovered, and that is the death knell for this scenario. The outrage here and elsewhere would boil over. Open source would leave GitHub en masse, Microsoft's reputation would be destroyed, they would lose top engineers. I don't have a high opinion of Microsoft's technical skills and leadership, as they have consistently demonstrated themselves to be inconsistent and unreliable. But the company is too large and too successful to be psychotic. The shareholders, customers, and lawyers would have someone's guts for garters if they pulled a stunt like that.


Technically a Merkle DAG


Both are correct. The commit history is a Merkle DAG. The tree under each commit is a Merkle tree.


You’re welcome to read the code yourself once you check it out, it’s not very big. Supply chain attacks are a thing but I don’t think this is one.


I don't think there are many options to host source code and binaries in a way that is safe against an adversary like the US, and especially in such a way that technically illiterate users are protected. Because you'd have to assume that CAs are not off-limits either then.


Discussion about Rayhunter from 6 mos. ago: https://news.ycombinator.com/item?id=43283917


I don't know why your cellphone can't do this. For example, it "knows" which towers are around your home. If all of a sudden there's a new one, pop up an alert.


I use Network Cell Info Lite[0] for this purpose.

Sadly, it's only available in the Google/Apple stores (if anyone knows of a similar tool that's available elsewhere, I'd love to hear about it!)

It allows me to locate the "cell towers" I'm connecting to and that are nearby, as well as the devices around me, and will map them for me.

In fact, several years ago, I noted a brand spanking new "cell tower" a block or so away (this is in NYC) that appeared to be in the street(!). It stayed there for a couple of weeks and then was gone. It sure seemed like it was an IMSI catcher[1].

It's not directly the feature set you suggest, but can certainly be used to identify the towers near you -- and any new ones that might "pop up."

[0] https://play.google.com/store/apps/details?id=com.wilysis.ce...

[1] https://en.wikipedia.org/wiki/IMSI-catcher

Edit: Another comment (https://news.ycombinator.com/item?id=45189302 ) mentioned snoopsnitch (https://github.com/srlabs/snoopsnitch ) and other tools which, apparently can do similar (and more apropos to the topic at hand) things as Network Cell Info Lite.
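The two comments above describe a heuristic rather than a tool: remember which cells are normally serving you at a known place, and alert when one you have never seen there shows up. The following is an added example that implements exactly that over a constructed observation log; it is not code from Rayhunter, Network Cell Info, SnoopSnitch or any other app. A cell is keyed by (MCC, MNC, TAC/LAC, cell id), which is what those apps display; the log line layout and the place labels are this example's own invention.

```python
"""Added example: 'alert on a cell never seen at this place before' over a
constructed log of serving-cell observations. Record format is this example's
own: "<timestamp> <place> <mcc> <mnc> <tac> <cid> <dbm>". Nothing here is an
export format of any real app."""
from collections import Counter, defaultdict

# Constructed log. Baseline days show two cells at home and one at the office;
# on 2025-09-09 a never-seen cell with an unusually strong signal appears at home.
OBSERVATIONS = """\
2025-09-01T07:00 home 310 260 11021 41017 -81
2025-09-01T19:00 home 310 260 11021 41017 -79
2025-09-02T07:00 home 310 260 11021 41021 -88
2025-09-02T19:00 home 310 260 11021 41017 -80
2025-09-03T08:00 office 310 260 11044 50233 -75
2025-09-03T19:00 home 310 260 11021 41021 -86
2025-09-09T07:30 home 310 260 11021 41017 -82
2025-09-09T12:10 home 310 260 11021 77770 -52
2025-09-09T12:40 home 310 260 11021 77770 -50
2025-09-10T09:00 office 310 260 11044 50233 -74
"""


def parse(text):
    rows = []
    for line in text.splitlines():
        ts, place, mcc, mnc, tac, cid, dbm = line.split()
        rows.append({"ts": ts, "place": place,
                     "cell": (int(mcc), int(mnc), int(tac), int(cid)),
                     "dbm": int(dbm)})
    return rows


def build_baseline(rows, until):
    """Cells seen at each place before `until` (ISO timestamps sort as text),
    with sighting counts so a one-off in the baseline is visible too."""
    seen = defaultdict(Counter)
    for r in rows:
        if r["ts"] < until:
            seen[r["place"]][r["cell"]] += 1
    return seen


def new_cell_alerts(rows, baseline, since):
    """Observations at a place with a baseline, on a cell the baseline never
    saw there. A place with no baseline yet cannot produce an alert. Each
    (place, cell) pair is reported once, at its first sighting."""
    alerts, reported = [], set()
    for r in rows:
        if r["ts"] < since or r["place"] not in baseline:
            continue
        key = (r["place"], r["cell"])
        if r["cell"] not in baseline[r["place"]] and key not in reported:
            reported.add(key)
            alerts.append({"ts": r["ts"], "place": r["place"],
                           "cell": r["cell"], "dbm": r["dbm"]})
    return alerts


def run(text=OBSERVATIONS, cutoff="2025-09-08"):
    """Learn from everything before `cutoff`, then watch everything after."""
    rows = parse(text)
    return new_cell_alerts(rows, build_baseline(rows, cutoff), cutoff)


if __name__ == "__main__":
    for a in run():
        mcc, mnc, tac, cid = a["cell"]
        print(f"{a['ts']} {a['place']}: new cell PLMN {mcc}-{mnc} TAC {tac} "
              f"CID {cid} at {a['dbm']} dBm")
```

The obvious caveat is the false-positive rate: carriers add and re-parent cells, and a phone on the edge of two coverage areas will see a "new" cell occasionally, so a real implementation wants a grace period or a sighting threshold before it nags. The signal strength is carried in each alert because a cell that is both unknown and much stronger than the usual ones is the combination worth a second look; the example deliberately leaves that judgement to the reader rather than hard-coding a threshold.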


IMSI catchers have been popular with police all over the world. Here are some other tools [0] [1].

Edit: Interesting also the collection of network security via gsmmap [2]

[0] https://gitweb.stoutner.com/?p=PrivacyCell.git;a=summary

[1] https://github.com/srlabs/snoopsnitch

[2] https://gsmmap.org/


Would be a shame if someone used this to track down the ICE towers and vandalize them.


Maybe best not to joke about that.

An enthusiastic and muddle-headed person might get inspired by disposable Internet chatter, and then go and get themselves sent to federal prison (or worse).

Also, I suspect that an attack like that would only justify (or be used as a pretext for) additional actions that are undesirable to the perpetrator.


Maybe best not to even reply to such jokes. An enthusiastic and muddle-headed person might be a contrarian and might get challenged by disposable Internet chatter to not do something and still do that and get themselves in trouble. Staying silent is the timeless strategy of having no effect on the world


If there was someone for whom this strategy worked, they wouldn't speak up to tell us.


You won't find a "tower", you'll find an SUV or a hotel room with Pelican cases and armed officers inside.


For $20, it's cheap enough to add to a drone for a targeting purpose


This "shame" is/would be a badge of honor, my friend.


This shame feels like something that would get one extraordinarily renditioned to some black site where nobody would ever know about the shame


PSA: If you have to worry about your government taking people away to some black site, things have gotten pretty bad.


PSA: Things have indeed gotten pretty bad, which is also why we are discussing tech to detect (and some are discussing the possibility of countering) elements of the forces doing the disappearances.


True, but at least we know who was right.


ThatsThePoint.jpg


Is running a fake cell tower technically against FCC regulations? Any possibility of just reporting them to the FCC and causing them to incur fines or take them down?


The people at FCC are just government officials. They'd be foolish to antagonize the leadership of the executive branch based on just principles (I know how unscrupulous this sounds. But such are times). Besides, they are up against one of the most heavily funded rogue forces in the world that is also known to go after people outside their jurisdiction (citizens) with impunity.


So does the EFF detector discriminate between Stingrays that are operating legally and those that are operating illegally?

I wonder what their lawyers think of this.

https://bja.ojp.gov/program/it/privacy-civil-liberties/autho...


If you have any precedent or ruling indicating that it is illegal for Americans to check for the presence of surveillance, please present it. Otherwise, I'm not aware of any duty of private citizens to remain willfully blind to their government's actions.


There is nothing wrong with running a receive-only hotspot. Not sure what you’re implying here.


Should it?


lol spot the fed


Related:

Rayhunter – Rust tool to detect cell site simulators on an orbic mobile hotspot - https://news.ycombinator.com/item?id=43283917 - March 2025 (23 comments)


I watched the presentation on Rayhunter at Defcon. Amazing stuff. Major kudos to the team.


exactly what I'm looking for - much appreciated!!!


Sure, not directly. But most of that is imaging and communications payloads, and the vast majority there is being purchased by militaries and intelligence agencies.

Government still props up this whole market.

