sarahjamielewis

@sarahjamielewis@mastodon.social

Cryptography and Privacy Researcher. Executive Director @ Open Privacy Research Society (https://hachyderm.io/@openprivacy).

Founder @ Blodeuwedd Labs (https://mastodon.social/@blodeuweddlabs)

Building free and open source, privacy-enhancing, surveillance-resisting tech like Cwtch (https://fosstodon.org/@cwtch)


sarahjamielewis, to random

Perhaps I have simply outgrown some kind of naive idealism, and perhaps some of it is the tendency to view the past through a more generous filter.

But wow is it hard to -find stuff- now. Even stuff I know exists. Hell, even stuff I know I wrote and put out there.

Lost in an ocean of empty words.

sarahjamielewis, to random

Getting to the root of it, I think the thing I miss the most about the old internet was the unstated assumption that the people on the other end of the wire were...people who shared similar interests and just wanted to connect.

I think of all the friends I made, the experiences I had that branched from IRC channels / forums / and even twitter in the later days.

Now the main question I find myself asking of anything that comes across my screen is "what is this trying to sell me?"

sarahjamielewis, to random

"Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers."

The computer, however, will stop you from recording DRM'd content.

Find it fascinating that when faced with drawing safety and security boundaries, the primary beneficiary is not the owner of the device, or the person using it, but random corporations who control the intellectual property rights.

The system doesn't work for you.

sarahjamielewis, to random

I spent large portions of my early career rearranging binary sequences on a chalkboard, and writing assembler for obscure architectures.

There are parts of my brain hard wired to recognize and align protocol stacks from a visual representation of a signal dump.

It's cute that you think you have to explain how computers work to me.

sarahjamielewis, to random

Software request: I'm looking for a tool I can use to manipulate nodes in a graph. Specifically I would like to be able to:

  • Add new nodes to the graph (not a tree)
  • Create multiple distinct edge relationships between nodes (bonus if the tool lets me formalize these edge types)
  • Have nodes contain notes, perhaps be typed
  • Export the graph to a reasonable (text) file format for external processing
  • Explicitly not an image editor or diagram tool.
  • Run on linux / be open source (flexible)

sarahjamielewis, to random

Lately I've been engaging in low-frequency, in-depth, long form email exchanges with a few people regarding our shared research interests.

Most of these happened organically, but I've got so much joy and utility out of them that I would like to extend an invitation to anyone who would like the same:

If we share research topics (privacy/security/decentralization/search/e-voting etc.) and you would like to send/receive long detailed emails about problems/ideas on your mind then please reach out.

sarahjamielewis, to random

There is not much I can say that has not already been said, but I wanted to share these exposures I took last night, and some notes on the experience.

Definitely one of the most amazing things I have ever witnessed.

Aurora: https://sarahjamielewis.com/entry/aurora.html

A long exposure of the aurora as seen from British Columbia, Canada. A bright pink light in the sky with streaks of green emanating from a radiant point. The big dipper/ursa major constellation can be seen on the right hand side with its tip towards the radiant point.

sarahjamielewis, to random

I'm somewhat perplexed by the new SecureDrop protocol - https://securedrop.org/news/introducing-securedrop-protocol/

Specifically: "The server is “untrusted” in the sense [it] learn[s] nothing about users & messages besides what is inherently observable from its pattern of requests, and it should not have access to sensitive metadata, or sender or receiver information"

Seems like a very weak definition of "untrusted", especially when two comparison techniques explicitly attempt to restrict knowledge derived from access patterns.

sarahjamielewis, to random

I had a chance to sit down and read Tor: From the Dark Web to the Future of Privacy by Ben Collier (@susansegfault) - https://mitpress.mit.edu/9780262548182/tor/

I highly recommend it. I think it captures the history beautifully and it's a nice reminder of how these projects play out over decades.

It can be very easy to get caught up in the day-by-day/week-by-week rush/drama/critiques/effort and having a history like this puts that nicely in perspective.

Go read it.

sarahjamielewis, to random

Please steal these project ideas: https://sarahjamielewis.com/entry/privacy-projects.html

A list of research/project ideas that I have no time to pursue fully, but which I would be very interested in helping out/mentoring. If any of these sound interesting then please get in touch.

sarahjamielewis, to random

People have a right to access and use secure tooling that enables them to leverage modern cryptography.

The alternative is absurd. A demand to deliberately subvert foundational economic infrastructure. A position that should be laughed out of any sensible room.

sarahjamielewis, to random

For a while now I've been thinking about where microblogging/blogging fits in my life.

After various experiments over the years, I settled on going back to writing my website in a text editor, without regard for consistency or categories.

But inspired by @molly0xfff Activity feed, I spent this evening implementing one for my own personal site: https://sarahjamielewis.com/feed.html

A place for me to microblog, collect thoughts, post links, document updates, new papers etc. all in one place.

sarahjamielewis, to random

On reviewing privacy preserving tools:

This is not a new discipline.

We have mathematical and engineering tools to do analysis.

We have decades on decades of research literature, rooted in cryptographic analysis, statistical methods, probability theory, and computer science detailing how privacy preserving systems are broken.

Just as one can tell that a badly engineered bridge will collapse before it is built, one can assess that a "privacy preserving" tool will not preserve privacy.

sarahjamielewis, to random

I really, really don't want to be calling out specific people or projects, I don't think it's a useful thing to do - but it makes me so sad to see people, whose work I deeply respect, volunteering/writing/promoting a tool whose privacy claims are fundamentally unsound.

Privacy tools that are metadata resistant are essential, but please technically vet the projects you are promoting.

sarahjamielewis, to random

A topic I would love to read a deep analysis on is how certain actions e.g. blocking, moderation/filtering, "self-deleting" messages etc. transform from passive server-side actions to client active actions in decentralized systems and if/how that breaks down against existing ingrained metaphors and expectations.

sarahjamielewis, to random

I would really appreciate, and be willing to pay for, a news source that restricted itself to covering legislative, judicial, and corporate machinations at the local/regional/national level while staying away from reporting on press conferences / inane social media statements / speculation / punditry.

i.e. reports on what people are doing, rather than what they are saying.

Would appreciate recommendations along these lines.

sarahjamielewis, to random

Something that does trouble me is that most people who try out @cwtch try out the Android version - it is the way of the world that mobile computers are far more numerous than others.

But this does give a terrible first impression because as much as we have invested into Android over the years it still does not come close to the stability and usefulness of the desktop versions.

Metadata resistant communication is hard. Metadata resistant communication on mobile is harder.

sarahjamielewis, to random

It's a mistake to confuse the attack vector for the core vulnerability.

No amount of incentive engineering fixes the cold truth that neither security nor privacy are considered desirable economic outputs; unlike vulnerabilities and surveillance for which the market is broad and deep.

One is backed by volunteers and donations, the other by billion dollar contracts.

No amount of procedure, policy, or technical design beats that level of imbalance.

sarahjamielewis, to random

Every complicated system can be broken down into a set of solutions to problems that plagued an earlier, simpler system.

The only way to understand any system is to understand that sequence of problems.

Occasionally, in the process you discover one of those problems is no longer relevant - requirements and environments change over time.

Sometimes, you find one adjustment supersedes another without removing the resulting complication.

The monument, as it stands, rarely reveals its purpose.

sarahjamielewis, to random

At some point my name was put on a list of "potential ethics reviewers for compsci conferences" and for the last few cycles I've received a constant stream of invites to various committees for legit conferences.

I find the whole situation weird for a whole host of reasons; primarily that I am more qualified to review papers on technical merits rather than ethical ones; and secondly that I have no interest or incentive in that kind of unpaid academic grind - especially in the name of "ethics".

sarahjamielewis, to random

I report a lot of security issues. I took a break for a while but recently because of the kind of research I've been doing I decided to put aside my reservations and start again.

As of writing this post I know of 4 security-sensitive applications that have had security vulnerabilities of varying degrees reported to them in the last 180 days that have not disclosed those issues to their users publicly (despite fixes being available) - and as far as I can tell, don't intend to.

shrug

sarahjamielewis, to random

So, it is far from perfect, but the latest version of @cwtch (1.14.7 https://mastodon.social/@cwtch@fosstodon.org/112006026093186593) contains some big improvements in Android stability.

If you've tried cwtch on Android but kept losing connections / being forced offline - then please give this new version a try.

Anecdotally: with the new build the profile on my phone has been constantly connected for many days now - we will be quantifying this with more robust testing soon, but are excited for much better mobile support.

sarahjamielewis, to random

It took me a long time but I finally understand that "python" isn't a language, "python" is a superposition of a dozen or so different languages.

For success with "python" you have to be ultra careful with ensuring that if the person who wrote the script used "python 3.9" that you also run it with "python 3.9" - if you don't you will be faced with hundreds of exceptions that have no relation to actual reality.

Never rely on distro packaging, always build from source. Use venvs liberally.
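
A shell sketch of the discipline the post above describes: pin the interpreter the script was written for, build the venv with exactly that interpreter, and refuse to run under any other. This is an added example and not code from the post or from any project mentioned on this page; the function names, the `.python-pin` marker file and the major.minor pin format are assumptions made for illustration.

```shell
# Pin-and-check helpers for running someone else's Python script under the
# interpreter it was written for. POSIX sh. (Added illustration; the
# .python-pin marker file and these function names are assumptions.)

# version_matches WANT BANNER
# WANT is a major.minor pin such as "3.9"; BANNER is the text printed by
# `python --version`, e.g. "Python 3.9.18". Succeeds only when major.minor
# agree, so "3.11.4" and "3.90.1" both fail a "3.9" pin.
version_matches() {
  want="$1"
  banner="$2"
  case "$banner" in
    "Python "*) ;;
    *) return 1 ;;          # not a python version banner at all
  esac
  have="${banner#Python }"                           # "3.9.18"
  have_mm=$(printf '%s' "$have" | cut -d. -f1,2)     # "3.9"
  [ "$have_mm" = "$want" ]
}

# find_interpreter WANT
# Prints the path of the first interpreter on PATH whose banner matches WANT.
# Tries the version-suffixed name first, then the generic ones.
find_interpreter() {
  want="$1"
  for cand in "python$want" python3 python; do
    path=$(command -v "$cand" 2>/dev/null) || continue
    if version_matches "$want" "$("$path" --version 2>&1)"; then
      printf '%s\n' "$path"
      return 0
    fi
  done
  return 1
}

# make_venv WANT DIR
# Creates DIR as a venv built with a WANT interpreter and records the pin
# so a later run can refuse to proceed under a different version.
make_venv() {
  want="$1"
  dir="$2"
  py=$(find_interpreter "$want") || {
    echo "no Python $want on PATH; build one from source" >&2
    return 1
  }
  "$py" -m venv "$dir" || return 1
  printf '%s\n' "$want" > "$dir/.python-pin"
}

# run_pinned DIR SCRIPT [ARGS...]
# Runs SCRIPT with the venv interpreter, but only if that interpreter still
# matches the recorded pin (catches a venv rebuilt with the wrong python).
run_pinned() {
  dir="$1"
  shift
  want=$(cat "$dir/.python-pin") || return 1
  version_matches "$want" "$("$dir/bin/python" --version 2>&1)" || {
    echo "venv in $dir is not Python $want" >&2
    return 1
  }
  "$dir/bin/python" "$@"
}

# Typical use (not executed here):
#   make_venv 3.9 .venv && run_pinned .venv theirscript.py
```

`version_matches` compares only major.minor on purpose: patch releases are meant to be compatible, while a different minor is exactly the case where the exceptions described above start appearing.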

sarahjamielewis, to random

Really uncomfortable with (otherwise cool) organizations using the presence of cryptography to back up a security/privacy claim that is 100% policy based.

Just because they don't do a thing doesn't mean they can't do a thing.

"We don't know who you talk to" (because we don't log that information as it passes through our servers)

is a very different claim than...

"We don't know who you talk to" (because we physically and computationally will never have access to that information)

sarahjamielewis, to random

The majority of conversations I see around AI are centered on the outputs of one-off generations of (mostly) proprietary models.

That, I think, does the whole conversation a disservice and leads to people talking past each other.

What is very clear is that even discounting the advances made by the corporations investing in colossal models, there has been a ridiculous jump in what's practically achievable with a single graphics card over the last year.
