@sarahjamielewis@mastodon.social
sarahjamielewis

Cryptography and Privacy Researcher. Executive Director @ Open Privacy Research Society (https://hachyderm.io/@openprivacy).

Founder @ Blodeuwedd Labs (https://mastodon.social/@blodeuweddlabs)

Building free and open source, privacy-enhancing, surveillance-resisting tech like Cwtch (https://fosstodon.org/@cwtch)

sarahjamielewis, to random

I really, really don't want to be calling out specific people or projects, I don't think it's a useful thing to do - but it makes me so sad to see people, whose work I deeply respect, volunteering/writing/promoting a tool whose privacy claims are fundamentally unsound.

Privacy tools that are metadata resistant are essential, but please technically vet the projects you are promoting.

sarahjamielewis,

I feel like the one major lesson I learned from the crypto-hype era is that most people don't care about technical arguments, at all.

There are projects tackling hard problems using sound methodologies, there are projects talking about hard problems and selling a story (either intentionally, or because they don't know any better).

There is a difference between those two kinds of projects and I wish more people cared about that.

sarahjamielewis,

I don't want to "name and 'shame'" such projects because it doesn't work, they thrive on the attention and few listen to the actual arguments anyway.

The system I see people promoting is "not-even wrong", it cannot do what it claims to do because that is not how the universe works. The key claims rest on axioms that are not practically possible.

I too could claim miraculous system properties if I could assume everyone magically and securely exchanged key material before using my system.

sarahjamielewis, to random

A topic I would love to read a deep analysis on is how certain actions e.g. blocking, moderation/filtering, "self-deleting" messages etc. transform from passive server-side actions to client active actions in decentralized systems and if/how that breaks down against existing ingrained metaphors and expectations.

sarahjamielewis,

I have frequent conversations that fit under this topic; typically either attempting to clarify user expectation or debating implementation in light of that expectation.

My general speculation is that our current nomenclature is insufficient and too rooted in, and shaped by, existing, centralized systems.

sarahjamielewis, to random

Something that does trouble me is that most people who try out @cwtch try out the Android version - it is the way of the world that mobile computers are far more numerous than others.

But this does give a terrible first impression because as much as we have invested into Android over the years it still does not come close to the stability and usefulness of the desktop versions.

Metadata resistant communication is hard. Metadata resistant communication on mobile is harder.

sarahjamielewis,

Our team has used Cwtch for our daily communication for years now. I've used it for communicating with many others during the same time. And I am aware of others who use it for similar purposes.

Enough to say that it is stable, it is useable. Albeit with some rough edges which we are slowly sanding down despite very limited funding and a complex deployment space.

Even on Android we've made significant improvements as recently as 1.14 in February. https://docs.cwtch.im/blog/cwtch-1-14

sarahjamielewis,

We do listen to all feedback, earnestly. Our mission has always been to make metadata resistant communication usable & accessible to as many people as possible.

On Android, that mission is progressing far slower. And on iOS I'm skeptical it will ever come.

Fundamentally, we've adopted the tenet that we will never weaken Cwtch in the name of performance/usability - many of the features considered table-stakes in other messengers are, and will always be, gated behind security settings in Cwtch.

sarahjamielewis,

And that approach also means that communication will likely always have strong limitations like both parties being online at the same time, dealing with the latency of onion services, and the need to run background services - the latter being a particular challenge on mobile devices.

sarahjamielewis,

And while I understand all of this, I am also disheartened.

I've poured my soul in Cwtch these last few years because I fundamentally believe that that is how an application should be - locked down by default, open to extension, free and open source, based on sound cryptography, no centralized servers or magic peers or any other surveillance chokepoint.

And it's hard to see Cwtch failing in comparisons because those things are not features, they are limitations.

sarahjamielewis,

I also tend to bite my tongue these days because the space is filled with messengers who make similar promises regarding metadata resistance while also offering real-time video chat and transparent offline messaging - feats which, if true, I would hail as academic breakthroughs.

sarahjamielewis,

Clearly I need to do a better job at distinguishing what makes @cwtch good - and I wish we had the budget to really try and solve some more of the harder problems in the space.

Cwtch needs more champions, and more volunteers. People who can tackle those problems, and to bug me to focus on fixing specific issues.

The code is here: https://git.openprivacy.ca/cwtch.im/cwtch-ui

The user/security/dev handbooks are here https://docs.cwtch.im/

sarahjamielewis,

If you would like to get involved, then please reach out to me (details in profile or on my website) I will happily help find you some way to contribute (see also https://docs.cwtch.im/docs/category/contribute).

I really, deeply believe that the world needs metadata resistant applications - not just chat, but everything. The push for end-to-end encryption was a great start, but we need stronger security models for all kinds of communication.

Help us build that in the open.

sarahjamielewis,

Lastly, I saw a few comments today in the vein of "not much progress has been made recently" and I would like to refute that.

While @openprivacy had to make some significant cutbacks in recent years due to a decline in funding, everyone on the Cwtch team has contributed so much over the last few years.

We have put out a new version on average every 6-8 weeks, consistently for the last 2.5 years while making major improvements to all aspects of Cwtch (see the devlog https://docs.cwtch.im/blog)

sarahjamielewis, to random

I would really appreciate, and be willing to pay for, a news source that restricted itself to covering legislative, judicial, and corporate machinations at the local/regional/national level while staying away from reporting on press conferences / inane social media statements / speculation / punditry.

i.e. reports on what people are doing, rather than what they are saying.

Would appreciate recommendations along these lines.

sarahjamielewis,

I'm also growing rather tired of wading through undisclosed advertorials from pretty much every outlet.

It used to be that journalists limited themselves to a few of those a year, taking a corporation up on their offer of an interview with an "expert" or a field trip to see some "innovation", or a celebrity on how they discovered some health concern "just in time" after a trip to some private screening clinic.

Maybe it's frequency illusion, but I feel like those articles are everywhere now.

sarahjamielewis, to random

It's a mistake to confuse the attack vector for the core vulnerability.

No amount of incentive engineering fixes the cold truth that neither security nor privacy are considered desirable economic outputs; unlike vulnerabilities and surveillance for which the market is broad and deep.

One is backed by volunteers and donations, the other by billion dollar contracts.

No amount of procedure, policy, or technical design beats that level of imbalance.

sarahjamielewis, to random

Every complicated system can be broken down into a set of solutions to problems that plagued an earlier, simpler system.

The only way to understand any system is to understand that sequence of problems.

Occasionally, in the process you discover one of those problems is no longer relevant - requirements and environments change over time.

Sometimes, you find one adjustment supersedes another without removing the resulting complication.

The monument, as it stands, rarely reveals its purpose.

sarahjamielewis,

Premade solutions to problems are, by their very nature, complicated because they have been progressively made to solve everyone's problems.

This makes them, from the perspective of your problem, bloated and in need of excessive supporting infrastructure.

Sometimes, the associated cost (whether procurement, maintenance, or otherwise) is worth it to solve your problem.

But, too often, such solutions are deployed without understanding either the problem to be solved or the off-the-shelf solution.

sarahjamielewis,

If I have any generational fear, it can be attributed to the tendency of software systems to abstract away layers of complexity without ever questioning what lies beneath and why.

Building, and rebuilding, foundational solutions is necessary because you can never truly blackbox away a set of problems - requirements and environments change.

sarahjamielewis, to random

At some point my name was put on a list of "potential ethics reviewers for compsci conferences" and for the last few cycles I've received a constant stream of invites to various committees for legit conferences.

I find the whole situation weird for a whole host of reasons; primarily that I am more qualified to review papers on technical merits rather than ethical ones; and secondly that I have no interest or incentive in that kind of unpaid academic grind - especially in the name of "ethics".

sarahjamielewis, to random

Search sucks and I'm not really convinced LLMs will save us there, so...Is anyone working on (or dreaming about) a decentralized search engine?

I have some ideas, and I've been tinkering with a prototype based on lightweight shareable indexes (e.g. to allow someone to curate a crawl of interesting sites and produce a relatively small index that they could distribute and others could plug that into their local engine)

Interested in talking with people who are also wandering in that direction.

sarahjamielewis, to random

I report a lot of security issues. I took a break for a while but recently because of the kind of research I've been doing I decided to put aside my reservations and start again.

As of writing this post I know of 4 security-sensitive applications that have had security vulnerabilities of varying degrees reported to them in the last 180 days that have not disclosed those issues to their users publicly (despite fixes being available) - and as far as I can tell, don't intend to.

shrug

sarahjamielewis, to random

So, it is far from perfect, but the latest version of @cwtch (1.14.7 https://mastodon.social/@cwtch@fosstodon.org/112006026093186593) contains some big improvements in Android stability.

If you've tried cwtch on Android but kept losing connections / being forced offline - then please give this new version a try.

Anecdotally: with the new build the profile on my phone has been constantly connected for many days now - we will be quantifying this with more robust testing soon, but are excited for much better mobile support.

sarahjamielewis, to random

It took me a long time but I finally understand that "python" isn't a language, "python" is a superposition of a dozen or so different languages.

For success with "python" you have to be ultra careful with ensuring that if the person who wrote the script used "python 3.9" that you also run it with "python 3.9" - if you don't you will be faced with hundreds of exceptions that have no relation to actual reality.

Never rely on distro packaging, always build from source. Use venvs liberally.

sarahjamielewis,

I still don't fully understand why if I have python 3.11 and I run something written in python 3.10 that it will just randomly throw exceptions...why seemingly minor versions seem to be completely incompatible...but I have grown to accept that it's just better to not question such things.