@sarahjamielewis@mastodon.social

sarahjamielewis

Cryptography and Privacy Researcher. Executive Director @ Open Privacy Research Society (https://hachyderm.io/@openprivacy).

Founder @ Blodeuwedd Labs (https://mastodon.social/@blodeuweddlabs)

Building free and open source, privacy-enhancing, surveillance-resisting tech like Cwtch (https://fosstodon.org/@cwtch)


sarahjamielewis, to random

Really uncomfortable with (otherwise cool) organizations using the presence of cryptography to back up a security/privacy claim that is 100% policy based.

Just because they don't do a thing doesn't mean they can't do a thing.

"We don't know who you talk to" (because we don't log that information as it passes through our servers)

is a very different claim than...

"We don't know who you talk to" (because we physically and computationally will never have access to that information)

Daojoan, to random

Is it possible to build and operate a DAO (Decentralised Autonomous Organisation) without crypto / blockchain? How would you do it?

Keen for ideas!

sarahjamielewis,

@Daojoan I think the answer depends on what aspects of DAOs are you interested in replicating?

The shared management of resources is a little tricky, but could be accomplished with a legal entity whose bylaws bind executives to decisions signed by some proportion of participants.

The commodification of the underlying stake can be likewise accomplished by tying an ownership stake in the organization to a registered signing key in the scheme.

sarahjamielewis,

@jrconlin @Daojoan

Depending on jurisdiction DAOs are either technically unregistered partnerships w/ strictly unlimited liability, or a distinct kind of entity (e.g. DAO LLCs in Wyoming).

Without a 3rd party providing de-facto escrow & distribution of resources (i.e. a ledger) in order to qualify for that second category you would need a substitute entity that is bound by similar restrictions.

The exact legal distinction between a smart contract & some form of threshold MPC is undetermined.

sarahjamielewis,

@Daojoan Definitely possible, but highly dependent on goals and motivation for the DAO.

Ledger based DAOs are attractive because smart contracts can directly modify the state of the global ledger.

Without that ledger, there is an open question of what are some actions you would like the DAO to do?

sarahjamielewis, to random

Forever seeking a system/tool/technology/philosophy that fits between day-to-day getting things done, and long term goal planning.

Day-to-day I use a bullet journal for both task management and habit tracking - I've been doing it for years and it works great for any task or project whose state can be easily captured, and works as well for tracking long term progress of particular projects/goals.

But it's a terrible medium for e.g. managing research where the structure is far less defined.

sarahjamielewis,

I feel that out there, somewhere, there is a lightweight project management philosophy that understands this particular niche.

Ideally it would allow me to structure a project such that I would be able to look at a single <thing> and understand where I was at the last time I was deep into the project.

Emphasizing that this is much more about context than the tasks themselves (I have no problem actually doing the tasks)

sarahjamielewis,

As an example: Over the last few years I have written an uncountable number of formal modelling tools - experimenting with various approaches, systems, forms of analysis etc.

I have a few ideas for a new tool I want to build.

I have lists of ideas, actions, research associated with the project, which I've put together over the last few months. And when I have time to work on it, those are useful in loading the context back into my brain.

But as it grows so does the time it takes to load...

sarahjamielewis,

And that creates a barrier to working on the project and limits the time I have to work on it.

To counter that I break off "Quick Win" and "Next Step" tasks for each project which are defined to be small enough that they can be tackled by my normal processes. But I can burn through those faster than I can define them - and then I'm back to the underlying problem of large context loading.

sarahjamielewis, to random

On another fun note regarding clone sites: If you search for the Cwtch messenger on Bing or Duckduckgo the top results for some searches will provide you with clone sites that are not run by the @cwtch team or Open Privacy.

In fact neither cwtch.im nor openprivacy.ca appear to surface in Bing or DDG at all (despite exact clones of the official cwtch site surfacing high up)

The reasons are unclear, but it is deeply concerning that people are being directed to potential malware sites.

sarahjamielewis, to random

It comes across as incredibly foolish to actively deprive anyone of knowledge of how infinitely complex and beautiful the universe actually is - to want to package it down into an over-simplified narrative to fit some distorted idea of "normal".

Between the anger, and the fear, and the sadness there is always a kernel of pity; that those cursed by such distortions experience the universe in far lower resolution, bound to a philosophy that forbids any greater definition or understanding.

sarahjamielewis, to random

Hi all!

@blodeuweddlabs is starting to look for a Business Development Specialist (remote w/ preference for B.C. / Canada).

While we have ideas & expectations, the exact nature is very much open to being defined - as is the compensation structure (be it fixed contract, equity, base + commission, or some combination - we anticipate base compensation will be in the range of 5k-10k / month).

If you are / know someone who might be interested please get in touch (email: sarah@blodeuweddlabs.com)

sarahjamielewis, to random

A security/crypto meta-topic for my sanity:

  1. In any context where it could possibly matter, cryptographic deniability doesn't hold any weight.

  2. Any party trusted with delivering OS updates can (be coerced to) compromise that device/app.

  3. The actual utility of properties like forward secrecy in a world with (2) depends on contorting adversaries into unrealistic shapes.

  4. While useful, many have too much faith in honor-system security ("self-destructing messages" / "no screenshot flags")

sarahjamielewis,

In my experience there is very little appetite for really digging into these topics.

After all, OS updates are an essential part of modern security practice, and everyone understands the importance of guarding network traffic from future compromises. And so what if certain features technically can be broken or undermined...they at least help keep honest people honest.

We learned from the mistakes of the past and definitely won't stumble into them again...right?

sarahjamielewis,

I'm sure your friends and associates don't run patched app/devices/linux. Your self destructing messages are safe.

And don't you worry, those protocols provide both sender & message repudiation. A court would definitely not just accept a printed screenshot as evidence.

And I'm sure that your messages are much more secure from mass surveillance in iMessage or Signal than they were in ICQ or Messenger or Facebook.

It's not like they can go ask Apple. Unthinkable. We live in a society.

sarahjamielewis,

To postscript, a better summary.

I have a deep concern that the techniques we have used to raise average security levels have created an ecosystem that lowers the bar for targeted attacks.

I am additionally troubled by the trust that people invest in the most visible security features they interact with - whose effectiveness is often overstated and/or misunderstood.

The combination of both of these things makes it difficult to talk/ write about security work, especially for a broad audience.

sarahjamielewis, to random

There was a time in the early 2000s when Firefox triggered a browser renascence and there was a lot of excitement about what a "browser" could be...feeds, blogging integration, collective tagging, open comments....

The original spirit that the web should be as writable as it was readable, extended to shareable.

And in some way, shaped by economics and technology, we got an approximation of that vision... shrink-wrapped and sanitized.

sarahjamielewis, to privacy

2023 was somewhat of a Red Queen's Race for , ,

At the end of it I feel like we had to run much faster just to stay in the same place.

Much like the rest of the space, funding for @openprivacy and @cwtch took a hit, and we have to continue to squeeze ever more out of the amazing support we do get.

When I look at where Cwtch is now compared to a few years ago I couldn't be prouder.

So much more to do, so many better worlds to build.

sarahjamielewis,

Ultimately the fight for privacy, security, and thus freedom of expression and association won't be won in a courtroom or a legislature.

It will be won by people making a choice that those values are worth actively protecting.

Every time someone localizes cwtch for a new language, or submits an anonymous bug report, or simply reaches out over ephemeral wires to say hi, I remember why we continue to do this work.

sarahjamielewis,

That is to say, Happy New Year!

Wherever you are, whatever race you are running, I hope the next revolution around the massive inferno that provides life to our tiny rock is kind to you.

sarahjamielewis, to random

Canadian Christmas Canon is a little bit of a mess. In 2013 the Harper government granted Santa and Mrs Claus a set of e-passports establishing in the press release (https://www.canada.ca/en/news/archive/2013/12/all-santa-wants-christmas-is-an-epassport-805089.html) that they were Canadian Citizens.

This year, the Minister of Immigration announced he had granted "a temporary resident visa to a foreign national" widely attributed to be Santa - implying that at some point in the last decade Santa had lost his Canadian Citizenship or that the visa was granted in error.

sarahjamielewis, to random

My "Year of Focus" is coming to a close. Overall I am very happy with how this year went.

My intent was to drill down on the projects that mattered most, and give them my attention.

And to that end I:

  • shipped Cwtch stable (which is a small way of summing up months of features, testing, and documentation)
  • founded Blodeuwedd Labs (security consulting) and already had the opportunity to work on some amazing projects there.
  • finally became a Canadian citizen

Among many other small victories.

sarahjamielewis,

My 2024 theme will be "Year of Form".

In looking back at this year, there is little I want to add or remove from my life at the moment, but there are plenty of areas I want to reshape to better suit.

This is first going to start with tools and spaces, but I want room to expand it to all aspects of my life.

sarahjamielewis,

Meta: I highly recommend yearly themes as an alternative to resolutions. There is a nice short introduction to the concept here (https://www.youtube.com/watch?v=NVGuFdX5guE)

I've been theming my years since 2016 and I have found the process very beneficial.

sarahjamielewis, to random

Looking for recommendations under the very broad category of "experts (people/organizations) who write/talk about the things that they do"

sarahjamielewis, to random

Small disclosure: A few months ago we (@blodeuweddlabs) found a UI Redressing issue in Signal Desktop.

This low severity issue meant that html pasted into the input box could break out of that context and overlay other UI elements.

In lieu of a thorough analysis, and because this could potentially be used in combination with some additional electron issue, we made the decision to report this privately to Security@Signal.

This issue has now been fixed.

Full details: https://blodeuweddlabs.com/news/signal-desktop-ui-redressing-issue