@sarahjamielewis@mastodon.social

sarahjamielewis


Cryptography and Privacy Researcher. Executive Director @ Open Privacy Research Society (https://hachyderm.io/@openprivacy).

Founder @ Blodeuwedd Labs (https://mastodon.social/@blodeuweddlabs)

Building free and open source, privacy-enhancing, surveillance-resisting tech like Cwtch (https://fosstodon.org/@cwtch)


sarahjamielewis, to random

There is lots of discussion about Electron / webp and - as someone who would never ever use electron for anything remotely approaching a security sensitive context - I do think it misses the mark.

Electron is bad because it shares an attack surface with the most attackable surface, but then extends it with all the functionality that was deliberately removed / never implemented because security.

(While giving developers very few tools to actually lock down that context in a meaningful way)

sarahjamielewis,

I don't think I've ever seriously audited an electron app and not found a critical vulnerability related to the fact it was an electron app.

The webp vuln impacted basically anything that touched webp files - which includes a lot of things that are not browser engines.

It's an argument for stronger vetting of new file formats - especially those implemented in unsafe languages - separate from not using electron (though you should also probably not use electron)

sarahjamielewis,

Ultimately the biggest problem is there is little investment in cross-platform UI tooling that isn't coming from the browser space.

Small teams can't afford to build an application for every given platform stack, so they pick the path of least resistance. As a result machines and people are increasingly vulnerable as applications are absorbed into the web context.

There is nothing on the horizon that changes that fundamental economic consideration.

sarahjamielewis,

@wtwagg I haven't, but I believe the very first CVE registered for Signal desktop was trivial javascript code execution because the rendering context wasn't locked down.

Since then the Signal Foundation have received a lot of funding so I imagine they have the budget and staff to very carefully audit new features to ensure the risk of those kinds of things happening is minimal.

But the thing with Electron is, it only takes a single mistake in that auditing.

sarahjamielewis, to random

Today we are releasing @cwtch 1.13!

It's been over five years since we announced Cwtch & the first alpha prototypes. We have spent the last two years publishing beta releases - refining/adding new features, tweaking the design, building security tooling and so much more.

We have now reached a major milestone. The first Cwtch Stable release candidate, and a point where we are willing to make certain commitments about baseline functionality and risk-limited features.

https://docs.cwtch.im/blog/cwtch-1-13/

yawnbox, to Introvert

deleted_by_author

  • sarahjamielewis,

    @yawnbox I would kindly suggest not using this for anything where security or privacy is in any way desired.

    sarahjamielewis, to random

    A party that has shown they are ready to unilaterally change terms as soon as they believe they have the power to do so, will continue to adopt that position.

    Sunk costs suck, nostalgia and inertia are powerful forces, but I will never understand the willingness of so many people to give a corporation another chance when they catastrophically fail to monopolize their position. 2023 has had so many.

    People can change; organizations, fundamentally, can't.

    Respect yourself more than that.

    sarahjamielewis, to random

    The reality on the ground is that as soon as the UK's Online Safety bill becomes law then the de-facto assumption must be that any service provider with significant exposure to the UK might be under a notice that mandates the compromise of the security and/or privacy of that service.

    The statement made today - explicitly designed to defuse any tension that might have held up the bill - only reinforces that position.

    The framing that this is a "win" for online privacy is deeply disingenuous.

    sarahjamielewis,

    I get that some organizations need to save face.

    They made a big show of saying they will pull out of the UK if this law passes...well this law is going to pass, as is, with no concessions.

    The draft text hasn't changed, how the regulations will be written and implemented hasn't changed.

    They got a pinky promise that the law will only be used when it can be used.

    "A notice can only be issued where technically feasible"

    sarahjamielewis, to random

    Integrated some fancy local llm magic into my custom IDE project and now I can request arbitrary code reviews.

    Sometimes the reviews are not great, but they also don't tend to be terribly off base (and occasionally point towards an actual issue).

    And this is without many of the techniques to squeeze even greater performance / context awareness (I am really interested in playing around with some ast-aware / grammar-driven sampling)

    sarahjamielewis, to random

    Since people asked, some opinions about the Rust ecosystem:

    1. I like the language. It's my default.
    2. So much dependency bloat. Almost as bad as Python. Almost.
    3. A general feeling that unmaintained libs will slowly cease to compile. (There was a time when many useful features in libs were nightly only...and the unmaintained ones don't build anymore)
    4. I've built some personal tooling for Rust and the sheer complexity of some introspection components makes me weary of ever trusting it.
    sarahjamielewis,
    5. Tooling cpu usage. I don't know if this is an IDE problem or language server problem or both. But certain rust projects cause my IDE to burn cpu cycles in a way that other languages simply cannot.
    6. A sense that the community has grown to a point that it is starting to naturally fragment and any of the ideals I had associated with that community no longer apply. (Regardless of whether those values were ever there to begin with).
    sarahjamielewis,

    Rust is still my default, though it is no longer separated from the pack.

    I've spent more time programming in C this year than any point in the last decade. A kind of re-evaluation of what I value in a solution.

    sarahjamielewis,

    There is a through-line in these opinions that goes something like: "dependency management is hell no matter the context" and that is definitely a big part of it.

    I can, and do, use Rust per se. Benefit from the benefits, and avoid everything else.

    But then you might ask questions like...can I get 80% of those benefits another way...and...maybe I should just write a compiler...and then your week off vanishes into oblivion...but that's for another time.

    sarahjamielewis, to random

    Starting to mentally bucket the Rust ecosystem in the same place I bucket the Python ecosystem i.e. "I'll only use it if I have no other practical option, isolated from as much as possible".

    Trying to work out if this is just the end of a long-honeymoon, or if things have actually gotten that much worse.

    sarahjamielewis, to random

    8 months into my time tracking experiment this year. Some additional observations:

    1. My intuition of how much time I'm spending on each project lines up pretty well with the data.

    2. My ability to work on something for long stretches is completely uncorrelated with the actual work. Context switches have outsized impact.

    3. Feeling much better about the mapping of engaged work time to wall-clock work time.

    4. Finding the second-derivative (change in offset-from-ideal) more helpful as metric.

    sarahjamielewis,

    Definitely feel I absorbed most of the benefit from tracking in the first 90-days. If only because it confirmed what I already knew - that I have weeks where I will be deeply focused, and weeks where I will have a harder time getting into the work. This is cyclic and the ebb-and-flow is pretty obvious when graphed out.

    What I get done on any given day or week doesn't correlate to what gets done in the course of a month or season.

    sarahjamielewis,

    Disclaimer: Time tracking is often lauded as a productivity tool - and if you are struggling with focus on projects that you otherwise consider important it might help.

    However, I am someone that generally does not struggle with not-working (quite the opposite), I've mainly been using it as a check on myself, overwork, and making sure that my mind lines up with reality.

    sarahjamielewis, to random

    Experience has shown me that there is no real way to combat "not even wrong" claims about privacy and security in the secure communications space.

    Demonstrating critical issues results in hostility and a quick patch that does nothing to fix the underlying systemic issue (at best).

    Yes I find myself growing tired of holding my tongue while these apps are promoted or, somewhat more dispiriting, held up as models of good privacy engineering.

    Caveat Emptor?

    sarahjamielewis,

    I really want to get across that this is not a risk model critique.

    Privacy is hard, trust is nuanced, risk models are diverse, there is room for a diversity of tactics in secure communication.

    Metadata privacy in particular is one of those points where I think it's possible for well intentioned people to have different opinions on usability/security/safety trade-off.

    I obviously have very strong opinions in that regard.

    Some of my good friends are Signal users etc.

    sarahjamielewis,

    And yet...there are fundamental truths in privacy like "trust has to be motivated to be justified" - trust isn't faerie dust you can sprinkle on a system and have it magically become secure and private.

    Even motivated trust has limits. There are certain properties that simply cannot be achieved if the security of the system is predicated on a trusted third party - no matter how much you dress up that third party.

    sarahjamielewis,

    Finally, because I need to say it.

    At some point in the common tongue, privacy became synonymous with "identifiers". And then identifiers was scoped to be so narrow as to be useless even in that context.

    Privacy, technical privacy, the actual thing that is to be conserved, has absolutely nothing, to do with where, how, and what you call the identifiers within your system.

    Mass multi-source correlation engines have been commodities for 40+ years. Your risk model is not even wrong.

    sarahjamielewis, to random

    Definitely a few issues that need to be resolved, but I now have a rough cut of a functional cwtch@fosstodon.org build for Whonix - will aim to get these changes and instructions out in the next nightly!

    (sorry it took so long to get to this)

    sarahjamielewis, to random

    Now seems like a good time to put it out there that I am available for consulting work, or potentially something more permanent.

    So, if anyone is looking for a security/software engineer then please get in touch.

    I have many years of experience in many things from taming legacy systems to reviewing modern cryptographic protocols.

    I have certified the security of critical systems at top tech companies, and designed new software for startups.

    Contact information can be found in mastodon bio.

    neil, to random

    If my wife wants to do something "computer-y" - pretty much anything - she'll reach for her phone.

    If I want to do something "computer-y", I reach for my computer, for pretty much anything other than reading a short message or quick, casual browsing.

    Yes, everyone is different, but I much prefer a larger screen and a physical keyboard for anything but the most trivial of tasks.

    Are you a computer-first person, or a phone-first person?

    sarahjamielewis,

    @neil I have a phone, the battery rarely has charge. I carry it with me sporadically.

    I have a tablet that I used for casual reading and as a control for other devices (usually via a shell) - mostly I use that when travelling or when doing something in-the-field like controlling the computer attached to a telescope.

    Anything else, computer.
