cypherpunks

@cypherpunks@lemmy.ml

cultural reviewer and dabbler in stylistic premonitions


How to become a moderator of an external community?

When I open a certain small external community that I am subscribed to, lemmings.world/c/session@lemmy.ml, I see that the moderator list is empty, yet when I visit the same community via its parent domain, lemmy.ml/c/session, I can see one moderator name. Clicking it causes only the page header and footer with no content...

cypherpunks,

Hi, I’m an admin on lemmy.ml. The account of the one existing mod of the session community here has apparently been deleted.

I’ve heard there are some bugs with moderation of remote communities, but, I just made you a mod there anyway. I don’t know the state of those bugs; it might work better if you made an account on this instance.

Btw, I recommend against using Session for a variety of reasons including the one I posted in your thread here.

cypherpunks, (edited )

I just skimmed that audit (from 2021) and hit ctrl-f for “forward secret” (no results) and then “ratchet”… which found this:

> Even though there is no ratchet mechanism as in Signal, no correlation exists between ciphering keys over time. This observation is made on the basis that crypto_box_seal creates a new key pair for each message, and attaches the public key to the ciphertext. crypto_box_seal creates an ephemeral keypair and uses the secret part with the recipient public key to craft a symmetric key in charge of ciphering messages. The recipient will extract the ephemeral public key from the ciphered message and will use their private key to regenerate the ephemeral symmetric key for this message.

Having an ephemeral DH public key included with each message does not make the symmetric key ephemeral and thus does not make the protocol forward secret, because the other side of the DH is the recipient’s long-term key. So, an adversary who records some ciphertexts and then compromises the recipient’s long-term private key years later can easily decrypt all of the old ciphertexts they collected.

There are several other reasons I wouldn’t recommend Session, but the lack of forward secrecy is a big one.

I haven’t read the rest of the audit but the fact that they gloss over the lack of forward secrecy and strongly imply that crypto_box_seal with one ephemeral key and one long-term key makes the symmetric key somehow “ephemeral” casts doubt on the credibility of the auditors.

I would recommend simplex.chat instead. There is a lemmy community for it at /c/simplex@lemmy.ml

cypherpunks, (edited )

> Thank you. I have read that the Session is not yet using a quantum-resistant cryptographic algorithm. It is using X25519 which is an elliptic curve algorithm widely used for key agreement in TLS today. As a layman, I do not expect this to be a problem for a regular user (who is no target of the US three letter agencies) in the near future.

The lack of forward secrecy and lack of post-quantum encryption are orthogonal deficiencies. The development of a cryptanalytically-relevant quantum computer is only one of the ways that a long-term key could be compromised in the future, and forward secrecy without some PQ crypto does not actually even protect against that.

The reason to have forward secrecy (even if you don’t have PQ) is that long-term keys can be compromised in the future by malware or device seizure. See the forward secrecy wikipedia article i linked in my previous comment for more information.

> According to www.securemessagingapps.com Session uses: X25519 / XSalsa20 256 / Poly1305

These are good cryptographic choices, albeit not PQ. The problem is that they aren’t being combined in a forward secret manner. It is very possible to build a forward secret protocol from these primitives (as many other projects have done) but Session opted not to. They actually were originally using Signal’s forward secret ratchet, but if i understand correctly it was too difficult for them so they just gave up on forward secrecy at some point and replaced it with this thing they have now.

> While Simplex uses: Curve25519 / XSalsa20 256 / Poly1305

SimpleX actually added Streamlined NTRU Prime recently for quantum resistance. (And it was forward secret from the beginning, as one would expect of any protocol designed in the last 15 years or so…)

> and Simplex does not provide transparency report

Actually they do, here: simplex.chat/transparency/index.html

> and logs timestamps/IP addresses

Huh? I don’t think so… what makes you say that?
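
The difference discussed in the two comments above, between crypto_box_seal-style key agreement (ephemeral sender key, long-term recipient key) and an exchange built from the same primitives in which both DH keys are ephemeral, as an added example that is not part of the original comments or of Session's or libsodium's code. Assumptions: the function names are hypothetical, X25519 is a plain RFC 7748 ladder (not constant-time), SHA-256 stands in for libsodium's key derivation, and authentication of the ephemeral keys is not modelled.

```python
import hashlib, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (illustration only: not constant-time)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)

def kdf(shared: bytes, *pubs: bytes) -> bytes:
    # Assumption: SHA-256 stands in for libsodium's key derivation.
    return hashlib.sha256(shared + b"".join(pubs)).digest()

def seal_key(recipient_pk):
    # Sender side, sealed-box style: a fresh ephemeral key pair per message.
    eph_sk, eph_pk = keypair()
    return eph_pk, kdf(x25519(eph_sk, recipient_pk), eph_pk, recipient_pk)

def open_key(recipient_sk, recipient_pk, eph_pk):
    # What the recipient computes, and anyone who later obtains recipient_sk.
    return kdf(x25519(recipient_sk, eph_pk), eph_pk, recipient_pk)

def compare():
    lt_sk, lt_pk = keypair()                # recipient's long-term key (constructed)
    wire_eph_pk, msg_key = seal_key(lt_pk)  # eph_pk travels with the ciphertext
    sealed_recovered = open_key(lt_sk, lt_pk, wire_eph_pk) == msg_key
    (a_sk, a_pk), (b_sk, b_pk) = keypair(), keypair()  # both sides ephemeral
    session_key = kdf(x25519(a_sk, b_pk), a_pk, b_pk)
    del a_sk, b_sk                          # erased once the session ends
    fs_recovered = kdf(x25519(lt_sk, a_pk), a_pk, b_pk) == session_key
    return sealed_recovered, fs_recovered   # (True, False)
```

The first result is the case described for crypto_box_seal: the recorded ephemeral public key plus the long-term private key reproduces the message key. In the second, the long-term key is not an input to the session key at all, so holding it later recovers nothing.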

cypherpunks,

shoutout to the person who reported this post with “Reason: Bot meme, you can’t even read it. whoever replies is a bot too” 😂

cypherpunks,

i guess maybe if you’re using a device with a tiny screen and a lemmy client that doesn’t let you zoom in on images

cypherpunks,

This doesn’t include the vehicle in the post, but has some similar ones like this:

[Image: black and white photo of a steam powered track-drive vehicle]

The Hornsby steam crawler: 1910

This machine was shipped to Canada from England in 1910, being sold to the Northern Light Power & Coal Company for use hauling coal to the Klondike gold fields in the Yukon, where it worked until 1927. This was the only sale, and the Hornsby company became disillusioned with their "chain track" and sold the patent rights to the Holt Manufacturing Company in 1914.

see also en.wikipedia.org/wiki/Traction_engine

cypherpunks, (edited )

preferring instant to fresh coffee is the more popular opinion in much of the world, but it’s mostly in the same places where people would rather be drinking tea anyway:

[Image: world map of coffee vs tea preference by country]

[Image: world map of instant vs fresh coffee preference by country. (it is a very similar map.)]

(source)

cypherpunks,

/r/shittyaskreddit wasn’t supposed to be an instruction manual 🙄

cypherpunks, (edited )

It’s better to run it as not root, which you can presumably do on Linux Mint by adding yourself (or another user account) to the wireshark group after installing the package. See wiki.wireshark.org/…/CapturePrivileges and gitlab.com/wireshark/wireshark/-/…/README.Debian for details.

cypherpunks, (edited )

yeah, they aren’t very active, but (presumably due to federation bugs) there is more there than your instance is showing you: from my perspective the most recent post on the mander community is from one month ago and the lemmy.ml community has three posts including one that isn’t from a mod.

you might be able to pull those posts into your instance by searching for their permalinks there (which you can find from the fediverse icons on each post in the web view of those communities on another instance).

cypherpunks,

> E: old thinkpad gang input: take the time to reapply thermal grease to the cpu at some point. It makes a huge difference.

> What’s a “gang input”?

😂 it’s an input to this discussion from a member of the group of people (“gang”) who have experience with old thinkpads. and yes, if your old thinkpad (or other laptop) is overheating and crashing, reapplying the thermal paste is a good next step after cleaning the fans.
