They/Them
Network Guardian Angel. Infosec.
Antispeciesist.
Anarchist.
You should hide scores on Lemmy. They are bad for you.
While the National Assembly had removed a possible recourse to the health pass from the bill, the Senate reinstated it, but in a very limited version.
For several weeks, the number of infections has kept climbing, raising the prospect of new measures. A bill is planned for this purpose.
Covid-19: will Parliament vote to extend the vaccine pass?
This could be the first text examined by the new National Assembly and by the Senate. A bill to extend, beyond 31 July, the possibility of resorting to the vaccine pass is in preparation. But deprived of an absolute majority, the executive seems to be heading towards a version ...
Should scores be hidden by default?
Lemmy implements a scoring system allowing people to upvote or downvote posts. You know that since you are using Lemmy :)
Scores can be used to increase or lower the visibility of posts, in particular when using some sorting algorithms (active, hot, top).
This can be used to increase the visibility of good quality posts, and lower that of low quality or irrelevant posts.
Yet, from what I observe, the tool is mostly used by communities to self-administer a filter bubble. Some communities seem to behave like a hive mind, massively upvoting or downvoting until the dissident is either assimilated, in a very Borg way, or excommunicated.
Also, scores seem to be used often to convey cheap moral judgement, without having the need to expose oneself to criticism by providing arguments to sustain their opinion.
Overall, I think scores are more toxic than useful, and I would be in favor of hiding them by default, so that newcomers are not put out by them.
What is your opinion about this? What are the advantages of having the score visible by default?
Just a clarification: the question is not "should scores exist or not?". If people find value in scores, good for them. I'm not one to dictate other people's preferences. :)
Book: Ethics Into Action
Henry Spira's extraordinary life as an activist shows t…
An excellent book for all vegan activists to improve their strategy, their communication and their actual impact on animal rights and well-being.
Go 1.18 will ignore CipherSuite ordering provided by the user
We now have a (well, two, depending on AES hardware support) universal cipher suite preference order, based on their security and performance. Peer and application lists are now treated as filters ...
cross-posted from: https://lemmy.ml/post/171118
On the account that "we are better equipped", Go will now ignore the order of the CipherSuite option, starting with Go 1.18, due this month.
The [sorting logic](https://github.com/golang/go/commit/9d0819b27ca248f9949e7cf6bf7cb9fe7cf574e8#diff-fa1ebabc009bcc9a9f27168612adf5b4d56f9f40d613a62f86830861acb85803R215-R270) is detailed in the code.
Several choices seem strange to me:
- "SHA-256 variants of the CBC ciphersuites don't implement any Lucky13 countermeasures." leading to CBC-SHA1 being favored over CBC-SHA256.
- "AES comes before ChaCha20", on the account that AES-NI is faster. They use heuristics to determine whether both ends support AES-NI and whether to prefer ChaCha20 over AES.
- "AES-128 comes before AES-256", on the account that AES-256 is slower.
The static nature of the sorting algorithm also leads to security conundrums such as the fact that updating the Go library and recompiling programs will be required if a vulnerability is found in an algorithm implementation (e.g. Lucky13 for the CBC-SHA256 Go implementation); you won't be able to just reduce its priority by updating a config file.
What's your take on this? Can you explain some of the choices that feel strange to me?
Edit: the GitHub issue of the proposal
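As an added example (not code from the post or from the Go project) of the filter-only behaviour the post describes: both peers list AES-256-GCM before AES-128-GCM in `Config.CipherSuites`, yet the handshake negotiates AES-128-GCM, because crypto/tls applies its own preference order and treats the configured list purely as a filter. The self-signed certificate, the in-memory `net.Pipe` and the TLS 1.2 pin are demo assumptions; AES-128 versus AES-256 is used rather than AES versus ChaCha20 because the latter choice depends on the machine's AES hardware support.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NegotiatedSuite runs a TLS 1.2 handshake over an in-memory pipe in which both
// peers set Config.CipherSuites to `suites` and returns the suite actually chosen.
func NegotiatedSuite(suites []uint16) (uint16, error) {
	// Throwaway self-signed ECDSA certificate, constructed for this demo only.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	cfg := &tls.Config{ // a single Config serves both peers of the demo handshake
		Certificates:       []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		InsecureSkipVerify: true, // the client accepts the demo cert without verification
		MaxVersion:         tls.VersionTLS12, // TLS 1.3 suites cannot be configured at all
		CipherSuites:       suites,
	}
	cliConn, srvConn := net.Pipe()
	go func() { _ = tls.Server(srvConn, cfg).Handshake() }() // server errors surface on the client
	client := tls.Client(cliConn, cfg)
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	return client.ConnectionState().CipherSuite, nil
}
func main() {
	suite, err := NegotiatedSuite([]uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // listed first, but not preferred by Go
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256})
	if err != nil {
		panic(err)
	}
	fmt.Println(tls.CipherSuiteName(suite)) // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
}
```

Passing a single-element list still works as a filter: offering only AES-256-GCM makes it the negotiated suite, which is the only way left to pin a suite under this model.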
Good article. Thank you. You make some excellent points.
I agree that source access is not sufficient to get a secure software and that the many-eyes argument is often wrong. However, I am convinced that transparency is a requirement for secure software. As a consequence, I disagree with some points and especially that one:
> It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit, it’s just not the main way they’re found nowadays.
In my experience as a developer, the vast majority of vulnerabilities are caught by linters, source code static analysis, source-wise fuzzers and peer reviews. What is caught by blackbox (dynamic, static, and negative) testing, and scanners is the remaining bugs/vulnerabilities that were not caught during the development process. When using a closed source software, you have no idea if the developers did use these tools (software and internal validation) and so yeah: you may get excellent results with the blackbox testing. But that may just be the sign that they did not accomplish their due diligence during the development phase.
As an ex-pentester, I can assure you that blackbox security tools returning no findings is not a sign that the software is secure at all. They may fail to spot flawed logic leading to a disaster, for instance.
And yeah, I agree that static analysis has its limits, and that running the damn code is necessary because UT, integration tests and load tests can only get you so far. That's why big companies also do blue/green deployments etc.
But I believe this is not an argument for saying that a closed-source software may be secure if tested that way. Dynamic analysis is just one tool in the defense-in-depth strategy. It is a required one, but certainly not a sufficient one.
Again, great article, but I believe that you may not be paranoid enough 😁 Which might be a good thing for you 😆 Working in security is bad for one's mental health 😂
A clash of norms over identity verification
The vaccine pass law came into force today. The text authorises private persons to check passes, but also to check that they match identity documents. MP Philippe Latombe had...
Background On January 8, 2020, the Centers for Disease Control and Prevention officially announced a new virus in Wuhan, China. The first novel coronavirus (COVID-19) case was discovered on December 1, 2019, implying that the disease was spreading quietly and quickly in the community before reaching...
Décision n° 2022-835 DC of 21 January 2022
Law strengthening the tools for managing the health crisis and amending the public health code
"Vaccine pass: we are referring the matter to the Conseil constitutionnel" - Press conference on the appeal lodged by some MPs
YouTube Video
Elements added to the code of TousAntiCovid-Verif suggest that the start date of the vaccine pass may already be written into it. The draft of
The vaccine pass definitively adopted by Parliament
It remains to be seen when the text will come into force. La France insoumise has announced that it has gathered enough parliamentarians to refer the matter to the Conseil constitutionnel.