he wouldn’t be able to inject backdoors even if he wanted to, since the source code is open
Jia Tan has entered the chat
he wouldn’t be able to inject backdoors even if he wanted to, since the source code is open
Jia Tan has entered the chat
democracy dies in dark mode
Regarding your browser-based thing: what are the specific capabilities of the "threat agents" (in your threat model's terminology) which your e2ee is intended to protect against?
It seems like the e2ee is not needed against an attacker who (a) cannot circumvent HTTPS and (b) cannot compromise the server; HTTPS and an honest server will prevent them from seeing plaintext. But, if an attacker can do one of those things, does your e2ee actually stop them?
The purpose of e2ee is to protect against a malicious server, but, re-fetching JavaScript from the server each time they use the thing means that users must actually rely on the server's honesty (and HTTPS) completely. There is no way (in a normal web browser) for users to verify that the JavaScript they're executing is the correct JavaScript.
If you run a browser-based e2ee service like this and it becomes popular, you should be prepared that somebody might eventually try to compel you to serve malicious JavaScript to specific users. Search "lavabit" or "hushmail" for some well-documented cases where this has happened.
What a confused image.
If you use systemd's DHCP client, since version 235 you can set Anonymize=true
in your network config to stop sending unique identifiers as per RFC 7844 Anonymity Profiles for DHCP Clients. (Don't forget to also set MACAddressPolicy=random
.)
They only do that if you are a threat.
Lmao. Even CBP does not claim that. On the contrary, they say (and courts have so far agreed) that they can perform these types of border searches without any probable cause, and even without reasonable suspicion (a weaker legal standard than probable cause).
In practice they routinely do it to people who are friends with someone (or recently interacted with someone on social media) who they think could be a threat, as well as to people who have a name similar to someone else they're interested in for whatever reason, or if the CBP officer just feels like it - often because of what the person looks like.
It's nice for you that you feel confident that you won't be subjected to this kind of thing, but you shouldn't assume OP and other people don't need to be prepared for it.
If they ask for a device's password and you decline to give it to them, they will "detain" the device. See this comment for some links on the subject.
I’m pretty sure that immigration in the US can just confiscate your devices if you are not a citizen .
CBP can and does "detain" travelers' devices at (or near) the border, without a warrant or any stated cause, even if they are US citizens.
Here is part of the notice they give people when they do:
Or just removing my biometrics?
Ultimately you shouldn't cross the US border carrying devices or encrypted data which you aren't prepared to unlock for DHS/CBP, unless you're willing to lose the hardware and/or be denied entry if/when you refuse to comply.
If they decide to, you'll be handed this: "You are receiving this document because CBP intends to conduct a border search of your electronic device(s). This may include copying and retaining data contained in the device(s). [...] Failure to assist CBP in accessing the electronic device and its contents for examination may result in the detention of the device in order to complete the inspection."
Device searches were happening a few hundred times each month circa 2009 (the most recent data i could find in a quick search) but, given other CBP trends, presumably they've become more frequent since then.
In 2016 they began asking some visa applicants for social media usernames, and then expanded it to most applicants in 2019, and the new administration has continued that policy. I haven't found any numbers about how often they actually deny people entry for failing to disclose a social media account.
In 2017 they proposed adding the authority to also demand social media passwords but at least that doesn't appear to have been implemented.
If copyright holders want to take action, their complaints will go to the ISP subscriber.
So, that would either be the entity operating the public wifi, or yourself (if your mobile data plan is associated with your name).
If you're in a country where downloading copyrighted material can have legal consequences (eg, the USA and many EU countries), in my opinion doing it on public wifi can be rather anti-social: if it's a small business offering you free wifi, you risk causing them actual harm, and if it is a big business with open wifi you could be contributing to them deciding to stop having open wifi in the future.
So, use a VPN, or use wifi provided by a large entity you don't mind causing potential legal hassles for.
Note that if your name is somehow associated with your use of a wifi network, that can come back to haunt you: for example, at big hotels it is common that each customer gets a unique password; in cases like that your copyright-infringing network activity could potentially be linked to you even months or years later.
Note also that for more serious privacy threat models than copyright enforcement, your other network activities on even a completely open network can also be linked to identify you, but for the copyright case you probably don't need to worry about that (currently).