fosdem.org/2019/schedule/event

Keynote

Quote: "Today FLOSS software is everywhere. In some ways the dream of 20 years ago has been realized. FLOSS software is the norm, GitHub is mainstream."

Hmmm, thank you Mitchell. Do you know that GitHub was bought by Microsoft?

I'm glad "FLOSS is about freedom." This is reassuring. But I'm concerned that Mozilla remains the last bastion of it, and that someone like Steve Klabnik is leaving Mozilla (words.steveklabnik.com/thank-u) maybe for... Google...

Keynotes

OK, I think that after removing L for Libre from FLOSS in FOSDEM we might as well remove the E for Europe, as all 4 keynote speakers are U.S. Americans.

Or don't we have European Free Software developers?

@how You do, but some of them are boycotting USOSSDEM ;)

Time for a no bullshit European ethical technology event not sponsored by or teeming with surveillance capitalists who happen to work on some open source projects.

@how (PS. Watch this space on that one, I want to get the first one up and running this year. Talking to some folks now.)

@aral Actually we're strongly thinking about making an alternative event for free software developers & designers & users that is actually about free technologies production.

@how I’ll keep you in the loop with ours; see if we can combine our efforts.

@aral @how Not CopyleftConf then, a new conference in Brussels the day after FOSDEM with Google as platinum sponsor.

A conference with copyleft in its name and Google as a sponsor, don't know whether to laugh or be sad.

2019.copyleftconf.org/

@desikn @aral Oh, OK, so that's it. Bradley Kuhn and Karen Sandler come to keynote FOSDEM on "how the resistance failed" and "how volunteer developers can optimize their action" -- and their travel is paid for by Google, then they stay a bit more to evangelize Yurpins about Copyleft in an EU capital.

Interesting. We can ask them why Google...

@desikn @aral

This is a sad day for free software. These companies must rejoice to have stepped over software freedom and demonstrated once more that capitalism can phagocyte anything.

@desikn @aral @how Well, MS has some kind of open-source spree lately (GitHub, VS Code, built-in Linux support, ...)

@aral @how Why don't we start that event? Seems like the right time to do so :)

@how

We could remove the F too...
(except that OSDEM looks too much like something related to #osdev) because #Mozilla is not a bastion of #freedom anymore: bugzilla.mozilla.org/show_bug.

Since their outraged reaction to that bug report, I realized that Mozilla is just the #geek friendly #PR department of #Google. But they are more a #US thing than a Google one: after all they want to hand your data to #CloudFlare too... and defend most abusive #SiliconValley's #BusinessModel, while pretending to not.

@Shamar Line 2615 of the script reproduced in

pastebin.com/embed_iframe/2VH5

mentions: o = ["acunetix", "beef", "burp", "zap", "fiddler", "netsparker", "sleepypuppy", "sonar", "xbackdoor", "xenotix", "dominator", "littleDoctor"],

To me it looks like a script detector that will tell (someone) that the visiting browser has been compromised.

@how

No: as the following lines show, it's an implementation of the attack I described at dev.to/shamar/the-meltdown-of- and rain-1 polished and extended at rain-1.github.io/in-browser-lo to detect some tools running on the machine of the visiting browser (tunneling through the #browser behind the #firewall and #proxy).

Those are network security tools, and it's weird that the Russian Government wants a db of IP/people using them.. but it's way worse when you realize that those specific tools...

1/

@how

...can be used to detect a #JavaScript attack despite the #HTTP trick I described in the #Mozilla #Firefox bug report.

So they are building a db of people to NOT attack with an undetectable remote execution attack that Mozilla and #Chromium refused to mitigate.

Now ask yourself: why a Government can need such a database?

And why they couldn't make the attack itself undetectable?

And what if #Google, #Facebook or #Cloudflare did the same?
Would they face that same issue?

(No)

@Shamar I'm reading dev.to/shamar/the-meltdown-of-

The argument that the Web is broken strikes a sensitive chord in me. Yesterday still I was having this conversation: what browser do we have left? None. Maybe we should definitely drop usage of the Web entirely.

Back to yes... Still the transition from Web to P2P is not ready, it looks more like a blind dive than a toboggan.

But I digress.

@how

It strikes sensitive chords in everybody: dev.to/shamar/i-have-been-bann

But if we hide our heads in the sand, it won't get better by itself.

Can we fix it?

I think so.
But the process is going to be... difficult... even dangerous, I'm afraid.

It's not just a matter of economic interests (that make people refuse to open their eyes for the hope to get rich with some online game deducing valuable people's health data), but of military ones that were smartly tied to them: medium.com/@giacomo_59737/the-

@adfeno @how @mikegerwitz

Progressive enhancement is the best possible use of JavaScript, but it's just as insecure as any other JavaScript.

However you are right that, by spreading opt-in JS and proper mitigations, progressive enhancement would spread too...till the advent of @alcinnz's #Memex browser.

@Shamar @how So is there any setting which can turn off local address access from javascript? I know Tor browser doesn't usually allow this, but maybe that's something different.

@bob @how

#Tor doesn't allow those specific attacks, but if you authenticate to a service through it, and your identity is leaked (or simply available) with an association to a Tor exit node IP, there's no need for that to know that "you have something to hide".

OTOH Tor leaves #JavaScript enabled by default, even in its default #NoScript configuration, so it's just a matter of fantasy, skills and zero days to attack somebody through Tor and #JS.

Idk the undetectable part though...

1/

@bob @how

I have no idea about how the Tor network interacts with browser cache and HTTP cache control headers.

@bob @how

> is there any setting which can turn off local address access from javascript?

This is a good question from a technical point of view (but totally beyond people's skills).

I guess that there are interesting hacks one could try:
- run Firefox through a virtual machine that can only go outside
- replace the 127.0.0.1 in the kernel with an existing IP you don't care to visit (say a Russian government site 😉), but I guess it's a strong assumption in many userspace programs.
