Peter Makholm @pmakholm@mastodon.technology

I never get used to Maven telling me that it needs to download some code from the internet before it can clean my project…

Can I have good old make(1) back, pretty please?

Apparently I am an early adopter…

Explain it like I am a king!

Daniel Stenberg explains cURL in video show at ceremony where he received a medal from the King of Sweden…

youtube.com/watch?v=SMsfOtU8KZ

best answer to that Wired article on #efail, by Peter Sunde Kolmisoppi:

"Dear @wired. I love @signalapp and yes PGP sucks, but suggesting to people to ditch a decentralised protocol (e-mail) for any centralised protocol (even if it's Signal) is just not the way forward. All eggs in one basket is worse than flawy PGP."

And some communication workflows require "large datagrams of text" (a.k.a. mails) over "a stream of small text messages" (a.k.a. chat) and many of the "alternatives" seem to focus on the chat workflow.

Yes, e-mail is a pain.

But I really prefer "protocols with interoperable implementations" over "Use our product and hope that we don't break your workflow in our next update" even if it is followed with a "but you're welcome to fork our code base".

Forget about remote content blocking for a moment. Direct exfiltration can also be used for social engineering:

"I can read your private mail, here is the proof. You don't want me to make the juicy bits public, do you..."

One of the useful parts of the paper is the compendium of 40 ways to bypass remote content blocking.

efail.de/efail-attack-paper.pd

* SQL NULL, which exists to break logic, because NULL != NULL but IS NULL (NULL) == True

* "" and 0, the empty string and zero

* IEEE floating point's NaN, which is Not a Number and certainly is not Zero but is probably also not Null, or is it?

* whatever the truth value of 'this statement is false' is

* _|_ (robo-butt), which is theoretically what you get when you try to evaluate an infinitely recursing function but what you actually get is Stack Overflow Exception which is different

The reason nulls annoy me is we have so many of them:

* Lisp's Nil, which is not really a null but sometimes used as one

* C's Null, which exists to cause an error when dereferenced, but also wasn't hardcore null enough so they added Void

* Javascript's separate Null and Undefined values, but Undefined gets coerced to Null when you output to JSON, so do we really need both? (plus an infinite set of distinguishable {} and [] objects which are not Null)

* whatever you get when you do ,, in CSV

– MIME and HTML emails are broken, but we knew that.

– Using to scare users away from PGP to the product preferred by

It's pretty telling when the first reaction someone has to do with a security flaw is go to the press with it and raise alarms. They're someone else's useful idiot. This was obviously intended to get people to stop using GPG stuff, but the problem is that most people using it are probably technologically-savvy enough to see through the obvious fearmongering.

"Yeah. It is starting to look like a mistake in assessment and handling on the part of the EFF. Not necessarily quite a firing offense but within the realm where a resignation would not be out of the question." -friend on #eff and the #pgp #gpg #gnupg FUD of this morning.

Worst things about #Efail are the substandard disclosure practices exhibited by the paper authors and the apparent collaborations with #EFF and media outlets, only aimed at publicity.

Also, EFF recommending #Signal instead? Really? Almost seems like a concerted effort. You cannot use Signal on the desktop for now (because of the #Electron disaster) and it's not a tool for professional communication anyway. Maybe if you live in Silicon Valley it is, but nowhere else really 😘

Regarding : Is it correct that the CBC/CFB Gadget attack is previously known?

Does anyone have a more expanded explanation than the one on efail.de (without going full style academic paper)?