Another risk with Monitor, which may get better with time. Is that FOSS rust projects have a tendency to slow down or even stall due to the time cost of writing features, and the very small dev community available to pick up slack when original creators/maintainers drop off, burn out, or get too busy with life.

To be clear: I have nothing against rust. It’s a fantastic language filling in a crucial gap that’s existed for decades. However, it’s I’ll suited for app development, that’s just not it’s strength.

Why are you here if you’re just going to insult hobbyists in the community dedicated to hobbyists.

This isn’t the kind of vibe /c/selfhosted needs

Interesting fact, Nazis were actually socialists. The term Nazi is a shortened version of the german term for National Socialist, which is part of their full name: National Socialist Workers Party of Germany

I found one of the suckers that would vote for the Nazi party because they put {{Popular political ideology here}} in their name.

Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that its built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

Damn reading literacy has gone downhill these days.

Please reread my post.

But this should be an OS level protection that can be offered to Signal as an app, not the other way around.

1. OSs provide keyring features already
2. The framework signal uses (electron) has a built in API for this EXACT NEED

Cmon, you can do better than this, this is just embarrassing.

That’s all hinges on the assumption that your computer is pwned. Which is wrong

You don’t necessarily have to have privileged access to read files or exfiltrated information.

That point doesn’t matter anyways though because you’re completely ignoring the risk here. Please Google “Swiss cheese model”. Your comment is a classic example of non-security thinking… It’s the same comment made 100x in this thread with different words

Unless you can list out all possible risks and exploits which may affect this issue, then you are not capable of making judgement calls on the risk itself.

I can’t imagine the stress on both their lives, specially in a country with terrible healthcare like America.

Should be a slogan.

They’re looking to manufacture outrage by the sounds of it.

That’s not how this works.

This sort of “dismissive security through ignorance” is how we get so many damn security breaches these days.

I see this every day with software engineers, a group that you would think would be above the bar on security. Unfortunately a little bit of knowledge results in a mountain of confidence (see Dunning Kruger effect). They are just confident in bad choices instead.

“We don’t need to use encryption at rest because if the database is compromised we have bigger problems” really did a lot to protect the last few thousand companies from preventable data exfiltration that was in fact the largest problem they had.

Turns out that having read access to the underlying storage for the database doesn’t necessarily mean that the database and all of your internal systems are more compromised. It just means that the decision makers were making poor decisions based on a lack of risk modeling knowledge.

That said the real question I have for you here is:

Are you confident in your omniscience in that you can enumerate all risks and attack factors that can result in data being exfiltrated from a device?

If not, then why comment as if you are?

And there are ways to mitigate this attack (essentially the same as a AiTM or pass-the-cookie attacks, so look those up). Thus rendering your argument invalid.

Just because “something else might be insecure”, doesn’t in any way imply “everything else should also be insecure as well”.

That’s not how this works.

If the stored data from signal is encrypted and the keys are not protected than that is the security risk that can be mitigated using common tools that every operating system provides.

You’re defending signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your “private” messages.

There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that’s a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally “confident” in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.

Also this is a common problem with framework provided solutions:

https://www.electronjs.org/docs/latest/api/safe-storage

This is such a common problem that it has been abstracted into apis for most major desktop frameworks. And every major operating system provides a key ring like service for this purpose.

Because this is a common hole in your security model.

They’re arguing a red herring. They don’t understand security risk modeling, argument about signals scope let’s their broken premise dig deeper. It’s fundamentally flawed.

It’s a risk and should be mitigated using common tools already provided by every major operating system (ie. Keychain).

Not necessarily.

https://en.m.wikipedia.org/wiki/Swiss_cheese_model

If you read anything, at least read this link to self correct.

This is a common area where non-security professionals out themselves as not actually being such: The broken/fallacy reasoning about security risk management. Generally the same “Dismissive security by way of ignorance” premises.

It’s fundamentally the same as “safety” (Think OSHA and CSB) The same thought processes, the same risk models, the same risk factors…etc

And similarly the same negligence towards filling in holes in your “swiss cheese model”.

“Oh that can’t happen because that would mean x,y,z would have to happen and those are even worse”

“Oh that’s not possible because A happening means C would have to happen first, so we don’t need to consider this is a risk”

…etc

The same logic you’re using is the same logic that the industry has decades of evidence showing how wrong it is.

Decades of evidence indicating that you are wrong, you know infinitely less than you think you do, and you most definitely are not capable of exhaustively enumerating all influencing factors. No one is. It’s beyond arrogant for anyone to think that they could 🤦🤦 🤦

Thus, most risks are considered valid risks (this doesn’t necessarily mean they are all mitigatable though). Each risk is a hole in your model. And each hole is in itself at a unique risk of lining up with other holes, and developing into an actual safety or security incident.

In this case

• signal was alerted to this over 6 years ago
• the framework they use for the desktop app already has built-in features for this problem.
  • this is a common problem with common solutions that are industry-wide.
• someone has already made a pull request to enable the electron safe storage API. And signal has ignored it.

Thus this is just straight up negligence on their part.

There’s not really much in the way of good excuses here. We’re talking about a run of the mill problem that has baked in solutions in most major frameworks including the one signal uses.

https://www.electronjs.org/docs/latest/api/safe-storage

That’s the joke.

Fascism is spreading there as well unfortunately.

And will continue to do so as long as corporations have and continue gaining power to rival your governments. Manipulating public opinion is easy when you own all sources of information dissemination.

Damn near every tech company and major utility provider has no way of growing aside from squeezing.

No matter where you turn you will be getting squeezed, and it’ll just get worse every year that regulations don’t catch up.

And if the U.S. has it’s way, institutional regulation will be a thing of the past as a new wave of unchecked corporate oligarchy begins. And since the U.S’s biggest export is crazy, it’ll just spread…

Making the future more grim.

It also goes rancid…

Yep, pretty standard practice when doing a lot of painting. Do this with rollers mostly.

This ruins brushes though since the paint closer to the bottom of the brush tends to dry out and stick.

Not supposedly, that’s a fundamental function of rechargeable batteries, and largely for chemistry. Heat typically increases reactivity, and vice versa.

Warm batteries/room temperature batteries degrade significantly faster when at full charge. And most people keep their batteries at full charge.

Lowering the temperature slows the degradation down.

Refrigerating bread slows down mold growth…

This increasing the shelf life.

You don’t have to refrigerate bread. But you can with clear reason.

Ah, a classic false dichotomy.