Posts by mjg59@nondeterministic.computer
(DIR) Post #B2fZjNbDF2s7lUQD3Y by mjg59@nondeterministic.computer
2026-01-26T04:51:30Z
2 likes, 0 repeats
Frankly: binaries are the thing that executes on your system and embody the truth of software behaviour, and with modern technology it's often *easier* to determine that truth through the binary than through the source code (throw the "login" app from Reflections on Trusting Trust into Ghidra and you'd learn the truth even if the source code wouldn't tell you that)
(DIR) Post #B2fZjWhDQ61NyiIdA8 by mjg59@nondeterministic.computer
2026-01-26T04:53:50Z
1 likes, 0 repeats
I believe that free software is vital. People should have control over everything that executes on their system. But let's not kid ourselves - even someone running linux-libre on a machine with open firmware on a custom fabbed RISC-V with no microcode hasn't verified every line of code they execute, and nor has the community as a whole
(DIR) Post #B2fZjfVqdjHBK43BC4 by mjg59@nondeterministic.computer
2026-01-26T04:57:06Z
0 likes, 0 repeats
At some point we have to trust that other humans won't just lie to us - and that's true whether the software is free or proprietary. Debian could modify mirrors to push a backdoored package to a specific IP address, but the people with the ability to do that are well known to the community and we trust that they wouldn't. That's not a function of Debian being free software - that's a function of an open community
(DIR) Post #B2fZjnvfLcgJQSBuXw by mjg59@nondeterministic.computer
2026-01-26T04:58:30Z
2 likes, 0 repeats
Build communities. Find people you trust and place more faith in their recommendations. Don't trust anyone who says there's a magical solution here.
(DIR) Post #B2fZjwXXKhjC8DyGga by mjg59@nondeterministic.computer
2026-01-26T05:00:11Z
1 likes, 0 repeats
(And for the love of God ignore anyone who's telling you not to use Signal right now, every alternative is meaningfully worse for the vast majority of people)
(DIR) Post #B2fjua5S9TndDpXwLw by mjg59@nondeterministic.computer
2026-01-26T05:25:30Z
0 likes, 0 repeats
Let's workshop a scenario a little. Bad things happen. People are afraid. People buy one of the small number of phones that is almost entirely free software, and organise resistance that way. The resistance are now disproportionately using devices that have IMEIs from specific ranges, and which can be geolocated through tower records. What do you think happens next?
(DIR) Post #B2fjublftzAQR4JAno by mjg59@nondeterministic.computer
2026-01-26T05:31:15Z
0 likes, 0 repeats
If you're in the US and you want to reduce the risk the vendor will fuck you over on behalf of the government without looking suspicious? Much as it pains me to say it, Apple's track record in refusing to assist the FBI in the San Bernardino case is a strong signal there
(DIR) Post #B2fkJchNZwJAYtE8wK by mjg59@nondeterministic.computer
2026-01-26T09:18:46Z
0 likes, 0 repeats
@publicvoit Ok, so first, the track record of Apple publishing detailed descriptions of their security practices outstrips every even vaguely comparable vendor (including Google). But that's not really the point - most people are going to trust a giant international megacorp. The only evidence you have is past behaviour. Do you pick one who has clearly stood up in the past, or one who hasn't?
(DIR) Post #B2fkeWXFgmGfWmSM5I by mjg59@nondeterministic.computer
2026-01-26T08:56:56Z
0 likes, 0 repeats
Fucking hell given the state of my replies free software advocacy is going to get people killed at some point
(DIR) Post #B2fkeXfRToPh2TIPUO by mjg59@nondeterministic.computer
2026-01-26T08:59:38Z
0 likes, 0 repeats
(Not directed at the majority of free software advocates who are sensible human beings and who I am strongly aligned with, but free software fundamentalism with no regard for the actual reality of the situation people are dealing with is a recipe for poorly understood threat models ending up deployed in inappropriate ways and given where the US is at the moment there's a real risk that's going to end up going extremely poorly)
(DIR) Post #B2fktb7Mvw7m5GXO3E by mjg59@nondeterministic.computer
2026-01-26T09:23:28Z
0 likes, 0 repeats
@Suiseiseki Ah yes it is well known that the majority of people murdered by the state are proprietary software developers
(DIR) Post #B2fliMbIfSxVpPkE7M by mjg59@nondeterministic.computer
2026-01-26T09:32:37Z
0 likes, 0 repeats
@Suiseiseki Huh sorry I hadn't realised you were a parody account
(DIR) Post #B2flwdd09nAggyLa8e by mjg59@nondeterministic.computer
2026-01-26T09:35:45Z
0 likes, 0 repeats
@Suiseiseki Which software?
(DIR) Post #B2fmd7TrYWwDROKTaK by mjg59@nondeterministic.computer
2026-01-26T09:42:56Z
0 likes, 0 repeats
@Suiseiseki Oh, and that connects to the cellular network?
(DIR) Post #B2fmzXPfovV6Ev3l2G by mjg59@nondeterministic.computer
2026-01-26T09:46:51Z
0 likes, 0 repeats
@Suiseiseki Ah, yes, you're not serious. Good to know.
(DIR) Post #B2fnea3KuWpMIdBM3M by mjg59@nondeterministic.computer
2026-01-26T09:21:31Z
0 likes, 0 repeats
@publicvoit "Buy a second hand Pixel 8 and jump through these hoops to reflash it" is great advice for someone like me and terrible advice for most people who are now going to end up with a phone that doesn't do everything they expect it to. Before making that recommendation, describe your threat model.
(DIR) Post #B2fx5tqgJjaV6MMfdw by mjg59@nondeterministic.computer
2026-01-26T11:16:58Z
0 likes, 0 repeats
Just to check on something: whomst amongst you would genuinely say you would have spotted the libxz backdoor by examination rather than by behaviour
(DIR) Post #B2fx5wFZOAgUY81ZiK by mjg59@nondeterministic.computer
2026-01-26T11:29:42Z
0 likes, 0 repeats
@mvgorcum It was in the packaged source, but not in git
(DIR) Post #B2fxjvKaE2fnHYR5CS by mjg59@nondeterministic.computer
2026-01-26T08:56:14Z
0 likes, 0 repeats
@lil5 Cool what do you think people on the street are carrying because it's not a fucking laptop
(DIR) Post #B2fxrIb27kNBSueAmu by mjg59@nondeterministic.computer
2026-01-26T11:48:40Z
1 likes, 0 repeats
@ignaloidas @mvgorcum The binary test data that contained the binary was, the configure file that turned that into code wasn't