Dark Arc

That’s not what this means at all. Security by obscurity is referencing software that itself has secret pieces that are (to the software authors) “security features” which are only secure so long as their implementation details remain secret.

Software using a key is not security by obscurity, knowing that a key is used by the software does not result in the application being compromised.

Software that uses one secret key for all users embedded in the binary is security by obscurity.

It’s called Voyager now

In a selfish way… I’d like for the UK to do this and for it to go horribly horribly wrong for them. Maybe that would finally get the US reps to get their heads out of their butts so l don’t have to keep signing petitions and writing essays about why weakening encryption is a horrible idea.

I’m curious - does this kind of report make people less likely to go with an AMD cpu?

For me, nah. This is well within the vein of “normal” problems for a CPU these days (neither AMD nor Intel seem to be able to avoid this sort of thing 100%)… and this particular issue seems to be fixed in hardware already for their Zen 3 chips (Nov 2020-Sept 2022) and Zen 4 chips (Sept 2022 - Present).

and that it’s owned by Google.

I mean yes, but it’s patent irrevocably royalty free (so long as you don’t sue people claiming WebM/P as your own/partially your own work), so it’s effectively owned by the public.

Google hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer implementations of the WebM Specifications, where such license applies only to those patent claims, both currently owned by Google and acquired in the future, licensable by Google that are necessarily infringed by implementation of the WebM Specifications. If You or your agent or exclusive licensee institute or order or agree to the institution of patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that any implementation of the WebM Specifications constitutes direct or contributory patent infringement, or inducement of patent infringement, then any rights granted to You under the License for the WebM Specifications shall terminate as of the date such litigation is filed. “WebM Specifications” means the specifications to the WebM codecs as embodied in the source code to the WebM codecs or any written description of such specifications, in either case as distributed by Google.

Source: https://www.webmproject.org/license/bitstream/

(But Dark, that’s WebM not WebP! – they share the same license: https://groups.google.com/a/webmproject.org/g/webp-discuss/c/W4_j7Tlofv8)

This is definitely top 10 Linux memes of all time for me.

I mean… if you’re running millions of sites on one box, and that itself isn’t an issue, I’d assume your port saturation/traffic is pretty low.

I don’t know anything about Netbird, but I’ll link you to my ZeroTier pitch the last time I noticed someone talking about Tailscale: https://lemmy.world/comment/1058287.

Yeah, it would be nice if they let people buy storage at a reasonable rate.

I use Bitwarden for passwords, but I think Proton Pass is an honorable mention. It’s possibly more secure, but still new.

s/iOS/MacOS/ :)

And … yeah TBH things haven’t changed. MacOS still doesn’t support Vulkan or DirectX which immediately puts it in a niche space, and Proton also doesn’t work for MacOS, so MacOS is arguably well behind Linux in gaming (though there are a few good native ports of a few serious games – e.g., No Man’s Sky).

From what I’m gathering, they have very different pronunciations in British English as well. I’m not sure about this shower thought, it seems like OP might be the one that’s mistaken?

I’m using one for myself and one for my grandpa (who gets tons of landline spam calls).

I haven’t noticed a lot that’s different for either of us. I think the real reason to use one of these sites is if you want your contact information to be a bit harder to find.

What did they improve about it that excites you?

That only stands true when the issue is not being actively exploited.

If you send these files over SSH, you’re good as that’s encrypted by ZeroTier and then encrypted again inside the SSH connection (and SSH does have perfect forward security).

See their cryptography section of their docs for more info.

You can read more here about what they’re working on:

• https://www.zerotier.com/blog/research-notes-on-2-x-cryptography/
• https://www.zerotier.com/blog/research-notes-aes-gmac-ctr-siv/

It’s been to long since I’ve read that to give anything more than a condensed “they’re improving their crypto significantly with ZeroTier 2” (not to mention memory safety via Rust).

I think it’s pretty secure and it will be getting better soon. In reality, I think it’s much more secure than what most people will end up with otherwise.

ZeroTier is open source, long running without incident, and the traffic is encrypted between peers.

The threat model is basically two fold though, in theory someone who has control of the ZeroTier roots (if you’re not using your own controller, if you’re using your own, then s/their roots/your roots/) could add routes to your devices, and add/remove devices that are part of your confirmation.

The encryption also doesn’t currently have perfect forward security, so if there’s a compromise in one of your connections, in theory some past state of that connection could be decrypted. In practice, I’m not sure this matters as traffic at a higher level for most sensitive things uses its own encryption and perfect forward security (but hey maybe you have some software that doesn’t).

The other thing I will note about that last point is that they’re working on a rust rewrite that will have updated crypto, including perfect forward security.

FOSS just means the software is open source. As I said, you can self host ZeroTier and not involve their servers (if you’re not doing things commercially, you pay for the license but still run your own controllers, or you use an older version which has been automatically relicensed by the change date to Apache 2.0).

That said, the traffic is peer-to-peer, in the majority of use cases there servers are acting as a bit more than syncthing’s servers (acting to facilitate the connection between two devices that want to talk together). See the other comment for some more thoughts here.

You got it right, lots of drama, not really anything to worry about unless you’re very fringe and have people you email via PGP with “super secure” PGP keys (and honestly I’d trust Proton more than I’d trust most people to roll their own PGP… it’s hard stuff to get PGP right).

I’ll pitch ZeroTier instead, it’s the same concept, but it’s more FOSS friendly, older, doesn’t have the non-networking “feature bloat” of Tailscale, and can handle some really niche cases like Ethernet bridging (should you ever care).

Just:

1. Go to their website, create an account, and create a network
2. Add ZeroTier to the devices you need to connect
3. Enter your network ID on those devices
4. Approve the devices in the web control panel

If you want to go full self hosting, you can do that too but you will need something with a static IP to control everything (https://docs.zerotier.com/self-hosting/network-controllers/?utm_source=ztp) this would replace the web panel parts.

You can also do a LAN routing based solution pretty easily using something like a Raspberry Pi (or really any Linux computer).