Matthew Green with a brilliant write up on Signal’s “Secure Value Recovery” backup system (and decision to force users to choose PIN codes)

(blog.cryptographyengineering.com)

Signal’s Secure Value Recovery (SVR) is a cloud-based system that allows users to store encrypted data on Signal’s servers — such that even Signal cannot access it — without the usability headaches that come from traditional encryption key management. At the moment, SVR is being used to store users’ contact lists and not message content, although that data may be on the menu for backup in the future.

The challenge in storing encrypted backup data is that strong encryption requires strong (or “high entropy”) cryptographic keys and passwords. Since most of us are terrible at selecting, let alone remembering strong passwords, this poses a challenging problem. Moreover, these keys can’t just be stored on your device — since the whole point of backup is to deal with lost devices.

If an attacker is able to dump the memory space of a running Signal SGX enclave, they’ll be able to expose secret seed values as well as user password hashes. With those values in hand, attackers can run a basic offline dictionary attack to recover the user’s backup keys and passphrase. The difficulty of completing this attack depends entirely on the strength of a user’s password. If it’s a BIP39 phrase, you’ll be fine. If it’s a 4-digit PIN, as strongly encouraged by the UI of the Signal app, you will not be.

This makes me, and a lot of other people, concerned, and I hope they address it quickly.
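To make the threat model in the quoted passage concrete, here is a small added model (not Signal's code, and not SVR's real key schedule) of a backup key that depends on both a user PIN and a 256-bit seed held inside an enclave. The primitives, costs, salt and the `verifier` value are all assumptions chosen for the illustration; the point it demonstrates is the one Green makes: while the seed stays inside the enclave, even a 4-digit PIN is protected by the seed's 256 bits, but once the seed is dumped the only thing left between the attacker and the backup key is the entropy of the user's secret, and a 4-digit PIN is exhausted in seconds.

```python
"""Toy model of a PIN-plus-enclave-seed backup key (added illustration, not Signal's code)."""
import hashlib
import hmac
import itertools
import math
import secrets
from typing import Iterable, Optional

# Constructed parameters for the toy; Signal's real SVR uses different primitives and costs.
KDF_ITERATIONS = 100          # deliberately tiny so the demo runs in a couple of seconds
SALT = b"toy-svr-salt"        # constructed


def make_enclave_secret() -> bytes:
    """256-bit seed that, in SVR, is only supposed to exist inside the SGX enclave."""
    return secrets.token_bytes(32)


def stretch_user_secret(user_secret: str) -> bytes:
    """Client-side stretching of the PIN or passphrase (PBKDF2 here; an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode(), SALT, KDF_ITERATIONS)


def derive_backup_key(stretched: bytes, enclave_secret: bytes) -> bytes:
    """Backup key = HMAC(enclave seed, stretched user secret): both inputs are required."""
    return hmac.new(enclave_secret, stretched, hashlib.sha256).digest()


def verifier(backup_key: bytes) -> bytes:
    """Value a memory dump would expose: enough to check a guessed PIN offline."""
    return hashlib.sha256(b"verifier|" + backup_key).digest()


def offline_search(target: bytes, seed_guess: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The offline dictionary attack the quoted text describes.

    With the real seed the cost is the size of the candidate space; with any other
    seed every candidate fails, which is what the enclave is there to guarantee.
    """
    for cand in candidates:
        key = derive_backup_key(stretch_user_secret(cand), seed_guess)
        if hmac.compare_digest(verifier(key), target):
            return cand
    return None


def four_digit_pins() -> Iterable[str]:
    """The whole candidate space the Signal UI steers users towards: 10^4 values."""
    return ("".join(d) for d in itertools.product("0123456789", repeat=4))


def search_bits(alphabet_size: int, length: int) -> float:
    """log2 of a candidate space: 4 decimal digits ~13.3 bits; 12 BIP39 words (2048-word list) = 132 bits."""
    return length * math.log2(alphabet_size)


def attacker_work_bits(user_secret_bits: float, seed_leaked: bool) -> float:
    """Without the seed the attacker must also guess 256 bits; with it, only the user secret's entropy remains."""
    return user_secret_bits if seed_leaked else user_secret_bits + 256


def demo(pin: str = "7391") -> dict:
    """Run both cases: seed leaked (PIN recovered) and seed intact (search exhausts with no hit)."""
    seed = make_enclave_secret()
    target = verifier(derive_backup_key(stretch_user_secret(pin), seed))
    return {
        "recovered_with_leaked_seed": offline_search(target, seed, four_digit_pins()),
        "recovered_without_seed": offline_search(target, make_enclave_secret(), four_digit_pins()),
        "pin_bits": round(search_bits(10, 4), 1),
        "bip39_12_word_bits": search_bits(2048, 12),
    }


if __name__ == "__main__":
    print(demo())
```

The `attacker_work_bits` comparison is the whole argument in one line: a dumped enclave turns a 269-bit problem into a 13-bit one, and no amount of client-side stretching changes that by more than a constant factor. The defensive levers are therefore keeping the seed unreachable (the SGX trust assumption) and raising the entropy of what the user remembers, which is why a long passphrase changes the outcome and a 4-digit PIN does not.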

The big Facebook crash of 2020 and the problem of third-party SDK creep

(rambo.codes)

Even if you don’t sign in with Facebook in a particular app, the app will run Facebook’s code in the background just for having the SDK included. You don’t need a Facebook account for it to track you either, they can track people very well without one.

Fact is, you can't escape Facebook.

Hence this morning's outage, when a lot of mainstream apps like Spotify and Pinterest crashed due to the SDK.

For those who haven't subscribed to the XMPP newsletter yet, you should.

(xmpp.org)

Gajim 1.2.0 has been released. More than a year after the release of Gajim 1.1.3, it is finally time for Gajim 1.2. A year put at use to develop new features, clean up old code, and fix bugs. Highlights of this release are (amongst others): improved group chat system, completely rewritten network code, and a new account creation assistant. And there is much more to discover. Gajim Development News: June already brought Gajim 1.2, python-nbxmpp 1.0, and many plugin updates. But there is more: Blind Trust Before Verification for OMEMO, drag and drop improvements, and a new translation service for Gajim.

Here's their latest issue.

James Beckwith made a time-lapse map of each Covid-19 death.

(kottke.org)

Each country is represented by a tone and an expanding blip on the map when a death from Covid-19 is recorded. Each day is 4 seconds long, and at the top of the screen is the date and a counter showing the total number of deaths. Every country that has had a fatality is included.

Must-watch video.

Your next BMW might only have heated seats for 3 months

(www.cnet.com)

This "vehicle as a platform" approach may indeed save some consumers money, particularly in the lease-heavy luxury sedan space where average ownership intervals are measured in months, not years. Also, this approach could open the door even further into letting consumers get exactly the specification they want, instead of bundling discrete options into packages in the name of streamlining manufacturing processes.

However, the potential downsides are troubling, particularly when it comes to used car sales. BMW representatives indicated that upgraded features will apply to the car, not the user, but indicated that all the details on used car sales are still being worked out. Again, there are some positives here, like being able to have a better-equipped second-hand car than the original owner, but it's hard to not see this as simply another shot of revenue for BMW in a transaction that might otherwise not involve the company at all.

If this trend in the auto industry catches on, I'll never buy a new car ever again. There are plenty of classic and slightly used cars out there that don't have this shit.

Kongregate is no longer accepting new games and their forums will shut down.

(www.polygon.com)

No more user-submitted video games can be added to Kongregate, the company announced Wednesday. The website as players knew it will change as the company shifts its focus toward “internal game development and acquisitions,” a spokesperson said in a statement to Polygon.

Adobe will drop Flash support at the end of the year. Kongregate and other Flash-heavy websites have been working on preserving their Flash titles — by converting to HTML5 or using emulators. Even then, though, Kongregate has to change. The company said its 128,000 current games will remain playable as normal, with developers able to update their titles. Social features, like some forums and chat rooms, will be closed.

They, along with Newgrounds, were the pillars of the Flash game community, and now all of that history will soon vanish. A true end of an era.

A new strain of flu that has the potential to become a pandemic has been identified in China by scientists.

(www.bbc.com)

The virus, which the researchers call G4 EA H1N1, can grow and multiply in the cells that line the human airways.

They found evidence of recent infection in people who worked in abattoirs and the swine industry in China when they looked at data from 2011 to 2018.

Current flu vaccines do not appear to protect against it, although they could be adapted to do so if needed.

We may be in for another totally different disaster.

What happens when you update your DNS?

(jvns.ca)

I've seen a lot of people get confused about updating their site's DNS records to change the IP address. Why is it slow? Do you really have to wait 2 days for everything to update? Why do some people see the new IP and some people see the old IP? What's happening? So I wanted to write a quick exploration of what's happening behind the scenes when you update a DNS record.

Here's a great exploration of what’s happening behind the scenes when you update a DNS record.
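As an added example (not code from the jvns.ca article), the simulation below models the one mechanism behind the questions quoted above: every recursive resolver caches an answer for the record's TTL, counted from the moment that particular resolver fetched it, so a change at the authoritative server becomes visible resolver by resolver rather than everywhere at once. The hostnames, addresses and timings are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Why some people see the new IP and others the old one after a DNS change (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Authoritative:
    """The zone's authoritative server: the only place the record actually changes."""
    records: Dict[str, Tuple[str, int]]            # name -> (ip, ttl in seconds)

    def update(self, name: str, ip: str, ttl: int) -> None:
        self.records[name] = (ip, ttl)

    def query(self, name: str) -> Tuple[str, int]:
        return self.records[name]


@dataclass
class RecursiveResolver:
    """An ISP or public resolver: answers from cache until the TTL it was handed runs out."""
    upstream: Authoritative
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # name -> (ip, expires_at)

    def resolve(self, name: str, now: int) -> str:
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]                       # TTL not expired: old answer, no upstream lookup
        ip, ttl = self.upstream.query(name)
        self.cache[name] = (ip, now + ttl)         # the TTL clock starts when THIS resolver fetched it
        return ip


def stale_deadline(update_at: int, old_ttl: int) -> int:
    """Latest moment a TTL-honouring resolver can still hand out the old IP."""
    return update_at + old_ttl


def simulate(ttl: int = 3600) -> dict:
    """Two resolvers that cached the record at different times, with one update in between.

    Constructed timeline (requires ttl > 600): A caches at t=0, B caches at t=ttl-600,
    the record changes at t=ttl-100, and both are queried at three later instants.
    """
    old_ip, new_ip = "192.0.2.10", "198.51.100.20"           # constructed RFC 5737 addresses
    auth = Authoritative({"example.com": (old_ip, ttl)})
    a, b = RecursiveResolver(auth), RecursiveResolver(auth)
    b_first = ttl - 600
    update_at = ttl - 100

    a.resolve("example.com", 0)                     # A's cache expires at t=ttl
    b.resolve("example.com", b_first)               # B's cache expires at t=b_first+ttl
    auth.update("example.com", new_ip, ttl)         # the change happens at t=update_at

    observations = {}
    for t in (ttl - 1, ttl, b_first + ttl):
        observations[t] = (a.resolve("example.com", t), b.resolve("example.com", t))
    return {
        "update_at": update_at,
        "stale_deadline": stale_deadline(update_at, ttl),
        "observations": observations,              # t -> (what A's users see, what B's users see)
    }


if __name__ == "__main__":
    for t, (seen_by_a, seen_by_b) in simulate()["observations"].items():
        print(f"t={t:>5}s  resolver A -> {seen_by_a:<15} resolver B -> {seen_by_b}")
```

With the default one-hour TTL, at t=3599 both resolvers still serve the old address, at t=3600 resolver A's cache has expired and its users see the new one while resolver B's users do not, and only at t=6600 do both agree. `stale_deadline` is the bound worth knowing: for resolvers that honour the TTL, nobody can see the old address later than the old TTL after the change, which is why lowering the TTL well before a planned move shortens the confusing window.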

It's official: the EU will ban US travelers when their borders open July 1 due to their catastrophic failures to curb COVID-19.

(nyti.ms)

E.U. officials first disclosed on Tuesday that the United States, which has reported more coronavirus deaths and infections than any other country, was highly unlikely to make the final list.

The exclusion of the United States, an important source of tourism to the European Union, represented a stinging rebuke to the Trump administration’s management of the coronavirus scourge.

And let's be honest, the US actually deserved this due to our incompetent governments at all levels. I guarantee Asia will follow suit.

Leaked Microsoft document hints at a cheaper and less powerful Xbox console, designed to provide key improvements in Xbox Series X at a lower price point

(www.theverge.com)

The leaked document also mentions a Lockhart profiling mode. Sources familiar with Microsoft’s Xbox plans tell The Verge that this special Lockhart mode is part of the Xbox Series X developer kit. The devkit, codenamed Dante, allows game developers to enable a special Lockhart mode that has a profile of the performance that Microsoft wants to hit with this second console. We understand that includes 7.5 GB of usable RAM, a slightly underclocked CPU speed, and around 4 teraflops of GPU performance. The Xbox Series X includes 13.5 GB of usable RAM, and targets 12 teraflops of GPU performance.

That's gimping the whole experience. This is NOT the next-gen Xbox version you want to buy since it's a joke.