NovaCustom launches privacy SHIFTphone (degoogled with iodéOS and hardware kill switches) by maltfield in c/android@lemmy.world
[-] maltfield@lemmy.ml 1 points 4 weeks ago

Would also be cool if they had an aux jack

Oh wow, there's no aux jack!?! Thanks for pointing that out. That kills this for me.

NovaCustom launches privacy SHIFTphone (degoogled with iodéOS and hardware kill switches) by maltfield in c/android@lemmy.world
[-] maltfield@lemmy.ml 1 points 4 weeks ago

I am guessing they don’t have an IP protection for liquid/dust.

The product page's specification's section lists it as having "IP66 certification: Splash proof and dust resistant"

NovaCustom launches privacy SHIFTphone (degoogled with iodéOS and hardware kill switches) by maltfield in c/privacy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 1 month ago* (last edited 1 month ago)

Yeah, small dutch company that has a good history. They've been making highly customizable laptops for the EU market since 2015. And since 2021, they've been focusing on security and right-to-repair. You can watch an interview with the NovaCustom founder (Wessel Klein Snakenborg) here:

They're one of very few laptop manufacturers that sell QubesOS certified laptops. And that come with coreboot.

9
NovaCustom launches privacy SHIFTphone (degoogled with iodéOS and hardware kill switches) (novacustom.com)
submitted 1 month ago by maltfield@lemmy.ml to c/android@lemmy.world
9 comments fedilink

After extensive testing, it's finally here: the new SHIFTphone 8.1 with iodéOS is now available at NovaCustom! It's a privacy-friendly phone that's not only user-friendly and secure, but also sustainable and fully modular. This smartphone stands for privacy, security, freedom of choice, and repairability: values that perfectly align with NovaCustom's mission.

Why NovaCustom and SHIFTphone are the perfect match

At NovaCustom, we believe that users should have control over their own hardware and software. The SHIFTphone is perfect for this in terms of hardware: it has a modular design and is easy to repair. In terms of software, the original product is less than ideal: it comes with Google software as standard. NovaCustom replaces that software with iodéOS by default. This is an operating system without Google services (only microG, but it can also work without it!). This gives you a privacy-friendly phone with maximum control over your data.

Fully modular and customizable

Modular Smartphone
NovaCustom launches the SHIFTphone 8.1

Whether you want to replace a screen, insert a new battery, or simply tinker with your smartphone yourself, the SHIFTphone makes it possible. No glue, no frustration, just pure freedom. NovaCustom has been supporting this principle for years with configurable laptops, and now we are bringing that same idea to smartphones.

34
NovaCustom launches privacy SHIFTphone (degoogled with iodéOS and hardware kill switches) (novacustom.com)
submitted 1 month ago* (last edited 1 month ago) by maltfield@lemmy.ml to c/privacy@lemmy.ml
17 comments fedilink

After extensive testing, it's finally here: the new SHIFTphone 8.1 with iodéOS is now available at NovaCustom! It's a privacy-friendly phone that's not only user-friendly and secure, but also sustainable and fully modular. This smartphone stands for privacy, security, freedom of choice, and repairability: values that perfectly align with NovaCustom's mission.

Why NovaCustom and SHIFTphone are the perfect match

At NovaCustom, we believe that users should have control over their own hardware and software. The SHIFTphone is perfect for this in terms of hardware: it has a modular design and is easy to repair. In terms of software, the original product is less than ideal: it comes with Google software as standard. NovaCustom replaces that software with iodéOS by default. This is an operating system without Google services (only microG, but it can also work without it!). This gives you a privacy-friendly phone with maximum control over your data.

Fully modular and customizable

Modular Smartphone
NovaCustom launches the SHIFTphone 8.1

Whether you want to replace a screen, insert a new battery, or simply tinker with your smartphone yourself, the SHIFTphone makes it possible. No glue, no frustration, just pure freedom. NovaCustom has been supporting this principle for years with configurable laptops, and now we are bringing that same idea to smartphones.

Why OAuth MUST share access token with 3rd party?!? by maltfield in c/security@lemmy.ml
[-] maltfield@lemmy.ml 1 points 8 months ago

That's bad.

OAuth supports several types of flows. If I'm not mistaken (I've learned a bit more about OAuth since yesterday) you're describing the Authorization Code Flow -- as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):

That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):

The only reason you'd want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.

The problem here is that Stripe is using the wrong flow (the third party doesn't need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that's would be a problem too (in this case).

Why OAuth MUST share access token with 3rd party?!? by maltfield in c/security@lemmy.ml
[-] maltfield@lemmy.ml 1 points 8 months ago

Stripe Connect does not support Client Credentials flow.

Can you please tell me what is the name of the "flow" that Stripe Connect is using here?

Why OAuth MUST share access token with 3rd party?!? by maltfield in c/security@lemmy.ml
[-] maltfield@lemmy.ml 1 points 8 months ago* (last edited 8 months ago)

It’s called the Client Credentials flow (RFC 6749, Section 4.4).

Finally someone directs me to the actual RFC. Except that section is titled "Client Credentials Grant"

Why do I see this sometimes called a "Grant" and sometimes called a "Flow"?

What's the definition and difference of each?

4
Why OAuth MUST share access token with 3rd party?!? (lemmy.ml)
submitted 8 months ago by maltfield@lemmy.ml to c/security@lemmy.ml
7 comments fedilink

Why does Stripe require OAuth tokens to pass through a third party server?

Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?

I've tried RTFM, but my biggest hangup is that the OAuth docs appear describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.

Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?

I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API Keys. In fact, we've found that most integrations we've encountered that use Stripe Connect are less secure than using Restricted API Keys because the (private!) tokens are shared with a third party!

I've been using Stripe to handle credit card payments on my e-commerce website for years. Recently, we updated our wordpress e-commerce website and all its plugins. And then we discovered that all credit card payments were broken because our Stripe Payment Gateway plugin stopped allowing use of Restricted API Keys. Instead they only support "Stripe Connect" (which, afaict, is a marketing term for OAuth). This change forced us to do a security audit to make sure that the new authentication method met our org's security requirements. What we found was shocking.

So far we've started auditing two woocommerce plugins for Stripe, and both have admitted that the OAuth tokens are shared with their (the developer's) servers!

One of them is a "Stripe Verified Partner", and they told us that they're contractually obligated by Stripe to use only "Stripe Connect" (OAuth) -- they are not allowed to use good-'ol API Keys.

They also told us that Stripe REQUIRED them to include them in the OAuth flow, such that their servers are given our (very secret!) OAuth Access Keys!

The benefit of normal API Keys, of course, is that they're more secure than this OAuth setup for (at least) two reasons:

  1. I generate the API keys myself, and I can restrict the scope of the keys permissions

  2. I store the key myself on my own server. It's never transmitted-to nor stored-on any third party servers. Only my server and Stripe's servers ever see it.

Can someone shine a light onto this darkpattern? I understand that standardization is good. OAuth Refresh Keys add security (this service doesn't use them). But why-oh-why would you FORCE OAuth flows that share the (non-expiring) Access Tokens with a third party? And why would you claim that's more secure than good-ol-API-keys?

Does OAuth somehow not support server<-->server flows? Or is it a library issue?

What am I missing?

2
Intro Guide to Lemmy (tech.michaelaltfield.net)
submitted 2 years ago* (last edited 2 years ago) by maltfield@lemmy.ml to c/lemmy@lemmy.ml
0 comments fedilink

I wrote a guide to help users with their migration to Lemmy

This guide will help new lemmy users find and subscribe-to (remote) lemmy ~~subreddits~~ communities

1
BusKill Warrant Canary for 2023 H2 🕵️ (buskill.in)
submitted 2 years ago by maltfield@lemmy.ml to c/security@lemmy.ml
0 comments fedilink

We just published our #WarrantCanary for 2023 H2 🕵️

https://buskill.in/canary-006/

Warrant Canaries are a means for us to (not) inform you of (not being) breached if served with a State-issued, secret subpoena (gag order) #infosec

1
BusKill Warrant Canary for 2023 H2 🕵️ (buskill.in)
submitted 2 years ago by maltfield@lemmy.ml to c/privacy@lemmy.ml
0 comments fedilink

We just published our #WarrantCanary for 2023 H2 🕵️

https://buskill.in/canary-006/

Warrant Canaries are a means for us to (not) inform you of (not being) breached if served with a State-issued, secret subpoena (gag order) #infosec

Comparison of Lemmy Instances by maltfield in c/lemmy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

You mean like https://mastodon.world and https://lemmy.world? Do you have other examples?

Comparison of Lemmy Instances by maltfield in c/lemmy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

I think at the top, just above the "Recommended" add:

For a more detailed comparison of Lemmy instances, see:

<ul>
<li><a href="https://github.com/maltfield/awesome-lemmy-instances">Awesome-Lemmy-Instances on GitHub</a></li>
<li><a href="https://the-federation.info/platform/73">the-federation.info Lemmy Instances Page</a></li>
<li><a href="https://lemmymap.feddit.de/">Feddit's Lemmymap</a></li>
</ul>

After you create an account, you can find communites across all instances using <a href="https://browse.feddit.de/">Feddit's Lemmy Community Browser</a>

<h2>Recommended</h2>
...
Comparison of Lemmy Instances by maltfield in c/lemmy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago

oh shit I wish I knew that existed before XD

Comparison of Lemmy Instances by maltfield in c/lemmy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago

I'm literally just asking the instance's API how many users it has:

Check the users_active_month field. How your instance calculates that is a question for the lemmy devs ;D

Comparison of Lemmy Instances by maltfield in c/lemmy@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

I see TypeScript and get scared. Personally, I do think that the join-lemmy.org/instances page should link to:

  1. My table comparison https://github.com/maltfield/awesome-lemmy-instances
  2. The Lemmy Community Browser (to find communities across all instances) https://browse.feddit.de/
  3. The Lemmy Map https://lemmymap.feddit.de/
  4. The federation's lemmy page (with another table comparing instances) https://the-federation.info/platform/73

Can anyone with TypeScript experience make this PR for us? Here's the relevant file:

0
Comparison of Lemmy Instances (github.com)
submitted 2 years ago* (last edited 2 years ago) by maltfield@lemmy.ml to c/lemmy@lemmy.ml
24 comments fedilink

I created a repo on GitHub that has a table comparing all the known lemmy instances

Why?

When I joined lemmy, I had to join a few different instances before I realized that:

  1. Some instances didn't allow you to create new communities
  2. Some instances were setup with an allowlist so that you couldn't subscribe/participate with communities on (most) other instances
  3. Some instances disabled important features like downvotes
  4. Some instances have profanity filters or don't allow NSFW content

I couldn't find an easy way to see how each instance was configured, so I used lemmy-stats-crawler and GitHub actions to discover all the Lemmy Instances, query their API, and dump the information into a data table for quick at-a-glance comparison.

I hope this helps others with a smooth migration to lemmy. Enjoy :)

What open source project(s) are you working on? by maltfield in c/opensource@lemmy.ml
[-] maltfield@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

Hi Lemmy!

I make BusKill laptop kill cords that make your computer lock, shutdown, or self-destruct if the device is physically separated from you.

This protects your (encrypted) data from theft, which can be useful for digital nomads and cryptotraders working in cafes/coworking spaces. But our target audience is journalists, activists, and human rights workers in oppressive regimes.

Both the hardware and the software are open-source (CC-BY-SA, GPLv3). We manufacture the hardware with injection molding, but if you have a 3D-printer, then you can take a stab at our 3D-printable prototype.

...And apparently I'm doing (minor) contributions to lemmy these days too

1
3D-Printable BusKill (USB Dead Man Switch) Prototype (www.buskill.in)
submitted 2 years ago by maltfield@lemmy.ml to c/3dprinting@lemmy.ml
0 comments fedilink

This article is about a new 3d-printable prototype version of the BusKill cable.

The BusKill cable is a laptop kill cord. If you're still struggling to understand what is a BusKill cable and why you'd need a laptop kill cord, there's a 2-minute explainer video that makes this clear:

Enjoy and happy printing :)

view more: next ›

maltfield

joined 2 years ago