I want this but as a Linux distribution.
-
@mcc Vaultwarden bundle a custom version of the web client but it's basically the official one with stuffs renamed around at best.
So yeah in my case, I would fork the client, make a new one or audit the client changes each time I update the server side...
(For reference, most of my services are not exposed on the internet so I can limit the downfall of most things by pinning and audit things when updating even if it's not really practical)
-
@mcc Vaultwarden bundle a custom version of the web client but it's basically the official one with stuffs renamed around at best.
So yeah in my case, I would fork the client, make a new one or audit the client changes each time I update the server side...
(For reference, most of my services are not exposed on the internet so I can limit the downfall of most things by pinning and audit things when updating even if it's not really practical)
@mary Still trying to figure out what a pure open source version of React Native would look like. Writing React Native apps currently seems to require using something called "expo" which is theoretically open source but it refuses to run unless you sign up for a specific online service and sign a terms & conditions with questionable terms
-
@mcc Vaultwarden bundle a custom version of the web client but it's basically the official one with stuffs renamed around at best.
So yeah in my case, I would fork the client, make a new one or audit the client changes each time I update the server side...
(For reference, most of my services are not exposed on the internet so I can limit the downfall of most things by pinning and audit things when updating even if it's not really practical)
@mcc I do think we (as a comunmity) should build a database of public repos that have any genAI related commits/config files, that would be a good start to flag thoses.
-
R relay@relay.infosec.exchange shared this topic
-
@mcc I do think we (as a comunmity) should build a database of public repos that have any genAI related commits/config files, that would be a good start to flag thoses.
@mary yeah. right now by the time you find out a project has an LLM infection you don't know which commit you even want to fork from
-
@WideEyedCurious @Lingmops @mcc There was a time I used an AES encrypted ZIP file for passwords, and when I wanted one out, I would decrypt it to the console
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc Let me tell you something more scary: These projects accept code contributions from random people they don't know, they never meet. Nobody knows these contributors' skill level, their mental health status, the acutal intend. They might be sloppy coders introducing bugs every other line. They could be maniacs. They could be evil nations' agents trying to implement backdoors.
Why doesn't this scare you?
-
R relay@relay.publicsquare.global shared this topicR relay@relay.an.exchange shared this topic
-
RE: https://wellduck.me/@greyduck/116110983001607000
I would like the answer to this question as well.
@mcc I had a look along those lines a while ago - I'm no longer using keepassxc, but there are independent implementations using the file format which I do use. What I really want is password-age with a good Android support though.
серафими многоꙮчитїи (@djm62@beige.party)
Content warning: password manager PSA (keepassxc)
beige.party (beige.party)
-
@mary Still trying to figure out what a pure open source version of React Native would look like. Writing React Native apps currently seems to require using something called "expo" which is theoretically open source but it refuses to run unless you sign up for a specific online service and sign a terms & conditions with questionable terms
@mcc I personally haven't used React Native but this seems to track with what I heard about Expo on the "develop and deploy your dev app on Android and iOS" but I think it's possible to build everything locally too even if it's maybe tedious? Anyway something that need digging and testing with dev app instead https://docs.expo.dev/guides/local-app-production/
-
@mcc I personally haven't used React Native but this seems to track with what I heard about Expo on the "develop and deploy your dev app on Android and iOS" but I think it's possible to build everything locally too even if it's maybe tedious? Anyway something that need digging and testing with dev app instead https://docs.expo.dev/guides/local-app-production/
@mary yeah, but if a build and deploy means making and deploying an apk then there's some question why you're using react native at all.
i think it ought to be possible to do all this by just forking expo/expoapp and removing the arbitrary dependency on the web service.
-
RE: https://wellduck.me/@greyduck/116110983001607000
I would like the answer to this question as well.
@mcc KeePass 2 is clean.
-
@mcc oh yikes wtf please not bitwarden
-
@mcc I do think we (as a comunmity) should build a database of public repos that have any genAI related commits/config files, that would be a good start to flag thoses.
@mary@chaos.social someone did this and people immediately started using it as a list of people to start targeted harassment campaigns against
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc Excuse an undereducated question from a long term 1password user who is going to move from it now: is the issue with “random code generators” that random passwords generated by these apps are easy to crack?
I’m looking at moving to Keepassium and as I understand it each of these apps in this family have different code to do password generating and are thus all different.
-
@mary@chaos.social someone did this and people immediately started using it as a list of people to start targeted harassment campaigns against
@leo urgh I hate this
-
@mcc Excuse an undereducated question from a long term 1password user who is going to move from it now: is the issue with “random code generators” that random passwords generated by these apps are easy to crack?
I’m looking at moving to Keepassium and as I understand it each of these apps in this family have different code to do password generating and are thus all different.
@johnlehet Software is a chaotic system. A small change in one part of a program can have unpredictable effects on other parts of the program. "Large language models" are statistical systems which create asemic strings designed to fool a human into believing they're looking at real text.
In other words a mistake introduced by an LLM may be significant, a human may not catch the error, and security flaws could result. This is BEFORE getting into the ethical issues with running the system at all
-
My understanding is that Bitwarden and KeePassXC, the two open source password managers, are *both* using random code generators at this point, which is terrifying as those are the exact tools where a small error could have the largest negative impact, and also tools that once you've committed to using it you can't quickly back out if they enter a code quality decline
@mcc I'd argue that password managers are very easy to jump between. They tend to have good export and import functions. I've transitioned from keepass to dashlane to bitwarden to vaultwarden with little effort.
-
@ariadne I am, in a flippant and general way, saying I want to eradicate all code with "AI code assistant" contributions from my computer and VPSes, but I do not currently know a way to do so. I keep having programs I previously installed add the poison after the fact without public notice. https://mastodon.social/@mcc/116110912928005524
Perhaps in future I will have to use Alpine Linux if that's how I get my code audited for no "AI" contributions.
@mcc to be clear the proposed anti-AI policy only applies to the alpine project itself.
-
@mcc I'd argue that password managers are very easy to jump between. They tend to have good export and import functions. I've transitioned from keepass to dashlane to bitwarden to vaultwarden with little effort.
@LovesTha if i can export between password managers, but both password managers are infected with the same problem, does this help? what's dashlane? is it good?
-
@mcc to be clear the proposed anti-AI policy only applies to the alpine project itself.
@ariadne okay. when i said "linux distribution" i was thinking "a collection of all the software you need to run a computer system" as that's what a distribution traditionally meant. (the existence of flathub somewhat complicates what i want, but like I said, I was being vague and flippant)
-
@johnlehet Software is a chaotic system. A small change in one part of a program can have unpredictable effects on other parts of the program. "Large language models" are statistical systems which create asemic strings designed to fool a human into believing they're looking at real text.
In other words a mistake introduced by an LLM may be significant, a human may not catch the error, and security flaws could result. This is BEFORE getting into the ethical issues with running the system at all
@mcc Yes. I get that. So when you say “random code generators” you mean various LLMS inputting into the code base? Damn. I thought you meant that AIs were involved in the password generation, which as I understand it would also suck badly.
