Github has made it impossible to create an account when using a VPN and a privacy browser with fully spoofed hardware identifiers. (Use Firefox or Firefox-based Privacy Browser, VPN, install Canvasblocker to test this.) I create an account with Google or Apple (both requiring hardware identifiers and numbers and birthdates) or I can use an email. When I use an email, it comes back with this horrible test, and even if I do it completely correctly, it tells me after I didn’t do the test right, gaslighting me with a picture of what I chose (which I didn’t choose) and showing me the correct picture (which I did choose and it claims I didn’t select).
It’s fucking bullshit and it’s more corporate control of open source software. For people who have their discussion or issue tracker, I can’t even participate without hardware identifiers likely linked to me some other way and phone numbers. It’s fucking bullshit. If anyone from Microsoft is reading this, FUCK YOU!!!
I am so tired of this bullshit. I just want to post an issue about a piece of software. You don’t need my fingerprint, hardware or personal, or biometric shit. This is a slippery slope. Fuck them.
I really hope more developers just get the fuck off Github. Honestly, if you are developing privacy-oriented software and using github, there’s a mismatch and it’s bullshit, and I know it’s time consuming and annoying to move, but please do. This is fucking bullshit and it’s not like it’s going to become LESS annoying over time. FUCK THIS.
Codeberg for the win.
What about GitLab? When Microsoft bought GitHub, people got angry, and migrated their code to GitLab. When that happened, GitLab was all over the headlines for a while, but I haven’t read much about it ever since.
They seem to be going for IPO so codeberg it is.
Playing devil’s advocate, it’s probably more about blocking bots from creating accounts than it is about blocking privacy minded users. You just end up being collateral damage.
Obviously that still sucks, I’m just saying it’s not that simple
Gitlab.com has similar problems, sadly. Meanwhile, I haven’t ever heard of Codeberg doing something similar, but who knows I guess.
I’m wondering if you could have any version of this—assuming best intentions and smartest people—which did not demand very similar countermeasures past a certain equivalent growth threshold.
I unfortunately have to imagine Codeberg is like Lemmy and flies under the radar from spammers.
…for now.
LLMs all but guarantee a future of oppressive noise to signal ratios. I imagine IRL connections, or at least numbers saved in your phone, will become pretty important there. So then I think up in-person local-community-vibe verification schemes but they all end with dirty marketers or operators inducing members of the public to astroturf or lease their accounts…
There is literally the following post on the home page right now:
https://lemmy.world/post/43670862
Because it is posted from a Mastodon instance for sewing software and they have posted the same link many, many times, it could be a scam.
I heard Codeberg already struggles with spammers, so I get that. But letting big surveillance data companies like the credit card companies solve this seems like one of the worst ideas. I’ve seen e.g. Discourse use a gradual trust system; there likely are other ways.
Use Librewolf with a mobile data connection on a PAYG SIM, then go to Settings > Librewolf and turn off IPv6 to ensure you are behind CGNAT, then turn off resistFingerprinting and enable WebGL.
Then install Jshelter and create a profile with the following settings:
Time precision: High
Locally rendered images: Little lies
Locally generated audio: Little lies
Graphic card information: Unprotected for highest chance of success or Little lies for best privacy
WebAssembly speed-up: enabled
Then make sure that all other options in Jshelter are turned off including Fingerprint Detector as Cloudflare Turnstile fails with it on.
turn off IPv6
This is not a fix for anything.
I can’t figure out if Free software projects don’t know or don’t care that GitHub is run by Microslop.
It was bought by Microsoft after becoming established. Most free software projects don’t care enough to move if they don’t self host.
Tangential to the main point you’re going for: when you say fingerprint or biometrics I think you’re referring to passkeys.
Passkeys don’t share any of your fingerprint or other biometric identifiers with anyone. https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy
One of the major design criteria of their creation was to be an increase in security without sacrificing privacy. It’s made them more finicky to get working but there’s a very good reason they’re very popular with security professionals.
They are not referring to passkeys. They’re referring to deterministic algorithms for uniquely labeling a particular device or person, despite any privacy enhancing features that device or person employed. It can be as simple as sampling various hardware specs, hashing the result, and using that as an ID for the person. So, if you switch browsers, they know it’s still you. More complex techniques exist, obviously.
I know how device fingerprinting works, thank you though.
You don’t need my fingerprint, hardware or personal, or biometric shit.
To me that sounds like hardware identifiers, but also quite specifically the things passkeys use. Hence I mentioned it as aside from their main point, which was “don’t track me”, because the biometrics GitHub or any website is going to ask you to use can’t be used for that.
Yeah, I see what you’re saying. As far as I am aware, passkeys issue a one-time token derived from a private key stored on the device. You can only access the private key via your device’s own security (i.e., typically biometric). GitHub can only access the resulting one-time token, and it can verify that the token was derived from the private key using some cryptography. So, agreed. It’s not much different from a tracking perspective than just tracking password-based logins.
Though, I got the impression OP was talking about something else. Maybe I misunderstood them.
That’s close enough for a privacy perspective. There’s also limitations on domains that can request the auth, specifically “only the one the credential is for”, and there’s a different key per domain and user typically.
It’s also implemented in a way where if the user doesn’t choose to disclose their account to the service, the service can’t know. Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunate because the way it authenticates is a lot harder to track across domains by design.
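The properties the two replies above describe (private key stays on the device, one key per relying party and user, signature bound to the relying party’s ID, fresh challenge per login, no biometric data in what the server sees) can be shown in a small simulation. The following Go program is an added example written for this thread, not code from GitHub, the EFF article, or any passkey implementation; it models the WebAuthn-style exchange with Ed25519 from the standard library and stands in for a real authenticator’s user-verification gate with a plain boolean. Names such as `Authenticator`, `RelyingParty`, `Assert` and `Login` are this example’s own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey: one keypair per
// (relying party, user); the private key never leaves this struct. The local
// user-verification step (biometric or PIN on a real device) is modeled as a
// boolean supplied by the caller; nothing biometric is sent anywhere.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // keyed by rpID + "|" + user
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

func credKey(rpID, user string) string { return rpID + "|" + user }

// Register creates a fresh keypair scoped to this relying party and user and
// returns only the public key, which is all the relying party ever stores.
func (a *Authenticator) Register(rpID, user string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[credKey(rpID, user)] = priv
	return pub, nil
}

// Assertion is what the relying party receives: a signature over the hash of
// the relying-party identifier plus the server's challenge.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

var (
	ErrNoCredential     = errors.New("no credential for this relying party")
	ErrUserVerification = errors.New("local user verification failed")
)

func signedData(as *Assertion) []byte {
	return append(append([]byte{}, as.RPIDHash[:]...), as.Challenge...)
}

// Assert signs a challenge for rpID. A look-alike domain has no credential
// registered here, so the authenticator has nothing to sign for it.
func (a *Authenticator) Assert(rpID, user string, challenge []byte, userVerified bool) (*Assertion, error) {
	priv, ok := a.keys[credKey(rpID, user)]
	if !ok {
		return nil, ErrNoCredential
	}
	if !userVerified {
		return nil, ErrUserVerification
	}
	as := &Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), Challenge: challenge}
	as.Signature = ed25519.Sign(priv, signedData(as))
	return as, nil
}

// RelyingParty models the website: it holds public keys only and issues a
// fresh random challenge for every login attempt.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks that the assertion answers the outstanding challenge, is bound
// to this relying party's ID and is validly signed. The challenge is consumed,
// so replaying the same assertion fails.
func (rp *RelyingParty) Verify(user string, as *Assertion) bool {
	pub, havePub := rp.pubKeys[user]
	expected, haveChal := rp.challenges[user]
	if !havePub || !haveChal {
		return false
	}
	delete(rp.challenges, user)
	if !bytes.Equal(as.Challenge, expected) || as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return false
	}
	return ed25519.Verify(pub, signedData(as), as.Signature)
}

// Login runs one challenge/response round trip between rp and auth.
func Login(rp *RelyingParty, auth *Authenticator, user string, userVerified bool) (bool, error) {
	challenge, err := rp.NewChallenge(user)
	if err != nil {
		return false, err
	}
	as, err := auth.Assert(rp.ID, user, challenge, userVerified)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, as), nil
}

func main() {
	auth := NewAuthenticator()
	site := NewRelyingParty("github.com")
	pub, _ := auth.Register(site.ID, "alice")
	site.StoreCredential("alice", pub)
	ok, err := Login(site, auth, "alice", true)
	fmt.Println("login on github.com:", ok, err)
	other, _ := auth.Register("codeberg.org", "alice") // second site gets its own key
	fmt.Println("same public key on both sites:", bytes.Equal(pub, other))
}
```

The point of the simulation is what the relying party is left holding: a public key and a signature over its own ID and a random challenge. Two sites see two unrelated public keys for the same person, a look-alike domain gets no signature at all, and a captured assertion is useless a second time because the challenge was consumed.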
I understood they had a lot of concerns, one of which was biometrics via passkeys since GitHub was a very early adopter due to the supply chain risk they pose.
Passkeys seem to be advertised in ways that puts people off (edit: not saying that makes them bad):
- TPMs, Secure Enclaves, etc. are deeply closed-source and security by obscurity. Until there is an open TPM implementation available, many users may prefer not to rely on them. It seems like KeepassXC allows circumventing TPM for Passkeys, but most people probably don’t know that.
- Too much “trust me bro, my cloud is safe” advertising from big Passkey advocates like Google to try to get people to use their invasive services.
- A classic hardware key may be indistinguishable from a normal password being entered. But Google has announced they want to push passkeys against user’s wishes here: “Is opting-into passkey mandatory? No, […]. However, over time, as users become more accustomed to passkeys, we might limit where we allow passwords to be used because they’re less secure than passkeys.” Again, not a great look.
- Collecting biometric data is always dangerous, too many attack vectors during processing. I’m aware that Passkeys can be used without that, but many people may be put off by that push.
I think that’s why Passkeys have poor adoption among privacy advocates, even though most problems seem fixable.
Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunat
I’m not seeing anything that’s not a great look about requiring strong authentication for access to sensitive portions of a user’s account. What you’re saying is akin to calling it a bad look that they force users to use complex passwords against user wishes.
I’m not sure what “trust me bro, my cloud is safe” has to do with anything. Passkeys live on your device. There are ways of facilitating device to device migrations of the keys if you want. You don’t need to use them to use passkeys. And at least on Android you don’t need to even use Google to manage the keys.
Most semiconductors are closed source. The processor, RAM, and radio are also more than likely closed. The software interfaces to all of them have open specification and implementation. There’s like, six for Linux. Microsoft open sourced theirs.
TPMs are not security through obscurity. They are obscure, but that’s not a critical component to their security model. What they do isn’t really what “collecting biometrics” implies. They’re storing key points in a hashed fashion that allows similarities to be compared. Even if it wasn’t encrypted in a non-exportable way you still can’t do anything with it beyond checking for a similarity score.
You’ve done a good job explaining what I said previously: there’s sometimes a disjoint between privacy and security concern, and so sometimes people don’t understand something about security.
I wasn’t arguing against Passkeys, just pointing out how they are often perceived.
I was definitely arguing against TPMs, however.
https://gist.github.com/osy/45e612345376a65c56d0678834535166
https://pluralistic.net/2024/01/18/descartes-delenda-est/#self-destruct-sequence-initiated
https://www.elevenforum.com/t/tpm-2-0-is-a-must-they-said-it-will-improve-windows-security-they-said.13222/
https://scispace.com/pdf/tpm-2-0-uefi-and-their-impact-on-security-and-users-freedom-2e1ldhodqq.pdf
https://www.gnu.org/philosophy/can-you-trust.en.html
(But Passkeys apparently don’t need them, see my KeepassXC mention before.)