@orangepillapp mentioned the following:
don't be sad, open source is security theatre
— #897416
Now I wonder if I should show them that you can’t hide the important parts of your source code since you’re shipping the compiled version to every device which can be reverse engineered.
So I believe that it’s the other way around: hiding your source code is security theatre. If you hide your source code, I’m going to assume you have something to hide in there.
What do you think? Should I do it?
🤔🤔🤔
Unless you're outside of and not dependent on US/CA/EU (and adjacent)/UK and not going there, are truly untraceably anon or have an unlimited supply of
small-metal-objects-that-can-be-ejected-from-a-bigger-metal-object-at-high-velocity (and training), it'd be best to not talk about disassembly. That doesn't mean you can't do it. Just don't talk about it...
Thanks for your advice! I would say I considered what you're trying to say before posting.
TBH: I simply remember getting verbally beat up by lawyers every time I did something stupid very, very clearly lol
Security through obscurity, Mr. Bond.

I will have some fun with the APK tonight
Let us know what you find!
How should I contact you in private if I find something?
You don't have a Github repository where I can create a security advisory and I don't see something here like we have here (see https://securitytxt.org/).
Is a mail to hello@orangepillapp.com good enough? I don't know if that mail might be read by the wrong employees.
you can email us at hello@orangepillapp.com anytime
He also counts his custodial wallets database updates as making up half of all lightning transactions. Red flags.
do you have a source for that?
how can one even tell how many lightning transactions there are globally?
/cc @orangepillapp
Hard to tell for sure, but we talked to all the major LN infrastructure providers and they all told us it’s 100-200k a day on avg.
Nostr does ~8k a day
https://xcancel.com/matteopelleg/status/1902139558306967711
🚩🚩🚩
I also think this is wrong:
— #897466
Reproducible builds fix this. You can't verify the code that runs on a server but afaik, you can verify if the app you downloaded is what you would get if you build it yourself from the source code.
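One way to do the check described in that comment, as an added example that is not code from the thread or from any project mentioned in it: compare the zip entries of the downloaded APK against a local rebuild, skipping the publisher's signature files (which a rebuild cannot reproduce without their key) and flagging any entry whose content differs. The sample APKs are constructed in memory so the script runs offline.

```python
import hashlib
import io
import zipfile

# Files the APK signer adds; a rebuild from source cannot reproduce them without
# the publisher's key, so they are left out. A v2/v3 signing block is not a zip
# entry at all, so entry-wise comparison ignores it automatically.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its content.
    Content digests, not zip metadata, so timestamps do not cause false alarms."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not is_signature_entry(info.filename)
        }

def compare_apks(shipped, rebuilt):
    """Return {entry: (shipped_digest, rebuilt_digest)} for entries that differ;
    None marks an entry present in only one APK. Empty dict means they match."""
    a, b = entry_digests(shipped), entry_digests(rebuilt)
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)}

def make_apk(entries):
    """Build a minimal APK-like zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: the store copy is signed, the local rebuild is not, and a
# third build differs in one class, which the comparison must flag.
SHIPPED = make_apk({"classes.dex": b"dex-A", "AndroidManifest.xml": b"<m/>",
                    "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf",
                    "META-INF/MANIFEST.MF": b"mf"})
REBUILT = make_apk({"classes.dex": b"dex-A", "AndroidManifest.xml": b"<m/>"})
DIFFERENT = make_apk({"classes.dex": b"dex-B", "AndroidManifest.xml": b"<m/>"})

if __name__ == "__main__":
    print(compare_apks(SHIPPED, REBUILT))    # {} -> reproducible
    print(compare_apks(SHIPPED, DIFFERENT))  # only classes.dex differs
```

An empty result only shows the shipped bytes match your build; it says nothing about a server the app talks to, which is the point the next replies make.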
This. It just requires a massive build environment setup and a ton of work. Probably not worth it. But it can be done where it makes sense.
Does it in this case though? I'm not convinced.
it's just an app that talks to a server
Yeah. Meaning the interesting thing from a privacy perspective that you'd hunt for in the source code is:
When I edit APKs (always do) the main effort is replacing data collection stuff with stubs and removing callbacks to googly goog, bugsnag or other data brokers.
I wonder if ideas from zero knowledge proofs can be used to verify what code a server is running without having to reveal the entire source code of the server. I'm talking way out of my league here, but it was just a thought.
I'm sure you can express anything in lattices but do you really want to do this if you can just use nostr and extend that with an interactive ZK protocol? Lotta years of frustrating work vs just half a year of work.
You are just giving them what they crave the most - attention. Clearly their comments are misaligned with and/or ignorant of the community and they use every opportunity to pump their chest, so giving them more attention just fuels that.
mhh, interesting opinion
Yes. Absolutely
nice try fed
yes, maybe I appreciated this reply!
forgot to submit my reply when I read it