nym
bcea2b98506d1d5dd2cc0455a402701e342c76d70f46e38739aadde77ccef3c9

Share with Care: Breaking E2EE in Nextcloud

https://eprint.iacr.org/2024/546

> Nextcloud is a leading cloud storage platform with more than 20 million users.

Nextcloud offers an end-to-end encryption (E2EE) feature that is claimed to be able “to keep extremely sensitive data fully secure even in case of a full server breach”. They also claim that the Nextcloud server “has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form”. This is achieved by having encryption and decryption operations that are done using file keys that are only available to Nextcloud clients, with those file keys being protected by a key hierarchy that ultimately relies on long passphrases known exclusively to the users.

Proton picks up Standard Notes to deepen its pro-privacy portfolio

https://techcrunch.com/2024/04/10/proton-standard-notes/

> Switzerland-based Proton, the privacy-focused firm behind end-to-end encrypted (E2EE) webmail ProtonMail and other apps, has acquired Standard Notes, a note-taking app founded back in 2017. It offers the same kind of robust privacy promise to its 300,000+ users by also applying E2EE. In a press release announcing the move, Proton emphasized the pair’s “shared values,” including the use of E2EE; a commitment to open source technology; and how neither has relied upon venture capital to drive growth. E2EE is considered the gold standard of security technology, as service providers don’t hold encryption keys. This means they’re technically unable to decrypt user data, safeguarding users’ content behind a “zero knowledge” architecture. Put another way, you don’t have to trust the service provider not to snoop. By adding Standard Notes to its portfolio of apps, Proton will deepen its reach with an engaged community of pro-privacy users, layering on additional cross-selling opportunities as well as boosting the utility of its app ecosystem. The note-taking app fills an obvious gap in Proton’s current lineup.

Linux 6.9-rc5 Released: The Diffstat "Looks A Bit Wonky" But Not Bad

https://www.phoronix.com/news/Linux-6.9-rc5-Released

> The fifth weekly release candidate of Linux 6.9 is now available as the kernel cycle looks to get wrapped up by mid-May. This week brought yet more Bcachefs fixes and recovery improvements for this experimental copy-on-write file-system that has shown promising capabilities. Linux 6.9-rc5 also lands BHI mitigation fixes and other x86/urgent material that was on my radar. Much of the rest of the work this week is the usual bug/regression fixing churn. The Linux 6.9 kernel features are great and the performance benchmarks I've been carrying out so far are in good shape. Linux 6.9 stable should be out by mid-May depending upon how the rest of the release cycle plays out.

Our Response to Hashicorp's Cease and Desist Letter

https://opentofu.org/blog/our-response-to-hashicorps-cease-and-desist/

> On April 3rd, we received a Cease and Desist letter from HashiCorp regarding our implementation of the "removed" block in OpenTofu, claiming copyright infringement on the part of one of our core developers. We were also made aware of an article posted that same day with the same accusations. We have investigated these claims and are publishing the C&D letter, our response and the source code origin document resulting from our investigation. The OpenTofu team vehemently disagrees with any suggestion that it misappropriated, mis-sourced, or otherwise misused HashiCorp’s BSL code. All such statements have zero basis in facts. HashiCorp has made claims of copyright infringement in a cease & desist letter. These claims are completely unsubstantiated. The code in question can be clearly shown to have been copied from older code under the MPL-2.0 license. HashiCorp seems to have copied the same code itself when they implemented their version of this feature. All of this is easily visible in our detailed SCO analysis, as well as their own comments which indicate this.