Sam Black

It looks like an automation script for their Fedora hardening guide, and I don’t understand why they don’t refer to it in their script instead of telling you to ask an AI.

From a cursory read of the code I can’t see anything malicious, but the red flags are requiring root to run, being over 6400 lines long, vibe coded and some dubious coding decisions (like re-reading /etc/passwd multiple times, munging separate checks together in functions) - I wouldn’t run it myself on anything important, even if it looks like it could be handy.

Yeah countries and states are relatively happy with the non-privacy systems as they “work”.

My principle problem is I cannot see this system “working” to the satisfaction of the seemingly incessant voices who don’t want a child to see something that they shouldn’t, where “something” is nebulous and seems to change with who you ask and at regular intervals.

I’m probably very jaded - I’d love to be proven wrong and this system works as a least worst option, but I’m in the UK and we recently seem hell bent on choosing the worst option offered.

I thought similarly that a minimally privacy invasive set up like sending a “I’m over/under 18” signal that didn’t require verifying government ID/live face scans/AI “age approximation” would be a good idea, but I now think that this system would fall over very quickly due to the client and server not being able to trust each other in this environment.

The client app, be it browser, chat, game etc, can’t trust that the server it is communicating with isn’t acting nefariously, or is just collecting more data to be used for profiling.

An example would be a phishing advert that required a user to “Verify their Discord account”, gets the username and age bracket signal and dumps it into a list that is made available to groomers [1].

Conversely, the server can’t trust that the client is sending accurate information. [2]

Even in the proposal linked, it’s a DBUS service that “can be implemented by arbitrary applications as a distro sees fit” - there would be nothing to stop such a DBUS service returning differing age brackets based on the user’s preference or intention.

This lack of trust would land us effectively back to “I’m over 18, honest” click throughs that “aren’t enough” for lawmakers currently, and I think there would be a requirement in short order to have “effective age verification at account creation for the age bracket signal” with all the privacy invasive steps we all hate, and securing these client apps to prevent tampering.

At best, services wouldn’t trust the age bracket signal and still use those privacy invasive steps, joining the “Do Not Track” header and chocolate teapot for usefulness, and at worst “non verified clients/servers” (ie not Microsoft/Apple/Goolge/Meta/Amazon created) would be prevented from connecting.

The allure of the simplicity and minimal impact of the laws is what’s giving this traction, and I think the proposals are just propelling us toward a massive patch of black ice, sloped or otherwise.

Having said that, I can’t blame the devs for making an effort here, as it is a law, regardless of how lacking it is.

[1] I realise “Won’t someone think of the children!” is massively overused by authoritarians, give me some slack with my example :) [2] Whilst the California/Colorado laws seem to make allowance for “people lie”, this is going to get re-implemented elsewhere without these exemptions.

I’ve had that with any CryFS vault >400MB (definitely over 1GB).

gocryptfs vaults haven’t had this issue, so you might have better luck with it.