The first amendment does apply to the rioter with the flag but it also does to the people watching this. The watchers will get inflamed by (a) the vandalism and (b) the spectacle of the Mexican (or any foreign) flag associated with the vandalism. They absolutely have a right to get angry.
I recently naturalized as a US citizen. It took ~15 years (permanent residency + citizenship). That was after spending a decade (multiple programs) here as a student. No one should suffer and live in fear in an ideal world. At the same time, it is galling to see the left support illegal immigration because (a) someone "contributes" to the economy, (b) they are paying taxes (how is this known by anyone except the payer and the IRS?), (c) they are good people.
The reaction of my extreme-left-wing friends is to say "well, you got to come here. They deserve the same opportunity." I am the first one to admit I have had some advantages. At the same time, every legal immigrant goes through a relatively rigorous process. Any whiff of a criminal record has the potential to derail the process, as should be the case. Just apply the law equally to everyone. That's one of the promises of our Constitution. I mean this both for liberals and conservatives. If a law is unjust, we have mechanisms in place to overturn it. But to ignore the law is a long-term danger to this country. This is one of the reasons there is a lot of support for this type of action. It is born out of frustration. Lastly, the idea that people supporting deportation are racists is an easy cop-out to not have to explain how we got to the current state (saying this as a non-white person although I also disagree with the left's assertion that only white people can be racist).
It's weird that you won't come out and say what you think is "going on" though. I've given the explanation that the vast majority of people waving Mexican flags in LA would give: they are expressing that they're proud to be Mexican, or of Mexican heritage, and are sick of being treated like they're less than other people because of that heritage.
What is your explanation? I suspect that it's something along the lines of: "people waving foreign flags are signaling their intention to invade the US", but that you don't want to say it overtly because it's obviously a racist talking point from right-wing media.
Your concerns about a majority oppressing a minority are well-founded, but a system where people vote for career politicians doesn't seem to be moderating this problem - if anything it's exaggerating it.
If you trust the general population to vote a marginalized person into office in order to push legislation which benefits that marginalized community, why wouldn't you trust the general population to pass that legislation directly?
The only explanation I can think of is that you think that professional political representatives will have better ideas than the general population.
Your problem statement is effectively "I want to share access to my documents very informally with people who don't care to have any security practices, but still keep them secure"
There's another way of sharing in cryptpad though, which is for each user to create an identity/account.
Once those you're collaborating with have accounts, documents and folders can be shared by granting access within cryptpad's UI. No secrets have to be circulated.
> Your problem statement is effectively "I want to share access to my documents very informally with people who don't care to have any security practices, but still keep them secure"
Well, that's certainly what tools like CryptPad and Signal target: privacy for the non-expert.
OP's points are right, and I hope they get addressed at some point.
I've worked with a few orgs which have used cryptpad, and I'm sorry, but Cryptpad doesn't make it possible to share documents securely unless again, everyone in the org is able to follow security protocol to an exceptionally rare degree.
Even you seem to think sharing via identity somehow bypasses the problem, when in fact this just sends them a "notification" with a share link containing the same secret URL (not to mention, as far as I can tell, there's no way for them to add the document to their own drive, so if they want to access it later they either need to save the share link or find it in their notification panel under "notification history" which is super unintuitive).
And again, those secrets are stored in your browser history. In a group I was involved with, the workflow was to create documents and share them with others, or put the share link in a Signal group. Even if one were to try to tell everyone in the group that the link should only be opened in a browser that doesn't share its history with its vendor, clicking the link in Signal will happily just open it in whichever browser is configured as your system default anyway.
Cryptpad effectively gives you the rope and then ties it into the noose around your neck for you, while you're not looking.
Security theater is at best mildly dangerous in a more typical scenario where it's constructed around an application that isn't billed as a secure communication platform. When a tool advertised as user-friendly and privacy-enhancing is the subject of such theatrics, it's even more actively harmful because it instills a false sense of confidence. It would be like a safety helmet that explodes when the user grazes their head.
So to recap, if you care about big tech companies gaining access to your secure documents, the only way to use cryptpad in a remotely secure manner, in a group, is either by password protecting all documents with a strong password, or ensuring no one in your org ever opens a document in a browser with history syncing. And honestly, expecting the latter from 99% of groups that might use cryptpad is unreasonable, which is why I'm saying it's irresponsible of Cryptpad to even allow password-less document creation (without so much as showing users a glaring red danger notice beforehand).
The users are not primarily to blame for incorrect use of a software that's billed as privacy-preserving, when that software drops them off at the happy path and neglects to tell them, "by the way, we've booby-trapped the door to fire a footgun when opened unless you also turn the smaller knob on the far side with your other hand as you open it."
I realize the data exfiltration issues I mentioned are non-trivial to address (though by no means an immense project either), but I can't interpret the link situation as anything other than willful negligence, or worse, a honeypot; consider that users whose adversaries might include nation-state actors (for example, undocumented immigrants sharing resources with one another on how to access services while staying under the radar) are perhaps more exposed, because data brokers are more likely to deny state requests for data that can be seen as overly broad, whereas one specific type of data (browser history) on one domain becomes a pretty tightly scoped request.
Your last paragraph is quite insulting to the work we do, suggesting intention to trap people? Did I read this right?
I'm not really sure I want to continue the conversation unless you retract this. Our team is working hard on many fronts and does not deserve to be treated like that.
If you believe it's critical that the "link situation" be resolved, where is the pull request, or even the specification of the necessary change?
I think the work you've done with cryptpad, while impressive on many levels and, I'm assuming, motivated by a desire to make secure document collaboration more accessible, is actually putting people at increased risk due to how bad this issue with the share URLs is.
I attempted to disclose the issue responsibly (in other words, not as a github issue), and urged you to make passwords mandatory for documents, or at least default with a prominent warning displayed for users foregoing the password. The response I received indicated that Cryptpad didn't consider this to be a vulnerability, but that you'd welcome changes to improve documentation.
You asked where my PR was: I gladly would submit one if I didn't expect it to be closed based on the response I had received prior, but I don't think documentation changes would cut it.
I wasn't intending to make this personal and I definitely wasn't saying that you (or your team's) motivations were unambiguously malicious or deceptive. My last paragraph was perhaps overly dramatic, but my impression is that Cryptpad positions itself as a general-purpose e2ee document collaboration suite, and one of the use cases I associate with that positioning, one of the less strict ones if I'm honest, would be something like:
> empower laypeople to collaborate on documents with reasonable confidence that nation-state actors won't be able to passively surveil those documents.
which is a much softer use case to satisfy than, say, providing halfway-decent protection from active, targeted surveillance (the space I believe Signal to be in, and also the space I'd love Cryptpad to be in)
So if those aren't among the kinds of things y'all think about when designing Cryptpad, then I'd appreciate if you made your overall project goals and use cases more explicit. Of course there are other valid reasons to desire document security, they're just not ones I tend to spend as much time thinking about.
Disclaimer: I'm the CEO of the company doing CryptPad.
The problem I have, is that you say the word "vulnerability" for CryptPad when we never promised to protect you from a badly configured computer.
If there is a vulnerability, it's unsecured browser syncing which would be exposing your browsing history to Google. Google Docs has anonymous links which are in that history too.
BTW I could not find any info about browser companies exposing the synced browser history. As far as I know it's encrypted on Chrome and Firefox. But maybe I'm wrong as I believe if people want to be sure why would they use browser sync?
Note that in addition to passwords there are also Access configs where the server can block access to documents to specific users. This is an additional security which mitigates the issue of links that would be opened on a bad browser. Sharing links through CryptPad is also the recommended way to never have URLs opened by your browser.
When I mentioned PR, you could also fork and run your server with higher security settings.
If a team does not respond to your vision, you can indeed bitch about that team, or you can come and give more proof of your vision. Documentation also helps? Why not document that browser syncing would be risky for activists?
So take this as a call to be constructive. Make a github issue and propose something that helps. Maybe indeed add a message and a link to more documentation about good and bad ways to use shared links.
About "> empower laypeople to collaborate on documents with reasonable confidence that nation-state actors won't be able to passively surveil those documents", did you read our white paper?
Seems like Microsoft and Google employees have joined the room.
They might as well complain that cryptpad isn't secure because it is connected to electricity all the time. They'll never be satisfied; fortunately they are also relatively easy to spot.
Builds are signed by the software publisher, not the Play Store. So the store alone couldn't corrupt releases, it would need collaboration by the publisher. (Google does have a service for app developers where they keep and manage your signing keys for you, but it's not required)
While the bike is stationary there are limited options for moving the bike relative to your body. While the bike is moving, you can make small steering adjustments which move the bike left or right relative to your body, which helps re-balance the body-bike stack. The faster forward you're moving, the faster these steering adjustments take effect.
When a claim is filed through content-ID, the claiming company basically gets two options: disable all ads (taking out any revenue for the uploader), or run ads and get paid out. They also get to pick how many ads to run, which means a three second segment can insert minutes of ads into a video. They can also mute audio during infringing sections, or block videos in certain countries.
Stephanie Sterling famously came up with a trick to make their videos run without ads, even when including fair use content: by intentionally including content from multiple companies, each with different preferred monetisation preferences, introducing a conflict in the Youtube content-ID system that didn't get resolved automatically. Their videos were intentionally run without ads, being supported by Patreon and all, and companies kept claiming sections for themselves and inserting ads into videos.
Bizarre that to shield oneself from content ID bullshit (like including a three second snippet of a Nintendo trailer blocking an entire video), one needs to intentionally infringe on more copyright, but that was the Youtube system of yesteryear.
I don't know if the system still works like that, but based on the seemingly random snippets included in Sterling's videos I'm guessing they're still applying this trick.
In theory one could take this further, uploading parts of one's own video to content-ID so the system hands over some partial control over the content, but I feel like Youtube wouldn't take too kindly to that method.
It has to do with the way power and incentives are configured within the project, and therefore what can be expected of the maintainers in the future.
For some people/use cases, the threat of developers rug-pulling a tool you depend on is not a big deal as long as it's good right now. But in many situations the tool which has fewer features but also less incentive to rug-pull wins out.
Anyone can "rug-pull" a project, whether it currently has non-free features or not. You can't retract already-published versions, but anyone can make non-free plugins or forks for existing MIT-licensed code (GitLab and Gitea are MIT).
I guess some might think that because they do non-free parts now they are likely to make more of it non-free later, is that the argument? If yes I don't really like this Minority Report approach to judging projects for what you think they might do.
> because they do non-free parts now they are likely to make more of it non-free later, is that the argument
Yes, that's one indicator of how the incentives are structured, though there are other factors to consider too - mostly regarding where the money comes from and who is involved in the decision-making.
Perhaps you find it dystopian that people make predictions about future behavior and use them to inform their decisions about who to trust. It's very common though, and is the basis for the concept of reputation.
It's both. Free software is a more efficient mode of production because it maximizes the exchange of ideas about how best to build software. It's also a more libertarian mode of consumption because it maximizes freedom of choice for users.
This is what the Tor Browser is designed to do, and it does it very well (all in userspace no less). The main drawback is that some sites don't render as nicely and occasionally a site simply doesn't work.
The most important anti-tracking feature Tor has other than IP masking is disabling JavaScript by default. That's a complete non-starter for the modern web.
I'm confused, you consider yourself quite liberal but you think it's bullshit for Mexicans in the US to celebrate their heritage?