xoron (@xoron@infosec.exchange)
Send files privately. No cloud. No trace.
I’m working towards something for #secure / #private / #simple #P2P #filetransfer. It isnt as “simple” as it could be, im still working on it, but ive got it down to:
Zero-installation as a #PWA
Zero-registration by using local-only storage
#P2P-authentication using #WebCryptoAPI
Fast #datatransfer using #WebRTC, #syncthing, #croc, #sphynctershare and countless others. the key difference in my approach is that its a #webapp thats ready to go without any "real" setup process. you just need a browser.
I’m aware there are things like #SFTP and several other established protocols and tools. I started doing this because I was learning about #WebRTC and it seems suprisingly capable. This isnt ready to replace any existing apps or services.
(Note: I know you guys are typically interested in #opensource code. this project is a spin-off from a bigger project: https://github.com/positive-intentions/chat)
Let me know what you think about the app, features and experience you would expect from a tool like this.
---
SUPER IMPORTANT NOTES TO PREVENT MISLEADING:
These projects are not ready to replace any existing apps or services.
These projects are not peer-reviewed or security audited.
The chat-app is #opensource for transparency (as linked above)... but the file-app is not open souce at all (especially spicy when not reviewed or audited.).
All projects behind positive-intentions are provided for testing and demo purposes only.
Show Original Post
blog (@blog@kaspars.net)
Notes on FAIR Package Manager
Had a deeper look at the FAIR package manager today.
Right now the WordPress integration plugin doesn’t verify package signatures. That means WordPress sites can’t yet cryptographically confirm that a downloaded plugin or theme really came from the claimed publisher.
Verification isn’t trivial either. To check a did:plc identity properly you have to walk the entire chain of signed operations all the way back to the genesis operation. That’s where the DID is anchored.
That requires some pretty heavy crypto for a WordPress host (where the client plugin is installed):
- multibase / base58 decoding
- DAG-CBOR + CID recomputation
- ECDSA (secp256k1, P-256) signature checks
Not every shared host is going to have PHP extensions for all of that. The protocol does elegantly handle key rotation but the burden of verification falls entirely on the consumer.
Just “trusting” whatever keys come back from plc.directory for each package DID identifier isn’t secure. You have to validate the full audit log yourself because otherwise you’re open to tampering.
So the standard is promising but until FAIR bakes in real signature checks, WordPress users aren’t getting the security guarantees this model could deliver.
The rest of plugin features are really nice for privacy and general data protection — you no longer report all published content to Ping-o-Matic or send every admin dashboard request to WP-org servers. Here is a report of all external calls made by standard WordPress installs.
Show Original Post
xoron (@xoron@infosec.exchange)
Selhosted P2P E2EE File Transfer & Messaging PWA
https://positive-intentions.com
* #OpenSource
* #CrossPlatform
* #PWA
* #iOS, #Android, #Desktop (self compile)
* App store, Play store (coming soon)
* Desktop
* #Windows, #MacOS, #Linux (self compile)
* run `index.html` on any modern #browser
* #Decentralized
* #Secure
* #NoCookies
* #P2P #encrypted
* No registration
* No installing
* #Messaging
* Group Messaging (coming soon)
* Text Messaging
* #Multimedia Messaging
* #Screensharing (on desktop browsers)
* Offline Messaging (in #research phase)
* #FileTransfer
* #VideoCalls
* #DataOwnership
* #SelfHosted
* GitHub pages Hosting
* #LocalOnly storage
Check them out!
(Degoogled links to the apps)
- P2P Chat: https://chat.positive-intentions.com
- P2P File: https://file.positive-intentions.com
- Encrypted drive storage: https://dim.positive-intentions.com/?path=/story/usefs--encrypted-demo
- GitHub: https://github.com/positive-intentions
IMPORTANT NOTES (PLEASE READ!):
* These are NOT products. It's for #testing and #demonstration purposes only.
* They have NOT been reviewed or audited. Do NOT use for sensitive data.
* All functionality demonstrated is experimental.
* This is NOT meant to replace robust solutions like #VeraCrypt, #Simplexchat, #Signal, #Whatsapp, #wetransfer. It's just a #proofofconcept to show what's possible with #browser #APIs.
Show Original Post
p (@p@pixelfed.de)
Musik am Aachener Dom
#aachen #musik #music #cathedral #photo #photography #urbanphotography #livemusic #mastoart #art #streetart #streetphotography #reisefotografie #fotografie #foto #fotografia #lowlightphotography #travelphotography #fotografiadeviaje #opensource #opensourcesoftware #linux #gimp
Show Original Post
xoron (@xoron@infosec.exchange)
File Encryption with JavaScript.
I've been exploring the #WebCryptoAPI and I'm impressed!
When combined with the #FileSystemAPI, it offers a seemingly secure way to #encrypt and #store files directly on your device. Think #localstorage, but with #encryption!
I know #webapps can have #security vulnerabilities since the code is served over the web, so I've #OpenSourced my demo! You can check it out, and it should even work if #selfhosted on #GitHubPages.
Live Demo: https://dim.positive-intentions.com/?path=/story/usefs--encrypted-demo
Demo Code: https://github.com/positive-intentions/dim/blob/staging/src/stories/05-Hooks-useFS.stories.js
About the Dim framework:
https://positive-intentions.com/docs/category/dim
IMPORTANT NOTES (PLEASE READ!):
* This is NOT a product. It's for #testing and #demonstration purposes only.
* It has NOT been reviewed or audited. Do NOT use for sensitive data.
* The "password encryption" currently uses a hardcoded password. This is for demonstration, not security.
* This is NOT meant to replace robust solutions like #VeraCrypt. It's just a #proofofconcept to show what's possible with #browser #APIs.
#Encryption #Cryptography #JavaScript #Frontend #Privacy #Security #WebDevelopment #Coding #Developer #Tech #FOSS #OpenSource #GitHub #MastodonDev #Programming #WebStandards #FileSystem #WebAPI #ProofOfConcept
Show Original Post
techxperts (@techxperts@mastodon.social)
Tired of overpaying for Zapier/Make.com? 💸 Activepieces is the open-source hero for builders. Unlimited tasks, built-in AI agents 🤖, and full ownership when you self-host. No more task limits or vendor lock-in! #Activepieces #SelfHosted #Automation #OpenSource
Show Original Post
edwardj_mastodon (@edwardj_mastodon@universeodon.com)
Today I learned that on GNU/Linux distribution system shell terminals, you may send a message to another user by the command `write`. Example: "write joe", enter a message to copy "Test message" and type Ctrl-D.
https://ss64.com/bash/write.html
( https://x.com/codenamed_heXa/status/1959297957527765375 )
#Communication #terminal #system #technology #IT #programming #SysAdmin #Reference #Unix #tools #digitaltools #system #utility #software #OpenSource #opensource_software #linux #SFC #FOSS
@conservancy , util-linux is under #GitHub . Can they #GiveUpGitHub ?
Show Original Post
itnewsbot (@itnewsbot@schleuss.online)
Arch Linux Faces 'Ongoing' DDoS Attack - "Some joyless ne'er-do-well has loosed a botnet on the community-driven Arch Linux... - https://linux.slashdot.org/story/25/08/23/0513229/arch-linux-faces-ongoing-ddos-attack?utm_source=rss1.0mainlinkanon&utm_medium=feed #opensource
Show Original Post
juliewebgirl (@juliewebgirl@mstdn.social)
Literally laughed out loud at this point:
Show Original Post
display (@display@friendica.world)
foss applications in linux / android repositories tend to suffer from bad descriptions
This one in f-droid makes no attempt to describe what the app actually does:
"This is a native Android application for Ruffle."
Better descriptions would be
"Ruffle is an open source flash player able to run many swf files."
or
"ruffle is an emulator intended to run adobe flash applications."
f-droid.org/packages/rs.ruffle…
#fdroid #libreSoftware #OpenSource #foss #softwarerepositories
Show Original Post
bildesheim (@bildesheim@d-64.social)
Der @Prucker hat die Tage was gebloggt: „Von Sonntagsreden und Montagsbestellungen (reloaded)“ - Und das haben wir jetzt mal gemeinsam crossgepostet 🤓 https://ogov.de/2025/08/23/von-sonntagsreden-und-montagsbestellungen-reloaded/ #OpenSource
Show Original Post
penguinreviews (@penguinreviews@mstdn.social)
Arch Linux sub atac DDoS: Ce se întâmplă și cum poți accesa repozitoriile în timpul întreruperilor
https://penguinreviewslinux.blogspot.com/2025/08/arch-linux-sub-atac-ddos-ce-se-intampla.html
Show Original Post