Welcome to the Temple of Zeus's Official Forums!

Annoying security warning on JOS astro site

darkmonkey666 (New member, joined Aug 16, 2018, messages: 0)

[Attached screenshot: Screenshot-20220205-174709-Chrome.jpg]


This has been going on for as long as it has been up. It doesn't easily disappear either. I have gotten it to by pressing random stuff a couple times though.

If you click "yes, continue" it takes you to astro.com
 
AgainstAllAuthority said:
I'd pay to have a version of the site that works offline.
Giving away birth place, date and time is unacceptable.

It has been checked by Cobra and some people that know internet security; as stated, this is not storing this information. May be useful as a suggestion for the future though. I am sure you used astro.com or some other astrology site before this was put up, so if you don't trust the JOS with this, why trust them?
 
slyscorpion said:
AgainstAllAuthority said:
I'd pay to have a version of the site that works offline.
Giving away birth place, date and time is unacceptable.

It has been checked by Cobra and some people that know internet security; as stated, this is not storing this information. May be useful as a suggestion for the future though. I am sure you used astro.com or some other astrology site before this was put up, so if you don't trust the JOS with this, why trust them?

Why not make the code public or sell offline versions?
At least for JoS members.
 
AgainstAllAuthority said:
slyscorpion said:
AgainstAllAuthority said:
I'd pay to have a version of the site that works offline.
Giving away birth place, date and time is unacceptable.

It has been checked by Cobra and some people that know internet security; as stated, this is not storing this information. May be useful as a suggestion for the future though. I am sure you used astro.com or some other astrology site before this was put up, so if you don't trust the JOS with this, why trust them?

Why not make the code public or sell offline versions?
At least for JoS members.
Although I wasn't involved in that project, I suspect it involves web-server code and databases, which are not trivial to set up offline. For a portable offline app, it would probably take a lot of effort to redo the code. It is a good idea though.

Until an offline version exists, you can use a fake name with Tor and/or a VPN to enter your birth info if you're a little paranoid.
 
Soaring Eagle 666 [JG] said:
AgainstAllAuthority said:
slyscorpion said:
It has been checked by Cobra and some people that know internet security; as stated, this is not storing this information. May be useful as a suggestion for the future though. I am sure you used astro.com or some other astrology site before this was put up, so if you don't trust the JOS with this, why trust them?

Why not make the code public or sell offline versions?
At least for JoS members.
Although I wasn't involved in that project, I suspect it involves web-server code and databases, which are not trivial to set up offline. For a portable offline app, it would probably take a lot of effort to redo the code. It is a good idea though.

Until an offline version exists, you can use a fake name with Tor and/or a VPN to enter your birth info if you're a little paranoid.

Even if I use a fake name, given my birth date, time and place it's easy to figure out who I am because that data is unique. Nobody else was born in the same place and at the same time.
Web server code and databases are fine with me. I have plenty of websites.
 
AgainstAllAuthority said:
Soaring Eagle 666 [JG] said:
AgainstAllAuthority said:
Why not make the code public or sell offline versions?
At least for JoS members.
Although I wasn't involved in that project, I suspect it involves web-server code and databases, which are not trivial to set up offline. For a portable offline app, it would probably take a lot of effort to redo the code. It is a good idea though.

Until an offline version exists, you can use a fake name with Tor and/or a VPN to enter your birth info if you're a little paranoid.

Even if I use a fake name, given my birth date, time and place it's easy to figure out who I am because that data is unique. Nobody else was born in the same place and at the same time.
Web server code and databases are fine with me. I have plenty of websites.
I suppose that's possible. Another option is to use existing offline chart generators, like Astrolog. You can double-check that it matches jos-astro using dummy data, then use it offline with your real data.
 
Soaring Eagle 666 [JG] said:
[1.] I did read it, and I had actually known about the Intel ME for years after stumbling across it while experimenting with x86 code. Yes, it has vulnerabilities, but so does everybody's software and hardware. However, it does not have a known backdoor; it's just likely. That gives people a little sense of hope (however misguided) that can dissuade people from switching to alternatives.
It's certainly not the first time that the government tried to incorporate spying into people's computers. https://en.wikipedia.org/wiki/Clipper_chip
If it wasn't a backdoor, there wouldn't be a special switch made only for the government which can disable the chip in question. The special bit is called "High Assurance Platform" mode. If it was a good thing, why would the government want to deactivate it on their computers?

Soaring Eagle 666 [JG] said:
[2.] I'm talking about connecting a person's birth info with a name here on the forums. Birth info would only tell you that so-and-so used JoS-Astro, but not that so-and-so is [name] member.
Of course but they don't need to. Once you are identified as a potential threat you are done.

Soaring Eagle 666 [JG] said:
[3.] That's a good precaution. Of course, if I were putting a backdoor into a computer chip, I would make it non-removable. There are other parts of the processor it can be hidden in, like the TEE. The bottom line is, most of the chips in our computers probably have multiple backdoors from various companies and governments.
I'm sure that there are backdoors in the other chips as well. However, as long as the CPU has IOMMU, then those other chips can't read your RAM and thus you can safely perform cryptography.
A good alternative would be to switch to FPGA and upload a CPU to it. Then you are sure that it's really doing what it's supposed to be doing.

Soaring Eagle 666 [JG] said:
[4.] I agree that anonymity is important. But the Joy of Satan is succeeding, no matter what. There will come a time when everyone on this planet knows about the Joy of Satan. And Satan does protect his followers. Not everybody is comfortable using computers and some people's situations make anonymity very difficult. We must do our best, and trust Satan to do the rest. HPS Pythia doesn't worry much about anonymity, and she has received many enemy attacks, and Satan has protected her each and every time. And she has achieved a very meaningful amount of power.
My argument is that as JoS gets more and more powerful, the attacks will get more and more intense. Just because it's succeeding today, doesn't mean that it will keep succeeding in the future (if nothing changes).

Soaring Eagle 666 [JG] said:
I agree with you that JoS-Astro would be more secure offline, but I don't think the risk of using it online is as bad as you say.

It's not just hardware threats, there's also the problem of the SSL certificate. I'm sure that the bad boys have access to any CA's private keys and can sign any certificate they want. That allows them to do MitM. At the start of the month the SSL certificate changed and nothing was said about the change. How was I supposed to know that it was not malicious?

Third problem is the physical security. Where is the server hosted? If it's at a third party then there is no security. If you are hosting it, how secure is the server? Is it being monitored? What happens during a physical breach? Are there other people that have physical access to it?

Fourth problem is the binaries that run on the machine. Have you compiled them all yourself?

Computer security is about trusting the least amount of people possible. I'm not in the business of trusting others. I'm in the business of assuming that everything is potentially malicious. Otherwise it'd be out of business.
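
One way a visitor can tell a routine reissue from a substituted certificate, the question raised in the post above: record the certificate on first contact and compare the hash of its public key (SubjectPublicKeyInfo) on later visits. This is an added example, not part of the original thread or the site's code; the function names and the sample DER skeletons are constructed for illustration.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER element that begins at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_pin(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo element inside an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)      # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def classify(pinned_der, observed_der):
    """Compare the certificate seen now with the one recorded on an earlier visit."""
    if pinned_der == observed_der:
        return "unchanged"
    if spki_pin(pinned_der) == spki_pin(observed_der):
        return "reissued-same-key"           # new certificate, same key pair
    return "key-changed"                     # verify out of band before trusting

# Constructed sample input: DER skeletons with the X.509 field layout, not real certificates.
def tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def sample_cert(serial, key):
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00" + serial))

FIRST_SEEN = sample_cert(b"\x01", b"K" * 270)
REISSUED = sample_cert(b"\x02", b"K" * 270)
SUBSTITUTED = sample_cert(b"\x03", b"X" * 270)
```

For a live site the DER bytes can come from `ssl.get_server_certificate()` passed through `ssl.PEM_cert_to_DER_cert()`. A "key-changed" result is not proof of interception, since operators may rotate keys when they renew; it is the cue to confirm the new fingerprint through a separate channel.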
 
Soaring Eagle 666 [JG] said:
...

I talked about FPGA in my previous post. Now I'm thinking, what if the FPGA is backdoored? I'm getting into super paranoid zone now.

In that case one would have to use multiple FPGAs from different manufacturers. Have one FPGA handle the RAM and another one handle instructions. Maybe put a third FPGA in between the other two. Maybe have a fourth FPGA only for performing cryptography.

What if they are all backdoored in the same way and can communicate between each other on every pin?

I guess there's no other solution than to build a computer out of transistors yourself...
Looks like some people are already working on it.
https://www.youtube.com/watch?v=HyznrdDSSGM&list=PLowKtXNTBypGqImE405J2565dvjafglHU
 
Soaring Eagle 666 [JG] said:
...

Answer me this: why take the risk if it can be avoided? What's the rationale?
Would you send me your birth information? Do you trust me? Why should I trust you if you don't trust me?
 
Soaring Eagle 666 [JG] said:
...

I got it. You are just trying to defend the indefensible to spite me. We can go on arguing forever at this point. You know that you lost the argument and there's absolutely no valid reason to not offer jos-astro offline, other than to save face. The authority said that it's fine and so it must be fine.
 
I can offer help with cybersecurity (which is me telling you when something sucks and has to be fixed). If that's taken as a challenge to the authority because authority always does things perfect, then I can't help you. I've done my part for Satan.
 
AgainstAllAuthority said:
HP. Zevios Metathronos said:
AgainstAllAuthority said:
It is a test of faith? The emperor makes up an evident lie to test the faith of his followers. Is that what it's all about? Those that refuse the lie must be against the emperor and eliminated. That's how communism and dictatorships operate.
https://templeofzagan.org/2018/03/02/to-call-a-deer-a-horse/

I think that such exercise is foolish. Putting everyone's lives at risk, however small you think that risk is, for some unfounded fear or some test of faith, is just crazy.

Most of your posts constitute rather a paranoia and a need for others to appeal for this paranoia, than reasonable complaints. What if this or that goes in and does that, past a point, that constitutes only paranoia and is a theoretical security complaint, not a really dangerous one.

You can keep ranting all around the city about a potential comet that might fall, that has a 0,001% chance of falling, but that does not necessarily constitute a service, since the likelihood is very low.

This paranoia clothes itself in that it's "for safety", but one can argue all day that no digital appliance is ever safe. Throw any computer you have outside. We are as a "populace" about 15 years behind in technology, since the 70's. If you believe that if certain organizations turn their eye on you, they cannot see you, then this is the product of delusion.

You also don't seem to understand how due process takes place, ie, maybe one could watch something [the theoretical comet coming scenario], but for the actual things to take place are impossible to do. Wouldn't like to go to details here, but I think you can understand the underlying meaning here.

It appears also your extremely high understanding of cybersecurity has alerted you to certain things that might be implausible or low likelihood, yet, might look bigger as theoretical dangers than real ones. One cannot live by addressing theoretical dangers as explicit real dangers. Not sure if I cohesively explained my point here.

Going up to the emperor and telling him that he's wrong, that the risk is higher than he thinks it is, puts me at great risk of retribution. That constitutes a great service from my point of view.

There is no retribution nor anyone seeks anything negative out of you, nor Soaring or anyone. I am glad I read all these responses to understand these potentialities, even if very distant.
 
HP. Zevios Metathronos said:
AgainstAllAuthority said:
HP. Zevios Metathronos said:
Most of your posts constitute rather a paranoia and a need for others to appeal for this paranoia, than reasonable complaints. What if this or that goes in and does that, past a point, that constitutes only paranoia and is a theoretical security complaint, not a really dangerous one.

You can keep ranting all around the city about a potential comet that might fall, that has a 0,001% chance of falling, but that does not necessarily constitute a service, since the likelihood is very low.

This paranoia clothes itself in that it's "for safety", but one can argue all day that no digital appliance is ever safe. Throw any computer you have outside. We are as a "populace" about 15 years behind in technology, since the 70's. If you believe that if certain organizations turn their eye on you, they cannot see you, then this is the product of delusion.

You also don't seem to understand how due process takes place, ie, maybe one could watch something [the theoretical comet coming scenario], but for the actual things to take place are impossible to do. Wouldn't like to go to details here, but I think you can understand the underlying meaning here.

It appears also your extremely high understanding of cybersecurity has alerted you to certain things that might be implausible or low likelihood, yet, might look bigger as theoretical dangers than real ones. One cannot live by addressing theoretical dangers as explicit real dangers. Not sure if I cohesively explained my point here.

Going up to the emperor and telling him that he's wrong, that the risk is higher than he thinks it is, puts me at great risk of retribution. That constitutes a great service from my point of view.

There is no retribution nor anyone seeks anything negative out of you, nor Soaring or anyone. I am glad I read all these responses to understand these potentialities, even if very distant.

Then everything's good. Please HPZM understand that I'm not your enemy. I'm not here to take your place as I have enough responsibilities to manage already.
I guess you have good reasons to not make jos-astro's code public and I won't go against that, as long as I'm certain that you understand the risks.
 
Last edited by a moderator:
I will write quickly just a few lines, to conclude what I have to say on my side.

As an answer to the OP, I think that the warning is due to your browser, trying to protect you from possible fake sites (in this case, astro.com is seen as the trustier one). Does it appear also from other browsers? Or from Desktop versions? Anyway I think that we cannot do much from our side.

On the project: I did the project as an online website because nowadays everything is on the web, and people are more reluctant (even lazy) to install applications rather than just visiting a website. The website has more impact than just making people install it, it creates more visibility.
Another point is that I know these technologies, so it was easier for me to do it in this way, because I did it in my free time.

I appreciate all the points you have brought forward, but if the problem is the hardware, as you said, then you should just build your own machine, chips, and so on. Even in this way it is useless, because you would have a secure machine, but all the others no.

I don't preclude the possibility of an offline version. I look forward to it. But these things need time.
 
