User avatar
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
Admin
completely blind computer geek, lover of science fiction and fantasy (especially LitRPG). I work in accessibility, but my opinions are my own, not that of my employer. Fandoms: Harry Potter, Discworld, My Little Pony: Friendship is Magic, Buffy, Dead Like Me, Glee, and I'll read fanfic of pretty much anything that crosses over with one of those.
keyoxide: aspe:keyoxide.org:PFAQDLXSBNO7MZRNPUMWWKQ7TQ
Location
Ottawa
Birthday
1987-12-20
Pronouns
he/him (EN)
xmpp fastfinge@im.interfree.ca
keyoxide aspe:keyoxide.org:PFAQDLXSBNO7MZRNPUMWWKQ7TQ
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@MostlyBlindGamer I don't even know why they're doing this. If you don't have a virus scanner enabled on your computer, this will not save you. Any addon can just download remote code whenever it wants to. That is, in fact, how most addon update checkers work. So even if you audit the results, it's completely meaningless unless you also audit all the code. The only thing this does is give users a false sense of security.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@MostlyBlindGamer It looks like it gets put there when it's uploaded to the store. But I develop addons that aren't distributed via the store, because of silly NVDA rules. So I can just put whatever I want there. And I haven't actually tested to see what happens if I upload an addon to the store with the virustotal keys already included.
0
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@MostlyBlindGamer I did. It could have been unrelated; there's a lot of stuff going on this network. But what would be the point of just including the URL to the results? I can just put anything I want in the manifest and say it passes. For it to mean anything, NVDA has to reach out and check. So this is either a privacy violation, or total security theatre. Not good either way.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@saschacowley @pixelate Then why is my machine reaching out to that virustotal URL that showed up in the log snip and timing out?
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
Second update: Yes, this is pointless security theatre. Any addon can download and execute remote code. So even if you do all of the work I mentioned, unless you audit the code, you still have no idea if the addon is safe or secure. This just gives users a dangerously false sense of security. The only way it would be meaningful is if NVDA code signs all addons, disables remotely downloading files, and only allows approved addons through the store. And doing this would be far, far worse than the alternative. It would mean, for one, that Eloquence would be completely dead as an NVDA addon. NVDA doesn't allow it in the addon store, and thus wouldn't sign it.

Update: it looks like the outreach to virustotal.com in my firewall logs was unrelated to NVDA. Based on a look at:
github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py

NVDA just accepts whatever the addon manifest says without verification. So instead of a privacy violation, this is just pointless. I can put whatever I want there in my addons, and it'll reassure the user that no viruses were found. To actually know the truth, a user has to:
* visit the URL
* hash their addon
* compare the hashes

And only then can they know if the results in the virustotal URL they visited are the same ones for the addon they installed, and that the information in the manifest is correct based on the actual virustotal.com findings.

By the time you do all that, either Windows Defender has flagged the virus, or you're already screwed.

I guess I'd rather pointless security theatre than privacy violation, if I have to choose. But can't I have neither?

It looks like in the latest alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'

9
13
4
0
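The three manual steps in the post above (visit the URL, hash the addon, compare the hashes) boil down to one check: does the SHA-256 in the manifest's scanUrl equal the SHA-256 of the bundle actually installed? The script below is an added example, not NVDA's code and not taken from scanResults.py; it runs that check over a constructed stand-in bundle, once with a manifest keyed by the bundle's real hash and once with the clean-looking report URL from the post copied in verbatim. The lookup of the scan block under a nested 'virusTotal' key is an assumption drawn only from the KeyError in the traceback, and the malformed-manifest cases return a verdict instead of raising.

```python
import hashlib
import re
from typing import Any, Mapping, Optional

# VirusTotal file reports are addressed by the file's SHA-256; the manifest
# shown on the page embeds such a URL under scanResults.scanUrl.
SHA256_IN_URL = re.compile(r"/file/([0-9a-fA-F]{64})(?=[/?#]|$)")

# Constructed sample bytes standing in for a real .nvda-addon zip.
ADDON_BUNDLE = b"PK\x03\x04 constructed stand-in for an .nvda-addon bundle"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bundle, hex-encoded, the way VirusTotal keys its reports."""
    return hashlib.sha256(data).hexdigest()


def hash_from_scan_url(scan_url: str) -> Optional[str]:
    """Pull the 64-hex-char file hash out of a VirusTotal /gui/file/<hash> URL."""
    match = SHA256_IN_URL.search(scan_url)
    return match.group(1).lower() if match else None


def scan_block(manifest: Mapping[str, Any]) -> Optional[Mapping[str, Any]]:
    """Locate the scan dict. Assumption: it is either flat under scanResults
    (the shape printed on the page) or nested one level under 'virusTotal'
    (the key the traceback on the page was looking for). None if absent."""
    scan = manifest.get("scanResults")
    if not isinstance(scan, Mapping):
        return None
    nested = scan.get("virusTotal")
    if isinstance(nested, Mapping):
        return nested
    return scan


def verify_scan_results(manifest: Mapping[str, Any], addon_bytes: bytes) -> dict:
    """Check that the manifest's scan URL refers to *this* bundle.

    Never raises on a malformed manifest: a missing or oddly shaped block
    yields a verdict instead of the KeyError shown on the page.
    """
    scan = scan_block(manifest)
    if scan is None:
        return {"status": "no_scan_results"}
    url = scan.get("scanUrl")
    if not isinstance(url, str):
        return {"status": "no_scan_url"}
    claimed = hash_from_scan_url(url)
    if claimed is None:
        return {"status": "unparseable_scan_url", "scanUrl": url}
    actual = sha256_hex(addon_bytes)
    if claimed != actual:
        # The manifest points at a report for some other file, so the counts
        # beside it ('malicious': 0 and friends) say nothing about this bundle.
        return {"status": "hash_mismatch", "claimed": claimed, "actual": actual}
    # A match only ties the report to these bytes; it says nothing about code
    # the addon fetches at runtime, which is the post's point.
    return {
        "status": "hash_matches",
        "sha256": actual,
        "malicious": scan.get("malicious"),
        "undetected": scan.get("undetected"),
    }


def manifest_with_url(url: str, **counts: int) -> dict:
    """Build a manifest dict in the flat shape shown on the page (constructed)."""
    scan: dict = {"scanUrl": url}
    scan.update(counts)
    return {"scanResults": scan}


# Manifest whose URL really is keyed by this bundle's hash.
HONEST_MANIFEST = manifest_with_url(
    "https://www.virustotal.com/gui/file/" + sha256_hex(ADDON_BUNDLE),
    malicious=0, undetected=67,
)

# Manifest that copies the report URL from the page verbatim while shipping
# different bytes: the "I can put whatever I want there" case.
SPOOFED_MANIFEST = manifest_with_url(
    "https://www.virustotal.com/gui/file/"
    "2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88",
    malicious=0, undetected=67,
)

if __name__ == "__main__":
    for name, manifest in [("honest", HONEST_MANIFEST), ("spoofed", SPOOFED_MANIFEST)]:
        print(name, verify_scan_results(manifest, ADDON_BUNDLE))
```

Run it as a script to see the honest manifest come back as hash_matches and the spoofed one as hash_mismatch; to check a real bundle, read the .nvda-addon file's bytes in place of ADDON_BUNDLE. The check deliberately stays offline: it tells you whether the URL could possibly describe the file you have, not whether the report behind it is clean, and it does nothing about what the addon downloads once it is running.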
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@douglawlor No. It doesn’t work with interactive commands. For Hermes’, grab the perspective intelligence app and connect that way.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
This was invented for . However, I'm finding it really nice for screen readers:
RTK rewrites output from chatty terminal commands that produce a lot of output, often in complex tables, in order to make the output 80 to 90 percent shorter. Just put rtk in front of the command you want to compress. So "rtk git status" instead of "git status". And you can be sure the compacted output is correct because it's just using regular expressions and deterministic rules under the hood to rewrite output from the tools it knows about. If it doesn't know about a particular command, it just passes the output on unchanged.
github.com/rtk-ai/rtk
Now I've got to figure out how to wire this up in
so it'll just happen without me typing rtk all the time.

1
17
16
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@kellylford Take a look at Hermes agent. It lets you swap models and providers easily and uses gh cli for GitHub. You can get a subscription to nano-gpt.com for $12 a month that will give you 30 million tokens a week on glm 5.5 and kimi k2. Then get a pay as you go account at openrouter.ai for Anthropic and Google models when needed. Add nanoproxy on top to solve reliability issues with nano-gpt tool calling and you're set.
0
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@kellylford And the way every imap server offers different extensions and folder names and so on is also no fun.
0
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@kellylford Fair enough. My primary worry is that the big email providers are starting to get rid of app password and require oauth. Maintaining an email client is only going to get harder. Not even mentioning read receipts and pgp and all the different formats of multipart mime. I admire but don’t envy you.
2
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@kellylford Why not thunderbird, if I may ask?
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@andrew @jscholes I'd say that the default SSH key workflow is fine, unless you need keys on multiple machines. Yubikey for SSH is way more convenient than a jumpbox, or making dozens of keys and keeping track of them all.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@andrew @jscholes NFC is a critical feature for me. I do testing across Android, iOS, Mac, and Windows, and need my secure accounts available in all the places.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@mcourcel @jaybird110127 @twynn I only have the framework laptop. Never seen the desktop.
0
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@mcourcel @Jage @jpellis2008 I have two. One in my pocket, and one in the safe.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@jpellis2008 @Jage No idea, sorry.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@jpellis2008 @Jage I have the more expensive one for work. But no reason to get it unless you need the extra features.
2
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@jpellis2008 If you search yubikey on Amazon, they're the first result. I'm Canadian, so I can't give you useful links; I just get redirected to amazon.ca. Though @Jage selling them on ATGuys might be an interesting idea.
1
0
0
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@jscholes @andrew No. That's the TOTP setting I mentioned. Turn that off, and now they work directly with the passcode API on windows/mac/android.
2
0
1
0
🇨🇦Samuel Proulx🇨🇦 @fastfinge@interfree.ca
1mo
@andrew You need the management tools if you want to put PGP and SSH keys on them. Or at least, that was the quickest way I could figure out of doing it.
1
0
0
0