"uses WebAssembly" - forgive me but what? How do I know my PDF isn't going to Russia? or China? I mean, I could Wireshark it but I'd like to know more about what's in the WebAssembly. PDFs are sensitive to some organizations. As already stated, some orgs even block online PDF tools for obvious reasons.
I'm interested in this but I would be even more so if there was source so I can audit. Since it's running locally in my browser anyway.
Always ironic when ppl say this on websites hosted in the US, a country with the most documented cases of governmental organisation backdooring/spying :/
> Always ironic when ppl say this on websites hosted in the US, a country with the most documented cases of governmental organisation backdooring/spying :/
That is because other countries do not let you document/publish this information. :-)
> backdooring and censorship are two very different things
Parent poster talked about backdooring being documented in the US, not comparing the two in general. I posted links about non-US governments making it illegal to document the backdooring or other things the government may worry about an unpopular reaction to. The practice of the 1st amendment in the US offers very strong, but not absolute, protections against this.
> In its release, WikiLeaks said "Marble" was used to insert foreign language text into the malware to mask viruses, trojans and hacking attacks, making it more difficult for them to be tracked to the CIA and to cause forensic investigators to falsely attribute code to the wrong nation. The source code revealed that Marble had examples in Chinese, Russian, Korean, Arabic and Persian.
The government and media pretend that attribution is a slam-dunk when it virtually never is. On the other hand, there are big career benefits to discovering the next "Chinese" malware vs. stumbling upon some US/EU script kiddie nonsense that included Chinese characters as a prank/red herring. There is incentive to misattribute & sensationalize.
I would wager that ~100% of CIA/NSA malware (or any state actor, really) has a plausible red herring cover. It would be foolish not to.
I'm even less virtuous than Russia or China, yet I can't spy on you
(once again, it's a combination of current technical capability, concentration of current and early important technologies being developed in your jurisdiction, concentration of current and popular technologies being developed in your jurisdiction, etc)
What does it even mean lol. I really like how you implied that it's a problem of WebAssembly.
How is checking a web page's network connections, WebAssembly or not, harder than reading ALL the source code (if you don't read it all you can't be sure!) of a non-trivial app?
I was expecting something along the lines of pdf.js or something. WebAssembly was a shock, but I looked at the asm, saw golang, decompiled back to Go and looked. All good. Still... all it takes is an errant http.client call.
It's interesting that they don't just supply the source code. Are they hoping if there's enough interest then they can turn this into a service? This type of functionality is great but I don't like the black box approach.
Edit: After some consideration, maybe they're worried that someone else would create a service using their work.