Just your normal everyday casual software dev. Nothing to see here.

People can share differing opinions without immediately being on the reverse side. Avoid looking at things as black and white. You can like both waffles and pancakes, just like you can hate both waffles and pancakes.

  • 0 Posts
  • 706 Comments
Joined 2 years ago
Cake day: August 15th, 2023

  • ok yea, I do agree with that POV on it. A ghost key like that would be within spec, cause yea at that point it would just be another member. I wasn’t taking it as an additional group member though, since the whistleblower is stating that they can put in any user id and have access to all messages live, that would mean they would have a ghost user on all messages period regardless of if it’s a group chat or not.

    That wouldn’t be implausible though.



  • I don’t agree that would fit the protocol of end to end, that’s a common misconception, E2E by design means that it’s encrypted from the sender to the intended recipient. When you send a message the intended recipient isn’t the server, it’s the user you are sending to. That type of system would be called an encrypt in transit or a server client encryption not E2E. If they are classifying it as E2E that would be incorrect.

    A classic example of a server client or encrypt in transit would be HTTPS, the server acts as a middleman between the clients, meaning that it decrypts the message then re-encrypts the message to the designated choice.

    With an e2e system, the message the server transmits is never decrypted, the server already knows the destination based off the public key.


  • honestly, with how much my grandfather uses facebook, and how often he clicks the stupid scam ads, this might be a valid option for him that is easier.

    This ofc is if they decide to launch this program for <3$ a month. If it’s anything more than that I see it flopping on entry.

    edit: looking at the article, I’m seeing 4EUR/m… yea 5$ isn’t horrible, but at the same time that’s probably too high for him to even consider it. That’s 2$ less than a yt lite premium subscription, and that’s a platform where ads actually get in the way of things.





  • Fully agree that in this case if the claim is true (they have had a few of these claims), it’s likely WhatsApp either making itself a companion app that’s hidden, or has some form of escrow in place to allow deciphering the messages. (Considering Messenger allows decrypting e2e chats with a 6 digit security pin, I’m leaning towards an escrow)

    I was just mentioning that this isn’t a fault of it being centralized, this is a design choice by the company when implementing e2e encryption, and that a properly functioning system would never give the server the ability to decipher the messages in the first place.


  • Just because it’s centralized doesn’t mean that it falls under this risk sector. Theoretically if the app was open sourced and was confirmed to not share your private key remotely on generation (or cross sign the key to allow a master key…), then the most the centralized server could know is your public key, the server wouldn’t have the ability to obtain the private key (which is what is needed to read the e2e encrypted messages)

    This process would be repeated for the other party. The cool part of that system is you can still share your public keys via the centralized server, so you wouldn’t need to share the key externally. You just need to be able to confirm that the app itself doesn’t contain code to send your private key to the centralized server. Then checking integrity is as easy as messaging your friend to post what their public key is, and that public key would need to match the public key that the server is supplying as your contact.

    The server can’t MiTM attack it because the server has no way of deciphering the message in the first place, so the most it could do is pass the message onto the proper party who has the private key to be able to decrypt it.

    Not that I have any other suggestions aside from signal though, there aren’t many centralized e2e chat services. Most use client to server encryption which would allow decryption server side.
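The check described in the comment above, comparing the public key a friend posts out of band with the key the server supplies for that contact, as an added example (not code from the thread or from any messenger). The key bytes, contact names and function names are constructed for illustration; the same audit also flags an extra "ghost" key attached to a contact, the case raised in the first comment.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """First 128 bits of SHA-256 over the raw key, grouped for reading aloud."""
    h = hashlib.sha256(public_key).hexdigest()
    return " ".join(h[i:i + 8] for i in range(0, 32, 8))

def _norm(fp: str) -> str:
    # Ignore spacing and case so a pasted or dictated fingerprint still matches.
    return "".join(fp.split()).lower()

def matches(public_key: bytes, posted_fp: str) -> bool:
    return hmac.compare_digest(_norm(fingerprint(public_key)), _norm(posted_fp))

def audit_recipients(server_keys: dict, verified: dict) -> list:
    """Return (contact, fingerprint) for each server-supplied key that no
    out-of-band fingerprint vouches for: a swapped key or an added ghost key."""
    unverified = []
    for contact, keys in server_keys.items():
        for key in keys:
            if not any(matches(key, fp) for fp in verified.get(contact, ())):
                unverified.append((contact, fingerprint(key)))
    return unverified

# Constructed sample data: 32-byte stand-ins for real public keys.
ALICE_KEY = bytes(range(32))
BOB_KEY = bytes(range(32, 64))
GHOST_KEY = bytes([0xAA]) * 32

# Fingerprints each friend posted through a separate channel.
VERIFIED = {"alice": [fingerprint(ALICE_KEY)], "bob": [fingerprint(BOB_KEY).upper()]}

HONEST = {"alice": [ALICE_KEY], "bob": [BOB_KEY]}               # server is honest
TAMPERED = {"alice": [ALICE_KEY, GHOST_KEY], "bob": [BOB_KEY]}  # extra key added

if __name__ == "__main__":
    print("honest  :", audit_recipients(HONEST, VERIFIED))
    print("tampered:", audit_recipients(TAMPERED, VERIFIED))
```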


  • There are also some that you just don’t want to put that type of responsibility onto either. I moved my grandfather to a password manager 5 or 6 years back. I reiterated at least 8 times: do not forget this password, if you do you will lose all passwords and need to do everything over again.

    He lasted 3 or 4 weeks then suddenly called me saying he couldn’t remember his password period. Like he tried for a good 40 minutes to guess what he may have done and was in a pretty intense panic because he didn’t want to have to change every service he had.

    Thankfully it had not been long enough for his file history backup to have deleted the file, so I just restored the last backup of his passwords.docx file and put it back where he was used to it. He lost those few weeks of new passwords but that was a lot better than losing every password.

    I’m not about to try and have him use a password manager again, he has decent enough password management skills since he doesn’t reuse passwords period, but like, it was far too risky putting him on a password manager again.


  • I couldn’t get into Matrix, but I was a huge fan of Openfire. Its interface was stupid easy for XMPP administration and for a while I ran it no issue with my group of friends. Granted, we ended up just going back to Discord, not due to any issue with the server or protocol but because it was tedious trying to get people to switch off a platform that works for most people.


  • What’s dumb is this issue is very easily resolved by encrypting the user’s security PIN or password against the BitLocker keys and then only storing that.

    Or better yet, have the PIN/password be an isolated thing from the Microsoft system, so when a key gets uploaded, it requests the recovery PIN, and if the PIN matches it uploads, otherwise it states invalid PIN and offers to change it while warning that it will remove existing keys. Then optionally, next time a system that contains a drive with an identifier (which wouldn’t need to be encrypted, only the key) goes online, it can prompt the user “note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?”

    This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.
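One way to realise the scheme described in the comment above, where the service stores only a recovery key already encrypted under the user's PIN; this is an added example, not Microsoft's or BitLocker's code. The recovery key value, record layout and function names are constructed, and the HMAC-based keystream is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor (assumed); it only slows PIN guessing
# Constructed value in the 8x6-digit recovery key layout, not a real key.
SAMPLE_KEY = "111111-222222-333333-444444-555555-666666-777777-888888"

def _derive(pin: str, salt: bytes, length: int):
    """Stretch the PIN, then expand it into a keystream and a separate MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    stream, counter = b"", 0
    while len(stream) < length:
        block = hmac.new(master, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return stream[:length], mac_key

def wrap_recovery_key(recovery_key: str, pin: str) -> dict:
    """Runs on the client. The returned record is all the server ever stores."""
    salt = secrets.token_bytes(16)  # fresh per upload, so no keystream reuse
    plain = recovery_key.encode()
    stream, mac_key = _derive(pin, salt, len(plain))
    ct = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unwrap_recovery_key(record: dict, pin: str) -> str:
    """Runs on the client at recovery time; the PIN never leaves the device."""
    salt, ct = bytes.fromhex(record["salt"]), bytes.fromhex(record["ct"])
    stream, mac_key = _derive(pin, salt, len(ct))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("invalid PIN or tampered record")
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

if __name__ == "__main__":
    record = wrap_recovery_key(SAMPLE_KEY, "493817")
    print("stored by server:", record)
    print("recovered:", unwrap_recovery_key(record, "493817"))
```

A six-digit PIN has only a million possible values, so anyone holding the stored record can still test guesses offline; a longer passphrase raises that cost.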


  • yea the only way I can see confidence being stored as a string would be if the key was meant for a GUI management interface that didn’t hardcode possible values (think for private investors or untrained engineers for sugar/cosmetic reasons). In an actual system this would almost always be a number or boolean, not a string.

    Being said, it’s entirely possible that it’s also using an LLM for processing the result, which would mean they could have something like “if it’s rated X or higher” do Y type deal, where the LLM would then process the string and then respond whether it is or not, but that would be so inefficient. I would hope that they wouldn’t layer like that.






  • I don’t use twitter either, it’s blocked by choice on my DNS blocker but, the majority on the platform are not a pedo, regardless of the owners of it. It’s still really the only valid mainstream option for content creators. Do you have a better option? Because I know bsky or lemmy sure as hell ain’t going to get the job done for them (they have already tried that and went back due to lack of usage.)

    It’s a circle, creators aren’t going to leave the platform because consumers are there, consumers aren’t going to leave because creators are there. The only real hope of that changing is either twitter screwing up so hard that they can’t stay, or a superior alternative being made that allows both the creator and the viewer to leave at once, so far bsky has come to be the closest but has still fallen short.

    edit: changed tone and wording to be less aggressive.


  • In the case of content creators, you go where your audience goes. Almost all of the content creators I watch went back to twitter and almost exclusively post only live notices and social updates. I don’t have one that has a good opinion of the platform but, there’s a much larger audience there so therefore they stay.

    Visibility is everything, and there are many steps between following you off the platform and not engaging with your stuff. Many will not follow a creator to an alternative platform if it means having to juggle an additional network, they will just let that creator fall out of their interest group.

    I know for a fact I wouldn’t be on lemmy if I still used reddit, so any content creator I followed there I dropped. It is too annoying having to juggle multiple social media platforms.