Just your normal everyday casual software dev. Nothing to see here.
People can share differing opinions without immediately being on the reverse side. Avoid looking at things as black and white. You can like both waffles and pancakes, just like you can hate both waffles and pancakes.
I don’t see any company jumping at the rim to implement these though, especially considering the high chance that it will just be overturned next party flip. Stuff like this needs bi-partisanship and transparency otherwise it just gets revoked when the party flips again.
it’s a waste of money until it’s clear both primary parties agree with the change, the fact it had to be done in silent/under the table says everything about the volatility of this change.
hardware I’m giving to my sister most likely. Software? well that’s definitly dying with me. I’m the only one in my family that has any form of technical skill required to keep services going. They won’t know what to do with it.
The most I’m able to share is pictures and files.
ok yea, I do agree with that POV on it. A ghost key like that would be within spec, cause yea at that point it would just be another member. I wasn’t taking it as an additional group member though, since the whistleblower is stating that they can put in any user id and have access to all messages live, that would mean they would have a ghost user on all messages period regardless of if its a group chat or not.
That wouldn’t be implausible though.
So, with facebook if you lose your device, you can register a new device to the account and recover your messages using a 6 digit security pin or a recovery code.
This means that your messages are stored in decryptable format either via a private key being stored, or as a separate server encrypted form in a backup.
I just had to go through this with my grandfather a few months back.
I don’t agree that would fit the protocol of end to end, that’s a common misconception, E2E by design means that it’s encrypted from the sender to the intended recipient. When you send a message the intended recipient isn’t the server, it’s the user you are sending to. That type of system would be called an encrypt in transit or a server client encryption not E2E. If they are classifying it as E2E that would be incorrect.
A classic example of a server client or encrypt in transit would be HTTPS, the server acts as a middleman between the clients, meaning that it decrypts the message then re-encrypts the message to the designated choice.
With an e2e system, the message the server transmits is never decrypted, the server already knows the destination based off the public key
honestly, with how much my grandfather uses facebook, and how often he clicks the stupid scam ads, this might be a valid option for him that is easier.
This ofc is if they decide to launch this program for <3$ a month. If it’s anything more than that I see it flopping on entry.
edit: looking at the article, I’m seeing 4EUR/m… yea 5$ isn’t horrible, but at the same time that’s probably too high for him to even consider it. That’s 2$ less than a yt lite premium subscription, and that’s a platform where ads actually get in the way of things.
Man, you just brought back memories. I forgot qtox was even a thing. I think I still have my profile saved in my dev folder somewhere for my account
If that is the case though, its not E2E it’s client server encryption and then server client encryption back. thats just deceptive marketing at that point.
considering that you can decrypt facebook e2e encryption with a 6 digit security pin… yea Facebook at least has the private keys backed up server side.
Fully agree that in this case if the claim is true (they have had a few of these claims), it’s likely whatsapp either making itself a companion app that’s hidden, or has some form of escrow in place to allow deciphering the messages. (Considering Messenger allows decrypting e2e chats with a 6 digit security pin, I’m leaning towards an escrow)
I was just mentioning that this isn’t a fault of it being centralized, this is a design choice by the company when implementing e2e encryption, and that a properly functioning system would never give the server the ability to decipher the messages in the first place.
Just because it’s centralized doesn’t mean that it falls under this risk sector. Theoretically if the app was open sourced and was confirmed to not share your private key remotely on generation (or cross sign the key to allow a master key…), then the most the centralized server could know is your public key, the server wouldn’t have the ability to obtain the private key (which is what is needed to read the e2e encrypted messages)
This process would be repeated for the other party. The cool part of that system is you can still share your public keys via the centralized server, so you wouldn’t need to share the key externally. You just need to be able to confirm that the app itself doesn’t contain code to send your private key to the centralized server. Then checking integrity is as easy as messaging your friend to post what their public key is, and that public key would need to match the public key that the server is supplying as your contact.
The server can’t MiTM attack it because the server has no way of deciphering the message in the first place, so the most it could do is pass the message onto the proper party whom has the private key to be able to decrypt it.
Not that I have any other suggestions aside from signal though, there aren’t many centralized e2e chat services. Most use client to server encryption which would allow decryption server side.
There is also some that you just don’t want to put that type of responsibility onto either. I moved my grandfather to a password manager 5 or 6 years back. I reiterated at least 8 times do not forget this password if you do you will lose all passwords and need to do everything over again.
He lasted 3 or 4 weeks then suddenly called me saying he couldn’t remember his password period. Like he tried for a good 40 minutes to guess what he may have done and was in a pretty intense panic because he didn’t want to have to change every service he had.
Thankfully it had not been long enough for his file history backup to have deleted the file, so i just restored the last backup of his passwords.docx file and put it back where he was used to it. He lost those few weeks of new passwords but that was a lot better than losing every password.
I’m not about to try and have him use a password manager again, he has decent enough password management skills since he doesn’t reuse passwords period, but like, it was far too risky putting him on a password manager again.
I couldn’t get into matrix, but I was a huge fan of open fire. It’s interface was stupid easy for XMPP administration and for awhile I ran it no issue with my group of friends. granted we ended up just going back to discord not due to any issue with the server or protocol but because it was tedious trying to get people to switch off a platform that works for most people.
Whats dumb is this issue is very easily resolved by encrypting the users security pin or password against the bitlocker keys and then only storing that.
or better yet have the pin/password an isolated thing from the microsoft system, so when a key gets uploaded, it requests the recovery pin, and if the pin matches it uploads, otherwise it states invalid pin and offers to change it while warning that it will remove existing keys, then optionally next time a system whom contains a drive with an identifier (which wouldn’t need to be encrypted only the key) goes online, it can prompt the user “note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?”
This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.
yea the only way I can see confidence being stored as a string would be if the key was meant for a GUI management interface that didn’t hardcode possible values(think for private investors or untrained engineers for sugar/cosmetic reasons). In an actual system this would almost always be a number or boolean not a string.
Being said, its entierly possible that it’s also using an LLM for processing the result, which would mean they could have something like “if its rated X or higher” do Y type deal, where the LLM would then process the string and then respond whether it is or not, but that would be so inefficient. I would hope that they wouldn’t layer like that.
Not the person you asked the question to but, for me it was dogshit music selection. I dislike radio music, my forte of music is almost exclusivley EDM based. Spotifies selection for glitchstep/dubstep/chillstep was a joke when i was looking into it. Plus I heavily disliked their leaning into requiring an account to even listen.
nah that’s a separate department and they deliberately keep that book as far away from the overall study as possible.
is datacenter ram really not usable on personal PC’s? I figured it was the same as consumer ram but with ECC features, but I haven’t gone out of my way to try and buy any.
I’m sick of everything moving to a docker image myself. I understand on a standard setup the isolation is nice, but I use Proxmox and would love to be able to actually use its isolation capabilities. The environment is already suited for the program. Just give me a standard installer for the love of tech.