cultural reviewer and dabbler in stylistic premonitions
sealed sender isn’t theater, in my view. It is a best effort attempt to mitigate one potential threat
But, what is the potential threat which is mitigated by sealed sender? Can you describe a specific attack scenario (eg, what are the attacker’s goals, and what capabilities do you assume the attacker has) which would be possible if Signal didn’t have sealed sender but which is no longer possible because sealed sender exists?
In case it wasn’t clear, I’m certainly not advocating for using WhatsApp or any other proprietary, centralized, or Facebook-operated communication systems 😂
But I do think Facebook probably really actually isn’t exploiting the content of the vast majority of whatsapp traffic (even if they do turn out to be able to exploit it for any specific users at any time, which i wouldn’t be surprised by).
“Anonymity” is a vague term which you introduced to this discussion; I’m talking about metadata privacy which is a much clearer concept.
TLS cannot prevent an observer from seeing the source and destination IPs, but it does include some actually-useful metadata mitigations such as Encrypted Client Hello, which encrypts (among other things) the Server Name Indicator. ECH a very mild mitigation, since the source and destination IPs are intrinsically out of scope for protection by TLS, but unlike Sealed Sender it is not an entirely theatrical use of cryptography: it does actually prevent an on-path observer from learning the server hostname (at least, if used alongside some DNS privacy system).
The on path part is also an important detail here: the entire world’s encrypted TLS traffic is not observable from a single choke point the way that the entire world’s Signal traffic is.
Many people have reverse-engineered and analyzed whatsapp; it’s clear that they are actually doing e2ee. It is not certain that they don’t have ways to bypass it for targeted users, and there is currently a lawsuit alleging that they do, but afaik no evidence has been presented yet.
anyone who objects to mass surveillance obviously hates puppies
Signal protocol is awesome for privacy, not anonymity
The “privacy, not anonymity” dichotomy is some weird meme that I’ve seen spreading in privacy discourse in the last few years. Why would you not care about metadata privacy if you care about privacy?
Signal is not awesome for metadata privacy, and metadata is the most valuable data for governments and corporations alike. Why do you think Facebook enabled e2ee after they bought WhatsApp? They bought it for the metadata, not the message content.
Signal pretends to mitigate the problem it created by using phone numbers and centralizing everyone’s metadata on AWS, but if you think about it for just a moment (see linked comment) the cryptography they use for that doesn’t actually negate its users’ total reliance on the server being honest and following their stated policies.
Signal is a treasure-trove of metadata of activists and other privacy-seeking people, and the fact that they invented and advertise their “sealed-sender” nonsense to pretend to blind themselves to it is an indicator that this data is actually being exploited: Signal doth protest too much, so to speak.
100% of options funded by western governments
One of their four, SimpleX, is not funded by western governments (…but it instead has some venture capital 🤡)
I don’t think anyone called those “web apps” though. I sure didn’t.
As I recall, the phrase didn’t enter common usage until the advent of AJAX, which allowed for dynamically loading data without loading or re-loading a whole page. Early webmail sites simply loaded a new page every time you clicked a link. They didn’t even need JavaScript.
The term “web app” hadn’t been coined yet but, even without AJAX I think in retrospect it’s reasonable to call things like the early versions of Hotmail and RocketMail applications - they were functional replacements for a native application, on the web, even though they did require a new page load for every click (or at least every click that required network interaction).
At some point, though, I’m pretty sure that some clicks didn’t require server connections, and those didn’t require another page load (at least if js was enabled): this is what “DHTML” originally meant: using JavaScript to modify the DOM client-side, in the era before sans-page-reload network connections were technically possible.
The term DHTML definitely predates AJAX and the existence of XMLHTTP (later XMLHttpRequest), so it’s also odd that this article writes a lot about the former while not mentioning the latter. (The article actually incorrectly defines DHTML as making possible “websites that could refresh interactive data without the need for a page reload” - that was AJAX, not DHTML.)
A cascade of satellite collisions is called Kessler syndrome and the risk of it happening is rapidly increasing due to megaconstellations like Starlink:
Kessler syndrome could be a solution to the Fermi paradox.
Weird this article doesn’t mention Hotmail and RocketMail, which both had email client web apps in 1996.
The “girls FTW” mail in that bluesky post is indeed fake, but the daily beast article linked by this post not include that one.
that screenshot is almost[1] definitely fake; unlike the ones in the dailybeast article, phrases from it do not find anything in the search.
i say only almost because there have been some documents removed from previous batches after they were released, but there are no credible reports about the one in your comment ↩︎
This one is fake
i don’t think so?
Its not one of the few occurrences of the word there
which word? i checked a couple and they’re there. eg, here is Musk planning a visit in January 2014.
daily beast is posting misinfo
it is irritating that they only provided a source link for one of the many mails they quote and have screenshots of, but i checked a few of the others and they do come up in the search.
One group- memes or something is wholly controlled by Chinese state actors.
As one of the moderators of !memes@lemmy.ml i encourage OP to look at the sort of posts i make and tell me - do you really think i’m a “Chinese state actor”?
Do you think all these posts i make in, eg, !hoch@lemmy.ml and !goodnews@lemmy.ml and !badnews@lemmy.ml and !eleven@lemmy.ml… these are all part of a carefully-crafted cover, and I’m actually being paid by China to delete totally-not-racist posts depicting their president as a yellow cartoon bear?
And for this service, to maintain my cover, they also pay me to create memes like this and this and this and this and this and this (and defending that one against less informed nerds) and this and this and this (a small sample of my OC here)?
And do you think China paid for this understandable explanation of asymmetric cryptography using high-school level math, because someone asked, deep in a thread about a service which I’d also already debunked the snake-oil privacy claims of?
Really?
good disclaimer. also, they aren’t open source, and from the tech background of the founder who self-funded it i doubt that he plans for it to ever be. in fact, among other cringe things on Issam Hijazi’s linkedin i see that he’s even worked for, enough to become an expert in the proprietary technology of, (checks notes) the very same zionist billionaire (paywall bypass) who just bought TikTok 😢
Also, one their FAQs is “Where does UpScrolled operate its servers and store data? Does it use Big Tech?”… the answer to which includes:
We do rely on some large-scale cloud providers at this stage — not because it’s our ideal, but because building fully independent infrastructure takes time. We’d rather be transparent about that than claim otherwise. Over time, we plan to reduce reliance on these providers and move toward greater independence.
… but We do rely on some is as far as their attempt at transparency took them - they aren’t actually saying which cloud providers they’re using or for what. (given the founder’s expertise i’d guess it’s probably AWS and/or Oracle.)
A few lists of javascript WTFs:
To anyone who thinks they know JS well and that its quirkiness is not a problem, let me know how you do on these quizzes:
no transcoding quality loss
is jellyfin actually transcoding when people don’t want it to?!
otherwise, “no transcoding” doesn’t sound like a feature. transcoding is very useful when you actually need it, eg watching something remotely which is stored at a higher bitrate than your network connection can stream. one way to do it with mpv is ffmpegfs, btw.
(fellow mpv user here; i’ve only used other people’s jellyfin instances… but i’d be very surprised if they’re always unnecessarily transcoding everything they watch.)
nope.
Pre sealed-sender they already claimed not to keep metadata logs, so, complying with such a subpoena[1] should already have required them to change the behavior of their server software.
If a state wanted to order them to add metadata logging in a non-sealed-sender world, wouldn’t they also probably ask them to log IPs for all client-server interactions (which would enable breaking sealed-sender through a trivial correlation)?
Note that defeating sealed sender doesn’t require any kind of high-resolution timing or costly analysis; with an adversary-controlled server (eg, one where a state adversary has compelled the operator to alter the server’s behavior via a National Security Letter or something) it is easy to simply record the IP which sent each “sealed” message and also record which account(s) are checked from which IPs at all times.
it would more likely be an NSL or some other legal instrument rather than a subpoena ↩︎