• 0 Posts
  • 1.85K Comments
Joined 2 years ago
Cake day: December 29th, 2023
  • Pup Biru@aussie.zonetoFuck AI@lemmy.worldOn familiarityEnglish
    154·
    11 hours ago

    they’re both wrong, and they’re both right

    an AI can create concept art for a writer to better visualise their world to generate ideas in a pinch, but it shouldn’t ever be what you use to show anyone else: you still need real concept art

    an AI can also create writing for their art so that they can flesh out a back story to make their visual art more detailed, but it’s not going to write anything that you’d want anyone to read as a book or act in for a movie

    both things can be used for the described purpose, and both things are inadequate for quality output

    we’ve had this juxtaposition for a while: “redneck X”… they’re scrapped together barely functional versions of the thing you’re trying to do, on the cheap, with home-made tools. you wouldn’t sell it, but it’s kinda fine for this 1 situation with many many asterisks

    professionals often don’t like when someone can hack together something functional because they know the many many places where that thing falls down when you talk about long-term, and the general case… but sometimes a hack job solves a specific problem in a specific situation for a moment for cheap and that’s all you need

    (just don’t try it with electricity or your health: the consequences of not understanding this complexity is death… of course ;p)

  • Pup Biru@aussie.zonetoEurope@feddit.orgSignal massively downloaded amid rising tensions, number one in DenmarkEnglish
    3·
    2 days ago

    susceptible to backdoors and other USA shenanigans.

    that’s pretty much the major difference here: Signal is provably not back-doored:

    • it’s frequently independently audited
    • all their code is open, so there are plenty of eyes on it to catch shenanigans
    • they have reproducible builds which means you can prove that the code that you can read is exactly the same code that produced the binary running on your device
      • if you don’t know what this means, basically every time you compile the code it produces the exact same binary result
      • there are people that do this automatically so that if there were different source code that created a binary - with a secret backdoor or something - it would be very obvious, and public
      • given that, it’s reasonable to assume that the binary running on your device was produced using the same open code everyone can read: you don’t need to do it yourself
    • whilst you can’t prove their server is the exact same as what’s in their open repos, it doesn’t really matter… the point of their architecture is that it doesn’t matter what the server is running: it could be announcing all data publicly and it’d still be secure because the encryption, security, and privacy feature are all ensured by the client

    they receive whatever Google/Apple give them which may be quite different from what’s in the source code.

    i don’t disagree: it’d be better if we all had the time, skill, and energy to invest into auditing our own systems… but realistically nobody does, let alone people that don’t really care about privacy

    with that in mind, it’s all about getting as close as possible… given signals reputation, you can be pretty sure the source code has a lot of eyes on it, and that if there were back doors found it would be news

    and given reproducible builds, as i said earlier, you can (or rather, i certainly do) assume that if there were a mismatch between the binaries and the source you’d also hear about it

    of course, that doesn’t stop targeted attacks by nation states, but that’s never what we talk about in personal security and privacy situations… it’s just not the threat model that most (i’d wager any) of us should be thinking about because that is not just a full time job: that is an entire teams full time job… we just aren’t being directly targeted like that, and if we are then tbh it’s all over. we protect against general surveillance… we can’t protect against zero days, physical device access, etc

    If they can then Signal can as well, right?

    kinda… again, reproducible builds: either of them could technically put code in their app that sends private keys to their servers somehow, but if you break it down it’s far more likely to be caught in signal than in whatsapp

    more likely Google and Apple will

    i’m not sure what you mean by this… sure, apple or google could send you an update to ios/android to extract data from apps, but again that seems much more likely a very large-scale attack… you can protect against this by running graphene etc which does similar reproducible builds, but in that case we aren’t talking about the app: signal is absolutely the app you would rely on if you’re going that far… you just wouldn’t ensure your hardware and OS integrity and then just skip the app integrity lol

    or perhaps you mean that google or apple could send you specifically a binary of signal that’s been modified? but that’s actually not really likely because apps are signed by developers: apple and google can’t actually send you something that the developer hasn’t “approved”… sure, they control the OS so they can circumvent all the restrictions, but again that’s a massive attack, and really far beyond what’s reasonable to consider for most people (and again, that applies to both whatsapp and signal so it’s not really a point in favour of whatsapp)

    But as I understand it any US company will have to store and provide metadata, logs, etc when the government agencies tell them to

    absolutely correct… the point of privacy like signal does is that they hand everything over and it’s useless: the information signal themselves can extract, even by modifying their code is completely worthless. they have your IP address, phone number, some timestamps, and encrypted blobs (AFAIK they don’t store a lot of that, but that’s not provable so we should assume that it’s stored either accidentally or because of coercion)… they can see when you messaged, but not even things like who you messaged

    if signals infra and private keys etc were literally handed over to the US government right now and they specifically wanted to target you personally, it’s highly unlikely they would be able to do anything particularly useful with any of that before it’s noticed, and then you can stop using signal before they actually intercept new communications (and old communications are protected, assuming you wipe the app and all its stored info before they can send you a poisoned update)

    and with all of this, it doesn’t really matter where signal is based: US, China, Russia, Guam, Switzerland, Iran: doesn’t matter… the structure is built in such a way that if Signal the organisation is coerced, it’s either:

    • obvious, and therefore noticed by the community at large and thus you’d hear about it
    • not useful: ie all information that Signal has is provably garbage
    • such a large scale that we globally have huge problems (and we do, but that’s not something you can solve)
    • targeted, in which case you have big problems and whilst this may be part of it, you need to have a lot more resources to detect and solve it. this just isn’t the reality for most people

    it’s about your threat model: you can’t worry about massive scale, and you can’t worry about being individually targeted… unless that is part of your threat model, in which case signal is still part of your solution (along with auditing and validating every part of the chain from hardware to OS to the apps which all require reproducibility or building from your audited source) and whatsapp fundamentally is not

  • Pup Biru@aussie.zonetoEurope@feddit.orgSignal massively downloaded amid rising tensions, number one in DenmarkEnglish
    5·
    2 days ago

    Signal punished their spec and WhatsApp re-implemented it, yes but critically only the messaging parts rather than all the other privacy parts

    the reasons to switch basically start with WhatsApp is owned by Meta, and given that these things become more important:

    • WhatsApp is closed source so it’s difficult to confirm if their implement is “correct”
    • they may have the ability to extract your keys from your device somehow
    • i’m not sure who is the ultimate key-holder for whatsapp: if it’s like apple, they hold your private keys and thus can decrypt anything they like (different to signal where devices transfer your keys between each other via qr codes etc)
    • on that last point, i can confirm that to login with whatsapp on the browser just now my process was: enter phone number, type an 8-digit code from my phone… this could be an temporary key of some kind used to e2ee between the devices to transfer my master key or something, but i’m very suspect on this being anything more than plain text verification that meta could man in the middle
    • whatsapp stores your contacts, and message metadata… that’s all i personally need to avoid it: meta doesn’t need to know who and how often i message people to add to their profile on me

    meta says whatsapp is secure exactly for this reason: people think “why switch?” when it’s really about the metadata for them… they are experts and building a profile with scraps of metadata

    writing a secure application is about more than technically rock-solid encryption and protocol

  • Pup Biru@aussie.zonetoEurope@feddit.orgSignal massively downloaded amid rising tensions, number one in DenmarkEnglish
    7·
    3 days ago

    It’s the fediverse, signal is sacred and will not be questioned nor criticiced

    you can question signal just as much as you want, but you’d better come with actual arguments rather than just conspiracy, because signal has counters to pretty much every claim that non-experts try to make

    signal was built and is run by one of the worlds foremost security researchers and privacy activists

    it uses standard encryption that is used in huge numbers of things. if there were a problem with any part of that, the world would have a much bigger problem than individual communications. the US government does not behave in a way that suggests these algorithms are compromised

    it has been repeatedly audited by 3rd parties

    the fact that it’s US-based is barely worth mentioning… why is that a problem? are you sure it’s not solely a knee-jerk reaction?

    it’s free (so you’re not supporting the US economy), the client - and server, though that’s not important because E2EE - is FOSS (so it’s auditable and extendable by anyone: AFAIK they also ensure repeatable builds), the encryption is basically as good as it gets (they even have various protections for quantum computing), their architecture means they can’t even see metadata like senders… so, again, in this case what are you giving up by having it US-based? perhaps a little bit of soft power, perhaps an acknowledgment that in this 1 case the US produced a good product counter to their governments interests

    the other guy who dared to like Telegram

    because telegram is not for security or privacy conscious people, despite their marketing: they actively muddy the waters and make people less safe

    their encryption is custom, written by mathematicians not cryptographers so doesn’t include features like perfect forward secrecy, replay protection, etc

    and their default chat mode isn’t even e2ee - only secret chats use their custom encryption, and nobody actually uses them!

    there are numerous sources documenting these problems, and plenty more

    it’s okay to like telegram: i like it as a chat app, and i use it for the features it provides… but it’s not okay to say in a privacy and security context that they’re even remotely comparable

  • Pup Biru@aussie.zonetoBuy European@feddit.ukAmericans embrace Aldi as German discounter becomes fastest-growing supermarket in USEnglish
    3·
    8 days ago

    actually from what i understand aldi isn’t an overstock kinda place: their brands are all in-house brands, but they go to big manufacturers and say you can whitelabel your product for us and get exclusive access to our shelves or we will go to your competitor

    it’s often the same brand products that are 2x the price everywhere else but without the marketing and mark up that comes with

    in australia i’ve never really had an issue with aldi not having stock of anything - unless you’re looking for brand name things, but that’s not really what aldi is about

  • Pup Biru@aussie.zonetoTechnology@lemmy.worldNvidia insists it isn’t Enron, but its AI deals are testing investor faithEnglish
    3·
    12 days ago

    openai has practically no value and that’s well known… nvidia is paying companies to buy their chips and playing bullshit shell games

    the difference is openai is a pretty well known unprofitable company, and they aren’t doing quite as much of the bullshit shell games. nvidia is selling to basically everyone, taking stakes in companies, giving weird deals… it’s bloody impossible to track how much of their sales are real and how much those real sales are actually worth, or if those sales are loss leaders for some investment then those investments look a lot like openai

    so nvidia not only is invested in a lot of very questionable AI bubble companies, but also their own sales figures are… unreliable

    they’re making billions upon billions because they’re using their own money multiple times. it’s kinda like leveraged trading with all the risk and it’s incredible arrogant at the scale that nvidia is doing it