Pup Biru

that’s the incredibly clever part

https://signal.org/blog/sealed-sender

susceptible to backdoors and other USA shenanigans.

that’s pretty much the major difference here: Signal is provably not back-doored:

• it’s frequently independently audited
• all their code is open, so there are plenty of eyes on it to catch shenanigans
• they have reproducible builds which means you can prove that the code that you can read is exactly the same code that produced the binary running on your device
  • if you don’t know what this means, basically every time you compile the code it produces the exact same binary result
  • there are people that do this automatically so that if there were different source code that created a binary - with a secret backdoor or something - it would be very obvious, and public
  • given that, it’s reasonable to assume that the binary running on your device was produced using the same open code everyone can read: you don’t need to do it yourself
• whilst you can’t prove their server is the exact same as what’s in their open repos, it doesn’t really matter… the point of their architecture is that it doesn’t matter what the server is running: it could be announcing all data publicly and it’d still be secure because the encryption, security, and privacy feature are all ensured by the client

they receive whatever Google/Apple give them which may be quite different from what’s in the source code.

i don’t disagree: it’d be better if we all had the time, skill, and energy to invest into auditing our own systems… but realistically nobody does, let alone people that don’t really care about privacy

with that in mind, it’s all about getting as close as possible… given signals reputation, you can be pretty sure the source code has a lot of eyes on it, and that if there were back doors found it would be news

and given reproducible builds, as i said earlier, you can (or rather, i certainly do) assume that if there were a mismatch between the binaries and the source you’d also hear about it

of course, that doesn’t stop targeted attacks by nation states, but that’s never what we talk about in personal security and privacy situations… it’s just not the threat model that most (i’d wager any) of us should be thinking about because that is not just a full time job: that is an entire teams full time job… we just aren’t being directly targeted like that, and if we are then tbh it’s all over. we protect against general surveillance… we can’t protect against zero days, physical device access, etc

If they can then Signal can as well, right?

kinda… again, reproducible builds: either of them could technically put code in their app that sends private keys to their servers somehow, but if you break it down it’s far more likely to be caught in signal than in whatsapp

more likely Google and Apple will

i’m not sure what you mean by this… sure, apple or google could send you an update to ios/android to extract data from apps, but again that seems much more likely a very large-scale attack… you can protect against this by running graphene etc which does similar reproducible builds, but in that case we aren’t talking about the app: signal is absolutely the app you would rely on if you’re going that far… you just wouldn’t ensure your hardware and OS integrity and then just skip the app integrity lol

or perhaps you mean that google or apple could send you specifically a binary of signal that’s been modified? but that’s actually not really likely because apps are signed by developers: apple and google can’t actually send you something that the developer hasn’t “approved”… sure, they control the OS so they can circumvent all the restrictions, but again that’s a massive attack, and really far beyond what’s reasonable to consider for most people (and again, that applies to both whatsapp and signal so it’s not really a point in favour of whatsapp)

But as I understand it any US company will have to store and provide metadata, logs, etc when the government agencies tell them to

absolutely correct… the point of privacy like signal does is that they hand everything over and it’s useless: the information signal themselves can extract, even by modifying their code is completely worthless. they have your IP address, phone number, some timestamps, and encrypted blobs (AFAIK they don’t store a lot of that, but that’s not provable so we should assume that it’s stored either accidentally or because of coercion)… they can see when you messaged, but not even things like who you messaged

if signals infra and private keys etc were literally handed over to the US government right now and they specifically wanted to target you personally, it’s highly unlikely they would be able to do anything particularly useful with any of that before it’s noticed, and then you can stop using signal before they actually intercept new communications (and old communications are protected, assuming you wipe the app and all its stored info before they can send you a poisoned update)

and with all of this, it doesn’t really matter where signal is based: US, China, Russia, Guam, Switzerland, Iran: doesn’t matter… the structure is built in such a way that if Signal the organisation is coerced, it’s either:

• obvious, and therefore noticed by the community at large and thus you’d hear about it
• not useful: ie all information that Signal has is provably garbage
• such a large scale that we globally have huge problems (and we do, but that’s not something you can solve)
• targeted, in which case you have big problems and whilst this may be part of it, you need to have a lot more resources to detect and solve it. this just isn’t the reality for most people

it’s about your threat model: you can’t worry about massive scale, and you can’t worry about being individually targeted… unless that is part of your threat model, in which case signal is still part of your solution (along with auditing and validating every part of the chain from hardware to OS to the apps which all require reproducibility or building from your audited source) and whatsapp fundamentally is not

Signal punished their spec and WhatsApp re-implemented it, yes but critically only the messaging parts rather than all the other privacy parts

the reasons to switch basically start with WhatsApp is owned by Meta, and given that these things become more important:

• WhatsApp is closed source so it’s difficult to confirm if their implement is “correct”
• they may have the ability to extract your keys from your device somehow
• i’m not sure who is the ultimate key-holder for whatsapp: if it’s like apple, they hold your private keys and thus can decrypt anything they like (different to signal where devices transfer your keys between each other via qr codes etc)
• on that last point, i can confirm that to login with whatsapp on the browser just now my process was: enter phone number, type an 8-digit code from my phone… this could be an temporary key of some kind used to e2ee between the devices to transfer my master key or something, but i’m very suspect on this being anything more than plain text verification that meta could man in the middle
• whatsapp stores your contacts, and message metadata… that’s all i personally need to avoid it: meta doesn’t need to know who and how often i message people to add to their profile on me

meta says whatsapp is secure exactly for this reason: people think “why switch?” when it’s really about the metadata for them… they are experts and building a profile with scraps of metadata

writing a secure application is about more than technically rock-solid encryption and protocol

It’s the fediverse, signal is sacred and will not be questioned nor criticiced

you can question signal just as much as you want, but you’d better come with actual arguments rather than just conspiracy, because signal has counters to pretty much every claim that non-experts try to make

signal was built and is run by one of the worlds foremost security researchers and privacy activists

it uses standard encryption that is used in huge numbers of things. if there were a problem with any part of that, the world would have a much bigger problem than individual communications. the US government does not behave in a way that suggests these algorithms are compromised

it has been repeatedly audited by 3rd parties

the fact that it’s US-based is barely worth mentioning… why is that a problem? are you sure it’s not solely a knee-jerk reaction?

it’s free (so you’re not supporting the US economy), the client - and server, though that’s not important because E2EE - is FOSS (so it’s auditable and extendable by anyone: AFAIK they also ensure repeatable builds), the encryption is basically as good as it gets (they even have various protections for quantum computing), their architecture means they can’t even see metadata like senders… so, again, in this case what are you giving up by having it US-based? perhaps a little bit of soft power, perhaps an acknowledgment that in this 1 case the US produced a good product counter to their governments interests

the other guy who dared to like Telegram

because telegram is not for security or privacy conscious people, despite their marketing: they actively muddy the waters and make people less safe

their encryption is custom, written by mathematicians not cryptographers so doesn’t include features like perfect forward secrecy, replay protection, etc

and their default chat mode isn’t even e2ee - only secret chats use their custom encryption, and nobody actually uses them!

there are numerous sources documenting these problems, and plenty more

it’s okay to like telegram: i like it as a chat app, and i use it for the features it provides… but it’s not okay to say in a privacy and security context that they’re even remotely comparable

hell even just add NATO, EU, Canada, Mexico, and Panama to the list… prevent a problem for once

absolutely! similar is true of node in v8 (though python imo is far more mature in this regard) and probably most other languages

exactly why things like numpy are so popular: yeah python is slow, but python is just the orchestrator

further to that, “demonstrably worse for the planet” i’d like to debate: considering a huge amount of climate science is done with python-based tools because they’re far easier for researchers to pick up and run with - ie just get shit done rather than write good/clean code - i’d argue the benefit of python to the planet is in the outputs it enables for significantly reduced (or in many cases, perhaps outright enabled) input costs

yeah we have a “supply charge” that’s ~$1/day on top of that base rate too, so roughly the same situation :(

we’ve got this crap because of privatisation so it’s not likely to change any time soon.

i hope your energy prices come down when energy things stabilise in europe!

just sayin’ this is still so incredibly cheap… 8c/kwh… australian electricity prices are 24-43c/kwh (obv usd vs aud but the aussie $ isn’t that weak)

most likely? he either deeply believes in them or he’s using them as a tool and id say these things are indistinguishable given his actions

redacting information is a lot harder than that. you often have to redact things that allow people to draw correlations that lead to identity… details like that should be redacted

but this is ridiculous on its own, even without the enormous blunders that prove it’s about protecting co-conspirators rather than victims

actually from what i understand aldi isn’t an overstock kinda place: their brands are all in-house brands, but they go to big manufacturers and say you can whitelabel your product for us and get exclusive access to our shelves or we will go to your competitor

it’s often the same brand products that are 2x the price everywhere else but without the marketing and mark up that comes with

in australia i’ve never really had an issue with aldi not having stock of anything - unless you’re looking for brand name things, but that’s not really what aldi is about

never mind a leg up… kids in a fucking papoose at this point

not everyone can afford to have their actions match their values aye

enron sold plenty of gas and real things too: it’s the double handling that’s the problem; not the nature of the goods or services

openai has practically no value and that’s well known… nvidia is paying companies to buy their chips and playing bullshit shell games

the difference is openai is a pretty well known unprofitable company, and they aren’t doing quite as much of the bullshit shell games. nvidia is selling to basically everyone, taking stakes in companies, giving weird deals… it’s bloody impossible to track how much of their sales are real and how much those real sales are actually worth, or if those sales are loss leaders for some investment then those investments look a lot like openai

so nvidia not only is invested in a lot of very questionable AI bubble companies, but also their own sales figures are… unreliable

they’re making billions upon billions because they’re using their own money multiple times. it’s kinda like leveraged trading with all the risk and it’s incredible arrogant at the scale that nvidia is doing it

fevers break if your immune system attacks and destroys the threat. if the infection wins, you die. if you’re immunocompromised and get a fever, it’s very very bad news

i’m not saying that the democrats are compromised and they’re the immune system in this analogy of course… no no no… im just commenting on the biology!

before i start i want to make sure that this should in no way be interpreted as a “both sides” argument: i think yall should choose the most likely to win, least bad candidate (ie defensive voting; as disgusting as it is) - which almost certainly means a democrat at this point

i think it’s important to remember that both republican and democrats are relatively symmetrical in a lot of regards (not all). there are likely a similar number of people who actively support the democrats (distinct from defensive voting) no matter what, and they’d likely be equally problematic fixing systemic issues

perhaps they’d be easier to persuade, but it’s really easy to think that people on “our side” are governed by logic alone, but study after study has said that both sides are susceptible to propaganda and other political tools to a similar degree

and both positions are wrong. nobody ever said that the ROC wasn’t imperialist in the exact same way

chinas stance towards the south china sea and taiwan is what this exaggeration for the purposes of comedy is based on