Skip Navigation

Posts
0
Comments
1391
Joined
3 yr. ago

Just your normal everyday casual software dev. Nothing to see here.

People can share differing opinions without immediately being on the reverse side. Avoid looking at things as black and white. You can like both waffles and pancakes, just like you can hate both waffles and pancakes.

been trying to lower my social presence on services as of late, may go inactive randomly as a result.

  • It does sound really weird, however, the way I see it is both countries are under obligation for defense forces anyway, and already go into each other's air space in order to do this. So, by Canada not buying the jets( Which I agree with that decision at this point because the US has heavily dropped the ball while increasing prices.) that doesn't change the fact that they were counting on those jets for coverage, which means that they need to gain that coverage from somewhere in order to uphold current agreements.

    The ambassador was just stating that they will need to attempt to alter NORAD's deal with them because if Canada isn't going to supply the coverage, then if they were to keep the same coverage, the US would have to send more jets in which he is complaining about.

    Honestly, the title of this article is clickbait to the point where I don't even think the article title itself is accurate to the article anymore. It's borderline misinformation at this point

  • Honestly, I'm a little surprised that this post wasn't locked or had a comment pin stating that the title of this post is misinformation and that the actual body isn't what the title indicates

  • ok yea, I do agree with that POV on it. A ghost key like that would be within spec, cause yea at that point it would just be another member. I wasn't taking it as an additional group member though, since the whistleblower is stating that they can put in any user id and have access to all messages live, that would mean they would have a ghost user on all messages period regardless of if its a group chat or not.

    That wouldn't be implausible though.

  • Another commenter stated (its a little ways down the thread) they abandoned that plan due to complexity. (and other instance admins getting mad they couldnt see votes)

    They ended up moving to a system where you now decide if you want your votes to federate outside the instance or not.

  • So, with facebook if you lose your device, you can register a new device to the account and recover your messages using a 6 digit security pin or a recovery code.

    This means that your messages are stored in decryptable format either via a private key being stored, or as a separate server encrypted form in a backup.

    I just had to go through this with my grandfather a few months back.

  • I don't agree that would fit the protocol of end to end, that's a common misconception, E2E by design means that it's encrypted from the sender to the intended recipient. When you send a message the intended recipient isn't the server, it's the user you are sending to. That type of system would be called an encrypt in transit or a server client encryption not E2E. If they are classifying it as E2E that would be incorrect.

    A classic example of a server client or encrypt in transit would be HTTPS, the server acts as a middleman between the clients, meaning that it decrypts the message then re-encrypts the message to the designated choice.

    With an e2e system, the message the server transmits is never decrypted, the server already knows the destination based off the public key

  • honestly, with how much my grandfather uses facebook, and how often he clicks the stupid scam ads, this might be a valid option for him that is easier.

    This ofc is if they decide to launch this program for <3$ a month. If it's anything more than that I see it flopping on entry.

    edit: looking at the article, I'm seeing 4EUR/m... yea 5$ isn't horrible, but at the same time that's probably too high for him to even consider it. That's 2$ less than a yt lite premium subscription, and that's a platform where ads actually get in the way of things.

  • Man, you just brought back memories. I forgot qtox was even a thing. I think I still have my profile saved in my dev folder somewhere for my account

  • If that is the case though, its not E2E it's client server encryption and then server client encryption back. thats just deceptive marketing at that point.

  • considering that you can decrypt facebook e2e encryption with a 6 digit security pin... yea Facebook at least has the private keys backed up server side.

  • Fully agree that in this case if the claim is true (they have had a few of these claims), it's likely whatsapp either making itself a companion app that's hidden, or has some form of escrow in place to allow deciphering the messages. (Considering Messenger allows decrypting e2e chats with a 6 digit security pin, I'm leaning towards an escrow)

    I was just mentioning that this isn't a fault of it being centralized, this is a design choice by the company when implementing e2e encryption, and that a properly functioning system would never give the server the ability to decipher the messages in the first place.

  • Just because it's centralized doesn't mean that it falls under this risk sector. Theoretically if the app was open sourced and was confirmed to not share your private key remotely on generation (or cross sign the key to allow a master key...), then the most the centralized server could know is your public key, the server wouldn't have the ability to obtain the private key (which is what is needed to read the e2e encrypted messages)

    This process would be repeated for the other party. The cool part of that system is you can still share your public keys via the centralized server, so you wouldn't need to share the key externally. You just need to be able to confirm that the app itself doesn't contain code to send your private key to the centralized server. Then checking integrity is as easy as messaging your friend to post what their public key is, and that public key would need to match the public key that the server is supplying as your contact.

    The server can't MiTM attack it because the server has no way of deciphering the message in the first place, so the most it could do is pass the message onto the proper party whom has the private key to be able to decrypt it.

    Not that I have any other suggestions aside from signal though, there aren't many centralized e2e chat services. Most use client to server encryption which would allow decryption server side.

  • There is also some that you just don't want to put that type of responsibility onto either. I moved my grandfather to a password manager 5 or 6 years back. I reiterated at least 8 times do not forget this password if you do you will lose all passwords and need to do everything over again.

    He lasted 3 or 4 weeks then suddenly called me saying he couldn't remember his password period. Like he tried for a good 40 minutes to guess what he may have done and was in a pretty intense panic because he didn't want to have to change every service he had.

    Thankfully it had not been long enough for his file history backup to have deleted the file, so i just restored the last backup of his passwords.docx file and put it back where he was used to it. He lost those few weeks of new passwords but that was a lot better than losing every password.

    I'm not about to try and have him use a password manager again, he has decent enough password management skills since he doesn't reuse passwords period, but like, it was far too risky putting him on a password manager again.

  • I couldn't get into matrix, but I was a huge fan of open fire. It's interface was stupid easy for XMPP administration and for awhile I ran it no issue with my group of friends. granted we ended up just going back to discord not due to any issue with the server or protocol but because it was tedious trying to get people to switch off a platform that works for most people.

  • I solve that issue by having down votes disabled, I don't have the capability to down vote or see negative scores. It honestly made my experience on the platform better as well, because it helps hide the hive mind mentality that the platform as a whole seems to have at times.

  • Whats dumb is this issue is very easily resolved by encrypting the users security pin or password against the bitlocker keys and then only storing that.

    or better yet have the pin/password an isolated thing from the microsoft system, so when a key gets uploaded, it requests the recovery pin, and if the pin matches it uploads, otherwise it states invalid pin and offers to change it while warning that it will remove existing keys, then optionally next time a system whom contains a drive with an identifier (which wouldn't need to be encrypted only the key) goes online, it can prompt the user "note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?"

    This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.

  • I watch most IT/Technical videos at 1.5-2x speed. Especially tutorial style videos. Most creators use a very long and drawn out way of speaking in order to keep the viewer on the same page, but most of the time I know the core concepts already, so I don't need the super detailed parts only the barebones.

  • Off the top of my head, the biggest one I can think of that had potential was Rumbleverse, which was an epic exclusive and got shut down. That one had a lot of potential just lacked visibility. just they didn't get the player base.

    But doing a quick google search also gave me quite a few more, such as Gigantic, which was a third-person hero shooter that used its own exclusive launcher along with the Windows Store.

    There's the Darwin Project, which launched as an Xbox Game Pass and did eventually go to Steam. However, by the time it hit Steam, the damage was done. They had lost all momentum.

    There is Rocket Arena, which was an Origin Epics game title that eventually went free to play and then closed down later.

    There was quite a few MMO-style live service games, but those have tentative life spans anyway, So I don't think that it would be fully fair to list those.

    There was Knockout City, which was exclusive to Origin and consoles and also had a lot of streamer support, and did eventually come to Steam(albeit mostly for their cdn system as stated by one of the devs of it)

    Those are just a handful of games from a Google search, the reoccurring trait across all of them which was they were decent games that people enjoyed playing. They just lacked the user base. And by the time they made it to Steam(if they made it to Steam), it was already too late and they had already lost momentum.

    It's likely that if those games had just been released day one on Steam that they would have had the momentum required to continue going. But instead they intentionally excluded the Steam user base usually due to some form of exclusivity deal.

  • Yeah, I understand that point of view as well, especially for feature expansions. I don't agree with that point of view at all for bug reports /fixes though. It's not like I'm asking for an additional feature on top of the devs' already existing code. I'm fixing a mistake that the dev added to their code that they haven't had time to fix, I don't see the need of multi week or month review processes for those.

    But at the end of the day I tell myself that if the dev wanted help with the project they would have made the system easier and I just move on with my life. or if it's too much of a blocker or if it's a small change just fork the code myself if allowed, fix it and then never bother with the hassle of submitting it upstream.

  • I don't contribute to projects most of the time strictly due to the hurdles in place for contributions. if I see an issue with something, I would like to be able to properly fix it, not have to follow a multi month process to actually get it in

    The last project I wanted to contribute to had the following system:

    1. make an account (makes sense, its a self hosted tracker)
    2. verify my identity and specify what I wanted to do in a whole different project in order to get validated to be able to open issues in the tracker
    3. open an issue stating that I found a problem
    4. state in the issue that I was willing to fix said problem
    5. agree to sign the code away if done
    6. wait for response confirming that it was ok
    7. fork the project
    8. fix the issue on your fork
    9. create test units for the project
    10. submit a merge on the main project
    11. wait weeks to months for the actual maintainer teams to review the fix and make suggestions/alterations
    12. fix any merge conflicts that was created during the time that it took to review
    13. rinse and repeat the last 2 steps until it's finally merged

    Luckily I had noticed that the timeframe of existing requests prior to doing it, and decided to pass on it.

    Don't get me wrong, a lot of those steps are necessary for proper development cycles but, it's the extra steps that are annoying. I'm looking to quickly contribute and move on. Too many steps or if the process seems like it will be a major pain in the butt = You can find and fix it yourself.

    Most projects if they have that I will at least open an issue for it so it's known as a problem... but some projects don't seem to want them reported, let alone fixed.