The quote leaves out the best part.

people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother

You’re going to think I am joking but I am not. Multiple people have sworn to me that this works for a common failure mode of HDD drives and I’ve literally never heard someone say they tried it and it failed. I’ve never tried it. Buyer beware. Don’t blame me if you fuck up your drive / your computer it’s connected to / anything else even worse by doing this:

1. Stick it in the freezer for a short while.
2. Take it out.
3. Boot it up.
4. If it works, get all the data off it as quick as you can.

I want to hear what AI experts I already think of as qualified (Yann LeCun or Rob Miles) think of this bill

@computerphile@mas.to

Or can anyone who’s still on Twitter just ask them?

Ask GPT to rewrite your configuration, check over it with diff to make sure it didn’t do something dumb, bingo bango

They reached out to her a couple days before they launched, and said hey do you want to maybe reconsider that thing where we asked you about this a couple times, and both times you told us to go fuck ourselves

And then they told the media that they were in discussions with her, when the discussions were her lawyer telling them to go fuck themselves

And then Altman tweeted “her”

And then when it launched, it was according to her so freakishly similar that her friends were weirded out by it

If it was some different actress saying hey this sounds a lot like me, that wasn’t the one that they clearly had in mind when they were making their plans about it, then I could see a pretty strong argument to say hey relax buddy sometimes different people just sound similar

I don’t really know; I’m not familiar enough with movie people to really listen to it and see what I think and I don’t care enough to investigate. But just based on the above I feel like probably she has a fairly strong case.

Yeah agreed. In particular I really like that feditest exists even if I haven’t done anything to check it out / learn about it for myself yet.

Akkoma and Pleroma are two popular “Mastodon style” Fediverse apps, I think born out of exactly this type of complaint about Mastodon, which you could get involved with if you wanted to be involved with better software without it being a one-man show.

I think it’s made needlessly difficult by how sloppy a protocol ActivityPub is, such that different Fediverse apps can’t really interoperate with each other except at a pretty rudimentary level, so you kind of have to pick one of the leading ones and imitate it, in order to be a citizen in its community and not have to build your own little community from scratch. But that’s a problem without a real easy solution, I think.

What?

I am comparing the question, is my traffic being spied on by the ISP (in practice, passed off from the ISP to the NSA for sure and in practice maybe whoever else) actively as I’m running my connection, versus is my traffic being spied on by my fellow patrons. I would describe harvesting all my traffic and giving it to the government as “malicious.” That, to me, is more likely (I mean, more or less 100% chance, within the US) than someone randomly being at the cafe acting maliciously to the point of setting up a spoof DHCP server randomly during the time that I am there.

(Part of the Snowden revelations were that the NSA had deals with more or less every major data carrier to harvest in bulk more or less everything that goes over the long-distance internet.)

What percentage of people in the world do you imagine set up spoof DHCP servers at cafes? 1%? And what percent of their time do you imagine they spend doing it? I cannot possibly make the math work out to make it make sense unless the cafe literally has at bare minimum thousands of people in it at all times. I mean, sure, it’s worth making sure your VPN is secure against it.

I don’t really want to argue continuously back and forth about this for too too long. I feel like I’ve said what I needed to say to communicate my piece about it at this point.

Okay, how much?

I can enumerate the ISPs that have will-hand-your-traffic-over-for-general-vacuuming-up deals with the American government, and the ISPs worldwide that do some form of traffic editing on behalf of differently-repressive-than-the-US regimes, and I can go to Starbucks tomorrow and we can compare that proportion of ISPs to the proportion of people I find actively tampering with my traffic from the cafe.

I have done, and friends of mine have done a lot more than that. My point is that I’m unusually nerdy and the number of people who’ve ever been subjected to it by me being near them is probably in the double digits for a few minutes over my entire life.

I will bet you any amount of money that you can go to any coffee shop and set up an insecure VPN there all day and not a single person will randomly come in, set up a malicious DHCP server, and reroute the VPN traffic through their hardware so they can spoof it and spy on your traffic.

The fact that it’s possible means it’s worth defending against, sure. If it sounds like I’m saying it’s not a big deal I am not. I’m just saying that it is not the most common threat that you need to defend against most urgently or even in the top 10 (primarily because it requires one of this little handful of people nearby to you to be a malicious actor, where most of the ones that are really commonly-encountered threats are the ones that literally any one of billions of people on the planet could at any time randomly target you with, so you’re going to run into a lot more frequently.)

For this scenario, are you imagining that a person may have physically entered the coffee shop who’s both tech savvy and malicious enough to run a malicious device there?

Or were you thinking a remote compromise of their router? That one seems moderately more probable, but eliminates anything special about the coffee shop’s router specifically as opposed to your home router or your workplace’s router.

When I use a VPN, I very rarely imagine that the coffee shop / home internet that I’m hooked up to will have a malicious actor or compromised host physically inside it. I mean, maybe. But more likely is that I’m protecting against a malicious ISP, or effectively doing an extra level of authentication to my work network before I get access to non-world-visible elements of it (that shouldn’t be exposed to anyone in the world that wants to poke at it). The “someone else at the cafe is malicious” case isn’t un-heard of, but it’s not the most common threat model. That’s my point.

From the article:

When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

“Deanonymize” and denial of service are very very different from hijacking the connection and rerouting destination traffic to a hostile device, which it sounds like are what’s possible on iOS and Windows.

I don’t really know the full details (e.g. what does it mean that “there’s a setting”, and is activating that setting starting this week any different in practice from applying the patch that will surely come this week for Windows and iOS). But it does sound fair to say that there’s a serious level of vulnerability that’s exclusive to Windows and iOS.

1. Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for
2. “there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.

Oh crap – you’re right, yes. I thought it was a requirement for Mormons but it’s not.

I agree with that. I think the point of Mormons being forced to go door-to-door and engage with the outside world in a way that is guaranteed to create discomfort and hostility… is that they’ll learn the the outside world equals discomfort and hostility. I can’t imagine that it has any nonzero effect in terms of converting people to Mormonism at all.

I think how it works for Christians probably depends on the nonuniform details of how exactly they do the proselytizing, but I’m imagine it works mostly the same in most cases.

Do you have a source that is a little more reliable?

They are not the same thing. Facebook is bad too (and actually, a platform-neutral legal restriction based on behavior would be better), but TikTok is absolutely unique in the type of threat it poses:

1. The Chinese government treats communication networks as their personal hoovering-attachment for any data they might want. Companies are required by law to operate as an arm of Chinese intelligence, both in terms of giving information and in terms of manipulating what information people on their network are allowed to see. The FBI and NSA definitely spy on Americans too to some extent, but it’s simply not in the same league or with the same type of goals.
2. It’s not just your TikTok data. It’s photos and files on your phone, your contacts, your messages, basically anything that the app with its too-permissive permissions can get its hands on, can potentially go up to Chinese intelligence.
3. TikTok is not structured like any other app. It has features like custom-downloading and running arbitrary binaries from its central server that honestly don’t even make much sense except as spying apparatus (consistent with #1).
4. What China might do with this unprecedented level of access to everyone’s phones is malevolent in a different way than, say, Facebook’s access to everyone’s data. Like Facebook they have the ability to e.g. influence an election, but they also have the ability to try to blackmail an individual to compromise them, or do for-real torture in the real world (say by tracking down a dissident via TikTok spying and then having one of their little Chinese-police-in-America units grab them).

Citations:

1. https://thehill.com/opinion/cybersecurity/532583-for-chinese-firms-theft-of-your-data-is-now-a-legal-requirement/
2. https://www.proofpoint.com/us/blog/threat-protection/understanding-information-tiktok-gathers-and-stores
3. https://www.currentware.com/blog/block-tiktok/
4. https://www.businessinsider.com/china-hong-kong-spy-agency-official-presence-national-security-laws-report-2020-6 https://www.npr.org/2023/04/17/1170571626/fbi-arrests-2-on-charges-tied-to-chinese-outpost-in-new-york-city

Mastodon, and just turn off federation and registration maybe, and wrap the whole thing in HTTP authentication or something so you don’t have to worry about random people finding random holes into read-only access to the content?