ᗪᗩᗰᑎ

@ᗪᗩᗰᑎ@lemmy.ml
3 Post – 225 Comments
Joined 3 years ago

A hypothesis requires no evidence.

Correct

It’s then tested through repeatable controlled experiments

Repeatable controlled experiments are only one aspect of evidence gathering to falsify a hypothesis. Here are a few other methods:

  • Observational Astronomy
  • Modeling and Simulations
  • Indirect Experiments
  • Lab Experiments
  • Historical Data Analysis

By combining these methods we can still falsify a hypothesis, thus allowing "science to happen".

The events leading to the Big Bang have no evidence.

Correct! There is no evidence for what led to the big bang because we can't gather any data before it started. But we have mountains of evidence that all point to a "big bang" happening - down to a fraction of a second shortly after it started! [1] [2] [3] [4] [5] [6] [7] [8].

If science can hypothesize, why can’t religion?

Science is willing to discard ideas that lack evidence or aren't falsifiable. Is religion ready to stop preaching because faith, by definition, is a lack of evidence?

Have you read string theory? It’s no different than Spinoza’s god.

The difference between string theory and Spinoza's god is the falsifiable part. String Theory, being a scientific theory, makes predictions that should be able to be tested through experiments (although testing will likely be a challenge much like Astrophysics and will instead depend on other scientific methods to gather evidence for/against it). Spinoza's God is a philosophical concept and not directly falsifiable through scientific methods. Spinoza's god is the equivalent of me claiming I'm friends with a telepathic unicorn from another dimension, both useless and irrelevant.


[1] Gravitational Waves: https://www.smithsonianmag.com/science-nature/new-cosmic-discovery-could-be-closest-weve-come-beginning-time-180950109/

[2] Redshift: https://socratic.org/questions/how-does-a-redshift-give-evidence-to-the-big-bang-theory

[3] Cosmic Microwave Background Radiation: https://bigthink.com/starts-with-a-bang/cosmic-microwave-background-proves-big-bang/

[4] Abundance of Light Elements: https://map.gsfc.nasa.gov/universe/bb_tests_ele.html

[5] Expansion: https://map.gsfc.nasa.gov/universe/bb_tests_exp.html and https://www.space.com/52-the-expanding-universe-from-the-big-bang-to-today.html

[6] Olbers' Paradox: https://en.wikipedia.org/wiki/Olbers%27s_paradox

[7] Quasars Existence: https://www.astronomy.com/science/60-years-of-quasars/

[8] WMAP Survey: https://en.wikipedia.org/wiki/Wilkinson_Microwave_Anisotropy_Probe and https://www.britannica.com/topic/Wilkinson-Microwave-Anisotropy-Probe

Germany, there's a time and place for everything. This is like supporting a "sovereign citizen's" right to freedom during a murderous rampage. It's giving "blue lives matter" during George Floyd's murder.

... but worse!

What do terrorists holding hostages have to do with the indiscriminate murder, displacement and starvation of innocent women and children? Genuinely curious. Cops don't kill innocents when there's a hostage situation, why is Israel allowed to commit genocide in this situation? Can you explain?

Tangentially related, if you use iMessage, I'd recommend you switch to Signal.

text below from a hackernews comment:


Gonna repeat myself since iMessage hasn't improved one bit after four years. I also added some edits since attacks and Signal have improved.

iMessage has several problems:

  1. iMessage uses RSA instead of Diffie-Hellman. This means there is no forward secrecy. If the endpoint is compromised at any point, it allows the adversary who has

a) been collecting messages in transit from the backbone, or

b) in cases where clients talk to server over forward secret connection, who has been collecting messages from the IM server

to retroactively decrypt all messages encrypted with the corresponding RSA private key. With iMessage the RSA key lasts practically forever, so one key can decrypt years worth of communication.

I've often heard people say "you're wrong, iMessage uses unique per-message key and AES which is unbreakable!" Both of these are true, but the unique AES-key is delivered right next to the message, encrypted with the public RSA-key. It's like transport of safe where the key to that safe sits in a glass box that's strapped against the safe.

  2. The RSA key strength is only 1280 bits. This is dangerously close to what has been publicly broken. On Feb 28 2023, Boudot et al. broke an 829-bit key.

To compare these key sizes, we use https://www.keylength.com/en/2/

1280-bit RSA key has 79 bits of symmetric security. 829-bit RSA key has ~68 bits of symmetric security. So compared to what has publicly been broken, iMessage RSA key is only 11 bits, or, 2048 times stronger.

The same site estimates that in an optimistic scenario, intelligence agencies can only factor about 1507-bit RSA keys in 2024. The conservative (security-conscious) estimate assumes they can break 1708-bit RSA keys at the moment.

(Sidenote: Even the optimistic scenario is very close to 1536-bit DH-keys OTR-plugin uses, you might want to switch to OMEMO/Signal protocol ASAP).

Under e.g. keylength.com, no recommendation suggests using anything less than 2048 bits for RSA or classical Diffie-Hellman. iMessage is badly, badly outdated in this respect.

  3. iMessage uses digital signatures instead of MACs. This means that each sender of message generates irrefutable proof that they, and only they, could have authored the message. The standard practice since 2004, when OTR was released, has been to use Message Authentication Codes (MACs) that provide deniability by using a symmetric secret, shared over Diffie-Hellman.

This means that Alice who talks to Bob can be sure received messages came from Bob, because she knows it wasn't her. But it also means she can't show the message from Bob to a third party and prove Bob wrote it, because she also has the symmetric key that in addition to verifying the message, could have been used to sign it. So Bob can deny he wrote the message.

Now, this most likely does not mean anything in court, but that is no reason not to use best practices, always.

  4. The digital signature algorithm is ECDSA, based on NIST P-256 curve, which according to https://safecurves.cr.yp.to/ is not cryptographically safe. Most notably, it is not fully rigid, but manipulable: "the coefficients of the curve have been generated by hashing the unexplained seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90".

  5. iMessage is proprietary: You can't be sure it doesn't contain a backdoor that allows retrieval of messages or private keys with some secret control packet from Apple server.

  6. iMessage allows undetectable man-in-the-middle attack. Even if we assume there is no backdoor that allows private key / plaintext retrieval from endpoint, it's impossible to ensure the communication is secure. Yes, the private key never leaves the device, but if you encrypt the message with a wrong public key (that you by definition need to receive over the Internet), you might be encrypting messages to wrong party.

You can NOT verify this by e.g. sitting on a park bench with your buddy, and seeing that they receive the message seemingly immediately. It's not like the attack requires that some NSA agent hears their eavesdropping phone 1 beep, and once they have read the message, they type it to eavesdropping phone 2 that then forwards the message to the recipient. The attack can be trivially automated, and is instantaneous.

So with iMessage the problem is, Apple chooses the public key for you. It sends it to your device and says: "Hey Alice, this is Bob's public key. If you send a message encrypted with this public key, only Bob can read it. Pinky promise!"

Proper messaging applications use what are called public key fingerprints that allow you to verify off-band, that the messages your phone outputs, are end-to-end encrypted with the correct public key, i.e. the one that matches the private key of your buddy's device.

  7. iMessage allows undetectable key insertion attacks.

EDIT: This has actually had some improvements made a month ago! Please see the discussion in replies.

When your buddy buys a new iDevice like laptop, they can use iMessage on that device. You won't get a notification about this, but what happens on the background is, that new device of your buddy generates an RSA key pair, and sends the public part to Apple's key management server. Apple will then forward the public key to your device, and when you send a message to that buddy, your device will first encrypt the message with the AES key, and it will then encrypt the AES key with public RSA key of each device of your buddy. The encrypted message and the encrypted AES-keys are then passed to Apple's message server where they sit until the buddy fetches new messages for some device.

Like I said, you will never get a notification like "Hey Alice, looks like Bob has a brand new cool laptop, I'm adding the iMessage public keys for it so they can read iMessages you send them from that device too".

This means that the government who issues a FISA court national security request (stronger form of NSL), or any attacker who hacks iMessage key management server, or any attacker that breaks the TLS-connection between you and the key management server, can send your device a packet that contains RSA-public key of the attacker, and claim that it belongs to some iDevice Bob has.

You could possibly detect this by asking Bob how many iDevices they have, and by stripping down TLS from iMessage and seeing how many encrypted AES-keys are being output. But it's also possible Apple can remove keys from your device too to keep iMessage snappy: they can very possibly replace keys in your device. Even if they can't do that, they can wait until your buddy buys a new iDevice, and only then perform the man-in-the-middle attack against that key.

To sum it up, like Matthew Green said[1]: "Fundamentally the mantra of iMessage is “keep it simple, stupid”. It’s not really designed to be an encryption system as much as it is a text message system that happens to include encryption."

Apple has great security design in many parts of its ecosystem. However, iMessage is EXTREMELY bad design, and should not be used under any circumstances that require verifiable privacy.

In comparison, Signal

  • Uses Diffie Hellman + Kyber, not RSA

  • Uses Curve25519 that is a safe curve with 128-bits of symmetric security, not 79 bits like iMessage.

  • Uses Kyber key exchange for post quantum security

  • Uses MACs instead of digital signatures

  • Is not just free and open source software, but has reproducible builds so you can be sure your binary matches the source code

  • Features public key fingerprints (called safety numbers) that allows verification that there is no MITM attack taking place

  • Does not allow key insertion attacks under any circumstances: You always get a notification that the encryption key changed. If you've verified the safety numbers and marked the safety numbers "verified", you won't even be able to accidentally use the inserted key without manually approving the new keys.

So do yourself a favor and switch to Signal ASAP.

[1] https://blog.cryptographyengineering.com/2015/09/09/lets-tal...
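A client-side sketch of the two controls the comment above says iMessage lacks and Signal provides (a notification when a contact's key set changes, and an out-of-band fingerprint check), as an added example that is not part of the original comment or of either product's code. The fingerprint format, the class and function names and the key byte strings are assumptions made for illustration; this is not Signal's safety-number algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def key_set_fingerprint(keys):
    """Digits two people can read to each other to compare a device-key set."""
    h = hashlib.sha256()
    for k in sorted(set(keys)):                    # order-independent
        h.update(len(k).to_bytes(4, "big") + k)    # length-prefixed framing
    d = h.digest()
    return " ".join(f"{int.from_bytes(d[i:i + 4], 'big') % 100000:05d}"
                    for i in range(0, 24, 4))

@dataclass
class KeyChange:
    action: str                      # "pinned", "ok", "notify" or "block"
    added: frozenset = frozenset()
    removed: frozenset = frozenset()

@dataclass
class ContactKeyStore:
    pinned: dict = field(default_factory=dict)   # contact -> frozenset of keys
    verified: set = field(default_factory=set)   # contacts checked out of band

    def update(self, contact, served_keys):
        """Process a key-directory response instead of trusting it silently."""
        served = frozenset(served_keys)
        old = self.pinned.get(contact)
        if old is None:                  # first sight: trust on first use
            self.pinned[contact] = served
            return KeyChange("pinned", added=served)
        if served == old:
            return KeyChange("ok")
        change = KeyChange("notify", served - old, old - served)
        if contact in self.verified:     # verified contact: keep the old pins
            change.action = "block"
            return change
        self.pinned[contact] = served    # unverified: accept, but tell the user
        return change

    def mark_verified(self, contact, fingerprint_from_peer):
        """Compare with digits obtained in person or over another channel."""
        if contact not in self.pinned:
            return False
        local = key_set_fingerprint(self.pinned[contact])
        ok = hmac.compare_digest(local, fingerprint_from_peer)
        if ok:
            self.verified.add(contact)
        return ok

    def approve(self, contact, served_keys):
        """User accepted the change by hand; verification has to be redone."""
        self.pinned[contact] = frozenset(served_keys)
        self.verified.discard(contact)

    def recipients(self, contact):
        """Keys the per-message key may be wrapped to."""
        return self.pinned.get(contact, frozenset())

# Constructed placeholder byte strings standing in for real public keys.
BOB_PHONE, BOB_LAPTOP, INSERTED = b"bob-phone-pk", b"bob-laptop-pk", b"unknown-pk"

def demo():
    store = ContactKeyStore()
    first = store.update("bob", [BOB_PHONE, BOB_LAPTOP])
    # Bob reads out the digits his own device shows for his key set.
    store.mark_verified("bob", key_set_fingerprint([BOB_LAPTOP, BOB_PHONE]))
    # The directory now serves one more key, claimed to be a new device of Bob's.
    second = store.update("bob", [BOB_PHONE, BOB_LAPTOP, INSERTED])
    return first, second, store.recipients("bob")

if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the blocked case `recipients("bob")` still returns only the two pinned keys, so the extra key receives nothing until `approve` is called.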

for anyone wanting to avoid giving "X", formerly known as Twitter, any traffic, here it is.

Signal > Matrix/Element > RCS > SMS.

iMessage isn't in the equation because it only works on a single platform.

for those not familiar, this basically lets you run command line tools. anything with a GUI will not work.

Because not only do you (the end user) have to go out of your way to get it, but you get spammed by Microsoft/Edge and Google/Chrome to install a "faster" and "more secure" browser. Additionally, on the mobile side, Apple is preventing all iPhone/iPad users from picking a real alternative browser that isn't just webkit re-skinned, putting half the population at a disadvantage and to their own corporate interests.

I've got my vote for the guy who thought carbon fiber would do great under pressure after being told "no" by tons of experts in the field.

If you're on Firefox on desktop/laptop, check out Bypass Paywall [0]. It was removed from the firefox add-on store due to a DMCA claim [1], but can be manually installed (and auto updates) from gitlab. The dev even provides instructions on how to add custom filters to uBlock Origin [2], so you don't have to add another extension but still get some benefit.

[0] https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean

[1] https://winaero.com/mozilla-has-silently-removed-the-bypass-paywalls-clean-add-on-from-amo/

[2] https://gitlab.com/magnolia1234/bypass-paywalls-clean-filters

maaaaaan I was ignorant of how shitty this man was. Fuck you Eric Clapton.

X? Can we collectively decide to forever call it "X, formerly known as Twitter" just to piss him off?

It’s disingenuous to act like this is some huge burden.

Having to double your software engineers, UI/UX designers, QA engineers, DevOps, and localization/accessibility specialists to handle a second browser is a HUGE burden for a non-profit.

If you don't care about quality, security, or user experience, sure you can just pass a "does it compile" test and push to prod. You'll quickly find that nobody wants to use this under-resourced browser.

Or if it’s such a pain, you don’t bother and just ship the WebKit version everywhere.

This is exactly what Apple wants. They don't want to give people a real choice because they're scared of real competition.

Stop using facebook/meta, Instagram, Whatsapp. You're giving them power by using their services. Use alternatives like Friendica, PixelFed, or Signal.

It’s a terrible move, especially to make it default.

Subjective, but let's see what you bring to the table.

It’s just as bad a protocol as SMS in its own way: It’s still tied to a phone number/sim, so you can’t just login to the service via a browser or an app.

That's how text (SMS/RCS) messaging works. Did you expect something different? Did you expect the SMS replacement to not require a phone number?

It has lots of failures, worst of all, SILENT FAILURES, where you don’t even know your messages aren’t being sent - just look at the communities around here discussing it.

I've been using it without issue for quite a while now, but that's just one data point. If you have stats to back up your claim, I would love to see that.

There’s no common protocol here really, ...

"The GSMA’s Universal Profile is a single, industry-agreed set of features and technical enablers developed to simplify the product development and global operator deployment of RCS" Source: https://www.gsma.com/solutions-and-impact/technologies/networks/rcs/universal-profile/

lots of parts work only by decree of each host (e.g. iOS won’t have E2EE with anyone not on iOS, because that requires every cell provider to agree to the config they’re going to use).

This is how distributed/federated systems work and this is one of their cons. They won't always be 100% compatible as each component is independent but the goal is to eventually reach feature parity. See Matrix chat clients that didn't all have encryption (or other features) on day 1 or XMPP which has lots of clients, none of which support all features.

This is the 21st century, and this is the best they can do - a protocol that fails with no notice? Without standardized encryption? That’s tied to hardware?

Please post evidence of this. Again, I've had zero issues and every Android user is using RCS by default now - have heard zero complaints.

I had a better experience in 2009 running Pidgin on my phone and my laptop using XMPP. That didn’t require a phone number - I could login and see my messages in both places simultaneously… 15 years ago.

Correct! XMPP is not an SMS replacement and thus it doesn't need a phone number. In fact, you can't "text" an XMPP user, so I'm not sure what you're complaining about here?

No, RCS is a way to make the plebes think they’ve got a new and better system while still delivering garbage.

RCS vastly improves over SMS with the following features:

  • High Quality Multimedia Messaging: Unlike SMS/MMS, which is limited to text and potato sized image/videos, RCS allows sending and receiving photos, videos, and other files at significantly higher quality.
  • Rich Content Sharing: RCS supports sharing richer content formats like GIFs, location sharing, and contact cards.
  • Improved Group Chatting: RCS provides a more feature-rich group chat experience with features like group chat names, adding/removing participants, and seeing who has read messages (with read receipts).
  • Typing Indicators: Similar to many messaging apps, RCS lets you see when someone is typing a message.
  • Improved Message Reliability: RCS messages are sent over data networks, so unlike SMS, they shouldn't get lost due to network congestion.
  • End-to-End Encryption: RCS can offer end-to-end encryption for chats, providing an extra layer of security for your messages (availability varies by carrier).

But keep spreading FUD and hating on something that actually moves the needle forward.

Love you downvoters that don’t know enough to argue, just drive by and downvote.

I think they're downvoting you because you're wrong - plainly wrong - and in this day and age it's much easier to bury (downvote) blatantly wrong information than to reply to it. So I'm replying for everyone else but I will not be downvoting you. FUD should be fought back with evidence, but MAAN is it tiring.

ONE person had the guts to say why he disagreed with me.

It's not about guts, it's about wasting time, effort, not giving a shit. I slightly give a shit and want people who are less educated on the subject to see the other side of it.

Nevermind that BorgDrone explained what’s wrong with RCS better than I care to. You drive-by downvoters can’t even be bothered to learn about RCS.

Nothing to comment on here.

RCS is garbage. Plain and simple. I will never allow it on my devices, ...

At the end of the day RCS is objectively better than what exists today in the world of carrier messenger services (SMS/MMS). Is it better than iMessage? I don't think anyone would agree, especially not if you only message other iPhone users. Is it a better out-of-the-box experience for interoperability? Absolutely! And you're being disingenuous if you disagree, but I'm happy to hear you out.

just like with Whatsapp, Facecrap, Twitter, Instagram, etc.

We can agree to these being garbage ✊

All that said, am I actively going to ask people to use RCS? Never! The same way I wouldn't ask someone to use iMessage if I had an iPhone. They're both products developed ultimately to push users into their respective ecosystem to the benefit of Google/Apple/Carriers.

I'll stick to Signal and Matrix until something better comes along.

Going from one billionaire's platform to another (Twitter/Musk > Bluesky/Dorsey) is not a smart move. There's a vast segment of the population that learns nothing and keeps making the same mistakes.

Here are a few reasons people believe:

  • Meaning and Purpose: Religion can offer a framework for understanding the universe and our place in it. It can provide answers to big questions about life, death, and morality.

  • Community and Belonging: Religious communities can provide social support, a sense of belonging, and shared values. This can be especially important during difficult times.

  • Comfort and Hope: Religion can offer comfort in times of grief or hardship. It can also provide hope for the afterlife or a better future.

  • Tradition and Identity: Religion can be a core part of a person's cultural heritage or family identity. People may feel a connection to their ancestors or cultural background through their faith.

  • Ethics and Morality: Many religions provide a moral code that guides people's behavior. This can be helpful in making decisions about right and wrong.

I don't believe, but I can see why people stick with it and don't look beyond it. You can get all these things without religion, it's just not something that's taught/passed down in the same way as religion is. Additionally, deconstructing is very difficult. You're raised to believe something to be real and you're expected to just drop it and step out of Plato's cave? You'd look like a madman to any friends/family who aren't willing and ready to step out and look around.

what Ubuntu and Firefox are up to together is kinda what Microsoft went to court over Internet Explorer for in the 90s.

Can you elaborate on the statement? I'm not connecting the dots.

because I'm not a piece of shit and want to see my fellow Americans do better. a rising tide lifts all boats.

What's wrong with Briar? https://briarproject.org/

Censorship-resistant peer-to-peer messaging that bypasses centralized servers. Connect via Bluetooth, Wi-Fi or Tor, with privacy built-in.

I think the reason these apps don't take off is the compromises they make in order to work the way they do. When you do need them, you best hope you're able to get them and get others to use them as well.

I'm sure they'll exercise caution in this endeavor /s

And while they wait for RCS, they can just install Signal. Signal works and is funded by a non-profit who puts in more work to know as little as possible about you than any other company/org out there.

Significantly overblown. Most of the opened github issues were by the same person. Seems someone doesn't like it and is trying to spam the issue and frame it as a bigger deal than it really is.

I've gone back and my main feed is mostly posts about women asking for their "rating", weird af. don't miss it at all with lemmy and all the alternatives available.

CLIs are likely not specifically the target. I suspect the CLI is just the "low hanging fruit" and core set of software that needs to be supported before you build up to fully functional GUI apps.

In a way yes. You're giving Google (via an increased browser market share) the power to decide the direction of the web. Their interests as a corporate organization are not aligned with yours, so they will make decisions to your detriment if they have to.

Not necessarily.

Signal has people who are experts in their field. They engineer solutions that don't exist anywhere else in the market to ensure they have as little information on you as possible while keeping you secure [0]. This in turn means high compensation + benefits. You don't want to be paying your key developers peanuts as that makes them liable to taking bribes from adversaries to "oops" a security vulnerability in the service. In addition, the higher compensation is a great way to mitigate losing talent to private organizations who can afford it.

[0] Signal has engineered the following technologies that all work to ensure your privacy and security:

This link goes straight to the video and skips the website for anyone wanting to avoid it.

https://customer-aw5py76sw8wyqzmh.cloudflarestream.com/2463f6d3e06fa29710a337f5f5389fd8/iframe

I upload any suspicious files to virustotal.com.

"A journey of a thousand miles begins with a single step."

If they're just starting this might be their moment to show off something they're picking up as they go - don't shit on that. And advertise? It's a free/open code. It's a show and tell, let them be proud. Maybe in a few years they'll build the next open source, federated Spotify competitor. For now, let them bask in the glory of making something fun.

what universe would trump help anyone but himself? lmfaooo

I plan on making it available inside my own network, not public. This way if someone makes it past my security, I at least have something that might "catch" them in the act and disable my network so I can intervene. Just another security layer.

I've been hoping this project makes significant progress for the last few years to run GUI apps. unfortunately it's been slow as there's not as much interest in getting Mac apps to run on Linux as there is with WINE. that said, I don't fault them, it's a daunting task and wine has the benefit of three decades of progress under their belt.

browsers can currently report to be anything. which is why Google is trying to stop it.

For women in Texas, a new study says you're getting the short end of the stick. WalletHub ranked Texas among the five worst states for women to live in, with its study released Monday, February 26.

Source: https://www.mysanantonio.com/news/local/article/worst-state-for-women-texas-18690990.php

Texas is the worst state to live and work ... Factors like Texas having the highest number of uninsured residents in the nation, higher violent crime rates, a low number of primary care physicians per capita, a strict abortion ban and laws targeting LGBTQ+ people were what made Texas’ score so low

Source: https://www.kxan.com/news/texas/texas-is-the-worst-state-to-live-and-work-according-to-cnbc-analysis/

... or having episodes missing or original music removed/changed.
