• /home/pineapplelover@lemm.ee
    ↑ 95 · 6 months ago

    Every time I hear “backdoor”. Shit fucking enrages me. Do you want a “backdoor” for anything secure? You want a little backdoor anybody can walk in through in your state of the art safe?

    If you have a backdoor it ain’t secure anymore. Piece of shit motherfuckers

    • max_dryzen@mander.xyz
      ↑ 2 · 6 months ago

      But it is secure. Secure against you the genpop end user from being able to keep secrets or pursue interests that may not align with the government’s interests

      Look at salt typhoon. The fact that 3P actors can use the exploit/bdoor too only matters to Gov to the extent that those actors can threaten its own interests by using it. Aka fuck the end user

    • ZILtoid1991@lemmy.world
      ↑ 1 · 6 months ago

      It’s only a matter of time until someone reverse engineers it. I wouldn’t be surprised if Windows’ NSA backdoors were already discovered, but were patched out before hitting news. Or maybe someone is keeping it for themselves.

      If you ask me: I think it could be activated via either a magic string from a verified IP address, or a malicious update from Microsoft that just turns on some features. I also think the telemetry services might be part of that.

    • Imgonnatrythis@sh.itjust.works
      ↑ 30 · 6 months ago

      Are you kidding? It’s a wonderful trap still.

      “None are more hopelessly enslaved than those who falsely believe they are free,”

      • turnip@sh.itjust.works
        ↑ 30 · 6 months ago

        Definitely don’t use open source software like Signal to communicate. Use a trillion dollar corporation’s promise of privacy like WhatsApp instead.

        • j0ester@lemmy.world
          ↑ 2 · 6 months ago

          Why? Maybe we’ll be invited to some new war plans. It’s like joining the lottery!

    • rottingleaf@lemmy.world (Banned)
      ↑ 8 · 6 months ago

      People disclose more when they think they are safe. Your typical Windows user from year 2009 with their collection of porn banners and botnet nodes would have their private info safer than a new Linux user of the same time. Because the Linux guy would believe he’s free now.

      I remember those manuals how to run Skype and every proprietary program from a separate user, while every client in X11 can capture the whole display and see all keystrokes. Or every schoolboy using “but I’ll be able to examine the code” in arguments. Or “but the sources are open” on the subject of OS security even by literate people, while how many people have looked at those sources? If just 3-4 times that amount of people look at Windows components’ disassembly with the same effort, they’ll probably have the same effect on security, one can conceal backdoors in source code well enough. There are so many things one can remember, but those were nice times.

      Same with “security” in the Internet. We were using ICQ and everyone knew one can spy on those messages, we were using HTTP and POP and IMAP without encryption and everyone knew one can spy on these too, but we were fine - we adjusted our behavior for that knowledge and used the Web as it should be used.

      And what’s the funniest, this “insecure” Internet was more secure, because people acted on the right premises and formed behaviors that made it secure. When you know something is unprotected and can’t be protected, you are not completely taken by surprise if it’s lost.

      Now teenage girls use centralized services as they would use private diaries, where an unclearly defined group of people can see the content of those. Many of them think it’s safe because that’s called “private messages” and they “didn’t give access” on some webpage of that service, or even just because there’s a lock sign in the browser address line.

      People think they have been given magic that obeys them, magic is different from tech in not requiring understanding to obey. There’s, obviously, no magic, only things fully understood obey their owners, and almost nobody fully understands even door locks.

      So - I think the new important kind of social advertising is teaching people to not trust security. Security is like a war victory, it’s not guaranteed and never certain enough to rely upon it. No system based on implication of functional security must be used.

      We must use only openly unreliable systems.

      That also applies to home appliances (intended) and all kinds of complex devices. When those came with schematics and detailed maintenance manuals, people dreamed of something not requiring these, and as we can see, that something is not better and doesn’t take less effort when breaks.

      Unreliability is freedom, and reliance is slavery. But at the same time unreliable systems are better than no systems. Unreliable systems are the compromise between luddism and degenerate civilization.

      • tal@lemmy.today
        ↑ 10 · 6 months ago

        I remember those manuals how to run Skype and every proprietary program from a separate user, while every client in X11 can capture the whole display and see all keystrokes.

        I don’t know what these manuals said, but you can run an X11 software package in Xnest or Xephyr to functionally sandbox X11. Both of those have been around for a long time. I use firejail, which will use either to isolate software if being used in an X11 environment. That might permit for clipboard snooping, have to check, but avoids the keylogging and display-dumping issues.

        It is true that X11 — not to mention most traditional desktop operating systems – were not really designed to sandbox software packages. Local stuff is trusted. Wayland improves on that a lot. But even so, Linux desktop apps in general still don’t normally run isolated. Steam games are not isolated in 2025, which is something that I’d kind of like to see.

        But I’m more optimistic than I think your comment is, think that things have generally gotten better, not worse.

        Go back a quarter century and nearly all Internet traffic was unencrypted; most is encrypted today. I’d trust Web browsers to reliably sandbox things today more than I did then. We have containers and VMs, which are a big improvement over chroot jails. My software updates are mostly cryptographically-verified. If you want a cryptographic filesystem, it’s not a big deal to set up these days. We don’t have operating systems automatically invoking binaries because they happened to live on something that looks like a CD drive that was connected. We’re using more programming languages that are more-resistant to some common memory management bugs that historically led to a lot of our security problems.

        I agree that it’s important not to falsely believe that security is present when it’s not. But I don’t think that everything is dismal, either.

        • rottingleaf@lemmy.world (Banned)
          ↑ 3 · 6 months ago

          but you can run an X11 software package in Xnest or Xephyr to functionally sandbox X11

          I know (did that with Telegram for some time, until deciding I’ll take the insecurity with working clipboard), but those manuals would only touch upon having a separate user or a chroot.

          That might permit for clipboard snooping, have to check, but avoids the keylogging and display-dumping issues.

          Will read about firejail.

          It is true that X11 — not to mention most traditional desktop operating systems – were not really designed to sandbox software packages. Local stuff is trusted.

          It’s about philosophy - I really like p2p applications built using something like Kademlia, because they are built with the premise that everything is unreliable and that works.

          Also unreliable things don’t create vendor locks. It’s much easier to change from one unreliable thing to another.

          But I’m more optimistic than I think your comment is, think that things have generally gotten better, not worse.

          Yes, I’ll repeat my opinion that things becoming more complex and that being described as needed for them to become more secure - means just that the security theater is better now.

          Go back a quarter century and nearly all Internet traffic was unencrypted; most is encrypted today.

          Encrypted with keys decided using certificates ultimately with some approved CA as root, and the list of those trusted CAs is supplied with software. There have been plenty of cases where a CA has been compromised.

          As protection against some punks peeking upon neighbors it works, but the main threat is not some punks. The post is about E2EE and nation-states.

          I’d trust Web browsers to reliably sandbox things today more than I did then.

          Why do we have hypertext browsers running cross-platform applications? Why can’t we separate these two classes of programs? There are, say, the Gemini protocol for the former and, say, JVM for the latter.

          We have containers and VMs, which are a big improvement over chroot jails. My software updates are mostly cryptographically-verified. If you want a cryptographic filesystem, it’s not a big deal to set up these days.

          I agree about this.

          We don’t have operating systems automatically invoking binaries because they happened to live on something that looks like a CD drive that was connected.

          And this.

          We’re using more programming languages that are more-resistant to some common memory management bugs that historically led to a lot of our security problems.

          Well, yes and no, people had Perl and Tcl as popular ones back then too, ha-ha.

          agree that it’s important not to falsely believe that security is present when it’s not. But I don’t think that everything is dismal, either.

          Not dismal, I don’t mean that. It’s a lot of fantastic achievements, but they won’t work if taken for always present.

          It’s strategically wrong to expect complex unachievable to full extent things to work. People can expect landline to always work (they did at some point at least), but to expect computing to be mostly secure is nuts, and that’s what everyone is doing. Landline phones are one of a very few really reliable technologies, but most of our civilization is not like that.

          • tal@lemmy.today
            ↑ 2 · 6 months ago

            Will read about firejail.

            It’s a single frontend to using a variety of the tools that permit for running software in isolation on a single machine. Like, you can expose only limited parts of the filesystem, have them be read-only, disallow network access, run software under Xephyr or Xnest for X11, disallow sound access, stuff like that. You set up a profile for an application, and it’ll run it with those restrictions. It comes with a very limited set of application profiles made, so it’s not just an “install it with one command and then run everything maximally sandboxed” piece of software – you gotta set up a profile for an application to choose what you want restricted.
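A profile of the kind described in the comment above, as an added example that is not part of the thread. The program name `exampleapp` and its paths are hypothetical; the script only writes the profile unless it is called with `--run`.

```shell
#!/bin/sh
# Added example: generate a firejail profile for a hypothetical X11
# program "exampleapp" and optionally launch it under that profile.

# write_profile PATH: write the profile to PATH.
write_profile() {
    cat > "$1" <<'EOF'
# exampleapp.profile (constructed example; names and paths are hypothetical)

# Filesystem: under the home directory only these two paths are visible,
# and the configuration directory cannot be modified.
whitelist ${HOME}/exampleapp-data
whitelist ${HOME}/.config/exampleapp
read-only ${HOME}/.config/exampleapp
private-tmp

# No network access: the sandbox gets an empty network namespace.
net none

# No sound access.
nosound

# Run on a nested X server (Xephyr) instead of the real display, so the
# program cannot read other clients' keystrokes or capture their windows.
x11 xephyr

# General hardening.
caps.drop all
seccomp
noroot
nonewprivs
EOF
}

# run_sandboxed PROFILE: start the hypothetical program under PROFILE.
run_sandboxed() {
    firejail --profile="$1" exampleapp
}

if [ "${1:-}" = "--run" ]; then
    profile="${TMPDIR:-/tmp}/exampleapp.profile"
    write_profile "$profile" && run_sandboxed "$profile"
fi
```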

  • tal@lemmy.today
    ↑ 37 · 6 months ago

    it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.”

    Mmmhmm. Apparently the Threadiverse is about to become illegal in Florida.

    First, let’s generate a strong public-private GPG keypair for myself and some hypothetical other Threadiverse user, anotheruser@lemmy.today:

    $ gpg --quick-generate-key tal@lemmy.today
    $ gpg --quick-generate-key anotheruser@lemmy.today
    

    And show the tal@lemmy.today public key:

    long keyblock
    $ gpg -a --export tal@lemmy.today
    [ASCII-armored public key block omitted]
    

    And then show an example of someone else importing it, pretending that they’re anotheruser@lemmy.today (though in my case, I’ve already got the tal@lemmy.today public key in my keyring):

    another long keyblock
    $ gpg -a --import <<EOF
    [the same ASCII-armored public key block, omitted]
    EOF
    

    And now let’s pretend we’re anotheruser@lemmy.today and use end-to-end encryption that doesn’t have a back door, using sed to prefix each line with four spaces so that we get nice blockquoted Markdown that we can paste into a Threadiverse comment or direct message to tal@lemmy.today:

    encrypting message with end-to-end encryption
    $ gpg -a -e -u anotheruser@lemmy.today -r tal@lemmy.today <<EOF |sed "s/^/    /"
    Hello there, tal@lemmy.today!  This is anotheruser@lemmy.today.  I just wanted to send you a message.
    * Florida Man cannot read this.
    * Even instance admins cannot read this.
    EOF
        [ASCII-armored PGP message omitted]
    

    And let’s have tal@lemmy.today decrypt it:

    decrypting message
    $ gpg -a -d <<EOF
    [the same ASCII-armored PGP message, omitted]
    EOF
    gpg: encrypted with 3072-bit RSA key, ID 093879D0E97B2564, created 2025-04-12
          "tal@lemmy.today"
    Hello there, tal@lemmy.today!  This is anotheruser@lemmy.today.  I just wanted to send you a message.
    * Florida Man cannot read this.
    * Even instance admins cannot read this.
    

    I guess the only option will be to lock up instance admins for violating Florida law, as they’re operating a social media platform with end-to-end encrypted communications with no backdoor.

    EDIT: It’d also probably be nice to have browser and client support to make this more-convenient, no copy-pasting. I haven’t used it, so I can’t vouch for its functionality, but for users using Firefox, this Firefox extension claims it can automatically detect and decrypt GPG content in a webpage; if it can pick up on encrypted, ASCII-armored blockquoted text in a Threadiverse comment, that would hopefully let one simply read encrypted messages in Lemmy or whatever without any additional copy-pasting effort (though sending an encrypted message would still require copy-pasting some text):

    https://addons.mozilla.org/en-US/firefox/addon/gnupg_decryptor/

    • CosmicTurtle0@lemmy.dbzer0.com
      ↑ 10 · 6 months ago

      Not that I disagree with your point, but Florida law is only relevant within Florida and, to a limited extent, the United States. Admins of US-based instances could likely be subpoenaed and then held in contempt if they refused, assuming they don’t pull a PornHub and just block all of Florida.

      That said, this is very worrying since subpoenas have a MUCH lower threshold of legal bearing than warrants. I suspect that Apple will likely challenge this in court or they stop selling iPhones there.

      • tal@lemmy.today
        ↑ 6 · 6 months ago

        Oh, yeah, my concern isn’t really that Florida is planning to go after instance admins — I’m just being sardonic — so much as to point out that any practical enforceability of this is going to have a lot of issues.

        I mean, do you mandate that Lemmy disallow third party clients? Try to force them to detect and block encrypted messages? What happens if I start dumping big PGP messages steganographically in images and simply send those? What happens if the image I’m sending is just a link to isn’t even uploaded to pict-rs on a Lemmy instance?

        I don’t need to move a whole lot of bits to send messages, and it’s really hard to block people who can send any data at all from having software send data that cannot be read by intermediaries, use the existing social media channel to agree upon out-of-band communications channels that social media operators have no control over, and so forth. Like, okay. Say I am a child-molesting terrorist drug running money launderer or whatever. I know someone who uses Facebook.

        Let’s even say that Facebook does a fantastic job of detecting and blocking any E2E-encrypted communications like PGP messages of the sort I mentioned in the above comment.

        Okay. Now let’s say that there is some other non-social-media system that uses OTR. I use Facebook to send someone my identity on that OTR system, as well as – which doesn’t need to be in any kind of standardized format — the shared secret OTR uses to bootstrap trust between two parties. That shared secret becomes useless after the initial handshake completes. Is Florida going to figure out everything that I’m saying, manage to break into whatever other channel I’m using, and MITM the thing? Probably not, since even if they subpoena Facebook and Facebook gives them that shared secret, it doesn’t let them later MITM the OTR communications.

        That sounds complicated, but from a user standpoint it’s “Let’s talk on <program X>. I’m <user>, and here’s <string>.” The other person fires up their program, pastes string in, and unless Florida have already subpoenaed and MITMed that channel, at that point, the deed is done – out-of-band E2E-encrypted communications are bootstrapped, and Mark Zuckerberg can’t read them or let anyone else read them even if he wants to do so.

      • taco@piefed.social
        ↑ 1 · 6 months ago

        …Florida law is only relevant within Florida and, to a limited extent, the United States.

        And even then only to the extent those with the power to do so choose to enforce it. It might matter if you or I break the law; it will not matter in any meaningful way if Meta does.

    • tal@lemmy.today
      ↑ 4 · 6 months ago

      Actually, on second thought, maybe the automated in-webpage decryption via the plugin thing I stuck at the end is a bad idea if it just inserts the decrypted stuff right into the page (not sure if this is the case). Like, I bet that a malicious or compromised instance could serve up JavaScript in the webpage it provides to read and send the decrypted content from the web page.

      But not a problem for the approach in general, just decrypting-in-place in a webpage. Would benefit from client support in general, though.

      EDIT: Also would be nice to have user profile bios have enough space to actually fit a PGP public key, if that is to be used to distribute PGP public keys (rather than keyservers or something, though one issue with using Lemmy instances to distribute them is that a compromised instance could list bogus pubkeys for users who haven’t yet obtained a local copy of the pubkey for a given user). Presently, it looks like the character limit is extremely short on lemmy.today, which is presumably using the Lemmy default; 300 characters. I’d think that it could at least be boosted to the comment length limit of 10,000 characters.
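One way to guard against the bogus-pubkey risk raised in the comment above is to import a key only when its primary fingerprint matches one obtained over a separate channel. This is an added example, not part of the thread: the function names are hypothetical and the colon listing in `sample_listing` is constructed, not taken from any real key.

```shell
#!/bin/sh
# Added example: import a public key only if its primary-key fingerprint
# matches a fingerprint received out of band (in person, by phone, ...).

# normalize_fpr STRING: strip spaces/colons/tabs and uppercase the rest.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t' | tr '[:lower:]' '[:upper:]'
}

# primary_fpr: read `gpg --with-colons` output on stdin and print the primary
# key fingerprint, i.e. field 10 of the first "fpr" record after "pub".
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# count_primary_keys: number of "pub" records in a colon listing on stdin.
count_primary_keys() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# check_listing EXPECTED: colon listing on stdin. Succeeds only if the input
# holds exactly one primary key and its full fingerprint equals EXPECTED.
check_listing() {
    local expected listing count got
    expected=$(normalize_fpr "$1")
    case "$expected" in
        ''|*[!0-9A-F]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    # Short key IDs are not accepted as proof of identity: require at least
    # the 40 hex digits of a full v4 fingerprint.
    if [ "${#expected}" -lt 40 ]; then
        echo "expected value is a key ID, not a full fingerprint" >&2
        return 2
    fi
    listing=$(cat)
    count=$(printf '%s\n' "$listing" | count_primary_keys)
    if [ "$count" -ne 1 ]; then
        echo "refusing: input holds $count primary keys" >&2
        return 2
    fi
    got=$(printf '%s\n' "$listing" | primary_fpr)
    [ "$got" = "$expected" ]
}

# verify_and_import KEYFILE EXPECTED: list the key without importing it,
# compare fingerprints, and import only on a match.
verify_and_import() {
    gpg --batch --show-keys --with-fingerprint --with-colons "$1" \
        | check_listing "$2" \
        || { echo "fingerprint mismatch, key not imported" >&2; return 1; }
    gpg --batch --import "$1"
}

# Constructed colon listing (one primary key, one subkey) for offline testing.
sample_listing() {
    cat <<'EOF'
pub:-:3072:1:89ABCDEF01234567:1744416000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1744416000::::alice@example.org::::::::::0:
sub:-:3072:1:0000111122223333:1744416000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
EOF
}

# Usage: script KEYFILE EXPECTED_FINGERPRINT
if [ "$#" -eq 2 ]; then
    verify_and_import "$1" "$2"
fi
```

The comparison uses the primary key's fingerprint only, so a matching subkey fingerprint or a 16-digit key ID is rejected.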

  • Uriel238 [all pronouns]@lemmy.blahaj.zone
    ↑ 33 · 6 months ago

    The idea that Florida can “protect” minors by making them less safe is dangerous and dumb.

    I assume this is less about protecting children as protecting the movement from children, as well as facilitating wrongdoing against children by members of the movement.

    As a general rule there are no backdoors that are good guys only. In fact predators, foreign agents and industrial spies will know them sooner than their distribution to law enforcement.

  • shortwavesurfer@lemmy.zip
    ↑ 33 · 6 months ago

    I’m sorry, but if backdoor laws start getting passed, I’m going to just fucking break the law, and they can come and fucking arrest me if they want. But I’m not putting up with that shit.

    • tal@lemmy.today
      ↑ 18 · 6 months ago

      I mean, you aren’t the one breaking the law unless you’re running a social media platform. The obligation is on the operators, not on the users.

  • Fluffy Kitty Cat@slrpnk.net
    ↑ 18 · 6 months ago

    It’s pretty clear that young people are an oppressed class and oppression of them is being used as a wedge to hurt everyone else by extension. We have to fight for the rights of everyone including the young or we’ll lose everything

      • prole@lemmy.blahaj.zone
        ↑ 1 · 6 months ago

        It’s the same movement behind both, so I would say it definitely has to do with Trump.

        It’s not a coincidence that the number of insane state legislation has skyrocketed since January 20th.

  • Kualdir@feddit.nl
    ↑ 10 · 6 months ago

    Is it really becoming time we encrypt the messages we send ourselves? 🫠

  • x00z@lemmy.world
    ↑ 6 · 6 months ago

    Social media apps should not be E2E encrypted, especially under the age of 18. Chat apps on the other hand should be completely E2E encrypted. We need to have a good balance between safety and privacy, and this is the only decent way.

    Stupid people argue for backdoors and stupid people argue for full encryption. It’s the correct balance that’s far more important and will make everybody happy.

    • PlutoniumAcid@lemmy.world
      ↑ 17 · 6 months ago

      Full encryption means privacy. From everyone. For everyone. Please explain to me why that should not be given to minors?

      In my view, protecting children online is not inherently a tech problem. It’s a part of parenting.

        • A Wild Mimic appears!@lemmy.dbzer0.com
          ↑ 3 · 6 months ago

          That’s an education problem, not a privacy issue. Children also deserve privacy, especially when they have awful and potentially abusive parents. Also, we shouldn’t embed the thought that they are being observed 24/7 in our children - that makes only for self-censoring adults.

        • PlutoniumAcid@lemmy.world
          ↑ 2 · 6 months ago

          Stupid, lazy, overworked, underskilled - it must have been easier to raise us who are adults now, pre Internet, than it is to raise our kids today. And I repeat, tech is not the solution.

  • rottingleaf@lemmy.world (Banned)
    ↑ 6 · 6 months ago

    You shouldn’t worry about this. You should laugh more at sovcits, second amendment fanboys, militia enthusiasts, gun nuts, and even (real and not “conservative right liberal using the word cause it’s less common”) libertarians. Because allowing some jerks to decide these things for you is fine, right? We’ll vote for someone better and they’ll make more laws, we don’t need fallbacks and overrides to remove cancerous laws by force.

    I think I like the “fallbacks and overrides” pair, because it complements the “checks and balances” one. Directly opposite, but with the same spirit. Something of Tao Te Ching in it.