Recent comments in /f/technology

HRKing505 t1_j9y306c wrote

> "[...]we want you to invest in technology to get around this [encryption] problem, just for child abuse and sexual exploitation not for anything else"

uh huh....

She then goes on to say "we're not ending encryption in any way". So to phrase it all in another way: "we're not taking away the locks on your doors, all the doors will just use the same key."

18

drawkbox t1_j9y2ig6 wrote

Signal definitely seems the best out of them if you are into using a third party messenger, for now.

I would still trust the OS level messaging on mobile over third parties because of the scale, future funding, incentives and trust. The OS already has access to your info. Other people getting access to your data is probably always easier on third party systems; even if the third party is trustable, not every person or dependency is.

iMessage is secure; if you are going straight SMS, yes, that is more open. I also know what Apple wants and their goals fully, that is a secure platform that isn't just messaging.

The fact is though, every system has holes and security issues, so the best opsec is less third parties, big or small or open or closed...

Just ask Jeff Bezos after he got hacked via WhatsApp temp hole by something sent to him by freaking MBS.

1

carlosvega t1_j9y2aau wrote

Yeah, that I know, but I was wondering if they publish the md5 of the apk or compiled app so that you can test later on or something. Or if it’s possible to check the md5 of the downloaded apps from the store. I am not sure why I am downvoted, I think it is a legitimate question.

Some bad guys could fork the app, add some changes and publish it in third party stores.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/open-source-apps-google-play

Something similar to this: https://www.infosecurity-magazine.com/news/malicious-python-libraries-found/

And I am not the first one asking this question:

https://opensource.stackexchange.com/questions/11098/what-guarantees-that-the-published-app-matches-the-published-open-source-code

Edit: a colleague just shared this with me! https://signal.org/blog/reproducible-android/

3
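The question above (does the store APK match the published source, and can you check a downloaded APK against a published digest) is what reproducible-build checks answer. The following is an added example written for this thread; it is not Signal's own tooling and not from any project mentioned here. It checks an APK two ways: against a published hex digest, and file-by-file against a locally rebuilt APK, ignoring the `META-INF` signing entries that necessarily differ between a developer-signed store APK and an unsigned local rebuild. The APKs, digest and entry names are constructed in-line so the script runs offline; `PUBLISHED_SHA256` is computed from the constructed sample and stands in for the value a project would publish.

```python
"""Added example (not from the thread, not Signal's apkdiff): verify a downloaded
APK against a published digest and against a local reproducible rebuild."""
import hashlib
import hmac
import io
import zipfile

# Signing metadata lives under META-INF and differs between a store-signed APK
# and a local rebuild; everything else should match byte-for-byte if the build
# is reproducible.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the whole file, i.e. what a project publishes next to the APK."""
    return hashlib.new(algo, data).hexdigest()


def digest_matches(data: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Constant-time compare; avoids leaking how many leading bytes agreed."""
    return hmac.compare_digest(file_digest(data, algo), published_hex.lower())


def is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk: bytes) -> dict:
    """Map zip entry name -> sha256 of its uncompressed bytes, signature files excluded."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def apk_diff(store_apk: bytes, rebuilt_apk: bytes) -> dict:
    """Compare a store APK with a local rebuild the way a reproducible-build check does."""
    a, b = entry_digests(store_apk), entry_digests(rebuilt_apk)
    return {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_rebuild": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def reproducible(store_apk: bytes, rebuilt_apk: bytes) -> bool:
    return not any(apk_diff(store_apk, rebuilt_apk).values())


def make_apk(entries: dict) -> bytes:
    """Build a tiny deterministic zip standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zi = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))  # fixed mtime
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, content)
    return buf.getvalue()


# Constructed samples (hypothetical contents, not a real app).
_DEX = b"dex\n035\x00" + b"A" * 64
_MANIFEST = b"<manifest package='org.example.app'/>"
STORE_APK = make_apk({
    "AndroidManifest.xml": _MANIFEST,
    "classes.dex": _DEX,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\x00" * 16,
})
REBUILT_APK = make_apk({"AndroidManifest.xml": _MANIFEST, "classes.dex": _DEX})
TAMPERED_APK = make_apk({
    "AndroidManifest.xml": _MANIFEST,
    "classes.dex": _DEX + b"\x00patched",
    "assets/extra.js": b"// not in the published source",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\xff" * 16,
})
# Stand-in for the digest a project would publish alongside its release.
PUBLISHED_SHA256 = file_digest(STORE_APK)


if __name__ == "__main__":
    print("store APK matches published digest:", digest_matches(STORE_APK, PUBLISHED_SHA256))
    print("tampered APK matches published digest:", digest_matches(TAMPERED_APK, PUBLISHED_SHA256))
    print("store vs local rebuild:", apk_diff(STORE_APK, REBUILT_APK))
    print("store vs tampered fork:", apk_diff(STORE_APK, TAMPERED_APK))
```

The digest check only tells you the file is the one the project published, not that it was built from the published source; the entry-by-entry diff against your own rebuild is what closes that gap, which is why signing metadata is excluded rather than the whole-archive hash being compared. An MD5 works for the first check only in the sense of detecting accidental corruption; use SHA-256 if the value is meant to resist a deliberate substitute.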

KarmaStrikesThrice t1_j9y13vs wrote

But is it the size that is limiting or the performance? ChatGPT is definitely too huge for 1 GPU (even the A100 server GPUs with 80GB of memory), but once you connect enough GPUs to have the space available, I bet you the performance is quite fast. It is similar to the human brain: it takes us days, weeks, years to learn something, but we can then access it in a split second. The fastest supercomputers today have tens of thousands of GPUs, so if ChatGPT can have millions of users running it at the same time, one GPU can have hundreds or thousands of users using it.

1

Bright-Ad-4737 t1_j9y0dvx wrote

This is one of the dumbest responses I have ever read. I'm not even a particular defender of the CBC, but this feels like it was written by someone with absolutely no business background or experience whatsoever.

Forget about first year business analysts at any major bank, interns at local credit unions could provide superior analysis. Hell, you can see better written work in shitty business schools.

I could attempt a response to this, but it's so stupid, it's not worth my time.

5

uwu2420 t1_j9y02jf wrote

Yeah I agree there are always vulnerabilities in software, but the thing is, as far as I know, there aren’t any known bugs that would leak data from Signal so far despite all the security research attention it gets, and plenty of evidence that it’s safe.

Meanwhile, I’ve already explained how it’s trivial to get around the end to end nature of iMessage for a large majority of users.

If you don’t care about your conversation being end to end encrypted, then yes, by all means, use iMessage or even just plain SMS. Much easier. But if you do care, I’m not sure why you’d shoot yourself in the foot with the option known to have a major workaround.

1

gatorling t1_j9xzydz wrote

This…isn’t true. Remote work is an option for most employees. The problem is that a significant number of people are deciding to work from office and then not actually using the desks. So you see entire buildings of empty desks. Google doesn’t want to continue leasing or building new offices just to house empty desks.

7

drawkbox t1_j9xzevz wrote

> If a cloud service is truly end to end encrypted, and designed well, nobody but the end user should be able to access the data.

I agree this is just not the case with so many holes and side channels out there. The cloud is good for securing content from others, oversight will always find a way. Anyone that thinks otherwise is a suka.

> Or if you have access to the files on Apple’s server, then no user auth is required.

User auth still required but yeah you could hack Apple I suppose and get it. Good luck though.

> There are many commercial and open source tools that are able to read the backup file for you. Elcomsoft, iMazing and the Citizen Lab Mobile Verification Toolkit are some examples.

If those apps are getting the user context then sure. If not then no.

Take Elcomsoft for instance with LastPass vs Password managers. That is why you don't install clients or extensions, like LastPass.

Read this closely:

>> Windows Data Protection API Not Used

>> One may argue that extracting passwords stored by the Google Chrome browser is similarly a one-click affair with third-party tools (e.g. Elcomsoft Internet Password Breaker). The difference between Chrome and LastPass password storage is that Chrome makes use of Microsoft’s Data Protection API, while LastPass does not.

>> Google Chrome does, indeed, store user’s passwords. Similar to third-party password managers, the Windows edition of the Chrome browser encrypts passwords when stored. By default, the encrypted database is not protected with a master password; instead, Chrome employs the Data Protection API (DPAPI) introduced way back in Windows 2000. DPAPI uses AES-256 to encrypt the password data. In order to access passwords, one must sign in with the user’s Windows credentials (authenticating with a login and password, PIN code, or Windows Hello). As a result, Google Chrome password storage has the same level of protection as the user’s Windows login.

>> This, effectively, enables someone who knows the user’s login and password or hijacks the current session to access the stored passwords. This is exactly what we implemented in Elcomsoft Internet Password Breaker.

>> However, in order to extract passwords from Web browsers such as Chrome or Microsoft Edge, one must possess the user’s Windows login and password or hijack an authenticated session. Analyzing a ‘cold’ disk image without knowing the user’s password will not provide access to Chrome or Edge cached passwords.

>> This is not the case for the LastPass Chrome extension (the desktop app is seemingly not affected). For the LastPass database, the attacker will not need the user’s Windows login credentials or macOS account password. All that’s actually required is the file containing the encrypted password database, which can be easily obtained from the forensic disk image. Neither Windows credentials nor master password are required.

>> macOS has a built-in secure storage, the so-called keychain. The Mac version of Chrome does not use the native keychain to store the user’s passwords; neither does the iOS version. However, Chrome does store the master password in the corresponding macOS or iOS keychain, effectively providing the same level of protection as the system keychain. Elcomsoft Password Digger can decrypt the macOS keychain provided that the user’s logon credentials (or the separate keychain password) are known.

Elcomsoft mentions the OS level protections on these.

> It wouldn’t be the first time someone’s iCloud account was hacked into.

If someone gets into iCloud they are most likely getting into the device and again, the point of a "secure" messenger or cloud falls apart because they have access to their user. Yes, people should be careful with their user, it opens up everything.

> not even the service provider hosting the cloud service can access your data.

If you believe this then you believe in magic. Even if a provider tried to do this, software has holes... See OpenSSL/Log4j/Log4Shell/on and on and on and on... The fact that you trusted it because they said they don't look, it was probably a lie, but even if it wasn't they can get in.

1

uwu2420 t1_j9xyhri wrote

> I mean pretty much anything in a cloud should be considered secure from everything but law enforcement

Again, nope. If a cloud service is truly end to end encrypted, and designed well, nobody but the end user should be able to access the data. Yes, even if there is a subpoena.

> The point is your still need the user context

Or if you have access to the files on Apple’s server, then no user auth is required.

> These files only work with the OS to access them

Again, no. There are many commercial and open source tools that are able to read the backup file for you. Elcomsoft, iMazing and the Citizen Lab Mobile Verification Toolkit are some examples.

> Most people are worried about hackers

It wouldn’t be the first time someone’s iCloud account was hacked into.

> there is a “ghost” user ability

Show me where in the Signal code there is this functionality. Again, it’s open source, so a honeypot would be quickly found. Also, if you’re worried about state level honeypots, note that retrieving an unencrypted iCloud backup is a lot easier.

> It is only plaintext in the context of the user…

…and anyone with access to the files on Apple’s servers, which aren’t only subpoenas but also hackers, governments that don’t respect human rights, etc. which is the whole point of having end to end encryption, even the service provider themselves should not have the ability to access the data on your account.

Do you not understand the point of end to end encryption? The whole point is that nobody, not even the service provider hosting the cloud service can access your data.

1