I'm technical and work in security. Since it is trivial, please explain. Ideally not using a strawman like "well just run strings and look for uploadPlaintextChatsToServer()".
(1) made me chuckle. I've worked at nearly every FAANG including Meta. These companies aren't nearly as advanced or competent as you think.
I no longer work at Meta, but in my mind a more likely scenario than (1) is: a senior engineer proposes a 'Decryption at Scale' framework solely to secure their E6 promo, and writes a 40-page Google Doc to farm 'direction' points for PSC. Five PMs repost this on Workplace to celebrate the "alignment" so they can also include it in their PSCs.
The TL and PMs immediately abandon the project after ratings are locked because they already farmed the credit for it. The actual implementation gets assigned to an E4 bootcamp grad who is told by a non-technical EM to pivot 3 months in because it doesn't look like 'measurable impact' in a perf packet. The E4 gets fired to fill the layoff quota and everyone else sails off into the sunset.
The PIN is used when you're too lazy to set an alphanumeric pin or offload the backup to Apple/Google. Now sure, this is most people, but such are the foibles of E2EE - getting E2EE "right" (eg supporting account recovery) requires people to memorize a complex password.
The PIN interface is also an HSM on the backend. The HSM performs the rate limiting. So they'd need a backdoor'd HSM.
That added some context I didn't have yet, thanks. I'm not seeing yet how Meta, if it was a bad actor, wouldn't be able to brute force the PIN of a particular user. If this was a black box user terminal site, fine, but Meta owns the stack here, so it seems plausible that you could inject yourself easily somewhere.
If you choose an alphanumeric pin they can't brute force because of the sheer entropy (and because the key is derived from the alphanumeric PIN itself.)
However, most users can't be bothered to choose such a PIN. In this case they choose a 4 or 6 digit pin.
To mitigate the risk of brute force, the PIN is rate limited by an HSM. The HSM, if it works correctly, should delete the encryption key if too many attempts are used.
Now sure, Meta could insert itself between the client and HSM and MITM to extract the PIN.
But this isn't a Meta specific gap, it's the problem with any E2EE system that doesn't require users to memorize a master password.
I helped design E2EE systems for a big tech company and the unsatisfying answer is that there is no such thing as "user friendly" E2EE. The company can always modify the client, or insert themselves in the key discovery process, etc. There are solutions to this (decentralized app stores and open source protocols, public key servers) but none usable by the average person.
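The PIN and HSM mechanism described in the comments above (a key derived from the PIN, and an HSM that counts failed attempts and destroys the stored key when the limit is hit), modelled as an added example. This is constructed illustration code, not WhatsApp's or Meta's implementation; the KDF, iteration count, attempt limit, sample PIN and all names are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets

# Assumed parameters for illustration only (not a real deployment's values).
PBKDF2_ITERATIONS = 50_000
KEY_LEN = 32


def derive_key(pin: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from a PIN or passphrase with PBKDF2-HMAC-SHA256.
    For a long alphanumeric passphrase this key is the whole secret; for a short
    digit PIN the key space is tiny and only the HSM's rate limit protects it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def pin_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly chosen secret of this alphabet and length."""
    return length * math.log2(alphabet_size)


class SimulatedHsm:
    """Stand-in for the HSM side of the scheme (constructed, not a real HSM API):
    holds a PIN verifier plus the backup secret, counts failed unlock attempts
    and wipes the secret once the limit is reached."""

    def __init__(self, pin: str, secret: bytes, max_attempts: int = 10):
        self.salt = os.urandom(16)
        self._verifier = derive_key(pin, self.salt)   # never store the PIN itself
        self._secret = secret
        self.max_attempts = max_attempts
        self.failures = 0

    def is_wiped(self) -> bool:
        return self._secret is None

    def unlock(self, pin_guess: str):
        """Return the secret on a correct guess, None otherwise.
        A wrong guess advances the counter; hitting the limit destroys the secret."""
        if self._secret is None:
            return None
        candidate = derive_key(pin_guess, self.salt)
        if hmac.compare_digest(candidate, self._verifier):
            self.failures = 0
            return self._secret
        self.failures += 1
        if self.failures >= self.max_attempts:
            self._secret = None   # key material gone; the backup is now unrecoverable
        return None


def online_brute_force(hsm: SimulatedHsm, length: int = 4):
    """Attacker who controls the server but not the HSM: can only submit guesses.
    Returns (secret_or_None, guesses_made)."""
    for n in range(10 ** length):
        guess = f"{n:0{length}d}"
        got = hsm.unlock(guess)
        if got is not None:
            return got, n + 1
        if hsm.is_wiped():
            return None, n + 1
    return None, 10 ** length


def demo():
    """A 4-digit PIN (13.3 bits) survives an online brute force only because the
    HSM wipes the key after max_attempts failures."""
    secret = secrets.token_bytes(KEY_LEN)
    hsm = SimulatedHsm("4821", secret, max_attempts=10)   # assumed sample PIN
    assert hsm.unlock("4821") == secret                    # legitimate user
    result, guesses = online_brute_force(hsm)
    return result, guesses, hsm.is_wiped()


if __name__ == "__main__":
    print(f"4-digit PIN: {pin_entropy_bits(10, 4):.1f} bits, "
          f"6-digit PIN: {pin_entropy_bits(10, 6):.1f} bits, "
          f"12-char alphanumeric: {pin_entropy_bits(62, 12):.1f} bits")
    print(demo())
```

The model makes the comment's two points concrete: the attacker who controls everything except the HSM gets at most `max_attempts` guesses out of 10,000 and then loses the key along with everyone else; an attacker who can read the PIN on its way from client to HSM (the MITM case above) never touches the counter, and no KDF parameter changes that, which is why only a high-entropy passphrase removes the dependence on the HSM behaving honestly.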
That might be a different pin? Messenger requires a pin to be able to access encrypted chat.
Every time you sign in to the web interface or re-sign into the app you enter it. I don't remember an option for an alphanumeric PIN or to offload it to a third party.
it doesn't need to be open source for us to know what it's doing. its properties are well understood by the security community because it's been RE'd.
> a client in control of somebody else might just leak the encryption keys from one end of the chat.
has nothing to do with closed/open source. preventing this requires remote attestation. i don't know of any messaging app out there that really does this, closed or open source.
also, ironically remote attestation is the antithesis of open source.
But you have to keep in mind that this is the same as not being able to get stuff done :) Economies don't exist in a vacuum.
If a US company can buy an EU company out,
* business conditions in the EU are not favorable enough for people to want to grow their business in the EU (they would rather sell to the US);
* there are no EU companies that are competitive enough to counteroffer (meaning the EU has not created an environment to grow competitive businesses).
"Getting stuff done" isn't determined in a vacuum, so unless the EU totally isolates its economy it has to deal with the fact that it needs to actually encourage innovation and business to be competitive and "get stuff done" on the world stage.
The US is isolating itself, that really only leaves China for Europe to worry about on these points.
China is absolutely capable of replacing the US as buyer of all the interesting companies, European nations can absolutely fail this if they forget that.
Having near-death experiences has made me much more scared of death. I realized I do not want eternal nothingness and nonexistence. I like existing, loving, etc.
I do not think death adds any value. It certainly does not motivate me in any way. I don't do things because I will die, I do things because I want to. Most of the time I am not thinking about death at all. When I do, it is only with a sense of sadness/dread.
> Living a short, happy life is much better than being miserable forever
IMO this is a false dichotomy. You could also live an immortal happy life in this scenario.
When people talk of life extension and us eventually achieving immortality, it is always "relative immortality" though. Maybe we develop the technology to regenerate our bodies and we could live for thousands of years. Maybe we can transfer our consciousness and minds into computers and maybe live for quite a bit longer than that.
But the time scale of the universe is unfathomable. Even if we lived for millions of years, it would be a drop in the bucket. And that time would still come to an end and we'd reach that same state of eternal nothingness and nonexistence.
AGI via LLMs: No. The AI will need a natural understanding of the real world (the physics you and I live within) and the ability to self-modify its training (i.e. learn), so we're working on hybrid AI architectures which may include LLMs, but not rely on them. And imho yes, we are solidly on track to AGI <5 yrs 8)
Reading the beginning and end is like eating just the buns off a burger and declaring it bland and tasteless.
Part of the magic of this story is that it can change what you agree with (as it did for me.) Not saying it will do the same for you, but it is a compelling vision; I can't think of other ways to get there without getting unscientific.
I am familiar with NLP and persuasion techniques, and when I started feeling it creep in as I read this story, I started skimming. I have learned that a compelling vision alone does not mean it is correct or even wise.
The analogy is not correct. I know that burger is rich in taste and marvelous. It is also my opinion that it is an illusion, and lacks substance.
There is so much more to the cosmos than science, though I get that this is the current preoccupation of our civilization. Maybe one day, people will expand their consciousness beyond science the way the main character expanded hers to communicate with aliens. Until then, I recognize I am in the minority here on HN with this view.
It isn’t in the content of the story, but in the craft of storywriting itself. The author does not have to know these to make use of the methods identified by NLP. Rhetoric (as a study in and of itself) and persuasion has long been studied and practiced by humanity.
It's pretty obvious what it's doing, honestly. I did skim the entire thing but I don't think you need much more than the beginning and end once you see the point. Which is more or less lampposted by the title.
It's technology propaganda. The protagonist is initially skeptical, but learns to accept the wonders of tech as her life is magically transformed by it.
Quick, someone set up a Kalshi or Polymarket or whatever claiming that WhatsApp isn't E2EE.
I'll gladly bet against the total volume of people that believe it isn't E2EE -- it'll be an easy 2x for you or me.