• Star@sopuli.xyz (OP) · 93 upvotes · 1 year ago

    The recent advent of governments worldwide trying to force corporations to build backdoors into their services for the ‘safety of children’ or to ‘counter terrorism’ arguably does more harm than good for the common people.

  • stifle867@programming.dev · 46 upvotes · 1 year ago

    It’s the fact that the intelligence agencies have proven themselves to be unable to responsibly use their powers, and instead find every sneaky way possible to infiltrate and spy on their own citizens while preventing nothing. That’s what has pushed the world to say enough is enough and we are going to encrypt everything we can. Now the global powers are crying poor about how they need access to stop terrorism, while being completely unable to point to a single instance where they stopped a terror attack, and contrarily there’s plenty of terror attacks that were never stopped.

  • PLAVAT🧿S@sh.itjust.works · 18 upvotes · 1 year ago (edited)

    Slightly off topic - someone mentioned they don’t use Tutanota for social interactions because the domain is weird and I agree wholeheartedly. Every time I’m on the phone with a support dept. or tell my friends and I spell it out I feel so silly. Not to mention my wife has gotten it wrong several times.

    Love the solution, their support is responsive as well, but yeah…

    • wandermind@sopuli.xyz · 12 upvotes · 1 year ago

      That’s the main reason I didn’t even consider them. “Proton(mail)” just sounds more professional when used in actually important contexts and is easier for people to get right.

      In general, I’ve noticed that a lot of privacy-focused software, particularly FOSS, is really bad at choosing names which make people want to use it. They tend to have names which might appeal to some crypto-nerds, but which make them sound just weird or questionable or niche to the average user. Like (the precursor to) Signal the messaging app used to be called TextSecure. There’s no way I would’ve gotten my parents and siblings to use something called TextSecure. The name just sounds so geeky and niche.

      • SnipingNinja@slrpnk.net · 4 upvotes · 1 year ago

        Tbf Google is also a weird name, Yahoo was also a bit weird even if not entirely, there probably are more examples but it’s not just that the name is not great but also that these things aren’t advertised as well

  • Uriel238 [all pronouns] · 13 upvotes · 1 year ago

    Two details:

    FBI expands rapidly to DHS and then the entire US Police State. If you cross borders, expect ICE and CBP to be up in your body cavities. If the local county sheriff doesn’t like you, or you’re being stalked by an officer (say, an ex), expect them also to have access.

    When you think Hackers think of not only data mining interests like Palantir but also industrial spies. If you have any business interests on your phone subject to an NDA (or you’re motivated not to share because reasons) these guys will sell that information to your competitors, if they weren’t hired by them in the first place.

    If you run more than a mom-and-pop then the default security of your smartphone is not enough. But a lot of sizeable companies supply their officers with unprotected phones.

      • Uriel238 [all pronouns] · 3 upvotes · 1 year ago

        They did this before with the elliptic curve cryptography, and we knew it had this problem before it was implemented as a standard.

        So if the NSA offers a standard, don’t trust it and include in your encryption software the option to use something different.

          • Uriel238 [all pronouns] · 1 upvote · 1 year ago (edited)

            It was a big deal in the early 2010s so easy to web search. Techdirt had a lot of posts on it, so you might be able to search them for key words like elliptic, encryption, NSA, NIST, etc.

            Also at the same time, NSA was wooing penetration testers to sell them zero-day vulnerabilities rather than reporting them to appropriate public forums or software developers. Around this time large companies liked to sue white-hats for CFAA violations rather than paying the bounties for discovered vulnerabilities, deflecting said hats towards gray- and black-hat activities. Some would sell these vulnerabilities to other non-NSA interests, leading to ransomware epidemics and other fun hacker shenanigans.

            It’s a good time to be a hacker without scruples, especially since the NSA is continuing its surveillance efforts rather than securing communications of the free world. (The latter is – was? – the mission of the NSA in the 20th century.)

  • Arthur Besse@lemmy.ml · 4 upvotes · 1 year ago

    This article makes some good points generally, but it is ultimately marketing for a commercial snakeoil service which has a gigantic backdoor in its very threat model: when a Tutanota user sends an “end to end encrypted email” to a non-Tutanota user, what actually happens is that they receive a link to a web page which they type the encryption key into.

    Even if the JavaScript on that page is open source and audited, it is not possible (even for sophisticated users) to verify that the server is actually sending the correct JavaScript each time that a user accesses it. So, the server can easily target specific users and circumvent their encryption. The same applies to Tutanota users emailing each other when one of them is using the webmail interface.

    This effectively reduces the security of their e2ee to “it works as long as the server remains honest”. But, if you fully trust the server to always do what it says it will, why bother with e2ee at all? They may as well just promise not to read your email.

    I am removing this from !privacy@lemmy.ml with the reason “advertising for snakeoil”. (If you’re reading this on another instance and the post isn’t deleted, ask your instance admins to upgrade… outdated versions of lemmy had a bug which prevents some moderation actions from federating.)
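
As an added, defender-side illustration of the point made in the comment above (example code written for this page, not Tutanota's code or anyone else's): a small verifier that compares the JavaScript one fetch actually returned against hashes pinned out of band, e.g. computed from the audited source tree. The HTML, the script bodies and the pinned hashes are constructed stand-ins. It shows why an `integrity` attribute in the server's own HTML proves nothing on its own (the same server chooses both the script and the hash), while an out-of-band pin does catch a per-user swap, and only for the fetch that was actually checked.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script src=...> tags (with any integrity attribute) and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # list of (src, integrity-or-None)
        self.inline_scripts = 0
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline_scripts += 1


def sri_sha384(body: bytes) -> str:
    """Subresource Integrity string (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def verify_served_page(html: str, served: dict, pinned: dict) -> dict:
    """Compare what one fetch returned against hashes pinned out of band.

    html   : the HTML document the server returned for this fetch
    served : {script src: bytes} the bodies the server returned for each script URL
    pinned : {script src: sri string} reference hashes taken from the audited
             source tree (or an earlier trusted fetch), never from this server
    """
    c = ScriptCollector()
    c.feed(html)
    findings = {
        "inline_scripts": c.inline_scripts,   # inline code cannot be pinned by hash at all
        "missing_integrity": [],              # server did not even claim a hash
        "self_inconsistent": [],              # served body != hash in the server's own HTML
        "unpinned": [],                       # no out-of-band reference to compare against
        "pin_mismatch": [],                   # served body != audited reference (the real signal)
    }
    for src, integrity in c.external:
        actual = sri_sha384(served.get(src, b""))
        if integrity is None:
            findings["missing_integrity"].append(src)
        elif integrity != actual:
            findings["self_inconsistent"].append(src)
        if src not in pinned:
            findings["unpinned"].append(src)
        elif pinned[src] != actual:
            findings["pin_mismatch"].append(src)
    findings["ok"] = findings["inline_scripts"] == 0 and not any(
        findings[k] for k in ("missing_integrity", "self_inconsistent", "unpinned", "pin_mismatch"))
    return findings


# --- constructed sample data: stand-ins, not any real product's files ---
AUDITED_APP = b"/* constructed: audited client bundle */\nconsole.log('client');\n"
AUDITED_CRYPTO = b"/* constructed: audited crypto bundle */\nconsole.log('crypto');\n"
ALTERED_APP = AUDITED_APP + b"console.log('one extra line served to one user');\n"

# Reference hashes, assumed here to have been computed from the audited source tree.
PINNED = {"/app.js": sri_sha384(AUDITED_APP), "/crypto.js": sri_sha384(AUDITED_CRYPTO)}


def page_html(app_body: bytes, crypto_body: bytes) -> str:
    """HTML as the server would emit it; note the server also picks the integrity values."""
    return ('<html><head>'
            f'<script src="/app.js" integrity="{sri_sha384(app_body)}"></script>'
            f'<script src="/crypto.js" integrity="{sri_sha384(crypto_body)}"></script>'
            '</head><body></body></html>')


def honest_fetch() -> dict:
    """Server returns the audited bundles: everything lines up."""
    return verify_served_page(page_html(AUDITED_APP, AUDITED_CRYPTO),
                              {"/app.js": AUDITED_APP, "/crypto.js": AUDITED_CRYPTO}, PINNED)


def targeted_fetch() -> dict:
    """Server returns an altered app.js to this client together with a matching integrity
    attribute, so the page is self-consistent; only the out-of-band pin reveals the swap."""
    return verify_served_page(page_html(ALTERED_APP, AUDITED_CRYPTO),
                              {"/app.js": ALTERED_APP, "/crypto.js": AUDITED_CRYPTO}, PINNED)


if __name__ == "__main__":
    print("honest  :", honest_fetch())
    print("targeted:", targeted_fetch())
```

Running it prints the findings for both fetches: the targeted page passes its own integrity attributes yet `/app.js` lands in `pin_mismatch`. The comment's objection still stands: an ordinary web client carries no such pin, the check covers only the fetches you hashed, and inline scripts cannot be pinned this way at all.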

  • Pantherina@feddit.de · 1 upvote · 1 year ago

    Uhm question, how is Tutanota E2EE? Other than making PGP setup easier. Afaik they just use a different protocol for client-server

    • sir_reginald@lemmy.world · 7 upvotes · 1 year ago

      it is a shitty E2EE implementation in JS incompatible with the email standard OpenPGP.

      but I like that they wrote this post, even if it is for marketing purposes, because Tutanota is based in the EU and hopefully the EU Parliament will listen if enough people tell them.

  • slug@lemmy.world · 1 upvote · 1 year ago

    i’m genuinely curious about some alternatives to this sort of surveillance to solve issues like CSAM etc., which aren’t “it’s the parents’ responsibility”. section 230 reform? links to further reading appreciated.