
Also https://fakenous.net/ looks like someone's installing a new WordPress. I've seen this situation before and was able to literally install WordPress on someone's server.


Yes, was coming here to comment. Went to root directory and was able to access WordPress installation.


It's still there. All I can say is that we're a nice bunch, as none of us have done anything with it (yet).


Onionland people had plenty of warning though. My old v2 Onion bookmarks are all discarded. The new v3 addresses are a good indicator of which .onion operators are serious and want to stay online no matter what.


I consider myself pretty active on Tor. I've hosted a number of services for a decade. While I heard about the new Tor v3 services a long time ago, I didn't hear about Tor v2 support being completely removed until April 2021. It was quite a shock.


I don't have issues with AI being used by benevolent people for benevolent purposes. It's when this stuff falls into the wrong hands that it bothers me.

This is the only reason AI hasn't exploded yet (we know we're playing with fire with AI). It's called our 'final invention' for a reason.


> I'd also really like to see Apple come clean about the iCloud backup encryption debacle

Are you referring to this article?:

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

It's why I only use my Apple ID for grabbing apps from the app store. I have disabled all the `cloud storage` features of iCloud. iCloud is a privacy nightmare.


Yep, exactly that.

I utterly agree that other direct-to-consumer options are in the same boat - but Apple is quite heavy-handed in its messaging about, well, messaging being encrypted and private and no-one (including Apple) being able to read your messages. That's only true if you don't back up to iCloud.

I would expect most people on HN to be aware of all of this of course but when you're so strongly selling your privacy protections as part of your brand, it's a pretty glaring window to leave wide open.


By that logic though, Google Drive, OneDrive, Amazon S3, they are all privacy nightmares. And you might agree, but Apple is hardly alone.

And like the article says, they didn’t want to poke the bear anymore. Of course the FBI has congressional friends. It is possible that Apple saw the risk of it backfiring and making things worse as too great.


Google does end-to-end encryption of Android backups. And Apple knows how to do it too, but they intentionally restricted their implementation to only cover backups of Keychain passwords and a few other things, apparently because they don't have the courage to stand up to the FBI, according to Reuters. Strange considering their public stance against the FBI in the San Bernardino case and on privacy issues in general. Especially since iCloud backup totally defeats the highly touted end-to-end encryption in iMessage.


Yes, backups, and Apple should get on that. However, your photos in Google Photos, your location data, your uploads in Google Drive (equivalent to the iCloud Drive OP is talking about) are not end-to-end encrypted, and there is no option for it.

I think market share is another sign. Does anyone use actual Android Backup, or do they use the unencrypted “backups” in G Photos and elsewhere? For that reason should the FBI care? Maybe I’m wrong but I believe actual Android Backup is much less used than iCloud and confusingly named alternative “backups” within Google apps.


Let's be really frank about it - no large company is going to offer end-to-end encryption of photos because of what kind of photos might end up on their infrastructure if they do. And honestly I don't blame them at all.

I'd just like to see Apple be more transparent with this one particular issue because it undermines so much of what they're advertising to the consumer.

A transparency label for iCloud backup showing what is and is not E2E before enabling would do. Most people (myself included) would be quite happy with photos being encrypted by an Apple-held key (I'm not worried about the police seeing my boring lunch pics, I just don't want photos of my kids being readily accessible to everyone else).

It should be made clear, if they're offering E2E for some features, that other settings will render it pointless, is all I'm saying.


Are you really arguing that because child pornography exists, no large company should offer ETE photos?

Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

And that photos present some of the most sensitive materials on your device:

- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

- people's consensual sex tapes

- photos of passwords, account recovery codes, private keys, seed words


In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?

Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.


Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).

So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.

The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.

Some politicians demand it, but I thought at least amongst tech, there's the recognition that strong, *unbreakable* encryption is important.

There's an implicit obligation to build services and technology that is resistant to abuse, but that isn't an argument to not implement ETE.


Thanks for the "how" - I guess if you fully control the client and server, there are some extra checks you could implement client-side based on the cryptographic root of trust.

FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.

In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.


> Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.


So because there are pedophiles, we should build backdoors in all cloud image hosting services?

Should we build backdoors in AES because there are terrorists in the world?


> So because there are pedophiles, we should build backdoors in all cloud image hosting services?

That’s not what I’m saying and I can’t possibly imagine how you could infer that in good faith.


I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.

I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.

To the arguments above: Any processing server side implies no real E2E. Any processing client side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.


Absolutely every large company hosts an incredible amount of child pornography and abuse material.

Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.

Crime always exists. We shouldn't build a techno-totalitarian surveillance state just because crime exists.

"It is better that ten guilty persons escape than that one innocent suffer".

Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".


> geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

Geo-IP is the process of taking an IP address and attributing a location to that IP address.

I think you meant GPS location?


I don't understand this line of reasoning. Why should photo libraries not be end-to-end encrypted?

Are you suggesting that Apple or the government should be able to search your personal photo library stored in the cloud at any time because maybe you might have child porn in there?

I understand that companies need to scan groups and social features that are used for trafficking underage porn. But do we really need to snoop into the private libraries of innocent people just because they might have illegal material?

Having access to millions of people's photos is such a huge privacy risk that I can't think giving it up is worthwhile to make it slightly easier to catch a handful of criminals.


Any large company can offer E2E encryption, as long as they don't have extenuating interests that could make them liable for the way I use their services. Unless Apple is harvesting my data on the regular, they should have no problem with me being the sole keyholder for my iCloud account.


I think Apple would need to ship a different OS in China.

Cloud services offered there must store data in the country and be operated by Chinese companies. (Apple is complying with this)

But Chinese companies HAVE TO assist the authorities in obtaining systematic access to private sector data. (This is not possible with E2E for backups and photos)


Apple already does this. All Chinese iCloud data is stored in a mainland datacenter, completely owned and operated by their government. Similar setups exist in Russia and France, where Apple kowtows to local governments at any cost to turn a buck in their hometown.


Apple (and every large company in the world) already ship different features to different regions.


Look at the Reuters article they linked. iCloud backup is the issue. Usage of iCloud backup and Android backup are probably very similar (in percentage terms); why would you expect that Android backup is used less? They are pretty much equivalent features, except that one is end-to-end encrypted and the other is not. In both cases, photos are handled separately.


There are encryption options, just not with the software provided by the storage providers.


iCloud E2E would be great, even if they offer it at double their current Storage price.

But I would be happy with iOS Time Capsule. Or even sell E2E Backup solution only with an iOS Time Capsule. Great way to increase their Services Revenue.


There's also another obscure and less well known messaging app called CWTCH https://cwtch.im/ It's still in development though...


> this is a very long and weird sentence

Looks programmatically generated. The whole account is the same style of incoherent nonsense. Probably powered by https://en.wikipedia.org/wiki/GPT-3

There are a few other accounts I've seen here on HN that just spout random incoherent nonsense text, presumably to accumulate karma so they can power their sockpuppet ring and upvote any story they wish to the frontpage of HN.


Never attribute to GPT-3 that which can be easily explained by mental illness.

Seriously though, that sentence contains a lot of relevant context and understanding that would rival LaMDA. :)


Mental illness, intense boredom, weird autistic sense of humor, or being absolutely serious at being a network fuzzing troll farm. It's not fair to put such a fine point on it really.


What? What are you, a tinfoil hat prepper? You too speak like a machine, it's scary. What's a sockpuppet ring :D


> It could be Equifax levels of problematic if there would be a intrusion

I'm sure they're not as lax as Equifax. I would hope that Stripe compartmentalizes all these documents so that a compromise of one database is not a compromise of the whole database. That's basic data storage hygiene in the information age. `Don't put all your eggs in one basket`, as the saying goes.


I think the Estonian e-Card scheme is the right one despite hiccups in its implementation and ID verification should be the domain and responsibility of governments. Each ID card has an embedded private key-public key pair and you can sign to reveal your identity without having to resort to giving away anything else about yourself. There is already a zero-risk way for customers to verify themselves, so giant ID databases are a step backwards.


Many other countries in Europe can do it as well.

    The electronic identity cards of Austria, Belgium, Estonia, Finland, Germany, Italy, Liechtenstein, Lithuania, Portugal and Spain all have a digital signature application which, upon activation, enables the bearer to authenticate the card using their confidential PIN. Consequently they can, at least theoretically, authenticate documents to satisfy any third party that the document's not been altered after being digitally signed. This application uses a registered certificate in conjunction with public/private key pairs so these enhanced cards do not necessarily have to participate in online transactions.
[0] https://en.wikipedia.org/wiki/National_identity_cards_in_the...


Germany has an electronic ID card that can be used to certify identity, or only age, or only uniqueness, for a few pennies per auth. There's an app that lets you use your Android phone as a scanner, paired over wifi.

Yet I've never seen any company use it. Everyone uses slower, more expensive private services that don't ask any questions about what you're going to do with the data they collect.


> I'm sure they're not as lax as Equifax

I am too, but that's not an endorsement. And more pertinently, that is nowhere nearly enough.

Every database of value tends towards uncontrollable sharing over time. The more available and more valuable it is, the harder it is to fight that trend.

The best thing for humanity is to stop making high-value data hoards like this. Unfortunately, the interests of smaller groupings are the reverse.


I don't take downvotes personally. I've learned to accept them as meaningless gestures that make people feel powerful and in control, when in fact no-one is really in control here. We're all acting :)


I never hallucinated after trying shrooms, even at high doses. I found this odd, since I have read about countless people saying they saw stuff that wasn't there or saw colorful fractal geometry.

So my conclusion is that shrooms simply increased my perception and allowed in more information, and that all this fractal geometry is already there, just waiting to be discovered.

It's just like tuning into a higher frequency. It's not fake or generated by the brain, simply observed for what it is.


I think it really depends on the type of lsd/shroom.

Myself and some friends recently came into a new batch of acid. I don't usually have major visuals but with this batch I really do, and so does everyone else who takes it. Eyes open and the whole room has turned into a beautiful shifting geometric fractal pattern. When I closed my eyes it was even more intense, incredibly colorful, beautiful, sexual, shifting fractal geometries. It really felt like I had stepped into one of those AI art generators except far more coherent and personally meaningful.

Also I had the opportunity to try DMT a few months ago and that really did take me to another reality (not literally of course). Incredible, beautiful multi-sensory experience that I won't try to explain here, however the visual and auditory components were extremely intense.


I don’t think either LSD or shrooms causes hallucinations (like seeing a creature that isn’t there.) Mushrooms make me feel strange and see a bit blurry, but it’s mostly an internal thing and makes my mind wander. LSD is a bit more intense, visually, like colors become more vibrant and my mind creates detail in even the simplest of items (peeing in the toilet damn near gives me a panic attack.) I’ve only ever heard of people seeing things in movies, other than maybe sitting in the dark and seeing “demons”, but my mind does that already by trying to give forms to the visual noise of darkness; again, just not as intense.


Typically “movie” hallucinations like seeing elephants in the room or having strange people visit you or seeing bugs all over you are more typical of deliriants like diphenhydramine or datura, although high dose tryptamines can be so strong that there is no connection to the reality around you - overwhelmingly psychedelic. In that state hallucinations of a different type are possible (talking to entities, being somewhere else entirely, etc.) Movies are a very bad representation of psychedelics generally, though.


Maybe a stupid question but did you close your eyes?

I think you need a really high dose to see more than a bit of distortion when you have your eyes open. But with your eyes closed, your mind can run wild, making colorful visuals much more likely; in fact, you may not even need drugs for that.

Seeing things that aren't there, true hallucinations, don't happen often with psychedelics, and they are mostly caused by deliriants (ex: datura), or body reactions like fever. These are not fun, and deliriants are not controlled substances for that reason, being classified as poisons instead. Psychedelics cause pseudohallucinations, meaning they alter your perception but you are aware that what you are seeing is not real.


You also have to have a rebellious and slightly sly streak in you. This helps if you're going to do social engineering. You may have to learn to be more charismatic or learn superficial charm[0] and be able to play people's emotions.

Another thing: some people just fall into blackhat/whitehat/greyhat hacking naturally after learning that Everything is Broken[1].

[0] https://en.wikipedia.org/wiki/Superficial_charm

[1] https://medium.com/message/everything-is-broken-81e5f33a24e1

> Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can’t tell you who he is because he doesn’t want to go to Federal prison, which is what could have happened if he’d told anyone that could do anything about the bug he’d found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn’t extraordinary at all. Spend much time in the hacker and security scene, you’ll hear stories like this and worse.

