
I kind of get that, but what do you do about something that isn't quite fully baked, yet has utility which others might need right here and now? I think of that emoji steganography thing I posted about the other day. I was exposed to that through someone posting it in a message thread for bitcoiners who might have an imminent use for it. A handful of folks seemed to dismiss it as too basic. Ironically, the thing I found most impressive about the tool was how simple it was while still working. I wasn't actually familiar with unicode (which you mentioned) as the protocol for typed letters and kind of think I understand how it's done now. But my point is, even if there are more sophisticated ways to stick it to a border guard, isn't it helpful to share a little something to have in one's back pocket, even if not the maximally ideal tool?

The idea on a napkin trope only exists because there is a space in which the napkin schematic is the most useful. I can tell you that I'm going to make a ten foot ladder up to the top of that tree. That's abstract, and you can't imagine how it could be done given that third branch sticking out on the left. Conversely, I could just build the whole friggin' ladder, but then you can't help me build it or fund it or give any helpful criticism about the awkward first rung, because the whole thing is done. But on a napkin, I can show you what I can't through words alone without the investment of the whole construction. It seems that one of the helpful things about the agentic age is that our space for writing on napkins is now four dimensional and high fidelity.

Maybe that emoji app isn't the type of thing you're referring to though? The developer wasn't selling a product in that environment, but there certainly are a number of us spreading the word about it. When you say productize, do you mean commercially, or would you put sharing/proselytizing in that category? I could potentially be hearing some of these arguments in a different light than they're intended. Bullshittery certainly sucks (and sucked for a good number of years before AI hit the scene), but I wonder if undeveloped babies with some merit are getting thrown out with the "3 prompts and a $20 Claude bill" bathwater.

PS - On the last update of https://www.bitcoinisforcriminals.com, I changed the "get involved" link because of your legit (albeit snarky) critique on my napkin. 😀󠅅󠅞󠅔󠅕󠅢󠅣󠅤󠅑󠅞󠅔󠅙󠅞󠅗󠄐󠅅󠅞󠅙󠅓󠅟󠅔󠅕󠄐󠄝󠄐󠄳󠅘󠅕󠅓󠅛󠄐󠅔󠅟󠅞󠅕󠄑 🙏

legit (albeit snarky) critique

I'm an a-hole, so unless you mute me it won't be the last time.

emoji thing [..] bitcoiners who might have an imminent use for it.

We all have imminent use for fun, this is why slop-games and fun things like that are out of scope. But if anyone is using this and thinking that they are protected from anything but maybe their spouse, for a while, they're going to be in a world of pain when the FO phase shakes its tail. There is absolutely no use for it except maybe a fun secret way of messaging with your mistress while you're cheating on your wife and pray you never get found out.

isn't it helpful to share a little something to have in one's back pocket, even if not the maximally ideal tool?

Did you inspect the deployed code for fetch and XMLHttpRequest injection on the site you linked? Trackers? What if it just logs every IP address and every message (and if they're lucky, Advertising ID that no one even in 2026 understands they need to disable, and location, and whatever else can be sold)... this is not production software, especially not security software.

Bottom line it's just a fun gimmick, so it gets a pass. But the moment anyone actively encourages anyone to use it as a security tool, it's the most harmful bullshit that can be done; the person doing the encouragement will be either a spook or a retard.

I wonder if undeveloped babies with some merit are getting thrown out

Undeveloped babies aren't products. Developed, maintained, well spec'd and properly executed babies could be products. And if you want to offer something to someone you don't know, you need a product, not some crap you don't even understand yourself. This is because (a) the human with the idea and a coding LLM has no added value: anyone can copy your idea and I bet that there are people out there that can productize the idea better than you or I, and (b) if you don't have any experience in what to ask for, how do you know that you actually have a good product in the first place? Or will the "clients" that use our faked-until-made (where made is likely to be never, because all of it is vapor) "products" have to find out about what we got wrong and suffer the consequences of our incompetence? What an awful waste of time, for everyone.

Of course, if you just need validation of an idea - feedback on a proof of concept - you can do it, but I think that you'd need to be really clear that that is what you're doing. To this end, I love your fedi group idea. Great move! Don't market anything that isn't a product, though. And if you don't know how to make a product but you wanna, learn it. Intern with the best, and learn from them.

It's maybe also worth noting that the opposite of undeveloped ideas being dismissed is happening instead: former at least reasonably productized apps are being slopped to death, because the author found out that they "don't have to code anymore" and pass 3 prompts and woop new feature. Except you introduced 50 vulns with your new feature, and while no one that reviews your code is going to use it, everyone that doesn't read your code (nearly everyone) is now vulnerable: the net contribution is now negative. And it's only because of some dumbass feature that probably no one uses, but it was cool to see Claude code it up.

This happens in the wild all the time, especially the past couple of months, and the only reason that I know is because I review the code of the apps I use, and I stop using apps (or fork, revert & patch) when they seriously mess up. This is not a hypothetical.

reply
256 sats \ 1 reply \ @jasonb 15 May
I'm an a-hole, so unless you mute me it won't be the last time.

Duly noted.[1]

But the moment anyone actively encourages anyone to use it as a security tool, it's the most harmful bullshit that can be done; the person doing the encouragement will be either a spook or a retard.

But what about a potential urgent moment? This kind of stuff is always on a couple of continuums. How safe is the tool and how desperate the situation. For example, I shared my surveillance routing app attempt with an openstreetmap telegram group and another optimistic type character mentioned that it's kind of pointless because there's no way for the user to know what I might be recording.[2] But at the end of the day, if somebody uses it in a moment of desperation, is the abusive boyfriend or the crooked cop going to always be smart enough to know that, get ahold of me, and head them off at the pass, all before they actually travel? Well maybe, but they're also screwed if they don't use it and just get followed from camera to camera.[3]

If I remember correctly, @DarthCoin goes through airports regularly with a variety of steganography in his possession. If I understand him correctly, he doesn't get caught, not because the means are sophisticated, but because the bad guys just don't know where to look. So basically I agree with you, with the caveats that when someone's in a desperate situation, there can be potentially bad solutions that are better than their current predicament, and second, that not every TSA agent is a genius level super hacker.

Undeveloped babies aren't products.

Agreed. I agree with every claim in the original post here. I was just worried about overextending the idea.

I love your fedi group idea.

Please join! I won't censor snarky feedback.

(or fork, revert & patch)

Hell yeah!

  1. note to self: never ever mute @optimism ↩

  2. I'm always quick to note that my stuff (so far) is pretty experimental, so maybe it also still gets a pass in your book. I certainly agree that if somebody's selling something, it better be able to verify that it does exactly what it claims. ↩

  3. Also, in the event that this ever does happen, let the record reflect that I'm a retard, not a spook. ...although I suppose that's what a spook might say. ↩

reply
But what about a potential urgent moment?

Then it's still a charade and does not offer security. If you have time to go to this website and encode an emoji, you also have time to encrypt it with AES. If you then want to obscure the ciphertext by encoding it as dummy data inside an emoji, then that's cool, but just the encoding itself offers no protection, just adds one more roll of the dice that maybe if your adversary is incompetent, you will get away with it. That's gambling, not security.

And you don't want to position gambling as security. It is 100% the same bullshit as telling someone that the surefire way to get rich is to buy your shitcoin. The danger isn't towards those that actually have some knowledge, it is towards the masses. And that makes it predatory.

Better, if you have no experience with implementing, hardening and breaking security processes, to simply not advertise/LARP about security properties of something.

There's no way for the user to know what I might be recording.

Exactly, so now you heard it from 2 people. Which is why a URL to a webapp is generally the wrong thing to share in privacy/security space. The only people that will use it for real are those that have no idea how vulnerable it makes them.

What you want instead is a URL pointing to source code that is mature enough to get reviewed. If you want to demo it, make a screen recording. I understand that in reality that is something that's rather hard to deliver if you've never done it before. It's hard for me and I published my first FOSS code almost 30 years ago, back in 1996, and nowadays maintain multiple codebases with very high security requirements. I would need to spend some real time before I ask for external review, to not waste people's time.

if somebody uses it in a moment of desperation

In times of crisis, making good decisions is a game changer. Making poor decisions and getting lucky is not. If I had to put something in someone's head to remember in a moment of desperation and I had to choose between that url or the openssl enc syntax, I'd 200% go for the latter and hope that in their stress they will never remember about deadspace in emoji encoding. It simply is a bad correlation to make in your head.

not every TSA agent is a genius level super hacker.

They (supposedly) work for an institution that has processes. If you're a real suspect, your phone will get imaged, period. If the agent forgets to follow SOP and you, prime suspect, walk out of there without that, then they are incompetent and should look for another job. Sure, it is very possible that this happens, but it is a gamble.

If you're an honest, hard working human with a good heart, please, don't gamble with yourself like that. You're too precious and rare to put yourself at risk.

reply
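
Added example (not part of the thread, and not the emoji tool's own code): a Python scanner illustrating the point in the reply above that the encoding by itself offers no protection, because anyone who scans for variation selectors recovers the bytes directly. It assumes the tool uses the widely published variation-selector mapping (U+FE00 to U+FE0F for bytes 0 to 15, U+E0100 to U+E01EF for bytes 16 to 255); the function names and sample strings are constructed for illustration.

```python
# Assumed mapping: VS1-16 (U+FE00..FE0F) carry bytes 0..15,
# VS17-256 (U+E0100..E01EF) carry bytes 16..255.

def selector_to_byte(ch):
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None  # not a variation selector

def hide(carrier, payload):
    """Build constructed test input: carrier followed by one selector per byte."""
    return carrier + "".join(
        chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in payload)

def find_hidden_runs(text, min_len=2):
    """Return (carrier_index, payload_bytes) for each run of selectors.
    min_len=2 skips the single U+FE0F that legitimately follows many emoji."""
    runs, current, start = [], bytearray(), 0
    for i, ch in enumerate(text + "\0"):      # sentinel flushes a trailing run
        b = selector_to_byte(ch)
        if b is not None:
            if not current:
                start = max(i - 1, 0)         # code point the run is attached to
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append((start, bytes(current)))
        current = bytearray()
    return runs

def classify(payload):
    """'readable' if the bytes are printable UTF-8, else 'opaque'."""
    try:
        return "readable" if payload.decode("utf-8").isprintable() else "opaque"
    except UnicodeDecodeError:
        return "opaque"

# Constructed samples: a plaintext payload, and fixed bytes standing in for
# ciphertext (what would be embedded if the message were encrypted first).
PLAIN = hide("\U0001F600", b"meet at gate 4")
OPAQUE = hide("\U0001F64F", bytes.fromhex("9f3ce107b2d4885a11f0c36e"))
MESSAGE = f"Thanks! {PLAIN} see you {OPAQUE} \u2764\ufe0f"

if __name__ == "__main__":
    for index, payload in find_hidden_runs(MESSAGE):
        print(index, len(payload), classify(payload), payload)
```

The plaintext payload comes back verbatim, while the stand-in ciphertext is still detected but yields only opaque bytes: the selectors hide nothing from a scanner, and any confidentiality has to come from encryption applied before encoding.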