But what about a potential urgent moment?
Then it's still a charade and does not offer security. If you have time to go to this website and encode an emoji, you also have time to encrypt it with AES. If you then want to obscure the ciphertext by encoding it as dummy data inside an emoji, then that's cool, but just the encoding itself offers no protection, just adds one more roll of the dice that maybe if your adversary is incompetent, you will get away with it. That's gambling, not security.
And you don't want to position gambling as security. It is 100% the same bullshit as telling someone that the surefire way to get rich is to buy your shitcoin. The danger isn't towards those that actually have some knowledge, it is towards the masses. And that makes it predatory.
Better, if you have no experience with implementing, hardening and breaking security processes, to simply not advertise/LARP about security properties of something.
There's no way for the user to know what I might be recording.
Exactly, so now you heard it from 2 people. Which is why a URL to a webapp is generally the wrong thing to share in privacy/security space. The only people that will use it for real are those that have no idea how vulnerable it makes them.
What you want instead is a URL pointing to source code that is mature enough to get reviewed. If you want to demo it, make a screen recording. I understand that in reality that is something that's rather hard to deliver if you've never done it before. It's hard for me and I published my first FOSS code almost 30 years ago, back in 1996, and nowadays maintain multiple codebases with very high security requirements. I would need to spend some real time before I ask for external review, to not waste people's time.
if somebody uses it in a moment of desperation
In times of crisis, making good decisions is a game changer. Making poor decisions and getting lucky is not. If I had to put something in someone's head to remember in a moment of desperation and I had to choose between that url or the openssl enc syntax, I'd 200% go for the latter and hope that in their stress they will never remember about deadspace in emoji encoding. It simply is a bad correlation to make in your head.
not every TSA agent is a genius level super hacker.
They (supposedly) work for an institution that has processes. If you're a real suspect, your phone will get imaged, period. If the agent forgets to follow SOP and you, prime suspect, walk out of there without that, then they are incompetent and should look for another job. Sure, it is very possible that this happens, but it is a gamble.
If you're an honest, hard working human with a good heart, please, don't gamble with yourself like that. You're too precious and rare to put yourself at risk.
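The difference the comment above draws between encoding and encrypting, as an added example that is not part of the thread: base64 stands in for any key-less encoding (the emoji scheme itself is not shown on this page), and the message, passphrases and function names are constructed for illustration. It assumes OpenSSL 1.1.1 or later for `-pbkdf2`.

```shell
#!/usr/bin/env bash
# Constructed sample data; none of these values come from the thread.
MSG='meet at the north gate at 06:00'
export RIGHT_PASS='correct horse battery staple'   # constructed passphrase
export WRONG_PASS='hunter2'                        # constructed wrong guess

# Key-less encoding. base64 stands in for any reversible encoding scheme.
encode() { printf '%s' "$1" | base64; }
decode() { printf '%s\n' "$1" | base64 -d; }

# AES-256-CBC, key derived with PBKDF2. $2 is the NAME of an environment
# variable holding the passphrase, so the secret never shows up in argv.
encrypt() {
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -a -pass "env:$2"
}
decrypt() {
  printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a -pass "env:$2" 2>/dev/null
}

# True only if decrypting $1 with the passphrase in env var $2 yields MSG.
recovers_msg() {
  local out
  out=$(decrypt "$1" "$2" 2>/dev/null | tr -d '\0') || true
  [ "$out" = "$MSG" ]
}

ENCODED=$(encode "$MSG")
ENCRYPTED=$(encrypt "$MSG" RIGHT_PASS)

# Anyone holding the encoded text recovers it; no secret is involved.
echo "encoded, recovered with no secret: $(decode "$ENCODED")"
recovers_msg "$ENCRYPTED" RIGHT_PASS && echo "encrypted, right passphrase: recovered"
recovers_msg "$ENCRYPTED" WRONG_PASS || echo "encrypted, wrong passphrase: not recovered"
```

`openssl enc` in CBC mode does not authenticate the ciphertext, so it protects confidentiality only; the wrong-passphrase case is checked here by comparing the output with the message rather than by trusting the exit status.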
Duly noted.[1]
But what about a potential urgent moment? This kind of stuff is always on a couple of continuums. How safe is the tool and how desperate the situation. For example, I shared my surveillance routing app attempt with an openstreetmap telegram group and another optimistic type character mentioned that it's kind of pointless because there's no way for the user to know what I might be recording.[2] But at the end of the day, if somebody uses it in a moment of desperation, is the abusive boyfriend or the crooked cop going to always be smart enough to know that, get ahold of me, and head them off at the pass, all before they actually travel? Well maybe, but they're also screwed if they don't use it and just get followed from camera to camera.[3]
If I remember correctly, @DarthCoin goes through airports regularly with a variety of steganography in his possession. If I understand him correctly, he doesn't get caught, not because the means are sophisticated, but because the bad guys just don't know where to look. So basically I agree with you, with the caveats that when someone's in a desperate situation, there can be potentially bad solutions that are better than their current predicament, and second, that not every TSA agent is a genius level super hacker.
Agreed. I agree with every claim in the original post here. I was just worried about overextending the idea.
Please join! I won't censor snarky feedback.
Hell yeah!
[1] note to self: never ever mute @optimism
[2] I'm always quick to note that my stuff (so far) is pretty experimental, so maybe it also still gets a pass in your book. I certainly agree that if somebody's selling something, it better be able to verify that it does exactly what it claims.
[3] Also, in the event that this ever does happen, let the record reflect that I'm a retard, not a spook. ...although I suppose that's what a spook might say.