Prestigious_Push_947 t1_ja4nxer wrote

This really depends on a lot of scenarios. For example, if you use Signal for desktop on a Windows system without BitLocker, your message content can be recovered easily without forcing you to unlock the device or installing any kind of keylogger. If you have FDE enabled, but your device is unlocked, then your message content can be retrieved. No keylogger or additional tooling is necessary. Signal is as secure as your device is; it provides no additional security for your messages. They have repeatedly classified bug reports for weak local security as "Won't fix" because they are up front about the fact that their intent is ONLY to secure messages in transit.


Prestigious_Push_947 t1_ja4max0 wrote

You're just speaking nonsense. You don't understand these concepts at all. I'm not sourcing anything for some high school kid who's taken one IT class and thinks they're hot shit b/c they know CIA. There are loads of people reporting "vulnerabilities" in Signal because the on-device data is trivially accessed. Signal's response is consistently and repeatedly that their intent is not to provide on-device security and that you should use FDE. This is a very easy Google search away for you.


Prestigious_Push_947 t1_ja1fuo9 wrote

You should look deeper into the app. It has been reported repeatedly that content is available on the endpoint either in cleartext or in a way that can be trivially recovered. Signal themselves have repeatedly stated that they do not intend to be secure against someone in control of the device. Their encryption on the device is not hardened, and it's not meant to be. They recommend using robust full-disk encryption to secure your messages at rest.


Prestigious_Push_947 t1_ja0pzke wrote

Okay, so you misunderstand what encryption in transit, E2EE or HTTPS are, got it. You know the words, but you don't actually understand any of them. E2EE is by definition encryption in transit. It is encryption from end to end, between two ends, whilst transiting between them. All E2EE is encryption in transit, though not all encryption in transit is E2EE.

HTTPS is just a kind of encryption in transit that protects HTTP traffic while it moves over the wire. There are lots of other protocols that provide encryption in transit for other cleartext protocols. You can even have multiple different ways to provide encryption in transit for different protocols. Signal provides encryption in transit for message traffic, and it only provides encryption in transit. It does not provide other types of encryption (i.e. encryption at rest) for your messages.

You don't understand the proposal, you don't understand even the very basics of any of this.


Prestigious_Push_947 t1_j9zop4q wrote

There are a lot more kinds of encryption in transit than HTTPS; Signal is absolutely not using HTTPS as the protocol to protect your messages in transit. That said, yes, the British proposal is wrong - as I said in my post. But if you're going to criticize them without understanding the proposal, you hurt the effort to counter it.


Prestigious_Push_947 t1_j9x81jn wrote

In this case, they're talking about scanning on the endpoint, which does get around the issue of breaking the encryption. The messages are only encrypted in transit, not on the endpoints, so this isn't an issue of misunderstanding crypto. I support Signal's stance of non-participation, but you should probably read the article before commenting.


Prestigious_Push_947 t1_j9im0sc wrote

This really depends on the company. Most don't require a couple of years before refreshes start vesting. Also, comp doesn't go up until after the stock goes up, so it's never guaranteed when your comp will get better again. Like I said, this is the game of RSU-based comp. If you treat RSUs like regular income, you're an idiot.


Prestigious_Push_947 t1_j9e0s2k wrote

Yeah, no refreshes would be rough. Honestly, you couldn't have paid me to work for Amazon in the first place because they're so renowned for how poorly they treat people. I do know that a lot of people in my field went there because they've been paying significantly above market for the last couple of years; spectacular comp is the only reason to work for an outfit like that. If RSUs are cratering and you're not issuing refreshes, you're going to lose tons of people. Then again, I'm sure that's what management wants.