Notices by Matthew Green (matthew_d_green@ioc.exchange), page 3

US government agencies have allegedly been monitoring users through Apple and Google push notifications, according to Senator Wyden. https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/

The 16y/o just explained Rust borrowing to me. People, I cannot warn you enough: keep a close eye on what your kids are doing on the Internet.

We mostly abandoned the idea of peer-to-peer protocols between weak clients back in the 90s, but end-to-end encryption is much more like P2P with some servers helping out in the middle.

This is a good comment. People think “the Internet” is big but mostly what they mean by “the Internet” is made up of a few million servers. There are *billions* of end-user devices. https://infosec.exchange/@JessTheUnstill/111325315059319626

This code is not cherry-picked. Every single line looks like this. It’s literally the most terrifying, unreadable pile of dogshit I’ve seen in my life. And as the owner of two dogs, I don’t use that term lightly.

A project my grad student is working on required us to review the implementation of the C++ standard library, and now I want to tear my eyes out.

Ok the option to turn it off is tucked away under Privacy -> Advanced but it warns you that you might experience painful side-effects if you turn it on.

Anytime someone sets a feature as a non-default, I assume 95% of users never touch it. When they put it under the “Privacy” settings menu, I raise my expectation to 99%.

But Privacy -> Settings -> Advanced, wow. That’s like putting it in a disused lavatory in the basement of the town hall, with a sign that says “Beware of Tiger.”

I actually didn’t realize that Signal leaked my IP address to contacts when I initiated a call.

The EU chat control legislation has been temporarily postponed. That’s good news. The bad news is there’s another vote in December. https://www.patrick-breyer.de/en/chat-control-vote-postponed-huge-success-in-defense-of-digital-privacy-of-correspondence/

It’s amazing to me that a proposal to scan *literally ever private communication in Europe* is barely making newspapers, and we’re reading about legislative progress on blogs.

Do read this new investigatory piece on the web of money, AI companies, and shadowy “foundations” bankrolling the EU anti-encryption proposals. TL;DR this is the terrifying thing you get when you combine law enforcement, money and AI. https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/

If there’s one thing that makes me deeply suspicious, it’s scrappy child-safety organizations suddenly having huge piles of money to spend on hyper-specific tech focused political pressure campaigns as opposed to, say, children.

If I was in the adtech or data brokerage industry, I’d sure love these ads. Encryption is bad! Apple is too private. Let’s pass some laws to “protect the children.”

I wonder who exactly is paying for the ads and what their specific business interests are.

Can we just not process weird file formats people receive by iMessage/text?

@jef Transcoder written in a safe language and tough luck if it’s slower. The latest iPhone is faster than an i9.

Reading this WebP vulnerability report and I got to the words “lossless image compression” and “Huffman encoded Huffman tables” and I am trying to understand what we’re doing here other than paying for exploit developers’ kids’ orthodontia. https://blog.isosceles.com/the-webp-0day/

Tornado cash founders have been charged with money laundering. https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations

Chrome is replacing the “lock” icon with… something. I don’t know what it is. Might be two people sharing a sleeping bag. https://blog.chromium.org/2023/05/an-update-on-lock-icon.html