🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 310 Comments
Joined 8 months ago
cake
Cake day: March 19th, 2024

help-circle
  • But Light is like a generic incarnation of god but also knowledge, revelation etc., it’s way more absolute than peace or even love. I think Light does make sense from their perspective, and in the catholic symbolism it is identified basically with all positive stuff.

    You had a bunch of other references that make sense eh, I am not familiar with them, so I respect that people might have different perceptions.





  • Many encryption algorithms rely on the assumption that the factorizations of numbers in prime numbers has an exponential cost and not a polynomial cost (I.e. is a NP problem and not P, and we don’t know if P != NP although many would bet on it). Whether there are infinite prime numbers or not is really irrelevant in the context you are mentioning, because encryption relies on factorizing finite numbers of relatively fixed sizes.

    The problem is that for big numbers like n=p*q (where p and q are both prime) it’s expensive to recover p and q given n.

    Note that actually more modern ciphers don’t rely on this (like elliptic curve crypto).





  • sudneo@lemm.eetoTechnology@lemmy.worldWhat the hell Proton!
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 month ago

    Encrypted DNS doesn’t solve everything. Handshake for TLS sessions is still in clear, you can usually see the SNI, and since we are talking about Wireless, usually this data is available to anybody who is in the vicinity, not just the network owner. This already means that you can see what sites someone is visiting, more or less. TLS 1.3 can mitigate some of this (for those who implement ESNI, but you don’t know that beforehand). Also TLS works until the user is not accepting invalid certificates prompts (HSTS doesn’t work for everything) and there are still tons of HTTP-based redirect (check mailing newsletters and see how many first send you to an HTTP site, for example) that can be used for MiTM attacks.

    A VPN moves the trust to a single provider that you can choose, which is much better than trusting every single WiFi network you can attach to and the people connected to it, I would say.

    Also if you pay for the VPN (I pay Proton), it’s not true that the company business is based on user data, they are based on subscriptions.





  • I read the post, hence my points. I am not really looking for answers, because I don’t have questions, I had observations. You on the other hand seem to have your whole opinion formed on this inaccurate post, and I would expect someone in your position to look for more perspectives, when you clearly are not. You seem instead on a crusade against the company (good for you), and even if all the post was true, because they spent too much on t-shirts, invested too much in AI products (that I repeat, are opt-in)? Because they don’t comply with a technicality of GDPR? Lol Ok, more power to you.

    Also, what I mean by a subscription is that I cancel it and I am done. I didn’t invest in it in any shape or form, what I paid I consumed already, there is no feeling of wasting previous investment in a running subscription.

    Judging from your attitude, your lack of content, your very annoying “homie”, your inability to address any point against the content of the article, I am guessing either you are the author and you are butthurt that is not taken as gospel, or you just have ulterior motives and you are here just to stir shit (instead of “spreading awareness”). Either way, I have already invested too much time writing responses to your silly comments. I will show you how good I am in avoiding the sunk cost fallacy and block you, despite the time invested in the conversation.

    Cya


  • I answered with more stuff in other comments, but you didn’t address any of that anyway.

    I personally have no brand faith, I am a happy customer and the moment the company doesn’t adhere to my principles I will dump it. There is no sunk cost as it’s a running subscription (you keep mentioning this, so I though I will say it).

    That said, if I see someone claiming they have a “blase” approach to privacy or they don’t care about it, I will point out that this is complete bullshit. Using the missing “download my data” feature to support this claim is outright pathetic.

    To be even more precise, as a socialist I don’t like many of Vlad’s ideas that tend towards libertarianism. That said, the company has a good amount of worker ownership, it operates on principles I currently respect and that are miles higher than the standard tech company. I am absolutely in favour of supporting positive business in a field where companies are disgusting on average, and in cases evil.

    Now, if you have anything else than childish arguments I am happy to discuss them. I have pointed to a number of inaccuracies in the article, there are outdated data (like the number of employees) and subjective views from the author. You are posting this article everywhere like it’s some kind of holy grail of gotchas, when it’s not. There are some good points (financial reporting exists, is not 100% transparent - which is not due, the amount spent for the t-shirts was IMHO not a great idea, etc.), but the fundamental points against the company are shacky at best. As I said elsewhere, all the shpiel about AI etc. is fully addressed in kagi own site where they clearly explain what they mean, for example. The features are actually pretty nice, even for someone like me who is not a fan of LLMs, and the results are quite accurate (the post author claims they are almost always wrong) from my experience.

    BTW my searches are unlimited :)




  • That article is quite dense with inaccurate information (e.g. they own a T-shirt factory), and a lot of guesses. There is no need to listen to a random guy idea about kagi’s AI approach when they have that documented on their site.

    Also, the “blase attitude to privacy” is because of a technicality of GDPR? (Not having the ability to download a file with your email address) I am a big fan of GDPR, and their privacy policy is the best I have seen (I read the pp of every product I use and I often choose products also based on it), so really I don’t care about the technical compliance to GDPR (I am not an auditor), but the substantial compliance.

    All-in-all, the article raises some good points, but it is a very random opinion from a random person without any particular competencies in the matter. I would take it for what it is tbh

    EDIT: To add a few more:

    • They achieved profitability (BTW, 2 years of operation and being profitable with 30k users, they really don’t know what they are doing /s)
    • Their price changed twice. It was raised once, and the change was reverted later on, with unlimited searches. For me that is a great sign, especially considering the transparency of telling exactly how much each search costs for them.

    Source: see https://blog.kagi.com/what-is-next-for-kagi (published ~1 month after the linked post).




  • Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

    You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

    I mention that but with a specific context.

    • people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
    • even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

    In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay’s RAM

    And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.

    If this makes you paranoid

    Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.

    I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

    You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

    I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

    At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

    That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is mininal. If you get convenience/features, it’s a win.