This code is not cherry-picked. Every single line looks like this. It’s literally the most terrifying, unreadable pile of dogshit I’ve seen in my life. And as the owner of two dogs, I don’t use that term lightly.
It’s amazing to me that a proposal to scan *literally every private communication in Europe* is barely making newspapers, and we’re reading about legislative progress on blogs.
If I was in the adtech or data brokerage industry, I’d sure love these ads. Encryption is bad! Apple is too private. Let’s pass some laws to “protect the children.”
If there’s one thing that makes me deeply suspicious, it’s scrappy child-safety organizations suddenly having huge piles of money to spend on hyper-specific tech-focused political pressure campaigns as opposed to, say, children.
It is remarkable to think that only in the past 15-20 years have we moved most of our private communications to digital channels with centralized storage & the processing power to perform bulk scanning. Coincidentally that’s nearly as long as encrypted messaging has been around.
Many folks in law enforcement and politics seem genuinely confused about the popularity of end-to-end encrypted messaging, like we all just decided to become anarchists or something. That’s not at all the dynamic we’re seeing here. The entire basis of our communications infrastructure shifted in a direction that’s inimical to privacy; encryption is the obvious solution.
If you had the most cynical possible view of humanity and its governments, you’d expect government agencies to be making a *huge* push to end encryption right now; or at least adorn it with mass-scanning infrastructure. And sure enough, that’s exactly what we’re seeing all around the world. https://www.globalencryption.org/2023/04/statement-on-eu-us-cooperation-against-encryption/
Someone on Twitter wrote that “children’s rights should absolutely override privacy rights” and honestly, that shook me. The reason I care about privacy so much is because I have kids, and I don’t want them to grow up in the kind of world that person would build.
The EU’s “chat control” legislation is the most alarming proposal I’ve ever read. Taken in context, it is essentially a design for the most powerful text and image-based mass surveillance system the free world has ever seen.
Per @racheltobac: 75% of Twitter 2FA users are using SMS-based authentication. In theory those users could switch to authenticator apps (or pay 😂) but they probably won’t.
What sets SMS 2FA apart is that it’s almost “free” from a user-effort perspective. If you own a phone, the feature is already built-in and enabled. Setup is nearly effortless. Backup is taken care of. Unfortunately none of the same things are true for HOTP/authenticator apps.
Smart people keep saying things like “but authenticator apps will still be free and those won’t require you to pay, plus they’re more secure.” That’s true! But also completely misunderstands what’s about to happen.
Free one-time code authenticators *should* be built into every phone. They *should* be enabled on the default keyboard. They *should* be securely backed up to an end-to-end encrypted account. If Google/Apple did this, adoption would be high.
The cognitive overhead of installing an authenticator app (and then worrying about what happens when you lose your phone) is absolutely ridiculous. The overall experience is just stunningly bad, given that it’s one of the best defenses we have.
So TIL that iOS natively supports 2FA authenticator codes. However: to find this amazing feature, you need to visit the disused lavatory in the basement of the Settings app, behind the sign that says “Beware of Leopard.”