I am not sure if it is necessarily copied. A lot of influencer-style people used some of these patterns (periods, not X but Y). So I'm not sure who is copying who?
These patterns are learned from magazine articles and other long-form publications. The tendency to have unnecessarily pithy/hooky section titles is one that particularly irks me, but it's not like AI invented that. I was reading some DIY books that are published by a company that does a lot of web/magazine work and they structure the text in the same way (this is all pre-LLM).
Content creators are starting to include these traits into their scripts now, too. It's uncanny when you (literally) hear it.
I feel like the problem is that it's both. We're sanding off the long tail of human expression. It's not profitable this quarter, you see. Faster to let the AI do it.
The problem is the LLMs completely change the equation. Before LLMs, beyond very junior (needs serious coaching) levels, reviewing was typically faster than writing the code that was reviewed. With LLMs, writing code is orders of magnitude faster than reviewing it. We already see open source projects getting buried in LLM slop and you have to find the real human or at least carefully curated contributions among the slop.
I would not be surprised if many open source projects will outright stop taking PRs. I have had the same feeling several times - if I'm communicating with an LLM through the GitHub PR interface, I'd rather just directly talk to an LLM myself.
But ending PRs is going to be painful for acquiring new contributors and training more junior people. Hopefully the tooling will evolve. E.g. I'd love to have a system where someone has to open an issue with a plan first and by approving you could give them a 'ticket' to open a single PR for that issue. Though I would be surprised if GitHub and others would create features that are essentially there to rein in Copilot etc.
You don’t need a rooted phone. An open source OS with reproducible builds is enough. That way you can validate what the code does without giving up verified boot, or opening up another attack vector, etc.
1. I need to be able to change SSL root cert, disable SSL cert pinning, and intentionally MITM installed apps and see what they are sending about me to their servers. Open source OS isn't enough if the apps aren't open source.
2. "Apps sending information about me to their motherships that I don't consent to them sending" is a MUCH bigger problem these days than people messing with SSL, so I accept the risks of (1).
3. Verified boot is big brother's dream. I want to be able to verify my own OS.
This. The post immediately reminded me of Win4Lin 9x (the version before it became just another boring VM) and SCO Merge. It was insanely fast, even on the hardware of the day.
The Wikipedia page is not very informative and presents it as a regular VM (possibly mixing up 9x and later versions that run the NT line of kernels). The manual is a bit more informative about the tech:
I'm a bit surprised it hasn't been mentioned a lot in the comments. Maybe it's a bit too old for most people here (Linux in the late '90s/early '00s was a much smaller community)?
Astroturfing is the deceptive practice of hiding the sponsors of an orchestrated message or organization to make it appear as though it originates from, and is supported by, unsolicited grassroots participants.
They are pretty much the opposite of an astroturfer, they mentioned several times in the comments that they are an active supporter/community member of GrapheneOS. So, they are not hiding and they are grassroots participants.
Please avoid personal attacks on HN, even more so when they are incorrect.
He deleted the signing keys because it looked like the other owner of Copperhead OS wanted to make the signing keys available to government agencies and/or criminal organizations. He deleted the signing keys to protect their users against malicious updates, which is the right thing to do and should increase trust in him and the project.
It's worth actually reading the linked post. Relevant segment:
In 2018, matters between Micay and Donaldson came to a head over Donaldson’s desire to pursue business deals with criminal organizations, and his attempts to compromise the security of CopperheadOS, including by proposing license enforcement and remote updating systems that would allow third-parties to have access to users’ phones. As part of this process, Donaldson began to demand that Micay provide Donaldson with the “signing keys” - i.e. the credentials required to verify the authenticity of releases of CopperheadOS. Donaldson advised that, in order to secure certain new business, potential customers required access to the Keys.
The keys had been in continuous use by Micay, in his personal capacity, since before the incorporation of Copperhead. However, more importantly, any party with the keys could mark malicious software as “authentic”, and thereby infiltrate devices using CopperheadOS.
Micay was unwilling to participate in that kind of security breach. Since Donaldson had control over certain infrastructure for the open source project, he would be able to incorporate (or hire others to incorporate) the privacy-damaging features described above for all future releases of CopperheadOS. Micay therefore deleted the keys permanently and severed ties with Copperhead and Donaldson.
Is it that Donaldson wanted to pursue deals with criminals or he wanted to backdoor an OS for a defense contractor or that he was a government spy? From the article it seems like none. Claims need receipts or they are blind assertions.
Me? I was a CopperheadOS user from the 2021 rebuild era before GrapheneOS existed in its state. All I've seen from GrapheneOS and Micay are claims without evidence and over-moderation of points they don't agree with.
Ah, thanks for setting me straight. That's reassuring. I think I would still have more respect and trust for GrapheneOS if they either didn't respond, or struck a more neutral tone; but that's more subjective.
Well, they have had to deal with multiple swattings, constant misinformation from some competitors (e.g. Murena's CEO doing interviews with various media where they insinuate that security-hardened systems like GrapheneOS are only for criminals and secret agents, complete with 'think of the children'-style arguments), and some local/national governments boosting the narrative that GrapheneOS is for criminals.
So I can understand why they are as defensive as they are.
I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturers' signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.
With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.
In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.
I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?
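One way the "independent reproducible build + confirmation signing" idea from the comment above could be checked on the user's side, as an added example that is not from the thread or from any project mentioned in it: several independent builders each rebuild the release, publish the hash they got, and sign that hash; the user only accepts the downloaded image when at least k distinct builders' signed hashes match the local hash. Builder names, keys and the artifact bytes are constructed for the example, and HMAC stands in for the asymmetric signatures a real scheme would use.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a downloaded OS image.
ARTIFACT = b"\x7fELF-constructed-os-image-bytes-v1"

# Hypothetical per-builder keys. A real confirmation-signing scheme would use
# asymmetric keys (e.g. Ed25519); HMAC is used here so the example runs with
# the standard library only.
BUILDER_KEYS = {
    "builder-a": b"constructed-key-a",
    "builder-b": b"constructed-key-b",
    "builder-c": b"constructed-key-c",
}


@dataclass
class Attestation:
    builder: str
    digest_hex: str  # sha256 of the artifact this builder reproduced
    sig_hex: str     # MAC over the digest, keyed with the builder's key


def attest(builder: str, artifact: bytes) -> Attestation:
    """What an independent builder publishes after rebuilding the release."""
    digest = hashlib.sha256(artifact).hexdigest()
    sig = hmac.new(BUILDER_KEYS[builder], digest.encode(), hashlib.sha256).hexdigest()
    return Attestation(builder, digest, sig)


def verify_artifact(artifact: bytes, attestations: list, threshold: int):
    """Accept the artifact only if >= threshold distinct trusted builders
    signed a digest equal to the local digest. Returns (ok, agree, rejected)."""
    local = hashlib.sha256(artifact).hexdigest()
    agree, rejected = set(), []
    for a in attestations:
        key = BUILDER_KEYS.get(a.builder)
        if key is None:
            rejected.append((a.builder, "unknown builder"))
            continue
        expected = hmac.new(key, a.digest_hex.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.sig_hex):
            rejected.append((a.builder, "bad signature"))
            continue
        if a.digest_hex != local:
            rejected.append((a.builder, "digest mismatch"))  # non-reproducible or tampered
            continue
        agree.add(a.builder)
    return len(agree) >= threshold, sorted(agree), rejected
```

A mismatch from one builder does not block the install if the threshold is still met, but it is surfaced so the user can see which builder failed to reproduce the release.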
Why do you trust Apple with your private data? Unless you enable ADP, iCloud backups are only encrypted at rest and not end-to-end. So, Apple, law enforcement, etc. can just read your iMessage or WhatsApp messages if needed. Did you enable ADP? Well good luck convincing everyone you communicate with to enable it as well, or their backups will still have all your chats without E2E encryption.
WhatsApp pulls a similar trick on Android. It's E2E encrypted, but by default backups (done to Google Drive) are not. I think most users never enable encrypted backups.
I wouldn't be surprised if there is a deal with law enforcement, where Apple and Meta can do and advertise E2E chats, but the defaults (which most users do not change) are such that law enforcement can still access them. But yeah, Apple and Google were part of PRISM too, so no big surprise I guess?
If you truly care about privacy, either completely disable iCloud backups or get a GrapheneOS phone. Also use Signal, because they exclude themselves from phone backups by default. So either chats are not backed up or they are backed up through Signal's own E2E backup service.
Use signal and disable notification previews… Apple saves even cleared notification text previews on device, which the feds just used in a recent case…
When Apple first released App Tracking Transparency, I immediately used it to block the trackers
There seems to be a common misconception that this blocks trackers, which is not the case. Use a DNS-based ad/tracker blocker and watch the logs and you'll see that many apps happily track you. As far as I understand, what ATT blocks is cross-app/website tracking. If you deny, the app does not get access to the Identifier for Advertisers, meaning that tracking services cannot use a single identifier that is used across apps. While this initially had a large financial impact (see the article), trackers have probably developed other ways to correlate data from apps/websites now.
The real solution would be for Apple/Google to offer an option to completely disable in-app trackers and if an app would violate it, boot them from the App Store.
Of course, they would never do that because they make a lot of money from targeted advertising with their own ad networks, so either they would have to block themselves or get in hot water with regulators.
Put differently, Apple and Google are not your friend here.
Hmm, yes, I should have been more specific. I am aware that it does not block trackers... my Pi-hole logs are still full of sketchy/tracking domains.
I simply meant that the unique ID can't be used to track me anymore, at least across different third party application companies. I would edit my comment but it is too late now.