tal

Oh, yeah, my concern isn't really that Florida is planning to go after instance admins

I'm just being sardonic

so much as to point out that any practical enforceability of this is going to have a lot of issues.

I mean, do you mandate that Lemmy disallow third party clients? Try to force them to detect and block encrypted messages? What happens if I start dumping big PGP messages steganographically in images and simply send those? What happens if the image I'm sending is just a link to isn't even uploaded to pict-rs on a Lemmy instance?

I don't need to move a whole lot of bits to send messages, and it's really hard to block people who can send any data at all from having software send data that cannot be read by intermediaries, use the existing social media channel to agree upon out-of-band communications channels that social media operators have no control over, and so forth. Like, okay. Say I am a child-molesting terrorist drug running money launderer or whatever. I know someone who uses Facebook.

Let's even say that Facebook does a fantastic job of detecting and blocking any E2E-encrypted communications like PGP messages of the sort I mentioned in the above comment.

Okay. Now let's say that there is some other non-social-media system that uses OTR. I use Facebook to send someone my identity on that OTR system, as well as -- which doesn't need to be in any kind of standardized format

the shared secret OTR uses to bootstrap trust between two parties. That shared secret becomes useless after the initial handshake completes. Is Florida going to figure out everything that I'm saying, manage to break into whatever other channel I'm using, and MITM the thing? Probably not, since even if they supoena Facebook and Facebook gives them that shared secret, it doesn't let them later MITM the OTR communications.

That sounds complicated, but from a user standpoint it's "Let's talk on . I'm , and here's ." The other person fires up their program, pastes string in, and unless Florida have already supoenaed and MITMed that channel, at that point, the deed is done -- out-of-band E2E-encrypted communications are bootstrapped, and Mark Zuckerberg can't read them or let anyone else read them even if he wants to do so.

I remember those manuals how to run Skype and every proprietary program from a separate user, while every client in X11 can capture the whole display and see all keystrokes.

I don't know what these manuals said, but you can run an X11 software package in Xnest or Xeyphr to functionally sandbox X11. Both of those have been around for a long time. I use firejail, which will use either to isolate software if being used in an X11 environment. That might permit for clipboard snooping, have to check, but avoids the keylogging and display-dumping issues.

It is true that X11

not to mention most traditional desktop operating systems -- were not really designed to sandbox software packages. Local stuff is trusted. Wayland improves on that a lot. But even so, Linux desktop apps in general still don't normally run isolated. Steam games are not isolated in 2025, which is something that I'd kind of like to see.

But I'm more optimistic than I think your comment is, think that things have generally gotten better, not worse.

Go back a quarter century and nearly all Internet traffic was unencrypted; most is encrypted today. I'd trust Web browsers to reliably sandbox things today more than I did then. We have containers and VMs, which are a big improvement over chroot jails. My software updates are mostly cryptographically-verified. If you want a cryptographic filesystem, it's not a big deal to set up these days. We don't have operating systems automatically invoking binaries because they happened to live on something that looks like a CD drive that was connected. We're using more programming languages that are more-resistant to some common memory management bugs that historically led to a lot of our security problems.

I agree that it's important not to falsely believe that security is present when it's not. But I don't think that everything is dismal, either.

I mean, you aren't the one breaking the law unless you're running a social media platform. The obligation is on the operators, not on the users.

Actually, on second thought, maybe the automated in-webpage decryption via the plugin thing I stuck at the end is a bad idea if it just inserts the decrypted stuff right into the page (not sure if this is the case). Like, I bet that a malicious or compromised instance could serve up Javascript in the webpage it provides to read and send the decrypted content from the web page.

But not a problem for the approach in general, just decrypting-in-place in a webpage. Would benefit from client support in general, though.

EDIT: Also would be nice to have user profile bios have enough space to actually fit a PGP public key, if that is to be used to distribute PGP public keys (rather than keyservers or something, though one issue with using Lemmy instances to distribute them is that a compromised instance could list bogus pubkeys for users who haven't yet obtained a local copy of the pubkey for a given user). Presently, it looks like the character limit is extremely short on lemmy.today, which is presumably using the Lemmy default; 300 characters. I'd think that it could at least be boosted to the comment length limit of 10,000 characters.

it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.”

Mmmhmm. Apparently the Threadiverse is about to become illegal in Florida.

First, let's generate a strong public-private GPG keypair for myself and some hypothetical other Threadiverse user, anotheruser@lemmy.today:

$ gpg --quick-generate-key tal@lemmy.today
$ gpg --quick-generate-key anotheruser@lemmy.today

And show the tal@lemmy.today public key:

mQGNBGf6kRMBDAD3qJIznSVVQZu092nTthUt8R8DNXS6eYNqgbpYHTY+6i+RSFMe
YDDnOz0cL3drxnWpNC37l9HouJGohua/Cjx2Iju/zd4A5mZkXchIt4lfZ3bbXx2k
p0eC1m9+B3Dc37lSLPgEpTnfPGtMfKJU4bNVBdwkFCyS9Mxc499uIrAUpjPQLmgP
1rQ2Wk1wzGfAh3VNCxg8xsHcOHWQZqSUzsLk/PeG1QtfGTVBG44tI6msGawwQct6
XVnVOk0DfEGmoru4dGuQDk+oZRVz/O4/wLOQzfAVCzsbv/RrCzywrcQM3WAoVBDI
awe9UG++Y4N6Eof46UQ1KnzA2ndkHFt35KybidaqxlWM4Sslx/Is+wCgqt+FpJRN
MPLsAet6Eg6vGB6ES3Fk/IXX5OEvtWMfKKrgSP88NwoP/VFr/BU7SsJW1Opo4Ccf
DDPuWlgMCmsVE9xsPS1oFMzxiHbJYj8gWgH7AOtl24NgYXVi/QdetYA6SZqonU0T
xnGmEw5JdcvWdmMAEQEAAbQPdGFsQGxlbW15LnRvZGF5iQHUBBMBCgA+FiEE7S76
Je3x/gWVtrNsdlwPXPfD8YIFAmf6kRMCGwMFCQWjmoAFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AACgkQdlwPXPfD8YJy+wv+JJ3MP+zZRy4pJZ+u7iiSOwVVwUboT8Pi
kX7rxLl6TF9wGuLPjl/P8Cfy0WMsZQ2Ab0S/84cE2bIVbcISwqeqkMZ1Puk6y5Nn
8uHK3qHrYb1n89uOwjgeBIC3XopdJpSPtaKBWHZn/s0AYQ3suqJt/BoJo+hTv4oJ
/8Rtcs2+YKnQtoLtM/0tKO3J4Qzvqrzi0F14R1Rv6kiFzePkEPQFSPN4uIR5CPJm
t6HuYWYcWNKhfIkKJH08GAV0jP+qrbe/yacO0tKt8gnxKBdpXLRwLePx5sDV14ch
Ay/3n1aVa7PbUGA4m51xOSl0Ro54s6K8uwJ2fz6z5fdjpOkbvDw51tPEdxQzW0JH
myyaC31j4h5YwzOAfGaK6lp3pAHStDFhDJXZPLYsDlcMGSPvV+qBMAh86t8mqIqd
tBPjNj60aIbps+mImBpRlO/xRvUWjjVsm1FKqxBq7QQR5SW0MLnkwvcnUMDCbOs/
wMN6ghyZp6RDhUXGgb9HJVSQhXLjaqf+uQGNBGf6kRMBDADFYNE00Rr2Ujm9+i7k
LsHz49xqJUNtv3b7pHWTOZNhkSFf/OieayE45lkBMQl1ZkuY56QjmcgYZWsOf7+y
kbrsQjdNE5lHl/hRAqGV13LUscTKPUCvTXnfFX+/p64Kgv1f74fAdfkQu663sGOM
xbFP9/3jOQLF9dI2M8H14TPF/JDhjXDZvvoMrMBxwFlRctvwbeS6Yar+XKxKZQvh
I63Ad2OyFc0p+pnJOnrWN3Q6iEqnAq0SA/EdsjVx3MWpqZW15YDyU0lIWrHAn/yD
PfMaAqcgXj2LLBDziYdfm1ACBceS+WAu6w7i07xMAbdypKOsPB2cL1PlX//WEiwW
55iBTJ7oRAW7Q0LRsk2k40mq61xfOLyOBT8gHJfEb7ked9KuSXQdBn9K2hT2SH+U
OT2E63ShPHL9F2F1yQSbjFbHJve2klIuqrMeJ21QtDWgz+Auzp7PPWZ59SN+XCVj
qzrueXIvzsK3Shfqf636/Buj1g5heIY3nBd3dtbq4gUBO90AEQEAAYkBtgQYAQoA
IBYhBO0u+iXt8f4FlbazbHZcD1z3w/GCBQJn+pETAhsMAAoJEHZcD1z3w/GCzXkL
/i1k5ra/YZPpiJgCOO61x6Iog5/hyL/APhHT/CMg1ZAYObfqCD0QT0f+n0qdZXhH
ALGXzCMsbFqr0oxqOFFccLGQzUxv9AkyrO94HLoL726fxi3gkF+UekHjWgcxkcXQ
PHZCOdHczxyCIGRB+mKn+tGweXpCwMNkymagdoyzOs+t+5cGUTv18ceun72Mqf1H
4vCZ4LLb94NLkSJqGKeQuzjVhopDVCJ8t/exRuk2ra2SkeChKPCpq5zJP+OpzAx3
hPNSL9v8xRD6D/NKQP/zYXvry1dfQaaOYUbw+GMgSxtVNsTyGMtDg2kE8ZSuvVKq
ZIoODdjZRZvTB90+UKFRF3st1MeBXGNskvcZJhit7K1eMGhUbjykNWrq0A8aoRAN
P0DBRg09Uumub1GNnJlHFNxAS5e0A686YHzA6AOify+lhscdrFKiv8GRFBZGK39W
vY5YDDdpY632O6w1Te1UFIhS7pIWXsm5AfffFPDc/UJd6ZaBOcnKH45R4y2qObS2
eA==
=ommg
-----END PGP PUBLIC KEY BLOCK-----

And then show an example of someone else importing it, pretending that they're anotheruser@lemmy.today (though in my case, I've already got the tal@lemmy.today public key in my keyring):

mQGNBGf6kRMBDAD3qJIznSVVQZu092nTthUt8R8DNXS6eYNqgbpYHTY+6i+RSFMe
YDDnOz0cL3drxnWpNC37l9HouJGohua/Cjx2Iju/zd4A5mZkXchIt4lfZ3bbXx2k
p0eC1m9+B3Dc37lSLPgEpTnfPGtMfKJU4bNVBdwkFCyS9Mxc499uIrAUpjPQLmgP
1rQ2Wk1wzGfAh3VNCxg8xsHcOHWQZqSUzsLk/PeG1QtfGTVBG44tI6msGawwQct6
XVnVOk0DfEGmoru4dGuQDk+oZRVz/O4/wLOQzfAVCzsbv/RrCzywrcQM3WAoVBDI
awe9UG++Y4N6Eof46UQ1KnzA2ndkHFt35KybidaqxlWM4Sslx/Is+wCgqt+FpJRN
MPLsAet6Eg6vGB6ES3Fk/IXX5OEvtWMfKKrgSP88NwoP/VFr/BU7SsJW1Opo4Ccf
DDPuWlgMCmsVE9xsPS1oFMzxiHbJYj8gWgH7AOtl24NgYXVi/QdetYA6SZqonU0T
xnGmEw5JdcvWdmMAEQEAAbQPdGFsQGxlbW15LnRvZGF5iQHUBBMBCgA+FiEE7S76
Je3x/gWVtrNsdlwPXPfD8YIFAmf6kRMCGwMFCQWjmoAFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AACgkQdlwPXPfD8YJy+wv+JJ3MP+zZRy4pJZ+u7iiSOwVVwUboT8Pi
kX7rxLl6TF9wGuLPjl/P8Cfy0WMsZQ2Ab0S/84cE2bIVbcISwqeqkMZ1Puk6y5Nn
8uHK3qHrYb1n89uOwjgeBIC3XopdJpSPtaKBWHZn/s0AYQ3suqJt/BoJo+hTv4oJ
/8Rtcs2+YKnQtoLtM/0tKO3J4Qzvqrzi0F14R1Rv6kiFzePkEPQFSPN4uIR5CPJm
t6HuYWYcWNKhfIkKJH08GAV0jP+qrbe/yacO0tKt8gnxKBdpXLRwLePx5sDV14ch
Ay/3n1aVa7PbUGA4m51xOSl0Ro54s6K8uwJ2fz6z5fdjpOkbvDw51tPEdxQzW0JH
myyaC31j4h5YwzOAfGaK6lp3pAHStDFhDJXZPLYsDlcMGSPvV+qBMAh86t8mqIqd
tBPjNj60aIbps+mImBpRlO/xRvUWjjVsm1FKqxBq7QQR5SW0MLnkwvcnUMDCbOs/
wMN6ghyZp6RDhUXGgb9HJVSQhXLjaqf+uQGNBGf6kRMBDADFYNE00Rr2Ujm9+i7k
LsHz49xqJUNtv3b7pHWTOZNhkSFf/OieayE45lkBMQl1ZkuY56QjmcgYZWsOf7+y
kbrsQjdNE5lHl/hRAqGV13LUscTKPUCvTXnfFX+/p64Kgv1f74fAdfkQu663sGOM
xbFP9/3jOQLF9dI2M8H14TPF/JDhjXDZvvoMrMBxwFlRctvwbeS6Yar+XKxKZQvh
I63Ad2OyFc0p+pnJOnrWN3Q6iEqnAq0SA/EdsjVx3MWpqZW15YDyU0lIWrHAn/yD
PfMaAqcgXj2LLBDziYdfm1ACBceS+WAu6w7i07xMAbdypKOsPB2cL1PlX//WEiwW
55iBTJ7oRAW7Q0LRsk2k40mq61xfOLyOBT8gHJfEb7ked9KuSXQdBn9K2hT2SH+U
OT2E63ShPHL9F2F1yQSbjFbHJve2klIuqrMeJ21QtDWgz+Auzp7PPWZ59SN+XCVj
qzrueXIvzsK3Shfqf636/Buj1g5heIY3nBd3dtbq4gUBO90AEQEAAYkBtgQYAQoA
IBYhBO0u+iXt8f4FlbazbHZcD1z3w/GCBQJn+pETAhsMAAoJEHZcD1z3w/GCzXkL
/i1k5ra/YZPpiJgCOO61x6Iog5/hyL/APhHT/CMg1ZAYObfqCD0QT0f+n0qdZXhH
ALGXzCMsbFqr0oxqOFFccLGQzUxv9AkyrO94HLoL726fxi3gkF+UekHjWgcxkcXQ
PHZCOdHczxyCIGRB+mKn+tGweXpCwMNkymagdoyzOs+t+5cGUTv18ceun72Mqf1H
4vCZ4LLb94NLkSJqGKeQuzjVhopDVCJ8t/exRuk2ra2SkeChKPCpq5zJP+OpzAx3
hPNSL9v8xRD6D/NKQP/zYXvry1dfQaaOYUbw+GMgSxtVNsTyGMtDg2kE8ZSuvVKq
ZIoODdjZRZvTB90+UKFRF3st1MeBXGNskvcZJhit7K1eMGhUbjykNWrq0A8aoRAN
P0DBRg09Uumub1GNnJlHFNxAS5e0A686YHzA6AOify+lhscdrFKiv8GRFBZGK39W
vY5YDDdpY632O6w1Te1UFIhS7pIWXsm5AfffFPDc/UJd6ZaBOcnKH45R4y2qObS2
eA==
=ommg
-----END PGP PUBLIC KEY BLOCK-----
EOF

And now let's pretend we're anotheruser@lemmy.today and use end-to-end encryption that doesn't have a back door, using sed to prefix each line with four spaces so that we get nice blockquoted Markdown that we can paste into a Threadiverse comment or direct message to tal@lemmy.today:

$ gpg -a -e -u anotheruser@lemmy.today -r tal@lemmy.today <<EOF |sed "s/^/    /"
Hello there, tal@lemmy.today!  This is anotheruser@lemmy.today.  I just wanted to send you a message.
* Florida Man cannot read this.
* Even instance admins cannot read this.
EOF
    -----BEGIN PGP MESSAGE-----
    
    hQGMAwk4edDpeyVkAQv+Mu6kJj1KkKs8i72YixAbAMuO+uNJDq0Vu9sz9mGUv3nG
    DibQTkFFz0h+IcK7/2xVrfBcf//6MDqYmlVnTlmpPcNOel4B1YbU4KpHus6ZELcy
    7t0WP2IX03FWTooIBdfX7jIdH9us7PPyG2s4edTX7yD69H7oRdVJiNN6qJUbtObU
    sHWfmq0oQlHoevw47FuWGjAaIbA9volFV3IotEAhmTQ8cCJs2SG8bQjiJmpGE5pO
    xBSNtqo9X49FhQ0xoouwWil/9c76nNw7MtF/4WjU2HlzzRdFIXKeReq0ZzJ8fdkU
    YENYV+7lcp3jmGm91nC+E7HYTCjwy6XmMx+6wrzpCtNnLOaOL9caC7Div6ZvBtBi
    RVTiT1Kewth+QQvLHh2ErN0XKDzFrfFqfrZq4tX3TTn3rQkM/v0UrlR+3rr+iePX
    iKPmtsQBxNa81GVNxx0IR/1r+by8ELenCCRjaq2OpzfUhckqHkn1M6ycBPrwX8yR
    uBuIf7E65Pi2QfSoDeOH0rsBR/yGwU/h8HeEp6ChYEEEs1v+INI2dQ+zxhqaimKz
    vg7gTlVNplI9rpb/VLhlk8tzjCMQ4+Dqe4KeYqtvCLLJtgPFNlujMrgOEmbDL46X
    kQ8xQTForYFqPvODnPDUo+dbmt2UlXJGw3dyztEhQRUEqoCvUan9ERcY1gJS4mT6
    WmAJKfVHfLos+UiibRZBhRzAsFCvyEPF1lOEJNVD0cz9tya2CfszNsqz+ITeHWfm
    HchPmmEq4pqHr1/a
    =PQN2
    -----END PGP MESSAGE-----

And let's have tal@lemmy.today decrypt it:

hQGMAwk4edDpeyVkAQv+Mu6kJj1KkKs8i72YixAbAMuO+uNJDq0Vu9sz9mGUv3nG
DibQTkFFz0h+IcK7/2xVrfBcf//6MDqYmlVnTlmpPcNOel4B1YbU4KpHus6ZELcy
7t0WP2IX03FWTooIBdfX7jIdH9us7PPyG2s4edTX7yD69H7oRdVJiNN6qJUbtObU
sHWfmq0oQlHoevw47FuWGjAaIbA9volFV3IotEAhmTQ8cCJs2SG8bQjiJmpGE5pO
xBSNtqo9X49FhQ0xoouwWil/9c76nNw7MtF/4WjU2HlzzRdFIXKeReq0ZzJ8fdkU
YENYV+7lcp3jmGm91nC+E7HYTCjwy6XmMx+6wrzpCtNnLOaOL9caC7Div6ZvBtBi
RVTiT1Kewth+QQvLHh2ErN0XKDzFrfFqfrZq4tX3TTn3rQkM/v0UrlR+3rr+iePX
iKPmtsQBxNa81GVNxx0IR/1r+by8ELenCCRjaq2OpzfUhckqHkn1M6ycBPrwX8yR
uBuIf7E65Pi2QfSoDeOH0rsBR/yGwU/h8HeEp6ChYEEEs1v+INI2dQ+zxhqaimKz
vg7gTlVNplI9rpb/VLhlk8tzjCMQ4+Dqe4KeYqtvCLLJtgPFNlujMrgOEmbDL46X
kQ8xQTForYFqPvODnPDUo+dbmt2UlXJGw3dyztEhQRUEqoCvUan9ERcY1gJS4mT6
WmAJKfVHfLos+UiibRZBhRzAsFCvyEPF1lOEJNVD0cz9tya2CfszNsqz+ITeHWfm
HchPmmEq4pqHr1/a
=PQN2
-----END PGP MESSAGE-----
EOF
gpg: encrypted with 3072-bit RSA key, ID 093879D0E97B2564, created 2025-04-12
      "tal@lemmy.today"
Hello there, tal@lemmy.today!  This is anotheruser@lemmy.today.  I just wanted to send you a message.
* Florida Man cannot read this.
* Even instance admins cannot read this.

I guess the only option will be to lock up instance admins for violating Florida law, as they're operating a social media platform with end-to-end encrypted communications with no backdoor.

EDIT: It'd also probably be nice to have browser and client support to make this more-convenient, no copy-pasting. I haven't used it, so I can't vouch for its functionality, but for users using Firefox, this Firefox extension claims it can automatically detect and decrypt GPG content in a webpage; if it can pick up on encrypted, ASCII-armored blockquoted text in a Threadiverse comment, that would hopefully let one simply read encrypted messages in Lemmy or whatever without any additional copy-pasting effort (though sending an encrypted message would still require copy-pasting some text):

https://addons.mozilla.org/en-US/firefox/addon/gnupg_decryptor/

I commented on this myself earlier. Doing the extra shipping and bare legal minimum to count as a transformative step to create a new product in some other country will increase the cost of the good relative to where it is today, so there's still an impact, but for virtually all products, it's going to be far less than the 145% increase that tariffs would impose on a directly-shipped-from-China product.

undermining

Prior to the base commander commenting and destroying his effort, Vance was on totally firm ground and had pretty much convinced the entire population of Greenland.

Wikipedia has that this is not the common-use definition of "acronym", though some argue for it. In the common-use sense, an initialism is just one type of acronym.

https://en.wikipedia.org/wiki/Acronym

For some, an initialism or alphabetism, connotes this general meaning, and an acronym is a subset with a narrower definition: an acronym is pronounced as a word rather than as a sequence of letters. In this sense, NASA /ˈnæsə/ is an acronym but USA /juːɛsˈeɪ/ is not.

The broader sense of acronym, ignoring pronunciation, is its original meaning and in common use. Dictionary and style-guide editors dispute whether the term acronym can be legitimately applied to abbreviations which are not pronounced as words, and they do not agree on acronym spacing, casing, and punctuation.

pushes rewind button

https://www.theguardian.com/world/2016/nov/15/germany-trump-ttip-trade-deal

Tue 15 Nov 2016

Transatlantic trade deal 'not realistic' under Trump, German official says

pushes fast forward button

https://www.politico.eu/article/eu-offers-trump-removal-of-all-tariffs/

April 7, 2025

EU offers Trump removal of all industrial tariffs

“Europe is always ready for a good deal,” says Commission President Ursula von der Leyen.

The Onion staff was fighting a valiant rear-guard action against reality, but it was increasingly clear that the odds were stacked against them.

As Trump cabinet member activities go, sporadically mispronouncing some acronym is very low on my list of concerns.

I don't know the specifics here on the tariffs, but my guess is that the way things work is that it's irrelevant where the inputs come from in determining origin of a good. I know that that's true of at least some classes of goods.

So my guess is that what happens is that there's some short-term disruption and shortages, and then what happens is that you have a lot of products made in China get shipped to some random intermediate country with favorable trade policy, that then performs some sort of step to fulfill the legally-minimum requirements to be a transformative step to produce a final product that legally originates in that second country. That product then gets exported to the US.

That'll make the good more expensive, but probably in virtually all cases not 145% more expensive.

If you use keys or strong passwords, it really shouldn't be practical for someone to brute-force.

You can make it more-obnoxious via all sorts of security-through-obscurity routes like portknocking or fail2ban or whatever, or disable direct root login via PermitRootLogin, but those aren't very effective compared to just using strong credentials.