Comments


thesmokingman, to privacy in Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form'

… which gives a timing attack and the ability for bad actors to impersonate someone. I agree with you that, once public, this is a good idea. You cannot convince me that this is a good idea if done privately because there is no way to trust but verify, especially in the highly sensitive contexts they want trust in.

If it’s not public, I won’t trust it. You trust it blindly because it’s in beta. We’re not going to come to an agreement over these mutually exclusive positions.

thesmokingman, to privacy in Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form'

Just because a blockchain is “private” doesn’t make it suddenly changeable

This is patently false. All blockchains are changeable with enough consensus. See something like this article.

thesmokingman, to privacy in Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form'

Did we read the same article? Emphasis mine.

Yen said Proton might move the feature to a public blockchain

I’m not interested until it’s public. Additionally, building out the chain then dropping it to rebuild a new public one is rewriting history, which violates the whole “immutable” part of “immutable ledger.”

thesmokingman, to privacy in Proton Mail CEO Calls New Address Verification Feature 'Blockchain in a Very Pure Form'

But it’s not public. It’s a private blockchain. The immutable ledger aspect only matters if everyone can see the ledger. Otherwise we take at face value all of the things you said. Assume they run one node and that one node is compromised by a malicious actor. The system fails. Extend it to a limited number of nodes all controlled by SREs and assume an SRE is compromised (this kind of spearphishing is very common). The system fails again.

Sure, you can creatively figure out a way to manage the risks I’ve mentioned and others I haven’t thought of. The core issue, that it’s not public, still remains. If I’m supposed to trust Proton telling me the person I’m emailing is not the NSA pretending to be that person (as the Proton CEO suggested), I need to trust their verification system.

thesmokingman, to piracy in OpenSubtitles.org is shutting down it's previous API. Now only authenticated access allowed.

What about infrastructure costs? Are you comfortable making someone else pay for your access? What about the design and implementation of the API? Should all software be free?

Please note that I’m not trying to support this decision at all. I personally feel like API access is similar to SSO for enterprise stuff (check out sso.tax). I also feel like there should be some level of compensation and even profit so people can focus on building stuff like this. It’s really hard to define what that is, especially without transparent costs, which I don’t believe OpenSubtitles shares? Also they use super predatory ads so I don’t think they have any high ground to even suggest what I’m talking about.

thesmokingman, to asklemmy in What's an alternative to Spotify that doesn't play you the same fucking songs over and over?

While I primarily use streaming services, I almost always still buy albums on Bandcamp for the day when I need to go back to running my own music. You can save up for a Bandcamp Friday when more goes to the artist. Bandcamp has been the best place for music for a while. Best to get in before Songtradr continues the destruction Epic started.

thesmokingman, to piracy in Gaming Companies Flag 'Highly Skilled Hackers' as Emerging Piracy Threat

I worked at one of the majors pre-Microsoft acquisition. “Highly skilled” is actually a relative comparison to the security teams at gaming companies, not an industry benchmark comparison. The bar for highly skilled plummets once you include things like social platforms, launchers, and telemetry.

thesmokingman, to privacyguides in What is your favorite cybersecurity tool and why?

I’m not really seeing much in the way of cybersecurity tools in this thread. These are all FOSS and usable without extra cost (although some have paid upgrades)

thesmokingman, to privacyguides in What is your favorite cybersecurity tool and why?

I’m not sure I follow the closed source bit. For example, VirusTotal is closed source but is something used by cybersecurity professionals across the world. Most of the software that powers cloud giants is closed source and security professionals everywhere accept the shared security model.

Closed source matters for encryption, not necessarily tooling. It’s a red herring unless you’re talking about a tool’s ability to encrypt/decrypt.
