> Reddit's new "private" chat system is powered by send bird without any additional end to end encryption.
> This means send bird provides a searchable plaintext database of all of these "private" chats.
> I like the (public) chat feature but to introduce "private" chats a feature that is clearly intended to increase interactivity and thus use of the feature without making this clear is just wrong IMO.
Hence the move to call things "direct" messages, rather than "private" as it used to be.
A practical example: https://signal.org/blog/private-contact-discovery/
I was thinking of having a third-party trusted services that compares the hash of the deployed application to the one they independently compiled themselves.
But the complexity is nontrivial and there is enough variations between the output of the same source code across different build environments that would make hashes useless.
Another possibility is having trusted compilers that would send link the source code to the build in a trusted repository.
When the sender and recipient are connected directly to the same system, there are no endpoints.
"Customers can choose to further encrypt the messages prior to sending and after receiving for end- to-end encryption as needed (but this will cause moderation tools and search features to malfunction)."
Reddit may prefer to not provide end-to-end encryption due to reasons, say, keyword marketing.
It encrypts messages with a passphrase using scrypt, AES-GCM, and sha256 for an HMAC.
Each v1 protocol message includes a salt/iv, scrypt N&r, HMAC, and whether or not to lower-case the password. All messages encrypted with the proof-of-concept will be decrypt-able by all future clients, as there's room for 13 more protocol versions.
The code is in complete disarray, and I wouldn't want anyone to sift through it in it's current state, but the proof-of-concept is finished, and life came up, so it's been sitting since.
I have a list of features I want to add in the issues tracker :)
 if you do want to sift through it don't miss https://github.com/aurorabbit/libemojicrypt. I separated the repos without following through on that reorganization.
I'm kinda surprised, if some new account tosses out 100 DMs ... you'd think they'd be able to automatically cut them off.
Then again they don't cut off accounts that just spam their blog or news site all the time either...
Defensive technology is expensive and loses utility in times of peace.
I mean if they have hundreds or thousands of engineers, billions of dollars etc. they have surely considered these heuristics before, and there's probably a reason they haven't done them "right," we just are not privy to that reason.
Reddit don't. They have a handful of engineers.
You can throw the SpamAssassin detection engine at the PMs, and you’ll already get a much higher detection ratio than what Reddit gets today.
Also, these are not private messages. That's why Tweakers.net calls private messages "direct messages" (DMs) and not "private messages" (PMs). They scan them, they read them back in case of a dispute, but apart from the moderator team other users cannot read them.
The title of this subject seems to call it DM whereas Reddit appears to call their system PMs. Either way, Reddit falls under a different jurisdiction than Tweakers.
A simple solution could be using GPG, or a different method of communication e.g. using JS over a less censoring platform. By using GPG (or some other form of public key cryptography), the messages are private, and the integrity of the data can be guaranteed.
Also, convincing reddit users to use GPG is definitely easier than convincing email users, because it only needs to happen for specific subsets of them, and many already use it (eg in the old /r/DarkNetMarkets).
My assumption is that you don't.
A transparent browser addon using JS and redditcensored.com would take care of that. ProtonMail is also browser-based and user-friendly.
Meanwhile, ROT13 (or a variation) could be a useful alternative for the time being. Has anyone tested it?
Until they start blocking that (it's very easy to detect excessively high entropy, in fact one of the properties of good encryption is that output is indistinguishable from random noise) --- in which case, start using stenography...
Technically this is not correct, though your point about high entropy nonetheless stands. Ciphertext indistinguishability (IND, and more generally computational indistinguishability) refers to the inability of a polynomial-time algorithm to differentiate between two different output streams of data, given some input stream of data. To be precise, it is sufficient for a ciphertext to achieve indistinguishability under an adaptive chosen ciphertext attack (IND-CCA2) if an attacker cannot distinguish which of two ciphertexts corresponds to a plaintext message with greater with 50% probability in polynomial time, even when they can arbitrarily decrypt ciphertexts of their choosing.
Academically speaking, distinguishability against a set of uniformly random bits is a nice model and a bar to strive for. In practice it's not necessary, and it's harder to achieve with public-key cryptography than secret key cryptography. AES's substitution permutation network should generally have output that appears uniform (except for special cases, like GCM). But public-key cryptosystems like RSA rely on so much algebraic structure to achieve their encryption that it's very regular to find some latent structure which clearly distinguishes ciphertext data from random data. This doesn't diminish the security, because you still can't distinguish between ciphertexts themselves in polynomial time. But from the perspective of attackers and onlookers, if it's not already obvious how a ciphertext was generated from context, it's usually not infeasible to figure it out by looking directly at the ciphertexts or their accompanying metadata. It is much harder to do this with hash functions.
There is not much research in cryptographically secure stenography because that sort of obscurity is usually not desirable except for very special cases. To combat the appearance of high entropy, I would use a specialized encoding algorithm that breaks the ciphertext into many short, variable-length fragments, then intersperses it into a commensurately larger corpus of randomly generated plaintext. Localized pockets of entropy would still be evident even if it's less "loud", so I'd then disguise them by putting them into e.g. very long URLs, which often have great length and pseudorandomly generated tokens.
With an actual research team and a few months I'm confident you could massage this plan into something pretty decently secure as long as the underlying cryptography wasn't too radical. The real question is why go through all the effort to impose secrecy on a platform that's clear antagonistic to it? If you're at the point of considering stenography for a direct messaging system, just message a redditor and ask them to chat with you on a different system for security.
It's why europe has been on a censoring rampage. It's why china/russia/etc are very strict about social media.
Do you think that advertisers, who are stepping over each other to advertise in china ( where they kill prisoners to harvest their organs ) or saudi arabia ( where they stone rape victims for adultery ) have any morals?
Ultimately, reddit, facebook, youtube and others doesn't need advertisers. The advertisers need them. That's why the establishment has been waging a war to take control over social media. Social media is where the people ( young and increasingly the older ) are.
I bet URL shorteners don't work either, for the same reason.
reddit is really starting to go downhill.
The general consensus seems that the re-design has a horrible user experience for most people. Curious on what their approach would be as I'm sure they're seeing horrible conversions.
Maybe on r/redesign that's the consensus, but that's ignoring the rest of the users that doesn't care.
Sure, it’s fixed after logging in, as I’ve opted for the “classic” look, but how long will they support both displays?
Did they forget that the reason they got so many users in the first place was because of the Digg redesign?
Your response falls completely flat because I never claimed a right to Reddit.
It may not hold up after all, i.e. facebook censoring users because they are a private entity, they may be forced to provide some avenue for people to do so in the future. Its interesting to me because it goes against everything I use to believed in, but at the same time these entities are being used to promote a dark globalist agenda.