Gruber has a very nice disclaimer at the bottom of posts mentioning Bloomberg now:
"Bloomberg, of course, is the publication that published “The Big Hack” last October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services. The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort to do so), and has been largely discredited by one of Bloomberg’s own sources. By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it. I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true."
If you apply for a writer's job at Bloomberg or many of these media companies, people will ask you if you have a following on Twitter, Facebook and the like with which you can share content you write so that your employment poses a smaller risk to your new employer than someone with little to no following. That in itself might just make writers statistically more loyal to big tech than really necessary.
But that's diving down the paranoia rabbit hole.
While I have an inactive account at PM, I'm not involved with them in any way. This is just an observation that I have made over the recent years.
For years companies used to provide all sorts of incentives to put apps in their store. It benefits them highly.
This is ridiculous: https://protonmail.com/blog/clarifying-protonmail-and-huawei...
Are you implying that Huawei is paying ProtonMail so that they put their app in the Huawei AppGallery? Can you provide any proof?
For example, no mainstream media outlet in the UK covers Al Quds day in London (absolutely nothing about this on the BBC or print media). The facts on the ground at the most recent (and previous) marches are that there are a lot of Hezbollah flags flown.
Another example is the BBC’s treatment of Brexit on three flagship panel shows, Question Time, Politics Live and Any Questions where Remain commentators outnumber Brexit commentators 3 to 1.
In this instance, Bloomberg seems to be wanting to push the 'Huawei is spying on you' narrative as well as 'Proton Mail isn't secure' narrative.
Make what you will of the points above, maybe they mean something, maybe they don't. I just keep an open mind, try to think for myself, see things from different perspectives, and do my best not to fall for my own cognitive biases.
I still use Proton Mail, and I trust their service more than GMail (I migrated from GMail to Proton Mail), but it's a nice reminder not to trust any corporation too much or get complacent with security. I really don't feel like rolling my own encrypted email solution so the question is, "Who am I willing to trust the solution to?" Ultimately I'm accountable to myself.
As for media bias, sometimes it is blatant, most times however I find it subtle. Either way it is pervasive. Unless you are scanning for it, I imagine it is incredibly easy not to think for yourself.
From what I can tell, the march on this day tends to attract fewer than 500 people. So lack of coverage is not an indication of BBC bias.
Regarding Brexit, Question Time seems to have Nigel Farage on all the time, despite his lack of electoral success.
Still, I decided to take a look at last week's panel for you. And here is what I found:
Kwasi Kwarteng - Pro Brexit
Emily Thornberry - Remain
Layla Moran - Remain
Ian Blackford - Remain
Iain Dale - Pro Brexit
Richard Tice - Pro Brexit
No huge anti-Brexit bias in evidence.
Considering London has suffered from multiple ideologically possessed terror attacks it might be worth reconsidering how newsworthy open support of a terrorist organisation is.
Additionally, the Jewish community in London are particularly sensitive to the march as Al Quds day brings about hate speech towards them.
I'm not saying Al Quds day should be banned in London, but I think a public dialogue and debate should be had. In my estimation the lack of it is due to the 'multiculturalism is our strength' narrative bias held at the BBC.
Now I'm not saying 'multiculturalism is bad', I'm the product of it, and I definitely think it has benefits. But there are problems with it, which need to be confronted and worked through for a better society. Without a doubt these are sensitive, and ugly issues, but pretending they don't exist because you are captured by bias, will not solve the issues.
As for your Brexit comment, I believe you are suffering from recency bias.
In a report published in January 2018 called ‘Brussels Broadcasting Corporation?’, think-tank Civitas in conjunction with the group News-watch, monitored thousands of hours of radio and TV shows dating back to 1999 including the BBC flagship Radio 4 programme Today.
Of 4,275 guests on Today between 2005 and 2015 who talked about the EU, only 132 were Brexiteers.
Put another way, just 3.2% of Today interviewees were anti-EU, despite consistent public support for EU withdrawal throughout this time.
There are also a plethora of articles about this on Google, so in a way you are kind of proving my point because the data is out there but you didn't want to, or think to, look for it.
However I'm far less concerned about being 'right' and far more concerned about dealing with reality... and I believe the more people that deal with reality there are the better the world will be.
In the interest of remaining fair and balanced, media ultimately has to appear biased, if the supporters of the issue are... unbalanced in appeal.
I think this is less of an issue with Brexit, as one can make a cogent argument for Leave (although that doesn't seem to be the popular argument).
But for something like chemtrails? How could you possibly hold a "debate" that a believer couldn't look at and say "You're just biased against my side?"
Flying the Hezbollah flag was made illegal by the British Parliament in March, ahead of the most recent march: https://www.algemeiner.com/2019/05/28/flying-the-hezbollah-f...
The open support for Hezbollah was there in 2018 and in previous years... but from 2019 the reports I've read, it seems like the police enforced the new law. I would need to make a freedom of information request with the police to see if there were any arrests to verify this.
Bloomberg is a source that investors and traders trust with getting them some level of access to the rumour mill (in the spirit of the saying that exists among traders that goes "buy the rumour, sell the news"). The problem here is that, fact or fiction, rumours affect the financial markets, and not knowing about them puts a market participant at a disadvantage.
The article starts by saying in indicative mood "ProtonMail is in talks with Huawei Technologies Co. about including its encrypted email service in future mobile devices [...]" ...I don't really see a problem with that part of the statement since they were indeed in talks of some kind, and there's a certain bandwidth of what "including" could mean. It could just mean "making available through Huawei AppGallery", so there is nothing wrong with using indicative mood here.
In the second paragraph, the article switches the modality and says "The Swiss company’s service COULD come preloaded ..." Now, it could of course be the case, as people are alleging, that they just completely made that shit up and MANUFACTURED a rumour. But it could also be the case that they were reflecting a rumour that was already out there and sufficiently widespread that they thought that investors and traders should know about it. They used subjunctive mood using the auxiliary verb COULD to signal that there was something going on here about the modality of the statement.
ProtonMail speculated that a misunderstanding of their earlier announcement must have been the basis of Bloomberg's article. But I guess we'll never find out if that was indeed so.
ProtonMail clarified their earlier announcement and took issue with the word "partnership" being used to describe their relationship with Huawei, but, interestingly, they did not come flat out to respond to these assertions. For example, they did not say that preloading was not a topic that was discussed.
Now, it stands to reason that preloading would amount to Huawei handing a huge chunk of marketshare to ProtonMail, and then it's up to users to make up their minds about the likelihood of Huawei asking for quid-pro-quo and ProtonMail's response.
Rather than there being no basis at all for the Bloomberg article, another scenario could be that ProtonMail saw that making-up-of-minds play out on social media in response to the Bloomberg article and decided to do a one-eighty on that as a result.
...I guess we'll never know.
But you don't have to just take our word on it. ProtonVPN in particular has been heavily scrutinized, by both Mozilla (who we partnered with) and also the European Commission (which is providing funding): https://protonvpn.com/blog/is-protonvpn-trustworthy/
In other words, there are plenty of non-anonymous, legitimate third party sources, who have checked things out and confirmed the story is bogus.
One main allegation was that Proton shares an address with another company, but it fails to mention that our office in Vilnius is in a 30 story office building with hundreds of other companies: https://www.instagram.com/p/BxMz62oHb6K/
For instance, at my employer we had training on the GDPR rules and how they relate to us. We are a US based company with many global clients. However, we do have a physical presence in some EU countries so that does differ with the ProtonMail situation. However, in our training we were told that our business presence in the EU is irrelevant to the actual law because we would still be bound by it as it relates to our global clients. The layman's explanation we were given was that if you are using the internet to conduct digital business across country borders then you are pretty much subject to the laws of both nations between the client and the service provider.
That generally translates to defaulting to whichever law is more restrictive. For companies like Facebook and Google, they've rolled out GDPR style protections for everyone globally because it's much easier to do so than to only have it apply to a portion of their users, but that's a separate story.
I think everyone intuitively understands and knows this to be true. We can all think of cases where hackers have committed crimes that may only violate, for example, US laws and have been tried and convicted of such crimes even though they were committed overseas but the aggrieved party is the US or its citizens.
I think what ProtonMail is really saying is that because Switzerland doesn't have laws similar to China in this regard, China won't be able to convince Switzerland to extradite them to China for prosecution.
That's also why Russia threatened to ban them - because they know there is zero chance they will be willingly handed over to Russian authorities for this.
What led you to believe this is so clear?
2) "Proton does not have offices, employees, subsidiaries, or any permanent establishments in China or Russia, and as such, we do not fall under the scope of these laws, nor can these laws be enforced against us. However, this does not mean authorities in these countries would not try to enforce the laws anyways."
Is there any good&reputable replacement for ProtonMail?
HN does not allow you to delete comments. I would ask that if you think that not having Yubikeys does not require a significant and immediate answer from the ProtonMail team, to sign your name (I will) at the bottom of your response. If you can’t do that, perhaps provide a burner email address.
CISSP, CCSP, CISM
EDIT: spacing between my signature, change of comment to commentS
It has been known for some time that TOTP 6 digit codes are easy to intercept. SMS codes can also be intercepted, or gained via SS7 vulns / SIM jacking. This made things like Google Authenticator or Authy more resilient but certainly still quite vulnerable.
To intercept and exploit MFA in ProtonMail would be absolutely trivial for a skilled single person to do. DNS poisoning + this github library would be all you needed: https://github.com/kgretzky/evilginx2
EDIT: replaced quotemark with asterisk
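The mechanics behind the comment above, as an added example that is not part of the thread and not ProtonMail's or evilginx2's code: a transparent phishing proxy only has to relay a TOTP code to the real service inside the 30 s validity window for the login to succeed, whereas an origin-bound authenticator (the U2F/WebAuthn model a YubiKey implements) signs over the origin the browser is actually on, so a relayed assertion fails verification at the real site. Everything below is a simulation: the secrets, the hostnames `mail.example` and `phish.example`, and the class names are constructed, and an HMAC stands in for the device's public-key signature over client data (real WebAuthn signs `clientDataJSON`, which carries the origin, with the credential's private key).

```python
import base64
import hashlib
import hmac
import struct

# Constructed secrets; the first is the RFC 6238 reference secret, base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEVICE_KEY = b"constructed-authenticator-private-key"
REAL_ORIGIN = "https://mail.example"
PHISH_ORIGIN = "https://phish.example"


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TotpServer:
    """The real service: accepts the current or the immediately previous step."""

    def __init__(self, secret_b32: str) -> None:
        self.secret_b32 = secret_b32

    def login(self, code: str, now: int) -> bool:
        candidates = {totp(self.secret_b32, now), totp(self.secret_b32, now - 30)}
        return any(hmac.compare_digest(code, c) for c in candidates)


class PhishingProxy:
    """Reverse proxy at phish.example: captures what the victim types, then
    forwards it to the real service in the same request, as evilginx-style kits do."""

    def __init__(self, upstream: TotpServer) -> None:
        self.upstream = upstream
        self.captured: list[str] = []

    def submit(self, code: str, now: int) -> bool:
        self.captured.append(code)
        return self.upstream.login(code, now)


def phish_totp(now: int) -> bool:
    """Victim on phish.example enters a valid code; the relay is accepted upstream."""
    proxy = PhishingProxy(TotpServer(RFC6238_SECRET_B32))
    victim_code = totp(RFC6238_SECRET_B32, now)
    return proxy.submit(victim_code, now)


def device_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified origin-bound assertion: the browser supplies the page's origin
    and the authenticator signs over origin || challenge (HMAC in place of ECDSA)."""
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def origin_bound_login(device_key: bytes, challenge: bytes, assertion: bytes,
                       expected_origin: str) -> bool:
    """The relying party recomputes over its own origin; a mismatch fails closed."""
    expected = device_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(assertion, expected)


def phish_origin_bound() -> bool:
    """Same relay, but the victim's browser is on phish.example, so the signed
    origin does not match mail.example and the relayed assertion is rejected."""
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    relayed = device_sign(DEVICE_KEY, challenge, PHISH_ORIGIN)
    return origin_bound_login(DEVICE_KEY, challenge, relayed, REAL_ORIGIN)


def legitimate_origin_bound() -> bool:
    """Control case: the genuine site's origin verifies."""
    challenge = hashlib.sha256(b"constructed server nonce").digest()
    assertion = device_sign(DEVICE_KEY, challenge, REAL_ORIGIN)
    return origin_bound_login(DEVICE_KEY, challenge, assertion, REAL_ORIGIN)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", phish_totp(1_700_000_000))
    print("Origin-bound assertion relayed through proxy accepted:", phish_origin_bound())
    print("Origin-bound assertion from real site accepted:", legitimate_origin_bound())
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, T=59 gives `94287082`, whose last six digits are `287082`), so the relay result is not an artefact of a toy implementation: the code the victim typed is simply still valid when the proxy replays it.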
Not doing this was a deliberate choice. The benefits of implementing it outweigh not implementing it by maybe a dozen orders of magnitude.
The very scary thing btw is simple. They were bribed the same way the WordPress Core Contributors have been for years.
Let me discuss this quickly, and I’m happy to name names in a separate posting (Gary Pendergast out of Australia is going to jail though, along with another American dev). That being said, please review this discussion where several core contributors admit to not even reading an extremely important patch from arguably one of the best PHP developers in the world (certainly in terms of security): https://core.trac.wordpress.org/ticket/39309
not having yubikey support is obviously not "very very scary" since most people (even on hn) don't have yubikeys and we don't run around with our tails between our legs.
many reasons can lead to not supporting yubikey yet, including the simplest, which is that it's lower on the priority list for a resource-constrained organization. or another likely explanation: yubikey has unsolved ux issues that keep it a niche product (for now), so demand simply isn't there.
this seems to be an important issue for you, so if you want to effect change, then you need to come across as well-reasoned, not fud-filled. (edit: and don't let perfect be the enemy of good.)
But even if email-via-notification worked, it is still pretty much unusable. My use case is to get to wifi, download emails and go offline, but with ProtonMail I'd have to be super careful not to have my app open when enabling the connection to wifi, otherwise it instantly downloads all headers and shows no notification, because the app is in the foreground; after that there is simply no way to download message bodies other than opening them one by one in all folders. Surprisingly, support saw no problem with this UX either.
So whilst it might have been meant callously, from my third party glance it seems quite important.
FWIW, offline access is even more important in developing countries, yet devs living in Switzerland and clearly having no problem with their 4G coverage are failing to realise that.
Ideally, pushing the APK to multiple distribution channels is mostly a one-time job to integrate with their build and deploy pipelines and then it's relatively business-as-usual, so I would imagine it won't take away a lot from development effort in other places once up & running.
As a non-Google Play user, I'm installing via Aptoide (a platform I don't _really_ trust yet) and relying on signatures to validate that the package is valid. Any moves by ProtonMail to offer '1st party' distributions (e.g. F-Droid) is really welcome.
But I guess there just is not enough demand for that.
Given how simple WireGuard is to set up I don't understand why they don't support it. Their UI etc, sure. Then just make it alpha or beta or whatever. I'd happily test it. Give feedback, etc.
Meanwhile, I paid for a 2 year sub and barely use it because of this reason. Instead, I run a WireGuard VPN _to_ my home cable connection.
Your WG tunnel to your home is nice for accessing home stuff from outside, and for protecting your use of the coffee shop wifi, but it isn't anonymizing your traffic to your home ISP or to websites you use, which is a big reason for using a VPN product.