The appeal of GraphQL is that it eliminates the need for a BFF and easily solves service meshing. Over-fetching is more of a component design problem than a performance issue.
Right it felt pretty bad. It chugs tons of tokens just to be like "I need to scroll up!". Then 5 seconds later it scrolls up, chugs more tokens. "I need to scroll up more!"
Google would control everything if they could, but this won’t achieve that and they know that so it’s not the specific intention of this. Even if you’re feeling doomerish about it.
My theory is that Google wants to bake Gemini into Chrome to preempt a future antitrust ruling ordering them to spin the browser out, for the same reason Microsoft made IE an integral part of Windows 98.
It’s how a lot of code is being generated by owners of small startups with minimal engineering engagement. PMs are producing full walking skeletons of designs that used to take a week to polish to that fidelity.
Sure--but it's also the most widely used IDE for integrated AI assistance to normal software engineers. It's a "vibe coding" app in the same way that a washing machine is a "sock cleaning machine." I mean, yes, it does that, but that's a small part of its designed and in-practice usage.
They used an internal fork delivered via MDM. There are no guarantees that Signal can make about the software running on those phones and per the reports it’s a lot of phones.
This is currently my bet. This looks like something I would set up— state actors are not in my threat list. But, I’m usually being paid to protect the employer not the employee.
This is so frightening. I worked in corporate security, and that was occasionally a leaking ship, but this wouldn’t even fly with our engineers even if we wanted their message history. This is negligence.
On a more meta note, I wonder who even works at companies founded on ideas that are just... bad. On average, I expect good engineers to push back on such business requirements and also have better job mobility so they can leave and work elsewhere. The researcher found the vulnerabilities "in less than 30 minutes" so it seems there's some lack of competence here.
Unfortunately, misguided business requirements like this won't simply disappear and I get that those can be niche offerings that attract juicy contracts.
Casinos, scams (both of these Web3 as well as traditional), game hack developers, ransomware and database hackers. Adtech, which thousands of HNers work in (anyone at Google). Temu, Shein, gacha/lootbox games, dopamine drug dealers (Meta, Bytedance). NSO group, spyware. Policeware, Clearview, surveillance tech. You could name defense as well, but I find that more ambiguous.
I wouldn't be surprised if at least 25% of HN has worked for such companies for at least 2 years of their career.
The reality is that it's a dog-eat-dog world out there. I know people who worked in adtech. Yeah, they thought it sucked too and was boring, stupid work compared to doing something cool. But it paid the bills, and interesting work is hard to land even without having to pivot into it mid-career.
People generally need jobs, and some of these jobs aren't so good. Not everyone is talented enough to work at the next hot startup building a frontend to ChatGPT.
But tl;dr anything said on those phones is assumed to be compromised until proven otherwise by time or a whole lot of very interesting security verifications. So far the evidence that this is a very large leak looks probable based on the evidence presented.
Why do you say "everything said on those phones" - did you mean "on this app"? If the backend of an app was compromised, that wouldn't mean the phone itself was rooted?
It is reasonable to assume that the intelligence services of unfriendly countries are actively devoting significant resources to compromising both issued and personal phones of top-level officials in the US government. They would be negligent not to. It's also a good guess that those efforts would be increased after the first time it became public knowledge the officials were likely using those phones for secret official business.
It is also reasonable to guess that such services have access to malware similar to the infamous Pegasus and a nonzero success rate at deploying it. In short, it's careless to assume none of the phones are rooted by a hostile actor.
That's one of several reasons the government has rules requiring that classified conversations take place on specific approved devices which aren't used for anything else.
By installing MDM you’re effectively chaining your security to the security of the MDM. The MDM gives you the ability to install arbitrary code via a blessed backdoor. There’s no reason currently not to suspect that anything said on that phone (signal or not) is compromised.
The MDM admin can do whatever the user can do (or more), sure. So yes the MDM admin can potentially read/hear/see stuff, but everyone knows that. That's not a vulnerability, that's by design.
The compromise is only wrt the admin. Are you claiming the admin itself is compromised? What's the evidence for that?
Yeah, I was shocked to see this buried. If the allegations are verified this could be a huge leak on what a number of people were led to believe is a secure by default platform. It turns out when you can’t trust the CI/CD pipe those guarantees go out the window.
CGO_ENABLED=0 go build -ldflags "-X main.version=dev -X main.commit=$(git rev-parse --short HEAD) -X 'main.buildDate=$(date +%Y-%m-%d)'" -o witr ./cmd/witr
Call me old-fashioned, but if there's an install.sh, I would hope it would prefer the local src over binaries.
Very cool utility! Simple tools like these keep me glued to the terminal. Thank you!