• FreedomAdvocate@lemmy.net.au
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    3
    ·
    3 days ago

    No - did you even read the article? An x employee confirmed that they’re using the “special” servers to store the keys that mean that they cannot see them. The author then says that the employee confirming it doesn’t mean they do, because the author doesn’t want it to be true.

    • Natanael@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      3 days ago

      There are hardware for that called hardware security modules, but yeah I definitely wouldn’t trust Twitter’s implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn’t to get that key

      A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user’s password would be needed (for key derivation) or some other secret held by the user’s devices (in the TPM chip or equivalent)

        • Natanael@infosec.pub
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          2 days ago

          I’ve run a cryptography forum for 10 years. I can tell snake oil from the real deal.

          Musk’s Twitter doesn’t know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.

          • FreedomAdvocate@lemmy.net.au
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            2 days ago

            So again - you just don’t want it to be true, and you think the people that know more than you about it are lying.

                • Natanael@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  20 hours ago

                  If you can’t demonstrate that you know more about cryptography then me, it’s time for you to admit you’re wrong

                  • FreedomAdvocate@lemmy.net.au
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    20 hours ago

                    You said this

                    There are hardware for that called hardware security modules, but yeah I definitely wouldn’t trust Twitter’s implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn’t to get that key

                    So again - you’re just hoping that they’ve done it wrong, based on nothing other than you wanting them to have done it wrong. They’ve told you they did, but you don’t believe them based on…nothing…nothing whatsoever…other than your hatred.

                    Feel free to tell me how your knowledge of cryptography proves that it’s done incorrectly though. Please.