Ex-WhatsApp engineer here. The WhatsApp team makes so much effort to make these end-to-end encrypted messages possible. From the time I worked there, I know for sure it is not possible to read the encrypted messages.
From a business standpoint they don't have to read these messages, since the WhatsApp Business API provides the necessary funding for the org as a whole.
> Ex-WhatsApp engineer here. The WhatsApp team makes so much effort to make these end-to-end encrypted messages possible. From the time I worked there, I know for sure it is not possible to read the encrypted messages.
None of this makes the point you want to make. Being a former engineer. The team making "so much effort". You "knowing for sure". As with much in security, a single hole is all it takes for your privacy to pour out of your metaphorical bag of sand.
It’s not even “a single hole,” it’s that companies can change their mind at any time.
That person doesn’t work there anymore. For all we know Zuck could wake up one day and say “that’s it, we need the data and revenue from reading WhatsApp chats. Change our policy in the most low key way possible.”
Honestly, it’s too tempting isn’t it? They have the largest conversation network out there.
It doesn’t help that the company has just about zero trust built up among their customers. The whole dang company changed their name arguably to try to shed the “Facebook” baggage.
Nice! Hey, question: I noticed Signal at one point had the same address on the Google Play Store as WA. Can you tell us if Signal devs shared office space with WA during the integration of the Signal protocol? Related to that, did they hold the WA devs' hands during the process, meaning at least at the time it was sort of greenlighted by Moxie or something? If this is stuff under NDA I fully understand, but anything you can share I'd love to hear.
The legal and liability protection these messaging services get from E2EE is far too big to break it.
Besides, I get the feeling we're so cooked these days from marketing that when I get freaked out that an advert is about what I was thinking about, it's probably because they made me think about it.
How would you hide that? Unless you’re assuming nobody ever has to try and fix bugs or audit code to find it, and there’s some kind of closed off area of code that nobody thinks is suspicious. Or you maintain a complete second set of the app core libs that a few clandestine folks can access, and then hope nobody notices that the binaries don’t line up and crash logs are happening in obscured places.
I have no doubt that rank-and-file engineers were not aware of the underlying functionality that allowed plain-text content to be read.
Nobody would ever create a SendPlainTextToZuck() function that had to be called on every message.
It would be as simple as using a built-in PRNG for client-side key generation and then surreptitiously leaking the initial state (dozens of bytes) once in a nonce signing or something when authenticating with the server.
I’ve often thought one of Zuck’s superpowers is in finding ways to get smart and moral people to do truly evil things. Sometimes it’s mind games. Sometimes it’s careful layers of obfuscation.
Here it might be: this analytics package is dynamically loaded at runtime because reasons. This abuse-flagging and review system is bundled with analytics because reasons. This add-on reconfigures how the analytics package behaves at runtime and has a bunch of switches nobody remembers why they're here, but don't touch them, they're fragile.
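The "seeded PRNG plus leaked state" mechanism hypothesised a few comments up, as a toy model added here for illustration. It is not WhatsApp code and does not describe anything WhatsApp does: the HMAC-based key expansion, the 64-byte nonce layout, the challenge-derived mask and every class and function name are assumptions made for the example. What it shows is the only thing that matters for the argument: once private key bytes come from a deterministic generator, whoever learns the seed regenerates the key, and a field that is "supposed to be random" is a convenient place to carry the seed without anything looking wrong on the wire.

```python
"""Toy model of a backdoor where key material comes from a seeded PRNG and the seed is
smuggled out through an authentication nonce. Added example; not WhatsApp code. The key
derivation, nonce layout, mask and names are all assumptions for the illustration."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

KEY_LEN = 32
SEED_LEN = 32


def key_from_seed(seed: bytes) -> bytes:
    """Deterministic expansion of a seed into KEY_LEN key bytes (HMAC-SHA256, counter mode).
    Anyone holding the seed gets the identical output, which is the whole problem."""
    out = b""
    counter = 0
    while len(out) < KEY_LEN:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:KEY_LEN]


def _mask(server_challenge: bytes) -> bytes:
    # Value both the backdoored client and the colluding server can derive from the
    # challenge; XORing the seed with it keeps the leaked bytes looking random on the wire.
    return hashlib.sha256(b"nonce-mask" + server_challenge).digest()


class BackdooredClient:
    """Hypothetical client: derives its key from a seed and leaks the seed in its nonce."""

    def __init__(self, seed: Optional[bytes] = None) -> None:
        self.seed = seed if seed is not None else os.urandom(SEED_LEN)
        self.private_key = key_from_seed(self.seed)

    def auth_nonce(self, server_challenge: bytes) -> bytes:
        # 64 bytes that pass a casual 'is this random?' look: the first 32 are the masked
        # seed, the last 32 are genuinely random padding.
        leaked = bytes(a ^ b for a, b in zip(self.seed, _mask(server_challenge)))
        return leaked + secrets.token_bytes(32)


class HonestClient:
    """Key bytes come straight from the OS CSPRNG; there is no seed to leak."""

    def __init__(self) -> None:
        self.private_key = secrets.token_bytes(KEY_LEN)

    def auth_nonce(self, server_challenge: bytes) -> bytes:
        return secrets.token_bytes(64)


def server_recover_key(server_challenge: bytes, nonce: bytes) -> bytes:
    """What a colluding server does with the nonce: unmask the seed and re-run the PRNG."""
    seed = bytes(a ^ b for a, b in zip(nonce[:SEED_LEN], _mask(server_challenge)))
    return key_from_seed(seed)


def demo() -> Tuple[bool, bool]:
    """Returns (server recovers the backdoored client's key, server recovers the honest one)."""
    challenge = os.urandom(16)
    bad = BackdooredClient()
    good = HonestClient()
    recovered_bad = server_recover_key(challenge, bad.auth_nonce(challenge))
    recovered_good = server_recover_key(challenge, good.auth_nonce(challenge))
    return recovered_bad == bad.private_key, recovered_good == good.private_key


if __name__ == "__main__":
    print(demo())
```

The reviewer's check this suggests is not to look for a suspiciously named function but to trace every byte of long-term key material back to the OS CSPRNG (`secrets`, `os.urandom`, `getrandom`), and to treat any client-generated "random" field that is derived from stored state rather than freshly drawn as a finding, whatever the surrounding module is called.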
The backups are either unencrypted by default or have keys held by Meta / your backup provider. I think this means three-letter agencies can see your chats, just with a slight delay.
Another comment above mentions that you can recover conversation histories with just your phone number--if that's true then yup. The E2EE is all smoke and mirrors.
From what you know about WA, is it possible for the servers to MitM the connection between two clients? Is there a way for a client to independently verify the identity of the other client, such as by comparing keys (is it even possible to view them?), or comparing the contents of data packets sent from one client with the ones received on the other side?
WhatsApp uses key transparency. Anyone can check what the current published keys for a user are, and be sure they get the same value as any other user. Specifically, your WA client checks that these keys are the right keys.
Whatsapp has a blog post with more details available.
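A simplified model of what the key-transparency comment above describes, added here as an illustration. This is not WhatsApp's directory implementation (a real deployment uses a more elaborate authenticated data structure, signed tree heads and third-party auditors); the leaf format, the duplicate-last-node padding and all names are assumptions for the example. It shows the two properties the comment relies on: a client can verify that the key it was handed is the one the directory committed to, and a server that wants to substitute a key has to show the victim a different tree, whose root no longer matches what everyone else sees.

```python
"""Simplified key-transparency directory: a Merkle tree over (user, public key) leaves,
inclusion proofs for lookups, and split-view detection by comparing roots. Added example,
not WhatsApp code; the structure and names are assumptions for illustration."""
import hashlib
from typing import List, Tuple

Proof = List[Tuple[bytes, str]]  # (sibling hash, "L" if sibling is on the left else "R")


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user: str, pubkey: bytes) -> bytes:
    # Domain-separated so a leaf can never be confused with an interior node.
    return _h(b"\x00" + user.encode() + b"\x00" + pubkey)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd-length levels duplicate their last node so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 == 1 else level


class KeyDirectory:
    """Server side: an append-only log of (user, public key) leaves committed by a Merkle root."""

    def __init__(self) -> None:
        self.leaves: List[Tuple[str, bytes]] = []

    def publish(self, user: str, pubkey: bytes) -> None:
        self.leaves.append((user, pubkey))

    def _levels(self) -> List[List[bytes]]:
        level = [leaf_hash(u, k) for u, k in self.leaves]
        levels = [level]
        while len(level) > 1:
            padded = _pad(level)
            level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
            levels.append(level)
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def lookup(self, user: str) -> Tuple[bytes, Proof]:
        """Return the user's latest key and an inclusion proof against root()."""
        idx = max(i for i, (u, _) in enumerate(self.leaves) if u == user)
        pubkey = self.leaves[idx][1]
        proof: Proof = []
        for level in self._levels()[:-1]:
            padded = _pad(level)
            sib = idx ^ 1
            proof.append((padded[sib], "L" if sib < idx else "R"))
            idx //= 2
        return pubkey, proof


def verify_inclusion(user: str, pubkey: bytes, proof: Proof, root: bytes) -> bool:
    """Client side: recompute the path from the leaf to the root and compare."""
    h = leaf_hash(user, pubkey)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


def demo() -> Tuple[bytes, bool, bool, bool]:
    d = KeyDirectory()
    d.publish("alice", b"alice-key-v1")
    d.publish("bob", b"bob-key-v1")
    d.publish("carol", b"carol-key-v1")
    d.publish("bob", b"bob-key-v2")  # Bob rotated; the latest entry wins
    root = d.root()  # what every client (and any auditor) fetches and compares

    bob_key, proof = d.lookup("bob")
    honest_ok = verify_inclusion("bob", bob_key, proof, root)

    # A MITM server substitutes its own key for Bob: the proof no longer chains to the
    # root the rest of the world has seen.
    mitm_ok = verify_inclusion("bob", b"mitm-key", proof, root)

    # Its only option is to serve the victim a different tree, which yields a different
    # root: detected as soon as the victim compares roots with anyone else.
    forged = KeyDirectory()
    for user, key in d.leaves:
        forged.publish(user, b"mitm-key" if user == "bob" else key)
    split_view_detected = forged.root() != root
    return bob_key, honest_ok, mitm_ok, split_view_detected


if __name__ == "__main__":
    print(demo())
```

The comparison step is what makes the scheme answer the MITM question asked above: inclusion proofs alone only tell a client that the server's story is internally consistent, while comparing roots with other clients or an auditor is what rules out the server telling each client a different story.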
I have not fired a technical writer, but writing documentation that understands and maintains users' focus is hard even with an LLM. I am trying to write documentation for my start-up and it is harder than I expected even with an LLM.
Kudos to all the technical writers who made my job as a software engineer easier.
I feel a local RAG system slows down my computer (I've got an M1 Pro with 32 GB).
So I use a hosted one to prevent this. My business uses a vector DB, so I created a new DB to vectorize and host my knowledge base.
1. My whole knowledge base is markdown files, so I split them by header tags.
2. Each split is hashed and the hash value is stored in SQLite.
3. The hashed version is vectorized and pushed to the cloud DB.
4. Whenever I make changes, I run a script which splits and checks the hash; if it has changed, I upsert the document. If not, I don't do anything. This helps me keep the store up to date.
For search I have a CLI query which searches and fetches from the vector store.
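The four-step sync pipeline above, written out as an added example (it is not the commenter's script). The header splitter, the SQLite hash table and the changed-only upsert logic are the real parts; the hosted vector DB and the embedding model are stand-ins (`FakeVectorStore`, a hashed bag-of-words `embed`) so it runs offline, and the names are assumptions. It goes one step beyond the comment by also deleting chunks whose section has been removed from the source files, which the hash check alone never notices.

```python
"""Markdown knowledge base -> hash table in SQLite -> upsert only changed chunks.
Added example, not the commenter's script. The vector DB and the embedding model are
in-memory stand-ins so this runs offline; all names are assumptions."""
import hashlib
import math
import re
import sqlite3
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^#{1,6}[ \t]+(.+?)[ \t]*$", re.M)


def split_by_headers(markdown: str) -> List[Tuple[str, str]]:
    """Split a markdown document into (heading, body) chunks, one per header line."""
    matches = list(HEADER_RE.finditer(markdown))
    chunks: List[Tuple[str, str]] = []
    preamble = markdown[: matches[0].start()] if matches else markdown
    if preamble.strip():
        chunks.append(("", preamble.strip()))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(markdown)
        chunks.append((m.group(1), markdown[m.end():end].strip()))
    return chunks


def chunk_id(path: str, heading: str, nth: int) -> str:
    # Stable id per (file, heading, occurrence) so inserting a section elsewhere
    # does not shift every other chunk's id and force spurious upserts.
    return hashlib.sha256(f"{path}\x00{heading}\x00{nth}".encode()).hexdigest()[:16]


def content_hash(heading: str, body: str) -> str:
    return hashlib.sha256(f"{heading}\n{body}".encode()).hexdigest()


def embed(text: str) -> List[float]:
    """Placeholder for the hosted embedding model: hashed bag-of-words into 16 buckets."""
    vec = [0.0] * 16
    for word in re.findall(r"\w+", text.lower()):
        vec[int(hashlib.sha1(word.encode()).hexdigest(), 16) % 16] += 1.0
    return vec


class FakeVectorStore:
    """Stand-in for the cloud vector DB; counts upserts so the effect of hashing is visible."""

    def __init__(self) -> None:
        self.docs: Dict[str, Tuple[List[float], str]] = {}
        self.upserts = 0

    def upsert(self, doc_id: str, vector: List[float], text: str) -> None:
        self.docs[doc_id] = (vector, text)
        self.upserts += 1

    def delete(self, doc_id: str) -> None:
        self.docs.pop(doc_id, None)

    def search(self, query: str, k: int = 3) -> List[str]:
        q = embed(query)

        def cos(v: List[float]) -> float:  # cosine similarity, 0 if either vector is zero
            dot = sum(a * b for a, b in zip(q, v))
            n = math.sqrt(sum(a * a for a in q)) * math.sqrt(sum(b * b for b in v))
            return dot / n if n else 0.0

        ranked = sorted(self.docs.values(), key=lambda d: cos(d[0]), reverse=True)
        return [text for _, text in ranked[:k]]


class Syncer:
    """Keeps the vector store in step with the markdown files, touching only changed chunks."""

    def __init__(self, store: FakeVectorStore) -> None:
        self.store = store
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE chunks (id TEXT PRIMARY KEY, path TEXT, heading TEXT, hash TEXT)")

    def sync(self, files: Dict[str, str]) -> Dict[str, int]:
        stats = {"unchanged": 0, "upserted": 0, "deleted": 0}
        seen = set()
        for path, markdown in files.items():
            counts: Dict[str, int] = {}
            for heading, body in split_by_headers(markdown):
                counts[heading] = counts.get(heading, 0) + 1
                cid = chunk_id(path, heading, counts[heading])
                seen.add(cid)
                digest = content_hash(heading, body)
                row = self.db.execute("SELECT hash FROM chunks WHERE id = ?", (cid,)).fetchone()
                if row and row[0] == digest:
                    stats["unchanged"] += 1
                    continue
                self.store.upsert(cid, embed(heading + " " + body), body)
                self.db.execute("INSERT OR REPLACE INTO chunks VALUES (?, ?, ?, ?)",
                                (cid, path, heading, digest))
                stats["upserted"] += 1
        for (cid,) in self.db.execute("SELECT id FROM chunks").fetchall():
            if cid not in seen:  # section removed from the source: drop it from both stores
                self.store.delete(cid)
                self.db.execute("DELETE FROM chunks WHERE id = ?", (cid,))
                stats["deleted"] += 1
        self.db.commit()
        return stats
```

Swapping `FakeVectorStore` for a client of the real hosted DB and `embed` for the real model is the only change needed; the hash table is what keeps the number of (paid) embedding calls proportional to what actually changed.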
The extent people go to to cheat in interviews. What happens after you pass by cheating? The reason they have rigorous interviews is because the company moves at a different pace. You cannot survive there if you cheat.
I feel it is a hyped product oversold to people who cannot tell. When we developers tell them that it cannot do as much as they expect, they think that we are afraid of losing our jobs and are downplaying the AI.
Like everyone said, my productivity boost is in the 1-4% range and not more than that.
I actually have flashbacks from the crypto hype, with people coming up with exactly the same arguments: that we don't understand blockchain, that we don't get how web3 is revolutionary, that we don't grasp the consequences of the revolution and so on.
The difference here is that LLMs do have some genuine use cases, it's just they are far away from the hype.