The U.S. Missile Defense Agency (MDA), in cooperation with U.S. Space Force and U.S. Northern Command, conducted a flight test on June 23, 2025, in which the Long Range Discrimination Radar (LRDR) at Clear Space Force Station, Alaska, successfully acquired, tracked and reported missile target data to the Command and Control Battle Management and Communications (C2BMC). This was the radar’s first flight test tracking a live Intercontinental Ballistic Missile (ICBM) representative target. More: https://www.mda.mil/news/25news0006.html
Readit Newspetedoyle commented on U.S. Missile Defense Agency: Successful Test of Long Range Discrimination Radar [video] youtube.com/watch?v=YIQWm... · Posted by u/petedoyle
petedoyle commented on Maintaining an Android app in Google Play Store is a lot of work ashishb.net/programming/m... · Posted by u/ashishb
> > The absolute nightmare is about giving Google the root signing key of your application
> It seems plausible the US government could send a NSL (or similar) to Google and force them to distribute modified APKs for apps like Signal
Since when do you have to hand over your signing keys to Google? I seem to remember the Signal devs saying that they preferred publishing their app on Google Play as opposed to F-Droid because in the former case they control the signing keys. Has this changed?
Apologies / small correction:
Apps first published to the Play store before August 2021 are not required to upload their keys [1]. This likely includes Signal.
petedoyle commented on Maintaining an Android app in Google Play Store is a lot of work ashishb.net/programming/m... · Posted by u/ashishb
Well, this is one of those HN comments that I will never forget. Someone wrote (and then removed after a buyer purchased it and required it's take down) a stylometry analyzer once for HN comments. A supposedly senior-y Google-r lambasted some Snowden slides commenting things were impossibly unimaginable inside Google (this was before it has done become widely accepted that internal services at such companies such of course be using some transport security). I got in some silly fight with someone ... 13+ years ago? These are specific things I remember. And now probably your comment.
I didn't trust stock Android before, and I felt the sinking-gut feeling as soon as I realized where "upload root signing key" was going, but spelling it out here puts a ... fine point on things.
Thanks for the comment.
Maybe this? https://en.wikipedia.org/wiki/MUSCULAR
petedoyle commented on Maintaining an Android app in Google Play Store is a lot of work ashishb.net/programming/m... · Posted by u/ashishb
And all this article is "just" about the building of the Java/Kotlin application :)
Native NDK is another can of worms, with updates linked to SDK or sometimes not, unclear documentation about device and API compatibilities, compiler behavior changes and other requirements (like the 16K one) that impact so many 3rd party native libraries.
But, of course, the rules on the uploading and the changes of the Console, that changes so often is what makes it painful.
The absolute nightmare is about giving Google the root signing key of your application, the unfinished business about app bundles (which should reduce the size of the downloaded app, and more often than not, make it bigger), the changes in compliance, letters to sign for different countries, the compatibility for Google form factors (XR, TV, Auto, Automotive), Inline installs and other Teacher Progams, Play for family and so on.
All of this changes non-stop and is very poorly documented :)
At least, the Play Store is still GPLv2 compatible, so for now, we're saved (VLC)
> The absolute nightmare is about giving Google the root signing key of your application
I wish more people talked about this. At Amazon, I helped with the early threat modeling around adoption of "App Signing by Google Play", which requires sending your app's root signing key to Google (and is now required, with no publicly-available opt-out for new apps.) It would have added some nice things for Android devs: app bundles, smaller downloads, instant apps, etc.
That said, we imagined the following scenario, and were unable to find a reasonable mitigation at the time:
It seems plausible the US government could send a NSL (or similar) to Google and force them to distribute modified APKs for apps like Signal (ex: to exfiltrate keys). This would be nearly impossible to detect, especially if the modified APK were distributed to only an individual user, or a small group. A few people raised concerns [1], but I don't recall Google ever giving a reasonable response.
[1] https://commonsware.com/blog/2020/09/23/uncomfortable-questi...
Edit: clarify no opt out applies to new apps
petedoyle commented on The cryptography behind passkeys blog.trailofbits.com/2025... · Posted by u/tatersolid
Somewhat off-topic: Does anyone know the underlying strength of the keys used as the "root of trust" behind passkey synchronization on Android/iOS? I can't find a lot of documentation on this.
It seems like they're synced between devices using client-side encryption, with keys derived from your phone's lock code (typically only 4-6 digits). Is it possible that the passkeys are fully random, but then encrypted with far less than 128/256 bits of actual entropy while being synchronized between devices?
Could it be possible to brute force the keys server-side (IIUC, derived from 4-6 digit pins) with non-excessive amounts of compute? What am I missing?
I didn't know him, but followed his work on bufferbloat closely. I've never seen anyone work so diligently, for so many years, to fix a problem most people will never know even existed. And yet, that work will be felt by almost everyone on the internet. I'm sad knowing he's passed, and thankful to have seen his work. Rest in peace.
Interesting. Running any chrome extensions that might be messing with things? Alternatively, if you can share any errors you're getting in the console lmk.
Oh, looks like it. I disabled extensions one by one til I found it was reflect.app's extension. Edit: reported on their discord.
False alarm :) Amazing work!!
petedoyle commented on NCSC, GCHQ, UK Gov't expunge advice to “use Apple encryption” alecmuffett.com/article/1... · Posted by u/jjgreen
I'm all for the DSA as well, but this argument doesn't hold water. Any sufficiently large cloud provider alternative (ie. Google, Microsoft, etc) would likely be the target of similar government instructions. In fact, I bet they already are - they just can't talk about it.
And of course, it's already possible to disable iCloud backups and use a smaller provider or host your own alternatives. I already do, through Nextcloud, etc. It's not as fully integrated of course, but you bet that if it was, then the largest alternatives would be targeted all the same.
If Apple were to add new APIs, it might be possible to use personal cloud storage (NAS, Decentralized Web Nodes, etc.) with the same UX as iCloud with E2EE.