First you have to be very specific with what you mean by idiomatic code - what’s idiomatic for you is not idiomatic for an LLM. Personally I would approach it like this:
1) Thoroughly define step-by-step what you deem to be the code convention/style you want to adhere to and steps on how you (it) should approach the task. Do not reference entire files like “produce it like this file”, it’s too broad. The document should include simple small examples of “Good” and “Bad” idiomatic code as you deem it. The smaller the initial step-by-step guide and code conventions the better, context is king with LLMs and you need to give it just enough context to work with but not enough it causes confusion.
2) Feed it to Opus 4.5 in planning mode and ask it to follow up with any questions or gaps and have it produce a final implementation plan.md. Review this, tweak it, remove any fluff and get it down to bare bones.
3) Run the plan.md through a fresh Agentic session and see what the output is like. Where it’s not quite correct add those clarifications and guardrails into the original plan.md and go again with step 3.
What I absolutely would NOT do is ask for fixes or changes if it does not one-shot it after the first go. I would revise plan.md to get it into a state where it gets you 99% of the way there in the first go and just do final cleanup by hand. You will bang your head against the wall attempting to guide it like you would a junior developer (at least for something like this).
With the current generation of model, it really isn't necessary to restart every time you don't like something. Certainly this depends on the model. Most of my recent experience is with Claude Sonnet/Opus and Gpt-5.x.
I very often, when reviewing code, think of better abstractions or enhancements and just continue asking for refactors inline. Very very rarely does the model fall off the rails.
I suppose if your unit of work was very large you might have more issues perhaps? Generally though, large units of work have other issues as well.
Yes I too have found newer models (mostly Opus) to be much better at iterative development. With that being said if I have very strong architectural/developmental steer on what I believe the output should be [mostly for production code where I thoroughly review absolute everything] it’s better to have a documented spec with everything covered rather than trying to clean up via an agent conversation. In the team I’m in we keep all plan.mds for a feature, previously before AI tooling we created/revised these plans in Confluence, so to some degree reworking the plan is more an artefact of the previous process and not necessarily a best practice I don’t think.
Understandable. Certainly my style is not applicable to everyone. I tend to "grow" my software more organically. Usually because the more optimal structure isn't evident until you are actually looking at how all the contracts fit together or what dependencies are needed. So adding a lot of plan/documentation just slows me down.
I tend to create a very high level plan, then code systems, then document the resulting structure if I need documentation.
This works well for very iterative development where I'm changing contracts as I realize the weak point of the current setup.
For example, I was using inheritance for specialized payloads in a pipeline, then realized if I wanted to attach policies/behaviours to them as they flow through the pipeline, I was better off just changing the whole thing to a payload with a bag of attached aspects.
Often those designs are not obvious when making the initial architectural plan. So I approach development using AI in much the same way: Generate code, review, think, request revision, repeat.
This really only applies when establishing architectures though, which is generally the hardest part. Once you have an example, then you can mostly one-shot new instances or minor enhancements.
Even if you don’t use tailwind the tailwind UI page has some nice example options. It’s nice in that they’re all on a single page so can quickly compare what UX might work for your use case.
Even outside of AI coding I have found a tremendous amount of value in using AI to produce a requirements and spec document for me to code from. The key unlock for me is asking AI to “interview” me about how this system/feature should work. As part of that process it will often ask a question that gets me thinking about interesting edge cases.
I will say I always provide an initial context document about the feature/system, to avoid us starting with trivial questions. After about 45 minutes I’ll often feel I’ve covered enough ground and given the problem enough thought to really put pen to paper. Off the back of this I’ll ask it to summarise the spec and produce a document. This can be a good point to ditch AI if you are so inclined but still get value from it.
Beautiful. You can just tell when things are made with the core premise of how they wanted someone to FEEL playing it. Not some lore, not some "cool" gameplay ideas they had, not some fancy gfx concept they'd prototyped. It just feels different when you know it's been approached from a completely emotional perspective.
Just watched your video, really love the style and openness.
My only suggestion is niche it down a bit. The SQL tutorial guides and features sound great, but the functional list feels a bit like a laundry list. Even here you describe it as a tool for "developers/founders/teams".
Try targeting a specific domain, tech stack, database type, or developer segment (e.g., large B2B teams, small B2B teams, indie devs, or funded startup founders) to stand out. If you pick a clear niche, you can build a stronger SEO strategy around long tail keywords and tailor both the product and the messaging and work out what order to build out features. Even if long term you plan on wanting it to be a tool for all databases, segments etc.
It's much easier to produce content with this in mind, e.g. if you were targeting getting the most out of Postgres you could easily produce a bunch of content for PostgreSQL 18 which formally came out of beta a few weeks ago and has native support for UUIDv7 etc.
Fwiw I’m doing a ton with SQLite atm as a solo dev. If your landing page had said "THE VERY BEST TOOL FOR SQLITE MANAGEMENT TO HELP SOLO DEVS AND SMALL TEAMS MAXIMIZE SQLITE PERFORMANCE AND PRODUCTIVITY" there’s a good chance I would have signed up for updates but atm it felt a little generic, some of the features I might use, some I definitely would not.
As a solo/indie dev who's currently early in building a product, I've been keeping a journal of "ideas" for content in a txt file in the codebase as I hate context switching and want to build this up before I get to it.
Here's what I've done:
- At the top of the file I've listed my audience, 3 personas
- My content has to be useful to one of those
- If I see an interesting post/take on social media I hold the link and write an idea for my own spin/take (takes 30 seconds) - log it
- If I have a problem/issue that I resolve that would be useful to my audience - log it
- If I have a key product/design/UX choice that took some time to think through - log it
- If something takes me much longer than I thought because there's more to it (iceberg effect) - log it
I've been doing this for about 6 weeks now and I've got 100 ideas for pieces of content.
One of the best pieces of advice I read is that when you're solo, many times people/community rally around you. You are the product too so you have to share what you're doing, it's interesting to many, not just your customers. They care about the advice you give, the input you have, the way you build things. You are a subject matter expert in this domain, so you should structure your content with this in mind.
"You escape competition through authenticity." - @naval
I have a paper notebook next to my keyboard entitled 'sleep deprivation induced fever-dreams'. It is an excellent collection and useful tool so I don't let my ideas run away with my attention.
Often when I return to what I write, about 60% I look back at with the novelty gone, and reassess from a more suitable eye and cross them off the list.
I get the same whenever I get my daily walk in. Pure unbounded epiphany of ideas and experiments, surging with creativity. I'll revisit them a few days later and for 90% of them my immediate internal response is "that sounds like a really sh*t idea".
Yea 90% is a more realistic fail rate of my 2am ideas which seem great at 2am, but then terrible a few days later with good sleep. If GP is batting almost .400 for insomnia fever ideas, that sounds pretty stellar to me.
And, if you're like me, you notice sometimes that you've been rediscovering the same interesting thought over and over again, and should really give it some structure and start building on it, rather than rewriting it again and again, years apart. That's on the list of things I think that LLMs could help with.
Of course that's also an opportunity to combine the best of all of those iterations together, and still toss out a bunch of paper (or archive a bunch of bits.)
> Often when I return to what I write, about 60% I look back at with the novelty gone, and reassess from a more suitable eye and cross them off the list.
That is a perfect name for a notebook like that. I have one in my head and it never lets me sleep. Maybe I should keep one like yours to dump mine into it. btw 60% is incredible.
> If I see an interesting post/take on social media I hold the link and write an idea for my own spin/take (takes 30 seconds) - log it
Not quite the same thing, but a perspective to be aware of...
For example, I used to be on a semi-private forum, where some people would lurk without participating, and then seemed to "arbitrage" ideas from there, to blog and social media posts, to promote their brand.
Ideas generally should be shared, and I wouldn't say that this "arbitrage" behavior is wrong, but it can sometimes seem a bit like leeching off a group without contributing.
I suppose this is more noticeable in smaller groups that are closer to "communities". Maybe no one would care if it's just more conventional social media posts where there's no community, and most people are just playing their own promotion games.
(For example, probably no one cares if someone else also forwards around the same LinkedIn inspirational leadership image post, which they themselves took from someone else. Because usually no one at all cares about those, not even the sender.)
I do this on paper, with each page dated with the date I started filling the page. The goal is to check off most of the improvements before or shortly after starting a new page.
I personally enjoy reading about the journey most solopreneurs take, and that includes the mistakes they made, their thought process etc. So definitely start sharing instead of waiting.
True. 99% won't care, but that shouldn't hold you back. You get outsized returns from even a handful of people caring - feedback, amplification, motivation, moral support etc.
>"You escape competition through authenticity." - @naval
Except none of this is authentic. It's just another form of marketing and it should be illegal to go around spamming posts advertising a product. Or the accounts should be marked as sponsored or promotion accounts so they can be filtered out accordingly.
> It's just another form of marketing and it should be illegal to go around spamming posts advertising a product
I think this is the dogma that holds a lot of devs back, the belief that sharing your work, the product, the thought process, the journey, the mistakes, the wins etc is “spammy”. Would save your rhetoric for those who actually spam - ai slop generators, bots, link farmers, paid shillers etc. Not indie devs on HN trying to build something for the world.
I'd consider cold DMs to be spam. What if every business did this? This b2b call center stuff happening on people's social media accounts. It's gross and I don't like it. Please keep advertising within advertising channels. You aren't authentic by spamming people's DMs.
Yes, by all means, build and promote your product.
Planning out interactions according to 3 fake personas is still fake though. Not that I have any better ideas, we all have to engage with this nonsense and waste our lives producing it. It would be nice to somehow not have to.
The whole parasocial aspect of it is what feels fake, distasteful, and icky.
The very idea of gaining power in the modern world is through parasocial relationships. Think Taylor Swift: her fans follow every single one of her updates even though they are highly scripted to engage exactly their "user persona", and present a Taylor who has nothing to do with the real one, another persona. Whoever can be at the top of this pyramid (i.e. make enough people believe that an Instagram-mediated relationship with a fake media persona is real) - wins the game.
I don't claim to have an answer, however, consider this. A few years ago it was considered impossible to win the battle against Big Food. They would continue to shove increasingly fake food simulacra down our throats and we'd be doomed. There was a backlash. With parasocial relationships, I feel that AI has tipped the scales into "enough is enough" category and people will demand real connection over personas.
And maybe we are just talking past each other. Maybe.
I get an immense amount of pride when I see anything that the Royal Museums Greenwich do because not only is it very local to me but they have such a great way of balancing the history of maritime/meridian with modern services and facilities.
If you’re coming to London please spend a day in Greenwich, you won’t regret it, take in the museums, the small markets, the observatory, stroll round the park, grab a photo of the best view in London (imo) https://www.rmg.co.uk/royal-observatory/attractions/enjoy-be... - then take a walk along the Thames, once you’re done you can hop on an Uber boat and head into central London.
I find the wordsmithery on Meta's statement the most interesting:
“We do not track your *PRECISE* location, we don’t keep logs of who everyone is messaging and we do not track the *PERSONAL* messages people are sending one another," it added. “We do not provide *BULK* information to any government.”
If you read around their points, it sounds like they track general location, log group messages, and provide specific information on request to a government.
Meta can also just lie about it. If they were secretly granting backdoor root access to some NSA spooks, like Microsoft did with PRISM or AT&T did with 641A, most likely no one would find out, so, there'd be zero actual downside to simply lying.
Usually the three letter agencies will send you a National Security Letter. If somebody sends you a NSL you're not allowed to talk about it, which makes it very difficult to even tell if the NSL is legal or not because it's very difficult to retain legal counsel with these kinds of matters, and secret courts don't have a whole lot of accountability either.
Because the entire rest of society has wrapped itself around Facebook, Whatsapp, and Instagram. It is easy to be a free software purist until you need to know if your child's school has a snow day. Websites and mailing lists are dead. I cannot be involved in my child's school or any of the informal social networks around the parents and teachers without using Meta's platforms. I cannot volunteer at a non-profit I care deeply about without using Meta's platforms, because that's what they have to coordinate.
Are you going to suggest to me that I should force them onto Signal and a pile of other DIY platforms? I dare you. Look a burned out parent in their bloodshot eyes first.
I live in a mostly rural part of Norway, and I have had a very similar experience with a volunteer group I cared deeply about. I created a Facebook account solely to access two groups they used to coordinate events. Initially it worked, but over time, Facebook’s algorithms stopped showing me new posts at the top. Since I was not an active user, I missed important messages and caused real frustration, both for others and for myself. Trying to explain why I was not seeing the content was more awkward than simply saying, “Sorry, I am not on Facebook.”
Eventually, I decided to step away. This was partly because I was not willing to engage more deeply just to make the platform work properly, and partly because of personal circumstances, such as having twins. After deleting my account, I noticed a significant reduction in stress.
These days, my children’s kindergarten uses a dedicated app to communicate with parents, and their sports club uses another (Spond, which seems fairly common in Norway). However, when I try to connect more informally with other parents, the conversation almost always leads back to Facebook, Messenger, or "insta". Even when people express understanding or sympathy for my choice to avoid those platforms, exchanging phone numbers or using alternatives rarely leads to real communication. It feels as if, socially, I cease to exist if I am not part of those groups.
So no, I would not suggest trying to push others onto Signal or similar platforms. I relate to your experience completely. Although we may have made different choices, the underlying challenge is the same: wanting to participate meaningfully, but finding that the tools we're expected to use often come with a cost we are not willing to pay.
Then you’ll be excluded from a lot of groups and social activities without even knowing. That might be an acceptable trade off for you but it's a trade off nonetheless.
And that’s fine, just pointing out that if you were part of a sports club, parents group, whatever, you’re relying on someone keeping you in the loop and making your life harder if you want to be part of it. I don’t judge, I just don’t see why you think it’s immature to want to have a social life.
There are parts of the world that run on WhatsApp. In Brazil it is impossible to live a normal life without it, as absolutely everything from shopping to parking to healthcare is managed through WhatsApp specifically.
"I am not going to suggest you anything except to tell you that you can live a beautiful life outside of the meta-world. it is super easy"
Great it is super easy for you, but why do you think your individual experience is valid for other people (who might be thousands of km away in a very different setting)?
It may not be, but I’ve also heard this excuse a million times before. And whatever the situation is, Meta products can be avoided. We just have a tendency to give in to “hey, we have WhateverSupApp group, why don’t you just install garbage on your phone to be a member of this cool group”… thanks, but no thanks :)
Because the vast majority of the population doesn't care. You can just look at the leaks from the last decade and their outcomes. Every company that deals with socials also knows that people only care about their privacy within their own small circle. As in, they only care about privacy within their own small bubbles.
Imagine a small local non-profit with 5000 likes on their page. They might be trying their darnedest to improve their newsletter numbers, but they still need to be on Facebook.
Meta has made everyone believe that only through their platform can you grow your non-profits and whatnots. And they are obviously great at this, everyone bought that shit. You can organically grow (especially small) non-profits without fucking Meta apps.
The alternatives are also probably up to the same sketchy shit, so your choices are to be a hermit, or accept that your services will spy on you.
If you want to participate in society, you have to either trust a very large list of untrustworthy people... Or acknowledge that they are untrustworthy, and mitigate accordingly. Part of that mitigation is accepting the possibility that if the Mossad want to murder you by blowing up your toaster, nobody's going to stop them.
Don’t use any alternatives. I have been off social media for years now and my life and health and relationships and career and … have improved so much I cannot put it in words. Even if one says “well that’s crazy, I must get my dopamine through an ‘app’ on my phone”, Meta is on another level of insanity to even consider infesting your life and especially your loved ones’ lives.
Checking out of society or any number of other activities you don't feel a huge need for may work for you. You are not everyone and what works for you may not be appropriate for any other individual or group of individuals.
> I have been off social media for years now and my life and health and relationships and career and … have improved so much I cannot put it in words.
It sounds like you personally had a problem. Congratulations I suppose on solving it. However, I have no such issues. My life, health and relationships are all already where I want them to be, and are not impacted by occasional interaction with others through technology as luckily, I have had no such struggles with self control or moderation.
My relationships would be impacted on the other hand if I was to throw a big toddler tantrum about using whatsapp for two weeks whilst I'm overseas with my employer and twenty other people. So I'm probably not going to do that.
Sure, I can also avoid putting chemicals on my body by washing my hair with apple cider vinegar and baking soda, and I can also churn my own butter by hand, and if mom wants to hear from me, she can cross an international border and drive for five hours, with her travels being logged by countless security and traffic cameras, gas station payment processors, and no less than two governments, so that she can converse with me in person in my RF-shielded, copper-lined[1] Faraday-cage basement.
There's social media use and there's social media use. Hacker News, Reddit, Facebook, Instagram, Whatsapp, EMail, and my phone's SMS systems all serve dramatically different purposes, and all of them are a varied mix of pros and cons and risks.
---
[1] Any Arcanist worth his salt knows that copper has no name, and thus cannot be turned against you.
Hyperbole much? The only social network I use is HN. As a matter of fact last week I was chaperoning a middle school parade. The other chaperones wanted to make a WhatsApp chat group to keep in touch during the parade - which I rejected as a matter of principle; so we did a phone chat group. I do not wash my hair with vinegar or do any of the other nonsense you mentioned.
This is too funny how your mind believes social media is “advancement in society” of any kind… Don’t blame you though, you are with the majority (and you know what they say when you are… :) )
I believe nothing of the sort about social (or mass) media.
I do, however, believe that you aren't engaging with what I'm saying, or recognizing some very obvious logical holes in your arguments. Your argument seems to be one of dogma, not one of reason.
huh? let me quote one of the commenters here and see if you recognize the words
Sure, I can also avoid putting chemicals on my body by washing my hair with apple cider vinegar and baking soda, and I can also churn my own butter by hand…
c’mon mate, the first sentence is the most important sentence to reel me in :)
Jokes aside, I did read your entire post and I don’t disagree with a single word you wrote. I still don’t understand why anyone in their right mind would install a Meta-owned application on their PHONE. Lots of people overall, and a number on this thread, go with “hey, the GOVERNMENT is already spying on you so why don’t I also let one of the most evil corporations in the history of mankind access all my everything too”… I don’t expect privacy in general, it is 2025 after all and we are talking on HN, but these silly “plate reader excuses” are really too much… like saying “well the government can obviously break into my home whenever they want (in 2025 without a warrant as well) so why don’t I leave the door wide open, if government can enter why would I care if someone else does” :)
Signal lagged so far in polish and features that getting friends and family to use it was DOA. So I can choose to communicate with friends and family on the apps they use, or I make it very difficult for them to communicate with me.
That ends with them mostly not communicating with me, not with them switching apps.
all these are easy excuses… you are here on HN, probably some dope SWE doing amazing shit, I am sure you are more than capable of solving any “picture sharing” problem that is an issue with SMS.
I am not capable of solving shitty downscaled image sharing; flakiness with mms message receipt (esp photos) both on tmobile and verizon; and even worse downscaled video sharing. Because those cannot be addressed by anyone but the telcos.
Nor the inability to add people to groups. SMS doesn't have groups; it has pools of numbers. And it works terribly when, e.g., one of you is traveling or living outside the US.
You send the photo via mms. When there's that one great shot you really want to save, ask them to email it to you. This isn't nearly as hard as you make it out to be.
You're using a telephone to call and message people?
If you think that your phone provider isn't spying on you, I would like to cut you in on an incredible, once-in-a-lifetime investment opportunity in some Louisiana waterfront property.
All I need is your phone number, mother's maiden name, ...
I agree, I think you should just go with tried&true trusted apps made by a guy who could not get laid in high school and is trying to compensate for that by fucking with you and all your loved ones that install his shitware on their phones :)
And this is just the publicly known stuff. So perhaps you weren’t privy to everything?
So Facebook (not Meta at the time) just “forgot” to turn off the camera after they were done with it? Sounds reasonable… except wait, they were actively re-activating it while you were scrolling, and until iOS 14 users were none the wiser. If it was an honest mistake, do you think FB testers would have not caught it during the MONTHS between iOS 14 developer preview and release? And yet, for this one I do think it was probably a bug about when to activate the camera.
Are you doing one of those 'a lie requires intention, and we can't know their internal state of mind, so we can't know if something is a lie unless they tell us' things?
Do you consider misrepresentation a lie?
If there's a lawsuit which determines that Meta misrepresented something, do you consider that a lie, even if Meta says it was merely an honest mistake made in good faith?
If the European Commission "fines Facebook €110 million for providing misleading information about WhatsApp takeover" and that "contrary to Facebook's statements in the 2014 merger review process, the technical possibility of automatically matching Facebook and WhatsApp users' identities already existed in 2014, and that Facebook staff were aware of such a possibility" then that statement was not actually a lie, right, because no one at Facebook said they lied, correct?
Can you give an example of any company which has lied, but where the company officials have never agreed with that conclusion?
I don't think they misrepresented anything. The European Commission is wrong on the facts. Technology improved in unpredictable ways.
Large public companies do not lie very often because it's incredibly easy for lies to be discovered, and the penalties are high. There are many examples where the popular narrative is that the company lied, but when you look at the details it becomes clear that no lying occurred.
For example, David Rainey probably did not actually lie about the extent of the BP oil spill even though most people still believe he did. He was acquitted by a jury who had access to far more information, and more time to think about it, than anyone else.
You can go decompose the binary and check (or monitor network activity). WhatsApp has been audited for implementing E2E encryption and consistently passed.
Well, yes, they have been found to bypass tracking restrictions, most recently using Local Mess (https://localmess.github.io/), but they haven't been found exfiltrating WhatsApp private keys or messages in plaintext. And people are looking for this specifically.
The European Commission has found that Facebook provided “misleading information” about its 2014 takeover of WhatsApp following an investigation into the deal.
The commission’s complaint relates specifically to the sharing of user data between Facebook and WhatsApp. In a submission to the EU made in August 2014, Facebook said it would not be possible to create a reliable automated system for matching users. In August 2016, WhatsApp announced that it would be linking WhatsApp user phone numbers with Facebook user identities.
Read that book in two days. Wild stuff. Of course I don't absolve Sarah Wynn-Williams of her responsibility for Facebook and its completely maliciously run company. She is also complicit, I don't care how many "I was trying to do the right thing! Whaa!" she sprinkled throughout the book.
The fact that they successfully got the book removed from sale for a while speaks volumes. They not only lie they are encouraged to.
The best lies are corporate lies. And those lies are said plainly, calmly, and with a sense not of conviction but rather that it's not a serious claim because it was always a true statement ... just repeating it now.
They are also uttered on TV, in public talks and to a far lesser extent in court. Court is a formal process. Outside it's not. There's a big difference.
There is some dish detergent that advertises it cleans dishes up to 100% clean. I guess they figure showing “100%” is all that is needed and the dumb public won’t question it further. It’s still an insulting ad.
Ha. This is why the best lawyers in the world work for these people. Over drinks, when I brought up some of the blatant dark patterns in the ad market, someone who worked at one of the biggest companies in the world responded to me bluntly: "yeah, sure, but have we ever lost a case in court over click fraud? No, we have not."
Correct. The best liars, like the best bullies, are really good at assessing risk. They're honest in close when they sense their butt is not on the line.
I would classify their "oops we reset your privacy settings accidentally again" as a lie. Granted this was a common occurrence in the 2000's, and not so much the last 15 years.
The privacy settings also did not obviously do what their wording suggested - accidental over-sharing was their goal, and the wording was carefully crafted to deceive and confuse. Is that lying? It's a technical argument, and not really relevant - they are shady AF and always have been.
Just to be a bit more clear, this was a while ago. The answer in GP was to the question: "hey, I am not an ads guy, but my friend asked me to look at his account, and he had no geo restriction set. Why did 60% of his clicks for 'barn wedding venue east tennesse' come from Malaysia? Why would so many people from there see that, and click on it?"
The bragging wasn't about their lawyers' ability in court, it was about their lawyers' ability to draft Terms and Conditions such that they could not be caught in a lie.
Except we don't live in a Stasi regime. What the NSA/FBI/CIA can get a subpoena for from the courts is well documented in law. So there is no question that Meta does provide individual messages. You guys have got to quit living in this fantasy land of big bad G-men just because you like feeling the flutter in your stomach.
Palantir, Meta and OpenAI just had executives commissioned as lieutenant colonels in the US armed forces. They are de facto extensions of the US government now.
It is rather shocking seeing how rapidly the US is shifting from all of its historic norms. Trump sees the US as a "store" where he dictates the terms, he directly has control over US Steel after the Nippon Steel "takeover" -- straight out of the communist central control dictums -- and now US major corporations are embedded in the US military.
It is insane. This is stuff people accused China of for time eternal but apparently it was taken as a good lesson to learn from.
But absolutely no one outside the US -- whether enemies or allies -- should trust anything from US corporations now. The country has fallen.
I think group messages would still be considered personal. It would only be messages you send to a business or in a group with a business that wouldn't be personal.
Does the WhatsApp program generate and store/manage the private keys? If so, it would be possible for the program to send private keys on request, effectively backdooring the endpoint. Such an arrangement would allow Meta to put its hand on its heart and truthfully say it is end-to-end encrypted (on the network), whilst still providing a way around it.
Yes, but users can compare fingerprints (sure, most probably don't, but it's definitely a deterrence against MITMing all conversations by default), receive warnings whenever fingerprints change etc.
There's also supposedly a key transparency service deployed (similar to Certificate Transparency), but I haven't looked into that in detail.
Reverse engineering to some extent as well – it's an extremely popular app, and as such attracts both security researchers and bloggers that just want to get scoops on new features behind feature flags etc.
> Would you even know if you got a special copy of Whatsapp (still signed by Meta and valid) that has this explicit code?
Given the above, it's feasible – at least on Android, it's fairly easy to hash the .apk you've received and compare it to publicly known versions.
The threat of somebody finding unusual code on their phone will probably not deter targeted deploys by sophisticated/state level actors to specific users, but it goes some way towards making it implausible that everybody is running a backdoored version, potentially backdoored by Meta themselves, which is arguably the goal.
Yeah. Go review e.g. the Okta Verify apk and tell me it doesn't do anything nefarious. It's an app that basically just does a TOTP hash from some short secret for all I care/use it for. I can probably implement what it does for me in about 200-300 lines of C code without any dependencies.
The shit app has 60 MiB compressed. I was not even able to find where in the code it works with the damn secrets it uses for TOTP.
Now do WhatsApp with its zillion features.
If you mean that it's hard to explain away for the devs themselves, then people do much worse things in this world, and are able to explain it to themselves just fine as something good, even.
Meta works by identifying users, modelling their behavior, and then combining that data with third party sources (typically your financial activities) and then selling access to that data to third parties. Mostly for advertising.
When you use credit or debit cards, your transactions and the data related to them are collected and sold. When you apply for mortgages and close on a house, all that information you put in there is collected and sold.
When you put your address in for the post office, when you apply for a driver's or fishing license... Your local governments collect that information and sell access to it.
Meta then tries to tie your online and app/phone activity to the legal/financial identity it can obtain through partner data brokers.
This is Facebook's business model.
So, yes, this data is available to pretty much anybody that is willing to pay for it. Which includes governments.
None of this should be surprising to anybody at this point. Apple, Google, Microsoft, etc. – all of these companies will do this to greater or lesser extents nowadays since it has worked out so well for Meta's bottom line.
Also take the "can't see your messages" statement with a grain of salt. Like the famous Lotus Notes backdoor [1] they might have given the government an easy(ier) way to decrypt those messages.
The backdoor in Lotus Notes (differential cryptography) wasn't a secret. It was public information. Ray Ozzie used it as a way to circumvent US encryption export laws. Today companies have to be more discreet.
This is just a lie. I personally know somebody who worked at Meta and they had a whole set of teams dedicated to building tools for governments to mass-export data based on their queries.
Now I don't know the exact details of which governments had which access (was it just for warrants, which nations, what was the line between actual terrorist versus persecuting journalists), but there was absolutely bulk export and the fact that they are lying about it makes me inclined to presume the worst.
Remember Snowden outlined the Google<>US government interface:
The US agency would type in the gmail address of the subject (ie the primary key/identifier) and somewhere between the agency and Google a decision would be automatically made as to whether the owner of the account was a US person* or not.
If yes - FISA warrant was required
If no - the US agency user would have immediate access to the entire google account (think Google Take Out).
In other words, if you were not a US person there was no duty to protect data.
* = US Person is either a US citizen located anywhere in the world or anyone of any nationality who is physically in the US (current interpretation includes visa holders, visitors and even undocumented but that's shifting)
Isn't it more likely that Meta has been infiltrated by Mossad, just as they no doubt have by other intelligence services and they use these insiders to exfiltrate location data on specific targets?
Sandberg herself does teary, falsehood ridden war propaganda videos for Israel, these days.
Microsoft shared data early on with IDF to help target their users (would have to check their ToS to see if there's a clause for that there).
I doubt there's any need to hide anything inside these kinds of companies. Leaders there likely believe they're doing the right thing helping "the good cause" by supporting extrajudicial executions of people. At worst they'll have to kick out employees who'll raise their voices, like they already did many times. No biggie.
> building tools for governments to mass-export data based on their queries
While I can totally imagine that governments would mass-export data, and I don't doubt your friend's claim, I can also imagine a more innocent interpretation of this work.
I once worked on a large company’s GDPR data-export project. It was a large enough company that it also had a dedicated team to handle legal requests regularly from government(s). GDPR exporting needs to work “at scale” for all accounts, without human-in-the-loop work, and without causing any load issues to running services. The same system also handled legal requests, where the legal team could get an export for a user (almost) identically to the process of a user getting their own data. The legal team had tools set up to work with warrants, subpoenas and similar (internationally) legal data requests from courts and law enforcement. It looks like a “mass export” system, because it was, but it wasn’t used in “bulk requests” from the legal system.
Yes, I can imagine a benign use of this technology, but past behavior and the PR dishonesty have given me no reason to prefer the most benign interpretation over the most profitable interpretation.
If however they said something more authentic like "We export data in all these cases, in all these countries, and it's never more than .01% of users in a given country, and it never includes freedom-of-speech crimes, and ..." or something then maybe I'd be inclined to consider that.
> In the ordinary course of providing our service, WhatsApp does not store messages once they are delivered or transaction logs of such delivered messages. Undelivered messages are deleted from our servers after 30 days. As stated in the WhatsApp Privacy Policy, we may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary to (a) keep our users safe, (b) detect, investigate, and prevent illegal activity, (c) respond to legal process, or to government requests, (d) enforce our Terms and policies. This may include information about how some users interact with others on our service. We also offer end-to-end encryption for our services, which is always activated. End-to-end encryption means that messages are encrypted to protect against WhatsApp and third parties from reading them. Additional information about WhatsApp's security can be found here.
Note specifically "information about how some users interact with others on our service", which contradicts their claim they don't keep logs of which people are messaging each other.
I think rdrd just missed that piece of the fine wordsmithing - so long as there's at least one person not included in that "some users", then "we don’t keep logs of who EVERYONE is messaging" is still true.
This is the company that built a secret localhost listener on Android so that they could track users across websites even in private mode. Do not believe this for a second.
I'm much more inclined to believe they track everything in high precision and also MITM all the messages. Especially now that they are inserting ads.
I'm no apologist for Facebook, none of whose services I use. But get your facts straight. They are not 'inserting ads' in your chats, as you imply. AFAIK they are adding ads to the never-used 'Updates' tab.
Annoying from an ad perspective, no doubt. Vastly different from an are-they-MITMing-your-messages perspective.
If they log IP addresses, they can't say they don't log location at all.
> we don’t keep logs of who everyone is messaging
Seems like a pretty strong claim
> we do not track the PERSONAL messages people are sending one another
I don't know much about their business offering, but it seems likely it's not e2e encrypted or has some kind of escrow. Businesses often need multiple people to be able to access an account, and that is best done without e2e encryption... let alone auditing requirements.
> We do not provide BULK information to any government
Because they are subject to subpoenas and search warrants. They are legally required to provide tailored information to governments.
====
All in all it's pretty much what you'd expect for Whatsapp's "e2e but otherwise conventional saas" approach. If you want better, use signal.
In general, all your personal information stored with Google or Apple or any other American company is subject to getting requested by a court order. If you listen to any of the True Crime podcasts, you'll always hear how google searches and cell tower location are always presented in a trial as evidence. People here always think they are so smart saying
> Actualllly you can't prove that it was me who made that search query.
> Actualllly you can't prove that it was me who had that cellphone around that cell tower. Could have been anybody. I could have been hacked.
Judges always allow that evidence and juries always view it as incriminating. What makes more sense, that some unknown hacker hacked into your account and googled something about the thing you're here for, or that you actually just googled it yourself?
I was on a jury where data like this harvested from Facebook pushed us beyond a reasonable doubt. There was just enough doubt to acquit or have a hung jury with only the physical evidence and eye witnesses. There was plenty of doubt with only the social media stuff. When you put all of it together, we reached a verdict pretty quickly.
Definitely, but they don't have to contain any (plaintext) message content for encrypted messengers.
On Android, push notifications were always processed by the receiving app, so it can just decrypt a payload directly (or download new messages from the server and decrypt these); on iOS, this isn't as reliable (e.g. swiping the app out of the app switcher used to break it in several iOS versions), but "VoIP notifications" and the newer "message decryption extension" [1] are.
The same principle applies to Web Push – I believe end-to-end encryption is even mandatory there.
Additionally, the NSA has all Meta and WhatsApp servers directly tapped and can just harvest data, oops I mean 'metadata', that way. Then just pass that info to Israel when their internal systems get an alert on good intel.
> Then just pass that info to Israel when their internal systems get an alert on good intel.
And on top of that, if you want to make any money with a company like X, you need to send your biometrics to some company in Israel. What is this, Israel and surveillance capitalism? Or has this always been the case, and I am just now starting to realize it?
IME, they're stored on device only. If you've ever moved phones this becomes painfully obvious unless you've set up backups to your personal Google Drive (native integration with the app).
I'm not saying I believe their statement, but in principle they could be storing messages indexed by recipient and have the sender id be part of the encrypted content? Then you can drop messages in each user's inbox as they arrive, from which the user's app can read, but not have stored enough information to retroactively query "Show me everyone Alice has talked to"?
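A toy model of the mailbox design described in that comment, added here as an illustration and not code from WhatsApp or from the commenter: the relay server indexes only by recipient, and the sender's identity travels inside the ciphertext. The pairwise key, the HMAC-based stream cipher and the user names are all constructed for the example (a real messenger would use a proper protocol such as Signal's).

```python
import hashlib
import hmac
import json
import os
from collections import defaultdict

# Toy AEAD (constructed for this example): keystream = HMAC-SHA256(key, nonce||counter),
# XOR with the plaintext, then an HMAC tag over nonce||ciphertext.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, sender: str, text: str) -> bytes:
    """Encrypt {"from": sender, "text": text}: the sender name exists only inside the ciphertext."""
    plaintext = json.dumps({"from": sender, "text": text}).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, decrypt, and return the inner message with its sender."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class Relay:
    """Server side: the only plaintext field kept is the recipient's mailbox name."""
    def __init__(self):
        self.inbox = defaultdict(list)          # recipient -> opaque blobs
    def deposit(self, recipient: str, blob: bytes) -> None:
        self.inbox[recipient].append(blob)      # no sender column to record
    def fetch(self, recipient: str) -> list:
        return self.inbox.pop(recipient, [])    # delivered blobs are dropped
    def conversations_of(self, user: str) -> dict:
        """What the server can answer to 'show me everyone `user` has talked to'."""
        # Nothing links a blob to a sender, so it can only report mailbox state.
        # Caveat: which session/IP uploaded a blob is transport data outside this
        # model; if that is logged, the sender is recoverable after all.
        return {"mailbox_pending": user in self.inbox, "senders_known": []}

def demo():
    key = hashlib.sha256(b"constructed pairwise key alice<->bob").digest()
    relay = Relay()
    relay.deposit("bob", seal(key, "alice", "hi bob"))
    relay.deposit("bob", seal(key, "alice", "second message"))
    server_view = {r: len(blobs) for r, blobs in relay.inbox.items()}   # {"bob": 2}
    server_answer = relay.conversations_of("alice")                      # no senders
    delivered = [unseal(key, b) for b in relay.fetch("bob")]             # Bob sees "alice"
    return server_view, server_answer, delivered
```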
It's a lie. The Russia–Ukraine war demonstrated clearly that everything you write in WhatsApp, your location, any photo etc. are easily accessible and monitored in real time by the USA government and their three letter agencies.
That's doubly suspicious, so they can, by that statement, readily hand over your imprecise other-than-personal messages at an individual level to the Israelis.
This isn’t some conspiracy, it’s just CYA. They know your general location from your IP and device APIs, they don’t encrypt business messaging, and they comply with subpoenas.
I remember working for a client who needed to support IE6 (with all the insane bugs/quirks/limitations) and I’d despair every time the designers would hand over a Photoshop design with rounded corners. They also needed it to be responsive (at the time mostly just different desktop sizes). Would usually require cutting the corners out and positioning them in table cells. There’s a certain amount of dev resilience you build having to do stuff like that by hand!
We worked with an internal design team, but basically just one UX specialist who had zero comprehension of how HTML, CSS or any web related technologies worked. At one point we were met with "I don't like that the site blinks!" ... What do you mean by "blinks", we built it, it doesn't blink. Turns out she didn't like that switching pages would cause the browser to load the next page and in turn there would be an ever so brief moment where the browser would show a blank page while loading the next page. This was in the initial ASP.NET and Ajax days, so the end result was "wrap the whole damn thing in an update panel".
For those who don't know, the ASP.NET update panel was basically HTMX before HTMX. The browser would do a background request and replace the content of the update panel with the HTML returned by the background request. Normally you'd just use it for a form submit, e.g. like a comment box. The user puts in their comment, the backend returns all the comments, including the new one, and the browser replaces the current list of comments with the new one. We essentially put the entire site into the update panel.
Even though it was a long time ago I still have IE6/7 workarounds burned into my brain, most of them float related but also having a whole stylesheet for that damn browser... <!--[if lte IE 6]>:
I have noticed a few people grumbling that the slow requests for Gemini in particular are taking upwards of 4-5 minutes to complete. I have noticed a massive decline in the slow request responses for Gemini in the last 48 hours too.