Hacker News: lucasfin000

New comment by lucasfin000 in "Aster Mail – End-to-end encrypted email with post-quantum cryptography"

lucasfin000 — Thu, 23 Apr 2026 15:34:49 +0000

This is definitely a fair concern, and something that we have thought thoroughly about, but let me clarify some things:

Our architecture makes jurisdiction less relevant than it would be for a traditional email provider. All email content, subjects, attachments, contacts, etc are encrypted client-side, locally, before they reach our servers, and you hold the keys, not us.

If we ever were to receive a legal request, we could only hand over encrypted blobs and routing metadata (sender/recipient addresses, timestamps), the same metadata any email provider in any country would have.

We maintain a warrant canary at https://astermail.org/notices/canary.txt, and we have a full transparency report at https://astermail.org/transparency. We have never received a secret government subpoena, national security letter, or a gag order to date.

New comment by lucasfin000 in "Aster Mail – End-to-end encrypted email with post-quantum cryptography"

lucasfin000 — Thu, 23 Apr 2026 15:28:12 +0000

Yes, we did see the thread shortly after it was posted, and we did move the restricted email address validation to the server side. The client-side check is still there in the UX layer, but it is no longer the security boundary. Thank you for bringing it up here.

New comment by lucasfin000 in "Aster Mail – End-to-end encrypted email with post-quantum cryptography"

lucasfin000 — Thu, 23 Apr 2026 15:00:49 +0000

Hi HN. We have been building a quantum-safe, end-to-end encrypted email service where we, by design, cannot read your mail. Very few encrypted email services have post-quantum cryptography in production that works with any encrypted email provider, not just their own users. Client-side encryption with post-quantum cryptography, zero-access architecture, fully open source under AGPL v3, our servers are located in Germany. We have officially released, and you can create your account at: https://astermail.org/

We built Aster Mail because we wanted end-to-end encrypted email that's actually private. All encryption and decryption happens client-side. We encrypt email content, subjects, contacts, folder structure, search indices, timestamps, and attachment data before anything touches our servers. Minimal routing metadata (sender/recipient addresses) is required for SMTP delivery, but we encrypt everything we can beyond that. On top of standard PGP, we include post-quantum cryptography by default, protecting against store-now-decrypt-later attacks.

Aster's feature set includes things like: free aliases & ghost aliases (auto-generated anonymous addresses), free custom domains, encrypted contacts with device syncing, burn-after-read messages, scheduled send, email snooze, encrypted search, and subscription management.

We ran a closed beta since early Feb and have gone through 150+ revision cycles based on tester feedback, so the product is stable and feature-complete. The entire codebase is public on GitHub and licensed under AGPL v3, and our team is here in the comments to answer questions about how it works.

Longer term, Aster is building a full encrypted communications suite with drive, chat, and authenticator. Aster Mail is currently available on Web, Windows/Mac, Linux, and will be available soon on iOS/Android.

Side note, since it'll come up: "why not just use Proton?" Proton's architecture exposes metadata to the server, which means it can be handed over in response to legal requests, and has been, repeatedly. Aster encrypts email content, subjects, contacts, and most metadata client-side. Between Aster users, we use a Signal-inspired protocol (X3DH + Double Ratchet + ML-KEM-768) that provides forward secrecy, so even if keys are compromised in the future, past messages stay protected. External emails use RSA-4096 PGP. Our architecture is designed so that even under legal compulsion, there's very little useful data to hand over.

We're not anti-Proton. We just think there should be an alternative that actually protects users' privacy and is practical, in an increasingly monitored world.

Aster Mail – End-to-end encrypted email with post-quantum cryptography

lucasfin000 — Thu, 23 Apr 2026 15:00:49 +0000

Article URL: https://astermail.org/

Comments URL: https://news.ycombinator.com/item?id=47876548

Points: 1

# Comments: 7

New comment by lucasfin000 in "My MacBook keyboard is broken and it's insanely expensive to fix"

lucasfin000 — Sun, 29 Mar 2026 21:14:59 +0000

The "just buy another one" argument only works if the alternatives are even comparable. For a lot of people, macOS is a hard requirement and not a preference, so telling them just to buy a framework that runs Linux ignores that entirely. Right to repair regulation doesn't force Apple to make a worse product it just requires that the parts and repair information are available.

New comment by lucasfin000 in "ChatGPT won't let you type until Cloudflare reads your React state"

lucasfin000 — Sun, 29 Mar 2026 21:12:11 +0000

The real frustrating part is that Cloudflare's "definition" of suspicious keeps changing and expanding. VPN users, privacy-first browsers, uncommon IP ranges, they all get flagged. The people most likely to get caught by these systems are exactly the ones who care most about their privacy, and not the bots that they are apparently targeting.

New comment by lucasfin000 in "The "Vibe Coding" Wall of Shame"

lucasfin000 — Sun, 29 Mar 2026 21:09:32 +0000

This is definitely the right question. A list of failures without any baseline won't tell you anything. You would need the same exercise for human-written code at a comparable scale before drawing any conclusions at all. Without it, it's just confirmation bias.

New comment by lucasfin000 in "Police used AI facial recognition to wrongly arrest TN woman for crimes in ND"

lucasfin000 — Sun, 29 Mar 2026 21:05:43 +0000

The actual scariest part isn't that the AI got it wrong... it's that nobody felt the need to verify the AI. A tip from an anonymous caller can get investigated and found out if its true or not, and a match from a facial recognition system apparently does not. People haven't built better investigative tools they've just built better ways to skip around the investigation.

New comment by lucasfin000 in "Paper Tape Is All You Need – Training a Transformer on a 1976 Minicomputer"

lucasfin000 — Sun, 29 Mar 2026 14:24:06 +0000

Post-quantum crypto is a good example of this. Lattice-based schemes were theorized in the 90s, but they took decades to actually reach production. The math existed, the hardware existed, and the ideas for making it work were just not there yet.

New comment by lucasfin000 in "What if AI doesn't need more RAM but better math?"

lucasfin000 — Sun, 29 Mar 2026 14:20:33 +0000

MoE feels a lot more like engineering to me. You're routing around the problem rather than actually solving it. The real math gains are things like quantization schemes that change how information is actually represented. Whether that distinction matters long term probably will depend on whether we hit a capability wall first or an efficiency ceiling first.

New comment by lucasfin000 in "Miasma: A tool to trap AI web scrapers in an endless poison pit"

lucasfin000 — Sun, 29 Mar 2026 14:18:20 +0000

The asymmetry is what makes this very interesting. The cost to inject poison is basically zero for the site owner, but the cost to detect and filter it at scale is significant for the scraper. That math gets a lot worse for them as more sites adopt it. It doesn't solve the problem, but it changes the economics.

New comment by lucasfin000 in "AI overly affirms users asking for personal advice"

lucasfin000 — Sun, 29 Mar 2026 14:04:05 +0000

The tone and sensitivity thing is a real issue. A neutral prompt will get a neutral answer, but adding any emotional charge, it will immediately fold. That's not really a reasoning failure it's just a training problem. RLHF rewards whatever felt good in the moment, not whatever was actually correct. You can't prompt your way out of that one, when it's already in the weights.

New comment by lucasfin000 in "LinkedIn uses 2.4 GB RAM across two tabs"

lucasfin000 — Sun, 29 Mar 2026 14:01:39 +0000

uBlock origin on Firefox or Brave, which will block most of the tracker bloat, causing the RAM spike. It's not a perfect fix, but it will cut out a significant chunk of it. Tab Wrangler also helps by suspending inactive tabs automatically. You should try out both.

New comment by lucasfin000 in "Emails to Outlook.com rejected due to a fault or overzealous blocking rules"

lucasfin000 — Wed, 04 Mar 2026 18:51:43 +0000

This is the price every small sender pays. The unblock request process is essentially designed to make you give up or move to a large ESP. There's no appeals process, no SLA, no acknowledgment that your reputation data might just be wrong. You're at the mercy of a system that treats false positives as acceptable damage.

New comment by lucasfin000 in "Nobody gets promoted for simplicity"

lucasfin000 — Wed, 04 Mar 2026 18:09:58 +0000

The awkwardness after your answered was the interview telling you something important. A team that penalizes picking the right tool over an impressive one is a team where you'll spend years creating complexity nobody needs. The lesson isn't "next time pretend Google Sheets doesn't exist." It's that you found out early what they actually reward.

New comment by lucasfin000 in "TikTok will not introduce end-to-end encryption, saying it makes users less safe"

lucasfin000 — Wed, 04 Mar 2026 17:50:41 +0000

I dont think the argument is really about child safety. If it was tiktok would also be working on fixing their algorithm that can send minors toward harmful content, which is a far larger documented vector than encrypted DMs. This is about preserving access.

New comment by lucasfin000 in "Motorola GrapheneOS devices will be bootloader unlockable/relockable"

lucasfin000 — Wed, 04 Mar 2026 15:13:20 +0000

That's the entire point of verified boot with custom keys, you don't need to trust Motorola or Lenovo. You can control what runs from the first boot, the threat model for a compromised supply chain is different from a backdoored chip. If you are worried about the latter that applies to every manufacturer including Google & Apple.

New comment by lucasfin000 in "Meta’s AI smart glasses and data privacy concerns"

lucasfin000 — Wed, 04 Mar 2026 15:07:25 +0000

The worst part isn't even that quote, its that nothing structurally has changed one bit since then. The business model still requires users as the product. Glasses that upload video to Meta's servers is the entire point.

New comment by lucasfin000 in "The JVG algorithm could break RSA-2048 encryption with fewer than 5k qubits"

lucasfin000 — Wed, 04 Mar 2026 15:04:40 +0000

Even if the algorithm holds up we are still years out from a actual quantum computer that can run at scale. But that's kind of the point. NIST finalized ML-KEM in 2024 because you don't need to wait until the house is on fire to buy insurance. Harvest now decrypt later attacks are already happening today so thee migration window is closing regardless of whether quantum ever delivers.