Post 2704051 by bikecurious@whomst.dog
(DIR) Post #2694673 by strypey@mastodon.nzoss.nz
2019-01-06T06:12:01Z
3 likes, 2 repeats
This "security guide" is mind-boggling. Use #iThings instead of an #Android/Linux device (ideally with a custom ROM), and even instead of a laptop?!? Use #Chrome (not Chromium, *Chrome*) and a #Chromebook?!? #WTF https://techsolidarity.org/resources/basic_security.htm
(DIR) Post #2694689 by strypey@mastodon.nzoss.nz
2019-01-06T06:17:39Z
0 likes, 0 repeats
Use #Signal? Despite the fact that there are *many* good reasons for anyone with important secrets to protect *not* to do that (US-based, no warrant canary etc), and Moxie has defended aspects of his centralized set-up by saying people shouldn't use it for that?
(DIR) Post #2694690 by noorul@s.noorul.xyz
2019-01-06T06:22:03.668478Z
0 likes, 0 repeats
U mean using Signal is not safe? @strypey
(DIR) Post #2694849 by grainloom@cybre.space
2019-01-06T06:38:17Z
0 likes, 0 repeats
@strypey I guess they consider security from random crackers more important than security from Big Brother
(DIR) Post #2695072 by strypey@mastodon.nzoss.nz
2019-01-06T06:50:19Z
0 likes, 1 repeats
@grainloom nope:
> Basic security precautions for non-profits and journalists in the United States, mid-2017.
For activists and journalists, the #5Eyes are a much more dangerous adversary to protect against than random crackers (ask #EdwardSnowden). Besides, there are other apps providing the same kind of #E2EE service as Signal that are not US-based (eg #Wire). Why recommend Signal specifically? It bothers me that this list provides no rationale or evidence to back up its recommendations.
(DIR) Post #2695324 by gentoorebel@fosstodon.org
2019-01-06T06:33:25Z
1 likes, 0 repeats
@noorul @strypey there is no "safe". There are degrees of safety, and there are very real reasons to doubt the safety of Signal.
(DIR) Post #2695325 by strypey@mastodon.nzoss.nz
2019-01-06T06:53:53Z
3 likes, 1 repeats
@gentoorebel @noorul This piece sums up most of the problems with Signal quite nicely: https://drewdevault.com/2018/08/08/Signal.html
(DIR) Post #2695381 by noorul@s.noorul.xyz
2019-01-06T07:06:40.261522Z
0 likes, 0 repeats
@strypey @gentoorebel going to uninstall Signal
(DIR) Post #2696839 by gentoorebel@fosstodon.org
2019-01-06T07:07:41Z
0 likes, 0 repeats
@noorul @strypey I'm not going that far yet. If I had more principles I wouldn't use half the software I do. I give #Signal the same treatment as #Telegram: I use it, but I do not trust it, and I will not exchange sensitive data with it.
(DIR) Post #2696840 by strypey@mastodon.nzoss.nz
2019-01-06T07:15:37Z
1 likes, 1 repeats
@gentoorebel
> I do not trust [Signal], and I will not exchange sensitive data with it.
So why use it at all? If you're only using it for non-sensitive data, you don't really need an encrypted chat app. Is it because you have contacts you want to keep in touch with who refuse to use anything else (#NetworkEffect)? @noorul
(DIR) Post #2697658 by Wolf480pl@niu.moe
2019-01-06T09:01:02Z
0 likes, 0 repeats
@strypey Looks like this guide is pretty confused in its threat model. Sometimes it behaves as if US Gov was an adversary, sometimes like it isn't. Also
> WhatsApp
wtf?
> Bluetooth keyboard
even more wtf?
(DIR) Post #2699471 by bikecurious@whomst.dog
2019-01-06T10:09:25Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul Concerning @fdroidorg, it's still a royal PITA to update apps from F-Droid, and #Signal has made it a priority that users should be on a recent version (the Android app deregisters if you don't update it for 3 months). Builds also have to be done by F-Droid on their servers, removing control from the devs. Comparing the Signal Updater to F-Droid directly, the latter is a two step process (download & then manually install an update) versus just installing the update
(DIR) Post #2699472 by strypey@mastodon.nzoss.nz
2019-01-06T10:17:24Z
0 likes, 1 repeats
@bikecurious
> Builds also have to be done by F-Droid on their servers, removing control from the devs.
That's a good thing. It allows us to be sure that the binaries being distributed are actually derived from the source code being published. The fact that Moxie actively blocks attempts to make Signal builds reproducible is ... fishy. @gentoorebel @noorul @fdroidorg
(DIR) Post #2700272 by strypey@mastodon.nzoss.nz
2019-01-06T10:54:58Z
0 likes, 0 repeats
@Wolf480pl exactly. Not only is there no discussion of #ThreatModelling, but also no reasons for *why* any of the advice is given, just a list of DOs and DON'Ts. I can't think of a worse way to educate people about computer security than "look for someone that seems like a geek and mindlessly follow whatever unsubstantiated security advice they give". The first thing I say when asked for security tips by other activists is "take everything I say with a grain of salt and do your own research".
(DIR) Post #2703782 by bikecurious@whomst.dog
2019-01-06T10:16:05Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul @fdroidorg These control issues may stem from when TextSecure connected to WhisperSystem's servers, and CyanogenMod had their own texting client and servers that seamlessly worked with each other. As CyanogenMod collapsed, many of their users were stuck on an ancient chat client, and TextSecure was frozen in amber until most of those users migrated (hence APKs only working for 90 days, you never have year old, unsupported, insecure clients hanging around).
(DIR) Post #2703783 by bikecurious@whomst.dog
2019-01-06T10:35:52Z
0 likes, 1 repeats
@strypey @gentoorebel @noorul It seems the author literally wants Briar (metadata free chat, I use it :P), but then decides servers are useful and should be federated, at which point they have essentially described Matrix (once again, you can't have a server and entirely eliminate your metadata...). Wrt other frontends for Signal, they do exist :P There is Signal-weechat, Signal-cli and hopefully the new qt desktop client will be packaged soon. None were developed by OWS ppl it looks like.
(DIR) Post #2703784 by strypey@mastodon.nzoss.nz
2019-01-06T11:18:53Z
0 likes, 0 repeats
@bikecurious intriguing. Are you familiar with the history of #LibreSignal? Basically Moxie threw his toys about #trademark infringement. He's also said he doesn't want any third-party clients connecting to the Signal servers. If that policy has changed, that would be great, because it would allow another client that can talk to Signal users to be added to F-Droid. Not holding my breath though ... @gentoorebel @noorul
(DIR) Post #2703785 by strypey@mastodon.nzoss.nz
2019-01-06T11:24:54Z
0 likes, 0 repeats
@bikecurious here's the forum thread where the whole sorry saga played out: https://github.com/LibreSignal/LibreSignal/issues/37 Reading this, and particularly Moxie's string of disingenuous/ evasive answers, were a major contributor to my arriving at the same distrust of Moxie and Signal that Drew did. @gentoorebel @noorul
(DIR) Post #2703786 by bikecurious@whomst.dog
2019-01-06T11:34:44Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul I have read through that thread more than once over the last few years. Name squatting is a serious issue (eg: Signal Plus & LibreSignal), users should have clarity on what is from OWS (Signal branded) and what is not. Lightly maintained forks do hold back networks IMO, it's been lethal to Olm ever getting traction outside of Riot on Matrix.
(DIR) Post #2703787 by strypey@mastodon.nzoss.nz
2019-01-06T13:04:20Z
0 likes, 0 repeats
@bikecurious Olm?
> Lightly maintained forks do hold back networks IMO
Yeah that's Moxie's argument in 'The Ecosystem is Moving'. I don't buy it. It's basically a 1990s-Microsoft-ish argument against #OpenStandards. If it was true, the internet and the web wouldn't work. What actually happens is that poorly-maintained clients just don't get used and eventually die (or just languish in obscurity). @gentoorebel @noorul
(DIR) Post #2703788 by strypey@mastodon.nzoss.nz
2019-01-06T13:07:42Z
0 likes, 0 repeats
@bikecurious Moxie even tries to claim TCP/IP and HTTP are being held back by being open standards, even though they work fine, and the #IETF and #W3C are discussing and rolling out incremental improvements to them as needed. He doesn't say (or doesn't know) that there are good reasons for keeping basement-level transport protocols stable, and innovating on the top of them. @gentoorebel @noorul
(DIR) Post #2703789 by noorul@s.noorul.xyz
2019-01-06T13:11:46.867520Z
0 likes, 0 repeats
@strypey @gentoorebel @bikecurious A kind request buddies... Please remove my name handle in this conversation
(DIR) Post #2704048 by strypey@mastodon.nzoss.nz
2019-01-06T10:18:36Z
0 likes, 0 repeats
@bikecurious
> it's still a royal PITA to update apps from F-Droid
When did you last use it? On my #Android device, #FDroid has automated updates, and has for some time. It's no hassle at all. Yes, the F-Droid team has to compile each update from source and push it, but that doesn't take 3 months. @gentoorebel @noorul @fdroidorg
(DIR) Post #2704049 by bikecurious@whomst.dog
2019-01-06T10:27:20Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul @fdroidorg The maintenance of apps in F-Droid has been spotty in the recent past, which seems to have made some devs think F-Droid = CACert or something to that effect. No clue what you're talking about wrt automatic updates, it sure doesn't work on my device! I've tried the F-Droid helper in the past. My settings should automatically download updates daily, but that doesn't seem to work either? It's set to always download updates over both cellular & WiFi...
(DIR) Post #2704050 by strypey@mastodon.nzoss.nz
2019-01-06T11:30:46Z
0 likes, 0 repeats
@bikecurious I have an ancient Android (4.2.2) and F-Droid is constantly updating the apps I install with it. I can tell because sometimes when I check for updates in #Yalp there will be updates for apps I've installed with F-Droid, and the next time I check they aren't there (even though I didn't update them with Yalp). Sounds like you've struck a bug. Have you reported this behaviour to the F-Droid devs? @gentoorebel @noorul @fdroidorg
(DIR) Post #2704051 by bikecurious@whomst.dog
2019-01-06T11:39:47Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul @fdroidorg I don't intentionally run vulnerable devices, you realize Android 4.2.2 is extremely vulnerable, with Stagefright any type of media could pop a shell on your phone and make it part of a botnet: https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-157201/Google-Android-4.2.2.html I'm on Android 8.1 on one device, and Android 9 on another...
(DIR) Post #2704052 by strypey@mastodon.nzoss.nz
2019-01-06T13:19:11Z
2 likes, 1 repeats
@bikecurious The Android device I have is a testing toy I got given, I don't trust it. TBH I don't want to have an Android device at all. I don't consider any of them trustworthy. They are pwned from the day the OS is installed, either by Google, or by the manufacturer, or by the government of the country they are made or sold in. I'm waiting for the #Librem5 to be released. @gentoorebel @noorul @fdroidorg
(DIR) Post #2704202 by noorul@s.noorul.xyz
2019-01-06T13:32:38.706696Z
0 likes, 0 repeats
@strypey @fdroidorg @gentoorebel @bikecurious Hell yes. Librem5.
(DIR) Post #2706667 by kawaiipunk@sunbeam.city
2019-01-06T10:32:01Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul the person who wrote this article about Signal didn't actually read and respond to the actual reasons why those choices were made. There's epic Github threads that touch on every nuance.
(DIR) Post #2706668 by strypey@mastodon.nzoss.nz
2019-01-06T12:18:59Z
0 likes, 0 repeats
@kawaiipunk can you give me an example? @gentoorebel @noorul
(DIR) Post #2706669 by kawaiipunk@sunbeam.city
2019-01-06T14:29:25Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul Sorry I don't have links rn. Signal is the best of a bad situation. Android is already a somewhat compromised platform with all the Google stuff and proprietary apps that 99% of people use. I think it does a good job of what it was intended for which is provide E2E crypted mobile messaging with a good UX. All of these criticisms of Signal are addressed by XMPP and OMEMO?
(DIR) Post #2706670 by bob@soc.freedombone.net
2019-01-06T14:40:34.755875Z
0 likes, 0 repeats
@kawaiipunk @noorul @gentoorebel @strypey The best which could happen with Signal would be if they made their own F-droid repo and had some federation protocol. But even if that happened all it would achieve would be to reinvent Quicksy-style XMPP but with a standardized server configuration.
(DIR) Post #2706671 by kawaiipunk@sunbeam.city
2019-01-06T15:00:52Z
1 likes, 1 repeats
@bob @gentoorebel @strypey @noorul I agree Bob. We need to be thinking about next gen P2P projects like Briar et al.
(DIR) Post #2706691 by noorul@s.noorul.xyz
2019-01-06T15:55:27.785975Z
0 likes, 0 repeats
Is Matrix securer? @kawaiipunk
(DIR) Post #2708324 by z428@social.tchncs.de
2019-01-06T09:42:08Z
0 likes, 0 repeats
@strypey I'm really really unhappy with this article, still. Problems are more than valid but it pretty much seems about completely misunderstanding Signal's threat model and target group. @gentoorebel @noorul
(DIR) Post #2708325 by strypey@mastodon.nzoss.nz
2019-01-06T11:11:28Z
0 likes, 0 repeats
@z428 can you expand on that? If you have a blog post or a previous fediverse thread on the topic, feel free to link me to that rather than re-explaining. @gentoorebel @noorul
(DIR) Post #2708326 by z428@social.tchncs.de
2019-01-06T11:49:39Z
0 likes, 0 repeats
@strypey I still think this comment by Moxie Marlinspike nails it, he has a few very valid points throughout the whole thread: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217661076 @gentoorebel @noorul
(DIR) Post #2708327 by strypey@mastodon.nzoss.nz
2019-01-06T14:38:19Z
0 likes, 0 repeats
@z428 there's a lot to unpack in that comment. The dismissal of anyone who thinks #SoftwareFreedom is a necessary precondition for secure software as "cryptonerds and moralists" is notable. Once you strip out all the hyperbole and sarcasm, most of the factual claims are debunked in the proceeding comments, starting with: https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217664961 @gentoorebel @noorul
(DIR) Post #2708328 by z428@social.tchncs.de
2019-01-06T17:07:33Z
0 likes, 0 repeats
@strypey I wouldn't really say "debunked". It all pretty much looks like an exchange of "facts" that at least to me are pretty hard to verify. My bottom line is: For someone totally unskilled on a technical level, it requires both trustworthy software and trustworthy operation of it. The whole thread *seems* to still argue on completely different levels of abstraction here... @gentoorebel @noorul
(DIR) Post #2708605 by z428@social.tchncs.de
2019-01-06T15:48:45Z
0 likes, 1 repeats
@strypey I don't generally disagree, but I'm a bit concerned about trust, in this context, mistaking a "people thing" for something technical. There are already plenty of players you just got to trust using digital means of communication. I'm concerned that, with our current concepts of freedom and openness, this adds a lot more parties to the game which, in the end, most users just "have to trust". @gentoorebel @noorul
(DIR) Post #2709168 by aral@mastodon.ar.al
2019-01-06T10:19:12Z
1 likes, 2 repeats
@strypey It's all over the place. I agree with use and iPhone over Android. But use Gmail? Really? And WhatsApp but not iMessage. Any such "guide" should have at least a paragraph with sources explaining the exact rationale of every single recommendation.
(DIR) Post #2709210 by strypey@mastodon.nzoss.nz
2019-01-06T12:10:14Z
1 likes, 2 repeats
@aral
> I agree with use and iPhone over Android
Really? Why? An Android device, with sufficient modification, can be made significantly more secure. Everything about the way iThings works makes it impossible for users to do any of those things. They are inherently pwned by Apple, not owned by the user.
(DIR) Post #2709326 by alcinnz@floss.social
2019-01-06T17:53:04Z
1 likes, 1 repeats
@strypey @aral yes, we need more options. And I'm excited for the Librem 5, finally a super powerful and freedom respecting smartphone that knows it's first and foremost a phone!
(DIR) Post #2709880 by alcinnz@floss.social
2019-01-06T18:16:41Z
1 likes, 1 repeats
@strypey @aral Though from what I've read it seems like Signal and the Librem 5 will conflict over their views of usability. They won't be able to agree who should control the UI, because Purism wants only one UI for all protocols.
(DIR) Post #2711696 by strypey@mastodon.nzoss.nz
2019-01-06T18:02:36Z
1 likes, 1 repeats
@kawaiipunk I've been thinking about these for years, like #Serval, #GNU #Jami (formerly #Ring), #Tox, and others. But I struggle to find people to test them with, and when a "secure" chat app only has clients for iOS and Android, I struggle to take them seriously. @bob @gentoorebel @noorul
(DIR) Post #2711757 by noorul@s.noorul.xyz
2019-01-06T19:38:15.572062Z
0 likes, 0 repeats
Strypey, I am still having to #Jami & #Tox with me. You said you'd want to test but you gone to HK last Sept. As of early today, @Ajz and myself testing Jami text chat. Though I will say #Jami is more of audio/video call than text. @strypey
(DIR) Post #2711789 by noorul@s.noorul.xyz
2019-01-06T19:39:36.870245Z
0 likes, 0 repeats
I'd really like to hear the list of "secure" apps. @strypey
(DIR) Post #2711930 by strypey@mastodon.nzoss.nz
2019-01-06T19:43:45Z
1 likes, 0 repeats
@noorul secure against what? What kind of app security you need depends on your #ThreatModel. But if you're trying to do security of any serious kind, not allowing people to use your app on GNU/Linux without also using an iOS or Android device just seems amateur. As does tying your chat ID to your phone number, which makes it much easier to tie metadata to real humans.
(DIR) Post #2712095 by kawaiipunk@sunbeam.city
2019-01-06T19:35:41Z
0 likes, 0 repeats
@strypey @bob @gentoorebel @noorul It's a hard problem to solve! Just on the iOS/Android thing. That is the computing platform that most people use most of the time so you can see why projects decide to go mobile first.
(DIR) Post #2712096 by strypey@mastodon.nzoss.nz
2019-01-06T19:51:03Z
0 likes, 0 repeats
@kawaiipunk if your target is high user numbers, not secure chat, then going for vanilla mobiles makes total sense. But most current mobile devices are inherently pwned by the OS vendors, device manufacturers, and others, in ways that we've spent 20 years figuring out how to hack around on the desktop platform with things like #Tails/ #Heads. @bob @gentoorebel @noorul
(DIR) Post #2712097 by kawaiipunk@sunbeam.city
2019-01-06T19:53:13Z
1 likes, 0 repeats
@strypey @bob @gentoorebel @noorul True... but what's the point of secure email if everyone you need to talk to is on Gmail? I think we shouldn't be isolating ourselves. I actually want to communicate securely with my friends and family who aren't hackers
(DIR) Post #2712120 by leip4Ier@niu.moe
2019-01-06T19:23:27Z
0 likes, 0 repeats
@strypey this is a really really useful article, so thanks for mentioning it! now i'm gonna bookmark it and send the link to anyone arguing that signal is safe to use, esp. if they're trying to get me there. i'm tired of explaining. maybe there's a similar thing for telegram (although nearly everyone knows it's totally not safe from its owners now)? @gentoorebel @noorul
(DIR) Post #2712121 by strypey@mastodon.nzoss.nz
2019-01-06T19:53:11Z
0 likes, 1 repeats
@leip4Ier the #Telegram server is not free code. So users have no way to verify what happens to their messages when they hit the servers, and what it's doing. In that respect Telegram is even worse than Signal, which at least releases source code that they claim is what they use on their servers. @gentoorebel @noorul
(DIR) Post #2712144 by strypey@mastodon.nzoss.nz
2019-01-06T19:56:50Z
0 likes, 0 repeats
@alcinnz I'd prefer to see Purism working with folks like #JMP. Leave Signal to stew in their silo. @aral
(DIR) Post #2712157 by alcinnz@floss.social
2019-01-06T19:58:30Z
0 likes, 0 repeats
@strypey @aral They're mostly working with Matrix at the moment.
(DIR) Post #2712252 by noorul@s.noorul.xyz
2019-01-06T20:03:03.483328Z
0 likes, 0 repeats
One step at a time. First, we secure our communication and then we bring our loved ones (non hackers) to secure platform. I am still clueless what is secure platform after learning Signal (recommended by Snowden) is not a secure IM @kawaiipunk @strypey
(DIR) Post #2712273 by kawaiipunk@sunbeam.city
2019-01-06T20:02:47Z
1 likes, 1 repeats
@noorul I would say it's not great as the E2E encryption isn't on by default and the key management UX isn't great.
(DIR) Post #2712297 by noorul@s.noorul.xyz
2019-01-06T20:05:26.022681Z
0 likes, 0 repeats
I got the part that end to end encryption is not enabled by default with Matrix/Riot IM. And user experience is not great. And what is key management are you referring to? @kawaiipunk
(DIR) Post #2712301 by kawaiipunk@sunbeam.city
2019-01-06T20:04:49Z
1 likes, 0 repeats
@noorul @strypey I don't agree with either of those statements
(DIR) Post #2712325 by noorul@s.noorul.xyz
2019-01-06T20:07:17.921497Z
0 likes, 0 repeats
Oh goodness, Has Snowden start using fediverse, I got to ask him about "secure" channel @kawaiipunk @strypey
(DIR) Post #2712350 by kawaiipunk@sunbeam.city
2019-01-06T20:07:42Z
1 likes, 1 repeats
@noorul If you have multiple sessions open, you have to manually export your keys and import them to a different device. I see people with 20 different keys on their account. It's impractical to verify all of those keys. This talk from congress is a good update: https://media.ccc.de/v/35c3-9400-matrix_the_current_status_and_year_to_date
(DIR) Post #2712561 by noorul@s.noorul.xyz
2019-01-06T20:16:59.079808Z
0 likes, 0 repeats
That's true. I am getting tired of manually enabling e2e encryption and verifying the devices. Quick question, what's your IM? @kawaiipunk
(DIR) Post #2712653 by bob@soc.freedombone.net
2019-01-06T20:16:27.741891Z
1 likes, 2 repeats
@alcinnz @aral @strypey I don't know if they are working with Matrix. I didn't order a Purism phone and so haven't kept up with it, but the last I heard Purism had made all sorts of claims about Matrix, to which the Matrix developers were like "you never told us about all this additional work specific to your phone that you want doing gratis".
(DIR) Post #2712847 by z428@social.tchncs.de
2019-01-06T11:46:38Z
0 likes, 0 repeats
@strypey In example I remember OWS doing domain fronting to hide Signal services behind amazon or Google infrastructure to both slip under the radar of local censorship and control. How to enable end users with little technical skills and a great risk (journalists, ...) to have manageable, reasonable safety? How does federation and decentralization help here? Or even fdroid? Seems like just more complexity you need to trust. @gentoorebel @noorul
(DIR) Post #2712848 by strypey@mastodon.nzoss.nz
2019-01-06T19:34:54Z
1 likes, 0 repeats
@z428
> How does federation and decentralization help here?
if Signal was federated, users could set up their own server, under their own control, and still communicate with users on servers they can't access directly. As long as the server>server federation used standard protocols censors can't afford to block that is. Then Moxie wouldn't need to risk compromising other people's domains (AWS have threatened to boot Signal for domain fronting). https://www.techrepublic.com/article/as-google-and-aws-kill-domain-fronting-users-must-find-a-new-way-to-fight-censorship/ @gentoorebel
(DIR) Post #2712952 by strypey@mastodon.nzoss.nz
2019-01-06T20:24:07Z
1 likes, 1 repeats
@kawaiipunk
> Signal is the best of a bad situation.
I'm still not sure why you think that.
> All of these criticisms of Signal are addressed by XMPP and OMEMO?
Many of the more urgent ones are already addressed by Wire. Another set will be when Wire rolls out server>server federation. If we can get them to use #OpenStandards like #XMPP and #OMEMO, that would address another set. @gentoorebel @noorul
(DIR) Post #2713121 by KekunPlazas@mamot.fr
2019-01-06T20:40:10Z
1 likes, 0 repeats
@bob I don't know all the details but we are working on improving the Fractal Matrix client for GNOME. @alcinnz @aral @strypey
(DIR) Post #2713177 by strypey@mastodon.nzoss.nz
2019-01-06T20:40:50Z
1 likes, 1 repeats
@noorul what's your use case? Who are you trying to chat with? Text or voice/ video? One-to-one or group? How sensitive are the chats likely to be? What kinds of adversaries do you want to be secure against? In my experience it's best to use a non-secure app, and choose what to say on that basis, than to speak freely using an app you think is secure when it really isn't. FYI I've got various lists of #FreeCode chat apps here:
https://www.coactivate.org/projects/disintermedia/core-us
https://www.coactivate.org/projects/disintermedia/slacking-off
(DIR) Post #2713186 by noorul@s.noorul.xyz
2019-01-06T20:46:00.032813Z
0 likes, 0 repeats
Checked the links. Useful @strypey
(DIR) Post #2713219 by noorul@s.noorul.xyz
2019-01-06T20:48:21.874518Z
0 likes, 0 repeats
I want app for personal and work communication. Sensitive data can be personal or work related. Nothing really big deal. I like to adapt safer and securer platform for everything @strypey
(DIR) Post #2713515 by strypey@mastodon.nzoss.nz
2019-01-06T20:20:19Z
0 likes, 1 repeats
@kawaiipunk there are two separate problems here, that need separate solutions. A chat app simple enough to
> communicate securely with my friends and family who aren't hackers
... will have to make so many trade-offs for user convenience it won't be suitable for sensitive comms. Signal makes these trade-offs, while still claiming to be useful to activists, journalists, dissidents against unfriendly governments etc. As Drew says, this is horrifically irresponsible. @bob @gentoorebel @noorul
(DIR) Post #2713517 by strypey@mastodon.nzoss.nz
2019-01-06T21:01:49Z
1 likes, 0 repeats
@dgold take a chill pill bro. I've spent most of the day explaining this to multiple people. You could try doing the reading: https://mastodon.nzoss.nz/@strypey/101368165804910431 I refer to Drew's blog piece because it sums up a lot of the issues in one place: https://drewdevault.com/2018/08/08/Signal.html If you use untrustworthy software for secret squirrel comms, you will get yourself and/or others arrested (or worse). I'd rather that didn't happen, but ... whatever.
(DIR) Post #2717688 by strypey@mastodon.nzoss.nz
2019-01-06T06:18:23Z
1 likes, 0 repeats
BTW I was linked to that guide from @nolan 's blog piece on using a #YubiKey, which is well worth the read: https://nolanlawson.com/2018/09/15/yubikeys-are-neat/
(DIR) Post #2725993 by strypey@mastodon.nzoss.nz
2019-01-06T23:14:57Z
1 likes, 1 repeats
@noorul TBH your threat level is about what Signal can cope with. Even if it was a honeypot and Moxie worked for the NSA that's not going to affect you much. I would use Wire instead though. It has all the same pros, plus supports more platforms, doesn't require your phone number, and is developed by a team of professionals who take both software freedom and UX seriously. Swiss-based, so bound by GDPR.
(DIR) Post #2726175 by noorul@s.noorul.xyz
2019-01-07T05:36:53.322011Z
0 likes, 0 repeats
Thank you for the suggestion. I appreciate. Though, I am skipping #Wire option now as not available on #Fdroid and it's from a corporate. I like to prefer social business or not for profit org. And I am will drawing off from #Signal soon as it's founder associates with NSA and honeypot @strypey
(DIR) Post #2726206 by strypey@mastodon.nzoss.nz
2019-01-06T21:56:21Z
1 likes, 2 repeats
@dgold you're missing a few things from that summary:
* Signal uses a rootkit (Google Play Services) in its "secure" app
* the *reasons* Moxie won't let F-Droid distribute Signal, which don't stack up, suggesting there's a reason he's not saying
* animated GIF search to a third-party server in a "secure" app. Seriously #WTF?
* the security flaws in the official APK download (and the fact it tries to scare users into using the rootkitted Play Store version) etc
@kawaiipunk @gentoorebel @noorul
(DIR) Post #2726207 by Bobo_PK@chaos.social
2019-01-06T22:33:02Z
0 likes, 0 repeats
@strypey @dgold @kawaiipunk @gentoorebel @noorul into flamewars *jumps* you can use Signal without any Play store or Gapps installed. You can load the APK from their site or compile it from git. GIF loading by third party site is a feature you can use but should not if you do not want to leak metadata to that instance. It all depends on your threat level and Signal fits for a lot of "standard" usecases. Also use xmpp ;-)
(DIR) Post #2726208 by strypey@mastodon.nzoss.nz
2019-01-06T23:03:17Z
1 likes, 0 repeats
@Bobo_PK I've made my point here. Read the whole thread. Also, please untag me unless you're adding something new and unexpected to the discussion. Cheers ;-) @dgold @kawaiipunk @gentoorebel @noorul
(DIR) Post #2726249 by strypey@mastodon.nzoss.nz
2019-01-06T22:01:21Z
1 likes, 1 repeats
@dgold there are lots of ways to do federation. XMPP and Matrix are two open chat standards I'm aware of, there is SIP and Jingle for voice, and Muji for video. I've been researching chat tech for a while: https://www.coactivate.org/projects/disintermedia/core-us But let me ask you this. If you don't think federated comms are important, why are you here and not on the birdsite? @kawaiipunk @gentoorebel @noorul
(DIR) Post #2740368 by dredmorbius@mastodon.cloud
2019-01-06T14:22:17Z
0 likes, 0 repeats
@strypey The idea behind that is useful IMPROVED security for mere mortals.
(DIR) Post #2740369 by strypey@mastodon.nzoss.nz
2019-01-06T20:26:22Z
0 likes, 0 repeats
@dredmorbius right, which is why recommending things that AFAIK reduce your security seems odd. I mean, it does depend on your threat model, but exposing oneself to more Apple/ Google than you have to (and thus the US government), opens up a pretty large attack surface for a few different kinds of adversaries.
(DIR) Post #2740370 by dredmorbius@mastodon.cloud
2019-01-07T08:54:03Z
0 likes, 0 repeats
@strypey Also:
When you're advising/training at-risk end users, it's not enough that it be possible to achieve some kind of security with a given load-out. It needs to be secure without trying hard.
So for the purposes of this document, we don't really need to litigate this phone or that browser. We just have to note that for non-specialist end-users in high-stakes environments:
* It has to work.
* It has to stand a good chance of retaining secure without trying.
... https://news.ycombinator.com/item?id=15777576
(DIR) Post #2740371 by dredmorbius@mastodon.cloud
2019-01-07T08:54:16Z
0 likes, 0 repeats
@strypey * It has to be incredibly simple to get everyone set up the same way./end/
(DIR) Post #2740372 by strypey@mastodon.nzoss.nz
2019-01-07T16:23:23Z
0 likes, 0 repeats
@dredmorbius there are a lot of questionable assumptions to be unpacked in this. For one thing, I'm still mystified by the specific recommendations. For example, why iPhone? This is recommending people buy a piece of hardware, not helping them secure what they already have. So why not recommend they buy one of the few mobile devices that is secure *by design*, because the OS is owned by the user (they have root), not the manufacturer or OS vendor (ie respects #SoftwareFreedom)?
(DIR) Post #2740373 by strypey@mastodon.nzoss.nz
2019-01-07T16:27:32Z
0 likes, 1 repeats
@dredmorbius my first piece of advice for people wanting to communicate securely, especially if they are activists or journalists who might be facing *targeted* interception, not just mass surveillance, is "don't use a vanilla mobile device". IMHO they are inherently vulnerable to such adversaries. Use a laptop that can run #Debian with no non-free repos enabled. Use a burner OS like #Heads (100% free fork of #Tails), and reboot (ideally relocate to a new WiFi) between each comms action you do.
(DIR) Post #2740479 by strypey@mastodon.nzoss.nz
2019-01-07T16:46:58Z
1 likes, 1 repeats
@noorul > I am will drawing off from #Signal soon as it's founder associates with NSA and honeypot
Careful! AFAIK nobody has claimed that's the case, let alone proved it. All we've said is some of the things they do are *compatible* with being a honeypot. It's more likely that Moxie is just a grumpy narcissist, who knows much more about cryptography than he does about being an activist or dissident.
(DIR) Post #2740504 by strypey@mastodon.nzoss.nz
2019-01-07T16:45:41Z
0 likes, 0 repeats
@noorul Wire Swiss GmbH is not a corporation (a publicly-listed company owned by shareholders). It's a self-funding private company, that makes its money from a premium service (based on the same software) aimed at enterprise teams.
(DIR) Post #2740505 by noorul@s.noorul.xyz
2019-01-07T17:11:21.593186Z
0 likes, 0 repeats
@strypey so a privately owned enterprise offering floss service
(DIR) Post #2742816 by strypey@mastodon.nzoss.nz
2019-01-07T18:34:46Z
1 likes, 0 repeats
@noorul yes. So if you're specifically looking for a service offered by a non-profit or a cooperative, Wire isn't that. But if you just want a provider that exists to serve its users, not shareholders, Wire ticks that box (it doesn't have shareholders, just private owners). If you want a non-profit, I suggest you check out #DigitalCafes like #RiseUp, #FramaSoft, #Disroot etc. Disroot might be the best option for your needs, as they have a big focus on improving the #UX of hosted #FreeCode tech.
(DIR) Post #2742837 by noorul@s.noorul.xyz
2019-01-07T18:36:51.416422Z
0 likes, 0 repeats
@strypey I am using Riseup for long. Now I am self hosting, matrix and xmpp.
(DIR) Post #2743873 by z428@social.tchncs.de
2019-01-06T19:47:34Z
0 likes, 0 repeats
@strypey But individual target users for apps such as Signal don't have the skills to do so, in worst case they won't even be able to recognize a federated server that has been prepared for the sole purpose of spying on them. Or security issues in example caused by protocol flaws. How do you get *all* servers to update this soon enough? Again, in this case, I don't generally argue against it but ... @gentoorebel
(DIR) Post #2743875 by strypey@mastodon.nzoss.nz
2019-01-06T21:37:49Z
0 likes, 0 repeats
@z428 > But individual target users for apps such as Signal don't have the skills to do so,
So what, they just rely on Signal's domain fronting hacks?
> in worst case they won't even be able to recognize a federated server that has been prepared for the sole purpose of spying on them.
Hmm. You mean they won't be able to recognize if Signal has been set up for the sole purpose of spying on them? @gentoorebel
(DIR) Post #2743876 by z428@social.tchncs.de
2019-01-07T05:01:00Z
0 likes, 0 repeats
@strypey Yes, exactly the latter is what I mean. Given enough money and skills, this should be easily doable. Plus, worse: Things are "easy" if you're an anonymous user, one of a few millions on some provider who doesn't know all of them. If you're on an instance hosted by people you (think you) know, this all of a sudden gets closer. In the best case, again it's just about trust. In worst case, both you and your operator are at risk. @gentoorebel
(DIR) Post #2743877 by strypey@mastodon.nzoss.nz
2019-01-07T17:44:08Z
0 likes, 0 repeats
@z428 you missed my point. If they don't have any way to know whether a self-hosted Signal server is set up to spy on them, how are they supposed to assess whether or not OWS set up Signal to spy on them? Are they supposed to just trust Moxie? Or read widely about Signal's security practice, and make the effort to understand what makes a service more or less secure? In which case they could apply that knowledge to a self-hosted server. @gentoorebel
(DIR) Post #2743878 by strypey@mastodon.nzoss.nz
2019-01-07T17:49:32Z
0 likes, 0 repeats
@z428 basically, people with sensitive secrets to communicate shouldn't be trying to do that with networked technologies unless;
a) they have the info and skills to competently assess how secure a networked technology is (either a hosted service or something they self-host)
OR
b) they have access to someone they are sure they can trust who does
Otherwise they *will* get pwned. This is even more important if they are organizing against governments that imprison and kill dissidents. @gentoorebel
(DIR) Post #2743879 by z428@social.tchncs.de
2019-01-07T19:10:59Z
0 likes, 1 repeats
@strypey Well... So we know plenty of ways these people shouldn't be trying, which however leaves unanswered: Given this target group, which, *right now*, is the technological choice least dangerous, assuming they're operating in a real world, know a bunch of contacts and need some means of communication that is reasonably tamper-proof, assuming there's no 100% security? What would we recommend? Right now, I see a lot of this totally lost in different people providing (mostly ... @gentoorebel
(DIR) Post #2743906 by strypey@mastodon.nzoss.nz
2019-01-06T20:06:24Z
0 likes, 0 repeats
@z428 there are at least three things to consider 1) is it possible to audit the security, 2) has the security been audited, 3) did the auditors do a thorough job? In order to meet the preconditions for 1), you need a) access to the source code, and b) a way to ensure that the source code you're given was actually used to compile the binaries/ installed on the server. Signal now meets a) but goes to great lengths to avoid b), which is ... fishy. @gentoorebel
(DIR) Post #2743907 by strypey@mastodon.nzoss.nz
2019-01-06T20:14:11Z
0 likes, 0 repeats
@z428 secondly, a federation of servers can be imagined as a single server made up of many parts, each of which has to communicate with every other part for the system to work as advertised. Instead of the server being a black box (like Signal), where you just have to trust what happens between client>server, in a federation you can check exactly what's being passed between servers, and how secure it is. Lots of people can check, and check each others' work. @gentoorebel
(DIR) Post #2743908 by z428@social.tchncs.de
2019-01-06T20:18:55Z
0 likes, 0 repeats
@strypey Agree. But it also increases attack surface by requiring facilities for server2server communication, and it *might* get things more messy if one or some of the nodes go compromised without users noticing it, which might be more a real risk in example while looking at loads of self hosted web CMS that got setup once but aren't really "administered", updated, maintained. That's still one of my biggest issues with decentralization in general. @gentoorebel
(DIR) Post #2743909 by strypey@mastodon.nzoss.nz
2019-01-06T21:23:37Z
0 likes, 0 repeats
@z428 there are various ways to address this. OWS doesn't let clients older than 3 months connect to their servers. A secure chat federation protocol could include refusing to connect to another server that hasn't been updated for more than 3 months. There are all sorts of systems you can use to ensure security across a federated network (ask Mike from #Hubzilla / #Osada / #Zap about it). The only main problem with XMPP is that until recently security wasn't a design goal, but now #OMEMO exists.
(DIR) Post #2743910 by z428@social.tchncs.de
2019-01-07T07:03:13Z
0 likes, 0 repeats
@strypey ... has administrative access to the infrastructure? Are these people trained and educated to honour things such as privacy of user data? The whole idea of running federated services that aren't run by the end-users themselves completely misses out in this point in my opinion.
(DIR) Post #2743911 by strypey@mastodon.nzoss.nz
2019-01-07T18:17:16Z
0 likes, 0 repeats
@z428 you raise a lot of important points. I just don't agree that the answer to the questions you're asking is a centralized silo. I don't think you do either, or we'd be having this debate on the birdsite, not here. There's a lot to unpack here, so I'm working on a blog post #WatchThisSpace
(DIR) Post #2743912 by z428@social.tchncs.de
2019-01-07T19:07:34Z
0 likes, 1 repeats
@strypey ... to deal with something such as a "server" or "hosting". After all, most of the current federation services aren't fundamentally better or different to Twitter or Facebook, they do the same thing (databases, file storage, web server, "small centralized federating instances" yet on a smaller scale). We'd rather need potent, powerful end-user applications that don't have any server dependencies and instead work against, say, an internet-wide, replicated, encrypted, large storage that...
(DIR) Post #2748873 by z428@social.tchncs.de
2019-01-07T19:08:46Z
0 likes, 0 repeats
@strypey ... is reasonably redundant, encrypted, tamper-proof and distributed across a thousand of nodes without local administrators being able to read data, know whose data is stored on their system, let alone track users or even modify data they read. But I don't see that in any of current "federated" systems. They all seem just very little better than Twitter and just in some aspects.
(DIR) Post #2748874 by strypey@mastodon.nzoss.nz
2019-01-07T21:44:07Z
0 likes, 0 repeats
@z428 all the issues you raise apply to email. Yet, email is a federated private message technology that people use every day, even for sensitive communication, without batting an eyelid. I mean, they *shouldn't*, at least not without learning to use #PGP, and even then not for anything that puts anyone's life / freedom at risk. But they do.
(DIR) Post #2748875 by strypey@mastodon.nzoss.nz
2019-01-07T21:44:43Z
0 likes, 0 repeats
@z428 Decentralization is not the problem. Instance trust is the problem. It's even more of a problem with Signal, because there's only one instance, and you just have to trust it.
(DIR) Post #2748876 by strypey@mastodon.nzoss.nz
2019-01-07T21:50:19Z
0 likes, 0 repeats
@z428 the solution, as I see it, is basically to go back to the 1990s ISP model, where one entity hosts all your services (email, chat, blog, micro-blog, media-sharing, remote backups etc). Unlike the 90s, that ISP need not be the company that you lease your internet connection from (probably won't be), but it is an entity you have a trust relationship with. Not just an "instance" you've picked at random via web searches. I've written a bit about that vision here: https://www.coactivate.org/projects/disintermedia/blog/2018/06/12/from-digital-cages-to-cooperative-digital-cafes/
(DIR) Post #2748877 by alcinnz@floss.social
2019-01-07T22:02:36Z
0 likes, 0 repeats
@strypey @z428 I'm very pleased with FastMail's offerings this way, now that I'm getting into them more. They're very standards-based! The only problem is the AA bill...
(DIR) Post #2758069 by strypey@mastodon.nzoss.nz
2019-01-07T21:21:37Z
1 likes, 0 repeats
@noorul OK. So why would you use Signal? Contacts on iPhones who can't find a decent XMPP or Matrix app?
(DIR) Post #2758070 by noorul@s.noorul.xyz
2019-01-08T04:16:00.516662Z
0 likes, 0 repeats
Using #Signal because it's advertised secure platform and recommended by Snowden @strypey
(DIR) Post #2760423 by dredmorbius@mastodon.cloud
2019-01-07T08:44:18Z
0 likes, 0 repeats
@strypey Maciej Cegłowski and Thomas Ptacek are two of the people involved, Tom's HN comment: "These instructions are written for unsophisticated users, particularly journalists and activists, and were written with feedback from those users. So, for instance, the steps you might take to arrive at a secure Firefox or Android configuration are probably fine, but not workable for the audience these instructions are intended for." https://news.ycombinator.com/item?id=13623500 1/
(DIR) Post #2760424 by dredmorbius@mastodon.cloud
2019-01-07T08:46:18Z
0 likes, 0 repeats
@strypey You've got to remember that the typical person's tech skills and knowledge are near nil, ESPECIALLY in security contexts. Choosing a slightly-worse-on-average option that avoids REALLY BAD failure modes might well be a net advantage. Maciej ("idlewords") here: "The goal is to provide practical security advice that people will use, and that does not make things worse." https://news.ycombinator.com/item?id=13629205
(DIR) Post #2760425 by strypey@mastodon.nzoss.nz
2019-01-07T16:33:51Z
1 likes, 0 repeats
@dredmorbius > "The goal is to provide practical security advice that people will use, and that does not make things worse."
Right, but my objection is that at least half of the advice in that last, AFAIK, *would* make things worse. There's an awful lot I don't know about what makes this or that piece of tech secure or vulnerable (I'm human after all), so I could be totally wrong. That's why I want to see the reasoning, and as I said in another post, the lack of it is poor education practice.
(DIR) Post #2761283 by z428@social.tchncs.de
2019-01-08T07:10:55Z
0 likes, 1 repeats
@alcinnz I'm currently looking into https://mailbox.org/; so far however still torn as I still have web space hosting paid monthly where I keep my mails, nextcloud and stuff for "personal" or family use. It's the same again, though: Trust. The heap of technology not under my control (servers, storage, connectivity, ...) in there is larger than the aspects I choose to have control over. @strypey
(DIR) Post #2761638 by z428@social.tchncs.de
2019-01-07T19:12:10Z
0 likes, 0 repeats
@strypey ... valid) arguments against each other's technologies, but in the end nothing practicable is essentially left. The EFF writeup on that issue ends up just in a similar way, btw: https://www.eff.org/deeplinks/2018/03/why-we-cant-give-you-recommendation @gentoorebel
(DIR) Post #2761639 by strypey@mastodon.nzoss.nz
2019-01-07T21:07:33Z
0 likes, 0 repeats
@z428 > but in the end nothing practicable is essentially left.
Right. So if communication secrets across the net is not safe with any known combination of technologies, the only sane security advice to give is "DON'T DO IT!?!". Especially, as I say, when people's lives or freedom is on the line. Yet I regularly see people (including Moxie) recommending Signal for activists, journalists, dissidents, and so on, any of whom could be in that situation. This is highly irresponsible! @gentoorebel
(DIR) Post #2761640 by strypey@mastodon.nzoss.nz
2019-01-07T21:12:16Z
0 likes, 1 repeats
@z428 maybe we need to make an effort to have more nuanced conversations about this? Where we specify at the outset whether we're talking about defending the average person's privacy against passive mass surveillance, or defending dissidents against active interception attempts, or something else. Different #ThreatModels require different approaches. As the #EFF quite rightly conclude, there's no silver bullet here. @gentoorebel
(DIR) Post #2807001 by strypey@mastodon.nzoss.nz
2019-01-09T17:52:01Z
1 likes, 2 repeats
@noorul > recommended by Snowden
Yeah, I find that weird. Snowden may, for example, have only endorsed Signal as a good solution for average Jo Users wanting to avoid passive datafarming. I did a web search for Snowden's actual comments, but all I could find was gossip column quality commentary by journalists about what a fan Snowden is of Signal, in which any such nuance is long lost.
(DIR) Post #2807022 by noorul@s.noorul.xyz
2019-01-09T18:07:25.955237Z
0 likes, 0 repeats
@strypey that's nice of you to find out more about it. Signal website shows as Snowden is endorsing
(DIR) Post #2825299 by strypey@mastodon.nzoss.nz
2019-01-10T07:33:37Z
1 likes, 0 repeats
@noorul if I haven't already mentioned this, I note that the Signal website is *not* blocked by the Great Firewall, while almost any other website that mentions encryption, VPNs etc is blocked. I find this ... fishy, although I guess this could be #OWS using domain fronting? Not sure.
(DIR) Post #2826267 by noorul@s.noorul.xyz
2019-01-10T08:27:36.589786Z
0 likes, 0 repeats
I've stopped using #signal and moved to xmpp https://bdtechtalks.com/2018/06/19/domain-fronting-signal-telegram-censorship/ @strypey
(DIR) Post #2826704 by strypey@mastodon.nzoss.nz
2019-01-10T07:39:03Z
1 likes, 1 repeats
@noorul I notice those quotes are not linked to sources. So we don't get to see *when* those things were said, or in what context, without doing a web search on the quote and trying to find the original. How convenient for #OWS. If Snowden recanted this opinion later, they could still leave that shining endorsement quote on the #Signal homepage, and most people would be none the wiser.
(DIR) Post #2826705 by strypey@mastodon.nzoss.nz
2019-01-10T07:43:44Z
1 likes, 1 repeats
@noorul BTW With all due respect to #LauraPoitras, she is a journalist not a programmer, and she relies on people like Snowden (or Drew) to tell her which apps are safe to use. #BruceSchneier is a public figure, and has very little to lose if his encrypted conversations turned out not to be secure. #MattGreen's quote is just about code quality. None of these endorsements have any bearing on whether the Signal service is safe for dissidents with 3-letter adversaries in their #ThreatModel to use.
(DIR) Post #2826858 by noorul@s.noorul.xyz
2019-01-10T08:52:24.986756Z
0 likes, 0 repeats
Are we not going to take BruceSchneier words? @strypey
(DIR) Post #2826878 by noorul@s.noorul.xyz
2019-01-10T08:53:10.628118Z
0 likes, 0 repeats
Deleting #Signal account https://support.signal.org/hc/en-us/articles/360007061192-Unregister-or-Delete-Account #honeypot @strypey
(DIR) Post #2826951 by noorul@s.noorul.xyz
2019-01-10T08:56:57.757783Z
0 likes, 0 repeats
Goodbye #Signal IM
Goodbye #NSA too @strypey
(DIR) Post #2826974 by noorul@s.noorul.xyz
2019-01-10T08:58:45.219757Z
0 likes, 0 repeats
My bad, I've introduced #Signal to more than 20 people. Now I've to unregister for all of them 😬 @strypey
(DIR) Post #2827124 by strypey@mastodon.nzoss.nz
2019-01-10T09:03:37Z
1 likes, 1 repeats
@noorul like me, and you, and everyone, Bruce a) has more knowledge about some things than others, and b) comments on things from his own POV. A big part of #ThreatModelling is figuring out what kinds of adversaries you're trying to secure things against, and what the worst case scenario is if your security measures fail. Like I said, Bruce is pretty safe if any cryptography he uses happens to fail. Not so a dissident in Turkey, or Russia, or China. This distinction is crucial.
(DIR) Post #2827154 by noorul@s.noorul.xyz
2019-01-10T09:06:35.456802Z
0 likes, 0 repeats
@strypey well explained! You're great #mentor!
(DIR) Post #2827187 by noorul@s.noorul.xyz
2019-01-10T09:07:46.180065Z
0 likes, 0 repeats
@strypey yes, absolutely true
(DIR) Post #2828741 by strypey@mastodon.nzoss.nz
2019-01-10T09:16:08Z
1 likes, 1 repeats
@noorul There's no shame in re-evaluating software choices based on new information, in fact it's something to be proud of. We all make strategic decisions about what apps and services to use, based on what options are available, and what information we have about them. For all its flaws, Signal is a better choice than WhatsApp or Telegram (because Signal publishes source code for its client *and* server software). Before #OMEMO, it was arguably a better choice than #XMPP. It's always a toss-up.
(DIR) Post #2828743 by strypey@mastodon.nzoss.nz
2019-01-10T09:10:54Z
1 likes, 1 repeats
@noorul I just wanted to remind you of this: https://mastodon.nzoss.nz/@strypey/101376302692253851
Unless you have any evidence of a relationship between OWS / Signal and the NSA that I'm not aware of? I mentioned the honeypot possibility as an example of a worst-case-scenario, I was *not* stating it as a known fact (AFAIK it isn't, and let's remember innocent until proven guilty).
(DIR) Post #2834340 by strypey@mastodon.nzoss.nz
2019-01-10T11:49:18Z
1 likes, 0 repeats
@noorul aww shucks :-P
(DIR) Post #2834425 by noorul@s.noorul.xyz
2019-01-10T14:17:56.917930Z
0 likes, 0 repeats
You put me in thinking.
The primary reason I am leaving #Signal
As it's require mobile number,
Naturally, mobile first app
Not decentralised as easy to self host like Matrix xmpp
I did choose signal to move from telegram but now the good oldies xmpp with omemo simplify my need.
Apart from this, my love for p2p is strong.
Love live #Jami #Tox @strypey
(DIR) Post #2836251 by strypey@mastodon.nzoss.nz
2019-01-10T15:11:17Z
1 likes, 0 repeats
@noorul good reasoning. I'm looking forward to having a chat with you on Jami and Tox after my one month sabbatical.)
(DIR) Post #2836257 by noorul@s.noorul.xyz
2019-01-10T15:26:56.161402Z
0 likes, 0 repeats
@strypey
(DIR) Post #2836317 by noorul@s.noorul.xyz
2019-01-10T15:29:07.833354Z
0 likes, 0 repeats
@strypey This is a screenshot of text chatting on #Jami 3 days ago. I can't tolerate the failed messages
(DIR) Post #9gykfx2nkA1Dgt7yDo by jalcine@playvicious.social
2019-03-21T00:26:09Z
0 likes, 0 repeats
@alcinnz @strypey @aral that's a shame - shoehorning so many people into that system :(
(DIR) Post #9hCdGEkCcMyOOGvpb6 by strypey@mastodon.nzoss.nz
2019-03-27T15:03:12Z
0 likes, 1 repeats
@jalcine at least #Matrix is a federated system. In that respect it's still an improvement on Signal. @alcinnz @aral
(DIR) Post #9oN1ctQnAje7gZsVQu by erlequin@libranet.de
2019-10-28T02:33:10Z
0 likes, 0 repeats
@strypey Use android without google, which is called /e/
Or Sailfish or ubports
(DIR) Post #9oNKyS51RSMqMEgmYq by strypey@mastodon.nzoss.nz
2019-10-28T06:10:32Z
0 likes, 0 repeats
@bikecurious > There is Signal-weechat, Signal-cli and hopefully the new qt desktop client will be packaged soon. None were developed by OWS ppl it looks like.
If they're using "Signal" in their name, and they're not developed by OWS, they're likely to face the same fate as #LibreSignal. Moxie insisted that they stop using the Signal trademark, and then insisted that any app not using the Signal branding (and thus controlled by OWS) not connect to their servers. @gentoorebel @noorul
(DIR) Post #9oNLBMgao9lZOQQ5Bo by strypey@mastodon.nzoss.nz
2019-01-06T12:30:41Z
0 likes, 0 repeats
@bikecurious does #Briar do voice and video chat, or just text? @gentoorebel @noorul
(DIR) Post #9oNLBN0nb1vgP5sDgW by bikecurious@whomst.dog
2019-01-06T22:28:57Z
0 likes, 0 repeats
@strypey Just text, they are working on media support (which, once again your phone is very vulnerable to infection through via the Stagefright bug). There is no libsignal or similar, so building bots, alternative clients, etc is not very approachable
(DIR) Post #9oNLBNRjyrTpkeTjg8 by strypey@mastodon.nzoss.nz
2019-10-28T06:13:00Z
1 likes, 0 repeats
@bikecurious the source code is there. Anyone whose idea of developing apps is plugging a black box library into their preferred UI should *not* be developing encrypted comms software, or if they are, anybody using it should assume that the encryption implementation has holes in it.
(DIR) Post #9oNMZsdXlcWROIFO9A by strypey@mastodon.nzoss.nz
2019-10-28T06:28:39Z
1 likes, 0 repeats
@bikecurious however, as of 2017 the "backend" (non-UI components dealing with encryption etc) is separated out into a component called #bramble "You can build it as a JAR or AAR, separately from the rest of the Briar code, and use it in other projects. It runs on Java SE as well as Android." https://sourceforge.net/p/briar/mailman/message/36038299/
So external developers could use that as a base for building independent clients.
(DIR) Post #9oNQpmtZHVM229aDjs by bikecurious@whomst.dog
2019-10-28T07:14:40Z
0 likes, 0 repeats
@strypey @gentoorebel @noorul Check out Pyre.chat
(DIR) Post #9oPgCbndzwpiHqHQpc by strypey@mastodon.nzoss.nz
2019-10-29T09:17:59Z
0 likes, 0 repeats
@bikecurious thanks, I am :)
(DIR) Post #9oPnXNUl4pIPgMITyq by strypey@mastodon.nzoss.nz
2019-10-29T10:40:11Z
0 likes, 0 repeats
@erlequin FYI only one of those OS is actually Android ;) #Sailfish is a separate OS, forked from #Meego. #UBports is a community continuation of #UbuntuTouch, so it's a full mobile GNU/Linux. They do all run on some kind of #Linux kernel though :)
(DIR) Post #9oSOEMdS8Oki8M52yu by erlequin@libranet.de
2019-10-30T16:40:42Z
0 likes, 0 repeats
@strypey Not really, Ubuntu Touch is actually using some kind of a modded Lineage OS android kernel. In this sense Ubuntu Touch is not full mobile Linux (even if someone says it because android goes back to linux), at least not like e.g. PostmarketOS or PureOS. Both Sailfish and UT run android apps though with alien dalvik and anbox.
(DIR) Post #9oVaGsoj1pxF194UfA by strypey@mastodon.nzoss.nz
2019-11-01T05:39:19Z
1 likes, 0 repeats
@erlequin let's untangle this mess. Linux is a kernel, not an OS, and is the kernel used by both GNU/Linux and Android/Linux. What distinguished a GNU-based mobile OS from an Android-based one is not the kernel used (although Android uses a modified version with less security support), but the userland and UI. Is it GNU with a modified desktop DE like Unity, GNOME or KDE, or one Goggle's Java one? Sailfish is basically a (partly proprietary) mobile DE on top of a GNU userland.
(DIR) Post #9oVaaB9f4dLNOQ46LI by strypey@mastodon.nzoss.nz
2019-11-01T05:43:15Z
0 likes, 0 repeats
@erlequin > In this sense Ubuntu Touch is not full mobile Linux
Given what I explained in the last post, there's absolutely no question that UT - and thus UBports - is Linux. But what I think you're saying here is that it's not GNU/Linux, but rather Android/Linux. AFAIK the UI for UBPorts is a fork of the Unity DE that UT used. There was no reason to port that to the Android userland, if you can get devices running on a mainline kernel and use the mature GNU one where Unity was known to work.