Post 9vrFUy10dNKk27FrKS by michel_slm@floss.social
Post #9vYfdXIcuH6zwffmKW by strypey@mastodon.nzoss.nz
2020-05-30T02:28:48Z
1 likes, 0 repeats
"This was a mistake. We had imagined that the textual representation would be used for remote comparisons and the QR code for local (in person) comparisons, but some users found it easier to send a screenshot of both formats via a public forum like Twitter, unknowingly publishing the phone numbers embedded in the QR code."
https://signal.org/blog/safety-number-updates/
So, Signal apologists, remind me how forcing users to associate their phone number with their #Signal account isn't a privacy risk?
Post #9vYgmSiXPbSWIKc3fs by strypey@mastodon.nzoss.nz
2020-05-30T02:41:37Z
1 likes, 0 repeats
Also, this:
"Steve Thomas pointed out that one caveat remains: if you have previously published an old-style Signal fingerprint or QR code and you now publish a new-style Signal safety number or QR code for the same identity key (i.e. without having reinstalled Signal), your phone number could still be discovered by a brute-force search."
#Signal
Post #9vYvGgVe63Ab7Et7I0 by michel_slm@floss.social
2020-05-30T05:23:54Z
0 likes, 0 repeats
@strypey Riot/Matrix would be a much more preferable alternative to Signal once it matures a bit. Phone numbers are terrible as identifiers, can't believe Signal did the lazy thing and copied WhatsApp there.
Post #9vZ4YshuNpYRkLNL8a by strypey@mastodon.nzoss.nz
2020-05-30T07:07:54Z
0 likes, 0 repeats
@michel_slm can you give me an example of what you think makes Riot less mature than Signal?
Post #9vZ4rSi5GSC2cUJkLg by strypey@mastodon.nzoss.nz
2020-05-30T07:10:10Z
0 likes, 0 repeats
@michel_slm can you give me an example of what you think makes Riot less mature than Signal? Now that device cross-signing has shipped and E2EE is on by default for private chats, I would already recommend Riot.
Post #9vZIeb8q0HxgMaajnE by FiXato@mastodon.social
2020-05-30T09:45:00Z
0 likes, 0 repeats
@strypey one of the main reasons I still don't have a #Telegram or #Signal account...
Post #9vZJzh2xLMU8iHSmu0 by michel_slm@floss.social
2020-05-30T10:01:02Z
0 likes, 0 repeats
@strypey the transition to device cross-signing is a bit rough (some people with existing logins get stuck trying to enable it - nothing that can't be worked around if you're tech savvy). There's performance issues too - matrix.org is slow, upgrading to a modular.im plan would fix this but the migration scripts are not mature yet. The new RiotX mobile app is shaping up nicely though, the old Riot app was so slow.
Post #9vZikYC8TDpRlmdJMu by elplatt@greatjustice.net
2020-05-30T14:38:19Z
0 likes, 0 repeats
@strypey it's a calculated risk. It seems like an unnecessary risk to include it in the QR code though. So you know of better secure messengers that are easy enough for the general public to use?
Post #9vZww0o1pkXD37iUXQ by mathew@mastodon.social
2020-05-30T17:17:04Z
0 likes, 0 repeats
@strypey Ironically that's one of the reasons why they introduced the PIN that everyone has been complaining about — so they can have identifiers other than phone numbers.
Post #9vfCnYwIOlaQ3Uaot6 by strypey@mastodon.nzoss.nz
2020-06-02T06:08:39Z
0 likes, 0 repeats
@FiXato same. Signal boosters love to go on about metadata, totally ignoring that a cell phone # potentially allows adversaries to associate a huge amount of metadata with an account holder. If your threat model includes targeted surveillance (eg activists, dissidents, journalists), Signal is worse than useless.
Post #9vfD3OyNDmjfmJ7LSi by strypey@mastodon.nzoss.nz
2020-06-02T06:11:01Z
0 likes, 0 repeats
@FiXato same. Signal boosters love to go on about metadata, totally ignoring that a cell phone # potentially allows adversaries to associate a huge amount of metadata with an account holder. If your threat model includes targeted surveillance (eg activists, dissidents, journalists), Signal is worse than useless. Especially given that it operates in the primary 5 Eyes jurisdiction.
Post #9vfE5HSmDG1B1LnXdY by strypey@mastodon.nzoss.nz
2020-06-02T06:23:01Z
0 likes, 0 repeats
@michel_slm
> the transition to device cross-signing is a bit rough
I agree with all this. But transitional issues don't really affect new users.
> matrix.org is slow
Centralization is hard to scale, which is why Matrix is federated. New users can get better server performance by self-hosting, joining an organisation that does (eg join @feneas !), or at least picking a less popular public server.
> migration scripts are not mature yet.
I just manually migrated to #strypey:feneas.org
Post #9vfFVtSjeeQKMC25Ka by strypey@mastodon.nzoss.nz
2020-06-02T06:39:05Z
0 likes, 0 repeats
@elplatt Great question :) The answer is, as with any security advice, it depends on your threat model. Jane Average wanting to reclaim privacy from surveillance capitalists faces different threats than activists planning a banner drop at a corporate headquarters. An anti-corporate political party planning campaign strategy needs defence against a set of threats that are different again. Different apps solve different problems and there's no silver bullet.
Post #9vfGXKhbxkF75GF03U by strypey@mastodon.nzoss.nz
2020-06-02T06:50:30Z
0 likes, 0 repeats
@elplatt I also think it's worth reminding readers to take any security advice you read online with a grain of salt, including mine. But having laid out all those caveats ... Now that device cross-signing has been rolled out, I'd say Riot is already a better encrypted chat app than Signal for most purposes. IMHO the Matrix community continue to prove Moxie wrong. Yes, the ecosystem is moving, but away from centralized silos like Signal, and towards federation (eg https://wire.com/en/blog/mls-future-of-collaboration/ ).
Post #9vfGztiZMyJ3n5JGvQ by strypey@mastodon.nzoss.nz
2020-06-02T06:55:42Z
0 likes, 0 repeats
@mathew haven't seen those complaints yet. Got any links to notable examples?
Post #9vgpUHUllWQEhDYmQK by michel_slm@floss.social
2020-06-03T00:56:44Z
0 likes, 0 repeats
@strypey @feneas huh Feneas has *both* Friendica *and* Matrix? I'm almost sold. Does it bridge to IRC as well? (especially Freenode, but GIMPnet will be a nice bonus) Agreed that transition does not affect new users. A friend of mine is really fussy about UX, I should get him to try out the new version. Also, they just announced something really cool -- alpha of a #P2P architecture!
https://matrix.org/blog/2020/06/02/introducing-p-2-p-matrix
Post #9vh1ZmTPDTOjfdJLJQ by strypey@mastodon.nzoss.nz
2020-06-03T03:12:19Z
0 likes, 0 repeats
@michel_slm
> Does it bridge to IRC
I'm in a bunch of IRC rooms via Matrix, including the Feneas room on Freenode which is bridged to: #feneas:feneas.org
Just to be clear, Feneas.org is an organisation, not a single software instance. But financial members get full use of accounts on all the services they run, including Friendica (OStatus, Diaspora, ActivityPub protocols), Synapse (Matrix), and GitLab (Git).
> alpha of a #P2P architecture!
Hybrid federated/distributed networks. Exciting :)
Post #9vhAr34pdXRrfz7qKW by michel_slm@floss.social
2020-06-03T04:56:11Z
0 likes, 0 repeats
@strypey thanks for confirming! I'll probably join then. Matrix admins can choose what integrations to enable, and I've tried another instance that doesn't have IRC set up. Will probably move my mostly unused Friendica account too and consolidate in one place.
Post #9vhWh3Ntpv8Kj3gQxE by strypey@mastodon.nzoss.nz
2020-06-03T09:00:45Z
0 likes, 0 repeats
@michel_slm cool! Info about how to join is here:
https://feneas.org/membership/
Dues are 1 euro per month.
Post #9vrFUy10dNKk27FrKS by michel_slm@floss.social
2020-06-08T01:35:22Z
0 likes, 0 repeats
@strypey I just got invoiced yesterday so hopefully I'll be there sometime this/next week!