Post 9webykTxWERppaycfw by grimfrenzy@mstdn.social
(DIR) Post #9webStVmPdOUZJdgoa by sir@cmpwn.com
2020-07-01T21:00:48Z
3 likes, 1 repeats
I should write a blog post about how Protonmail and Signal and Brave and so on are basically marketing to the privacy/security equivalent of LARPers, when they actually provide *less* security/privacy than not using them, and are a net harm on society because those who actually need them are duped into relying on them.
(DIR) Post #9webe0JXSdzgqsD8tM by sir@cmpwn.com
2020-07-01T21:01:39Z
3 likes, 3 repeats
If someone stands to make money from you, you should assume that they're lying to you through their teeth until you can prove beyond a reasonable doubt that they're working in your best interests, not theirs
(DIR) Post #9webe0T6t3eNKYgmoK by p@lol.dydx.moe
2020-07-01T21:04:36.454232Z
0 likes, 0 repeats
who hurt you man @sir
(DIR) Post #9webykTxWERppaycfw by grimfrenzy@mstdn.social
2020-07-01T21:05:39Z
0 likes, 0 repeats
@sir I'd read it (or an equivalent article you recommend).
(DIR) Post #9wec6WbP0YnX6GANCC by sir@cmpwn.com
2020-07-01T21:05:53Z
3 likes, 1 repeats
@p capitalism hacked our brains to make normal people okay with taking advantage of others
(DIR) Post #9wec6XIePlOPGOOubg by p@lol.dydx.moe
2020-07-01T21:09:44.635696Z
0 likes, 0 repeats
No, people did. Capitalism is not alive. Temptation comes in many forms. @sir
(DIR) Post #9wec7h3Zcm75oTtt6O by mithrandir@pl.wizards.zone
2020-07-01T21:09:58.885878Z
0 likes, 0 repeats
@sir I understand Brave, but what's wrong with Protonmail and Signal?
(DIR) Post #9wed1x25PfQrZw1x2W by avalos@cybre.space
2020-07-01T21:17:58Z
1 likes, 0 repeats
@mithrandir @sir They are centralized, perhaps? I mean, ProtonMail is more than e-mail, it is a service that provides a lot of stuff for security and encryption, but those things are exclusive to their service, and you're forced to use their clients. Signal is also centralized. You can run your own instance, but you cannot federate with other instances, and you need to customize the clients in order to connect with your instance.
(DIR) Post #9wed1xDmiAn2ADVIH2 by mithrandir@pl.wizards.zone
2020-07-01T21:20:06.356264Z
0 likes, 0 repeats
@avalos @sir sure they both have serious flaws. But the claim is that they are worse than not using them. Considering that three letter agencies can get phone or email records basically at will, and those services have open source and audited end-to-end encryption, I fail to understand how this could be the case.
(DIR) Post #9wedQGjRp4YBcouMLo by sir@cmpwn.com
2020-07-01T21:20:50Z
0 likes, 0 repeats
@mithrandir @avalos protonmail is not end to end encrypted
(DIR) Post #9wedTJ37fBzjgHYj7Q by mithrandir@pl.wizards.zone
2020-07-01T21:24:47.059007Z
0 likes, 0 repeats
@sir @avalos so you mean they directly lie on their website?
(DIR) Post #9wedcuF4kc5vdejArA by mithrandir@pl.wizards.zone
2020-07-01T21:26:50.747920Z
0 likes, 0 repeats
@sir @avalos "ProtonMail also makes use of OpenPGPjs as our message cryptography is PGP compliant." according to the github. PGP is end to end encryption, unless the keys are stored on protonmail servers unencrypted. https://github.com/ProtonMail/WebClient
(DIR) Post #9wede7eAOjjFVC2lsW by avalos@cybre.space
2020-07-01T21:25:24Z
0 likes, 0 repeats
@sir @mithrandir Hmm… then, what do they mean by "e2ee" in their website? Some sort of Telegram-like cloud encrypted thing?
(DIR) Post #9wede7uTQ6lyJlfnIO by sir@cmpwn.com
2020-07-01T21:26:31Z
0 likes, 0 repeats
@avalos @mithrandir they're gaslighting you
(DIR) Post #9wede8Xp3oFSHo5Dd2 by mithrandir@pl.wizards.zone
2020-07-01T21:27:00.617534Z
0 likes, 0 repeats
@sir @avalos give me proof.
(DIR) Post #9wedlOqUqqZGs2HUDA by mithrandir@pl.wizards.zone
2020-07-01T21:28:22.147499Z
0 likes, 0 repeats
@sir @avalos and, if they are lying, we should probably start a lawsuit for false advertising.
(DIR) Post #9wedvwUoaxou8BAPDM by sir@cmpwn.com
2020-07-01T21:27:32Z
0 likes, 0 repeats
@mithrandir @avalos no
(DIR) Post #9wedvwhZpW1oll8b6e by mithrandir@pl.wizards.zone
2020-07-01T21:30:14.305127Z
0 likes, 0 repeats
@sir @avalos Then you're probably lying.
(DIR) Post #9wedyUtPgDNRODtHUW by sir@cmpwn.com
2020-07-01T21:26:36Z
0 likes, 0 repeats
@mithrandir @avalos yes
(DIR) Post #9wee8P0OQLmw1fsWcC by lord@lord.sh
2020-07-01T21:32:29.263882Z
0 likes, 1 repeats
@avalos @sir @mithrandir it works only when you write to another Proton user (how many times have you done that?). And it "works" only if we believe them. What they are really doing with your emails is still a mystery due to the closed-source server side.
(DIR) Post #9weeGLCoR23oYfTOHQ by sir@cmpwn.com
2020-07-01T21:29:25Z
0 likes, 0 repeats
@mithrandir @avalos be my guest
(DIR) Post #9weePKg9lLUbWyUBqi by sir@cmpwn.com
2020-07-01T21:31:38Z
0 likes, 0 repeats
@mithrandir @avalos what a rude thing to say, screw you
(DIR) Post #9weeRpv4a8WT07en7Q by mithrandir@pl.wizards.zone
2020-07-01T21:36:00.930592Z
0 likes, 0 repeats
@lord @avalos @sir you don't need to believe them, the client is open source and anyone could audit it. So unless you think they use a faulty PGP implementation, or the people who have checked it did a bad job, whatever they are doing with the emails server-side, they are not able to decrypt them unless they have a quantum computer.
(DIR) Post #9weecAkG0Xk4UCWhkm by sir@cmpwn.com
2020-07-01T21:36:58Z
0 likes, 0 repeats
@syntacticsugarglider @mithrandir @avalos how about the real answer, which is that I've explained why protonmail is lying to its users a half dozen times before and I'm too busy with more important shit to reply to yet another random who's pissed that I dissed their mail service provider
(DIR) Post #9weecAzV5rw3FTesVs by mithrandir@pl.wizards.zone
2020-07-01T21:37:52.206990Z
0 likes, 0 repeats
@sir @syntacticsugarglider @avalos I don't use protonmail and never have.
(DIR) Post #9weeotqa94bxqIYOeW by mithrandir@pl.wizards.zone
2020-07-01T21:40:11.967012Z
0 likes, 0 repeats
@lord @avalos @sir the other possibility is that they are the ones who dole out public keys, allowing them to MITM every conversation. In Signal's case, you can manually verify keys out of band. I don't know about the protonmail client.
(DIR) Post #9wehHvOzdu98yIcKum by lord@lord.sh
2020-07-01T22:07:50.735629Z
1 likes, 1 repeats
@mithrandir @avalos @sir I worked with GopenPGP (their lib to work with PGP) and was highly surprised how fucking bad it was. No tests, bad doc, many bugs, heavy API changes a few days after release, etc. I hope it's better now, but I was surprised that they used it in production. I like this "everyone can audit it". Who exactly? It's the property of a private company. I have zero interest in auditing this shit. Like any other cryptanalyst. They just successfully jumped on this privacy hype train and earn tons of money from people who don't even understand what E2E is and how it works. It's also about false advertising. They push E2E as the main feature on their landing page. Question: how many ProtonMail users understand that it DOES NOT work when they use Proton as a provider to work with existing email infrastructure?
(DIR) Post #9wek5k0UU33G192RRg by mithrandir@pl.wizards.zone
2020-07-01T22:39:16.361861Z
0 likes, 0 repeats
@lord @avalos @sir according to their github, they use OpenPGPjs. Don't know if that's the same thing.
> I like this "everyone can audit it". Who exactly?
anyone who looks at their github repo.
> I have zero interest to audit this shit. Like any other cryptanalyst.
Sure, but presumably you aren't using it for anything important and you obviously aren't very invested in it. An organization or individual which uses protonmail might perform or pay for an independent audit. If they're dealing with health records they might legally have to.
> It's also about false advertisement. They push E2E as main feature at their landing page. Question: how many ProtonMail users understand that it DOES NOT work when they use Proton as a provider to work with existing email infrastructure?
This is true, and is certainly an issue. Really there's no reason to use protonmail over GnuPG. But I also see no reason to assume that their PGP encryption doesn't work at all.
(DIR) Post #9wekc0yuuLkfvigwIi by tty@sunbeam.city
2020-07-01T22:39:54Z
0 likes, 0 repeats
@sir I'd be interested in this.
(DIR) Post #9wen2qqmso2mEgoV0q by shellkr@mstdn.io
2020-07-01T23:12:19Z
2 likes, 0 repeats
@syntacticsugarglider @sir @mithrandir @avalos Protonmail may have the intent of protecting you but would be forced by law to submit anything they have on you. Email can't be secure... or more precisely, the metadata can't be. The messages are encrypted with your own GPG key, so I doubt they can circumvent that.
(DIR) Post #9wencXeDktux6YxDAO by ivan@vucica.net
2020-07-01T23:09:44.863265Z
1 likes, 0 repeats
@sir @avalos @mithrandir @syntacticsugarglider genuinely interested here, I tried to find something you wrote, but there's just too much noise. Related to this maybe? https://eprint.iacr.org/2018/1121
(DIR) Post #9weoLPFFqKxk4kfYUS by lord@lord.sh
2020-07-01T23:26:53.720179Z
1 likes, 1 repeats
@mithrandir @avalos @sir Here: https://gopenpgp.org/ I guess they use it server-side and as part of Bridge. Sure, the client side uses OpenPGP.js or kinda.
> but presumably you aren't using it for anything important and you obviously aren't very invested in it
I don't want to invest my time into auditing, for free, proprietary code dropped by a private company. And no one wants to. I would rather invest it into projects like Delta.Chat or AutoCrypt-based email clients.
> But I also see no reason to assume that their PGP encryption doesn't work at all.
I didn't say that. It probably works. @sir probably meant something more prosaic by saying it.
(DIR) Post #9werx7ysmKlvOmgqFU by peexea@fosstodon.org
2020-07-02T00:05:51Z
0 likes, 0 repeats
@sir you know, that's a very strong statement. Why is it "less secure than not using it"? Without further explanation it sounds like "<your_favorite_privacy_abuser> is more secure than a tool which at least _has_ privacy features". Yes, protonmail's security model is very questionable, but it is still better than gmail.
(DIR) Post #9wet3oXrXSmX6Jntvk by Kimba@quey.org
2020-07-02T00:14:09Z
0 likes, 0 repeats
@peexea @sir What email provider do you guys recommend?
(DIR) Post #9wet3ovG8TUsGskaOm by sir@cmpwn.com
2020-07-02T00:18:37Z
0 likes, 0 repeats
@Kimba @peexea migadu
(DIR) Post #9wetG4OaQuwNjdJDzE by peexea@fosstodon.org
2020-07-02T00:19:40Z
0 likes, 0 repeats
@sir BTW, Signal is a non-profit organisation, so "wants to sell you something" sounds very unreasonable.
(DIR) Post #9wetG4adi6a8L0wqm0 by sir@cmpwn.com
2020-07-02T00:20:52Z
0 likes, 0 repeats
@peexea lol, signal is one of the most profit motivated "non-profits" I know of. Not all non-profits are good, you know.

Get your signal simping out of my notifications, please
(DIR) Post #9wetNnEY7mWcpDITLM by Kimba@quey.org
2020-07-02T00:22:01Z
0 likes, 0 repeats
@sir @peexea I didn't know that service, thanks. It will be a very interesting read if you can explain your point about why you don't like ProtonMail and why Migadu is a better choice.
(DIR) Post #9wetVg1gnznGmw2bgm by sir@cmpwn.com
2020-07-02T00:22:56Z
0 likes, 0 repeats
@Kimba @peexea if you're really using end-to-end encryption then the service provider in the middle has very little to do with privacy. Don't let anyone mislead you with promises of privacy delivered *on the server*
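The key-distribution point raised earlier in the thread (if the provider is the one doling out public keys it can MITM every conversation unless keys are verified out of band) together with the point just above that with genuine end-to-end encryption the provider in the middle has little to work with, as an added example that is not part of this thread and is not ProtonMail's, Signal's or any other provider's code. It models a provider-run key directory with X25519 and AES-GCM from Go's standard library: Alice encrypts to whatever key the directory returns for Bob; an honest directory leaves the provider unable to read the message; a dishonest one that answers every lookup with the provider's own key lets the provider decrypt, read and re-encrypt without Bob noticing; and the only thing that catches it is Alice comparing the served key's fingerprint with one Bob gave her out of band. The party names, the directory, the SHA-256-of-shared-secret key derivation and the truncated fingerprint are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// must panics on error; acceptable for an example, not for library code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// Fingerprint is what two people compare out of band: a hash of the raw public
// key bytes, not anything the provider hands them (truncated for readability).
func Fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return hex.EncodeToString(sum[:8])
}

// gcm builds AES-256-GCM from the X25519 shared secret; plain SHA-256 stands
// in for a real KDF (HKDF) to keep the example stdlib-only (assumption).
func gcm(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	shared := must(priv.ECDH(peer))
	key := sha256.Sum256(append([]byte("example-session-key:"), shared...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal encrypts plaintext for peer; the random nonce is prepended.
func Seal(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) []byte {
	g := gcm(priv, peer)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open is the inverse of Seal; it fails if the key or the ciphertext is wrong.
func Open(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ct []byte) ([]byte, error) {
	g := gcm(priv, peer)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Result records what each party could see in one Alice-to-Bob exchange.
type Result struct {
	FingerprintMatches bool // the out-of-band check Alice can do herself
	ServerRead         bool // did the provider recover the plaintext?
	BobRead            bool // did Bob still receive the right plaintext?
}

// Exchange sends msg from Alice to Bob through the provider, whose key
// directory is honest or answers every lookup with the provider's own key.
func Exchange(honest bool, msg string) Result {
	alice, bob := newKey(), newKey()
	var provider *ecdh.PrivateKey // non-nil when the provider substitutes keys
	if !honest {
		provider = newKey()
	}
	directory := map[string]*ecdh.PublicKey{"alice": alice.PublicKey(), "bob": bob.PublicKey()}
	lookup := func(name string) *ecdh.PublicKey {
		if provider != nil {
			return provider.PublicKey()
		}
		return directory[name]
	}
	var r Result
	// Alice fetches "Bob's" key from the provider and compares its fingerprint
	// with the one Bob gave her in person; only this step catches substitution.
	bobKey := lookup("bob")
	r.FingerprintMatches = Fingerprint(bobKey) == Fingerprint(bob.PublicKey())
	ct := Seal(alice, bobKey, []byte(msg))

	// The provider relays the message. With a substituted key it can decrypt,
	// read, and re-encrypt to Bob's real key, so Bob notices nothing.
	if provider != nil {
		pt, err := Open(provider, alice.PublicKey(), ct)
		r.ServerRead = err == nil && string(pt) == msg
		ct = Seal(provider, bob.PublicKey(), pt)
	}

	// Bob fetches "Alice's" key from the same directory and decrypts.
	pt, err := Open(bob, lookup("alice"), ct)
	r.BobRead = err == nil && string(pt) == msg
	return r
}

func main() {
	fmt.Printf("honest directory:          %+v\n", Exchange(true, "meet at noon"))
	fmt.Printf("key-substituting provider: %+v\n", Exchange(false, "meet at noon"))
}
```

Run it with `go run` to print both outcomes. In the honest case the relay only ever sees ciphertext it cannot open; in the substituted-key case both Alice and Bob get a working conversation and the provider reads every word, and nothing in the client's encryption code reveals that, only the fingerprint comparison does. That is the check a verified safety number or a PGP fingerprint exchanged in person provides, and it is unavailable whenever the same party that relays the ciphertext is also the only source of the keys.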
(DIR) Post #9wetfc34RuunLbQPMe by sir@cmpwn.com
2020-07-02T00:19:11Z
1 likes, 0 repeats
@peexea there are many reasons but I can completely dismiss it with a single truth: they require your phone number.
(DIR) Post #9wetfcPl5Z3yTy2WjA by peexea@fosstodon.org
2020-07-02T00:24:35Z
0 likes, 0 repeats
@sir and what? They know who I am. They can say that I am using their service. What else?
(DIR) Post #9wetn6CKkk1cshKMDo by sir@cmpwn.com
2020-07-02T00:25:57Z
1 likes, 0 repeats
@peexea "they know who I am"

FUCKING RIGHT THEY DO
(DIR) Post #9wettTEo0Jhk4kWPPk by sir@cmpwn.com
2020-07-02T00:26:20Z
1 likes, 0 repeats
@peexea they know who you're talking to and when, too, and you bet your ass that could be enough evidence to put you in prison
(DIR) Post #9weu0Nv8Ajs3bxcFo8 by sir@cmpwn.com
2020-07-02T00:27:59Z
0 likes, 0 repeats
@peexea https://drewdevault.com/2018/08/08/Signal.html
(DIR) Post #9weu8KeAEAENm6TAJ6 by peexea@fosstodon.org
2020-07-02T00:28:38Z
0 likes, 0 repeats
@sir @Kimba and that's the Signal case. If you don't want to reveal your phone number, use Wire, or wait till the end of the year. AFAIK, Signal has started migrating from phone verification to something else.
(DIR) Post #9weuMNE3R5sXpLx72G by sir@cmpwn.com
2020-07-02T00:29:29Z
0 likes, 0 repeats
@peexea look, no one likes to be played for a sucker. You got lied to, your trust was broken, and that hurts. Your judgement was wrong, and you go on the defensive because that puts your ego on the line.

Resist the doublethink. Don't let moxie gaslight you.
(DIR) Post #9weuUCBgMN9xuRZZAm by peexea@fosstodon.org
2020-07-02T00:30:01Z
0 likes, 0 repeats
@sir do not mix privacy and anonymity, it's not the same.
(DIR) Post #9weujB7uaP8gxlxAm0 by peexea@fosstodon.org
2020-07-02T00:33:29Z
0 likes, 0 repeats
@sir well, if you want protection from contact tracing, you have only one option: closed f2f networks. Provided you connect only to unknown nodes, so your mail or IM will be transferred through multiple relay nodes.
(DIR) Post #9wf7ifXVKF5KOw0m4e by gws@mastodon.host
2020-07-02T03:03:45Z
0 likes, 1 repeats
@sir If it's them initiating contact with you, you're probably just a lead. See also: opportunity only knocks once.
(DIR) Post #9wfDte45kNQAjrs4MS by peexea@fosstodon.org
2020-07-02T00:47:42Z
0 likes, 0 repeats
Partially, but I've read it. OFC, p2p (and even more so f2f) is more private, but, man, it is a different use case. Yes, federated messaging is far better than centralised servers - totally agree. We do not have a federated IM now. At least not one that is used by more than just its authors and their friends.
(DIR) Post #9wfDteuYbJO9MaPy8f by peexea@fosstodon.org
2020-07-02T00:52:53Z
0 likes, 0 repeats
Maybe I was not very good at explaining myself, so again.
1) The Signal protocol itself is quite good from a crypto point of view.
2) There *are* several questionable design decisions in Signal itself which can significantly reduce your privacy.
3) We should use the best tool we have *so far* and, well, xmpp+otr does not fulfill my expectations of an IM tool.
Except for the above-mentioned xmpp+otr I don't know any IM tool with comparable cryptographic abilities.
(DIR) Post #9wfDtfElOBYGNFs6dM by amolith@social.nixnet.services
2020-07-02T04:13:10Z
0 likes, 0 repeats
@peexea OTR is a defunct encryption method for XMPP. It's been superseded by OMEMO for a very long time now; both the user experience and crypto are much better. https://wiki.xmpp.org/web/OTR
(DIR) Post #9wfIHQuUhvJUhryqPI by zethra@fosstodon.org
2020-07-02T05:01:10Z
0 likes, 0 repeats
@avalos @sir @mithrandir if it was end to end encrypted you wouldn't be able to email to non-protonmail users.
(DIR) Post #9wfIHRFPSA2lkjlY0W by mithrandir@pl.wizards.zone
2020-07-02T05:02:18.069829Z
0 likes, 0 repeats
@zethra @avalos @sir The encryption is only active between protonmail users.
(DIR) Post #9wfkwb9oJMyB4oYtea by peexea@fosstodon.org
2020-07-02T10:23:28Z
0 likes, 0 repeats
@amolith wow, I should definitely read the specs of OMEMO. As far as I can see, they use the Double Ratchet and thus should provide privacy recovery after device compromise. (Which *is* in my threat model, as in my country device confiscation by the authorities is a common practice.) Thank you!
(DIR) Post #9wg2Nabo9n4QPo76dk by awaspnest@mastodon.xyz
2020-07-02T13:36:59Z
0 likes, 0 repeats
@sir You might also want to check out https://purelymail.com/ Impressively, it's mostly a one-man show. @Kimba @peexea
(DIR) Post #9wg6fSlgRlTT7vVkaO by HarneyBA@pleroma.site
2020-07-02T14:26:57.082198Z
0 likes, 0 repeats
@sir Would read and share. Not technically competent enough to explain it as well.