Lol Signal is linking to a copy of the talk Moxie held and which they officially wanted to be taken down... seems really like they just did it for publicity 🤦‍♀️

signal.org/blog/looking-back-a

@jr Well, fuck Signal even more then. The people behind it suck as much as the software itself 👎

@nipos @jr They never wanted the talk to be taken down. The talk should have never been recorded (speakers at 36c3 can opt-out from a recording). This opt-out has been ignored by mistake.

I guess, now, since the talk is recorded and on the web anyway, Moxie accepted its existence and there is no good reason not to link to it.

@fluxx I know that... but they did make a big thing out of a mistake of a person and now they are linking to what they criticized back then? @nipos

@fluxx @jr The biggest damage is the existence of Signal.

@nipos @jr Signal is the only app that provides strong e2ee by default, is completely open source and offers great usability (i.e. is easy to use for everyone). Imho, Signal is a very valuable solution to the hard problem of secure messaging.

@fluxx @jr No, maybe, no and no. It's not the only one, have a look at Threema or Session. Encryption may be strong but with servers at AWS in the United States I still don't trust that infrastructure. And the code is open source but it's not free as in freedom: If you change anything, you're not allowed to connect to the server anymore. And other solutions aren't harder to use. Signal isn't a solution, it's part of the problem.

@nipos
With good e2ee it can use any infrastructure without any privacy concerns. There might be ethical problems with using services like AWS though, I agree.
And if they'd open up for every client, a potentially malicious client could gain popularity and they couldn't do shit about it. If you see a viable way of keeping everything as secure as possible AND go the way of decentralization, then you should give them a call.
Since when is Threema's e2ee open source?
@fluxx @jr

@eutektoid @jr @fluxx Threema is not open source but that doesn't matter if you can't make use of the open API anyway. At least they have infrastructure without GAFAM and are based in Switzerland. Anyway I personally wouldn't use that one either. Matrix is just fine. Decentralized and open source.

@nipos
Okay, I see your point.
But imagine there was a Matrix client with a backdoor. What could anybody do about it, when many people (average non-IT people) would start using it due to very good marketing. The users would feel secure but weren't safe. What would you recommend? I would really love to know. That keeps me from using Matrix. Who would've time to check all the clients for flaws (even if they'd all be open)?
@jr @fluxx

@eutektoid @fluxx @jr The big advantage of decentralized software is that nobody has control over everything. In that case it means nobody can block this client for everyone. But server admins can block clients connecting to their servers. But what should a malicious client do? It doesn't have a phone number or email address, only your user name and the messages. Sure, it could abuse that data but you always have this risk. Signal and WhatsApp could decrypt and spy on your messages, too. And I don't doubt that they do. Your operating system can also have a keylogger. Or the keyboard app you use. I don't see why anyone should use a manipulated Matrix client for that. In the end, you're never 100% safe if you don't use 100% open source software on both ends of the conversation.

@nipos
»But server admins can block clients connecting to their servers.«
I see, but first you were complaining that the Signal network was not open for everyone. If I can't choose my client in the end to connect to the whole network, there is no advantage. First, server admins would have to check the client's source code, and second, they shouldn't be able to block anyone 'cause that would be oppression. It's like blocking a party from parliament, 'cause you don't like it.
@fluxx @jr

@nipos @fluxx @jr
»you're never 100% safe if you don't use 100% open source software on both ends of the conversation.«
Agreed!

@nipos @fluxx @jr

»Sure,it could abuse that data but you always have this risk.«
The risk is at minimum when everybody has to check just one client and one piece of server code. And the secure communication is MY priority and I would rank decentralization below more safety. Don't get me wrong: decentralization is nice in some ways, but data safety is more important for me in private conversations. So I always have a risk, but it has not the same size in every scenario.

@nipos @fluxx @jr

And as far as I understood this, that is one of the Signal project's priorities too: more safety above decentralization.

»Signal and Whatsapp could decrypt and spy on your messages,too.And I don't doubt that they do.«
WhatsApp maybe, but Signal is open source and the e2ee is working. So, no, they can't read your messages and decrypt them, or what am I missing here?

btw: really nice conversation! thank you!

@eutektoid @jr @fluxx WhatsApp's end to end encryption is working, too and that's proven. The thing is that you can't exactly know what the client does. The client has to decrypt the data to present it to you and after doing so, it could theoretically send the cleartext data back to its company. WhatsApp is closed source and Signal doesn't allow modified clients, so you have to trust the builds in the app store. Everyone can build their own Riot from source and make sure that this can't happen, therefore I think Matrix is the safer way. And if that's too much work, you can download the safe build from F-Droid which has been reviewed by the F-Droid team. WhatsApp and Signal both aren't available in the F-Droid store. Yes, the different clients *could* mean a low risk of manipulated clients, but I see a large choice as an advantage. You should also think about upcoming systems like the new Linux phones which will likely never receive official builds of WhatsApp or Signal but everyone can write their own Matrix client for it. A walled-garden can harm the adoption of new platforms as long as their market share isn't relevant enough, therefore I think we do absolutely need decentralization.

@eutektoid @jr @fluxx I didn't say that anyone should block any client but that is a possibility if any client appears that phones home all your data (which I don't think will happen).

@nipos
Okay yeah, not per se, but there IS a possibility, exactly!

Some attackers (states) will do what they can and what saves time in mass surveillance. Hacking every device might be feasible as well, but seems harder to me than attacking the communication's infrastructure at the weakest point.

Don't you think?

@jr @fluxx
