Today is a good day to familiarize yourself with the Russian concept of "managed democracy".
& to download #Signal and/or #DeltaChat
Signal had issues though...!
@VeroniqueB99 The biggest issue that I know of is that they rely on AWS.
What issues are you referring to?
Thanks btw, because you made me think to add Delta Chat. I'm thinking it's the best long-term solution that I've seen.
I can't remember but wasn't there a leak of some kind recently, like a security issue or they gave their customers' data/got hacked or something...? (don't quote me I'll try to find it again)...
@VeroniqueB99 @SrRochardBunson Signal has no data to give. See https://signal.org/bigbrother/. What you're probably thinking of is the novel way Russia was phishing Ukraine soldiers to get them to link their Signal accounts to devices they controlled. That has since been resolved, and Signal has been putting in various safety features to warn users about suspicious linked devices if a similar attack were used in the future.
yes, it's probably that... so...super safe?
@VeroniqueB99 @Avitus Everyone I trust that knows more about tech than me says #Signal is safe. You'll notice Rolling Stone and other journalists using it almost exclusively now.
all righty then... thanks!
@VeroniqueB99 @Avitus @SrRochardBunson there are always techniques to get around security. The question is how hard you make them work for it. Signal makes it the hardest. If a nation-state targets you and wants to commit money, time and personnel, they MIGHT get through. Make them work for it.
@SrRochardBunson @VeroniqueB99 AWS, Azure, and Google Cloud are the only viable options for providing a global service. Signal uses a combination of all three for various parts of the Signal infrastructure.
@SrRochardBunson @VeroniqueB99 Delta Chat is based on email which leaks metadata like a sieve.
I would not use it for any kind of activism. You're one warrant away from having your entire social graph mapped out.
The contents might be end to end encrypted but who you're talking to isn't and all those people are susceptible to rubber hose decryption.
@k3fnb just because #DeltaChat uses the email protocol you are making some wrong assumptions that only apply to classic email, sure if you go doing activism using #gmail that is not safe, but to use Delta Chat, you don't need to provide ANY personal data / metadata and hence can't leak metadata, you can create an anonymous account for a protest and throw it away afterwards, if cops get your phone they get random contacts not phone numbers unlike in #Signal etc.
@adbenitez This is just not the way people typically use messengers. Everybody is used to using their phone number as an identifier for whatever messaging solution (SMS, WhatsApp, iMessage, etc.). It's a much better idea to just use a messenger with sufficient metadata protection. No Matrix, and nothing based on email then. @signalapp and @simplex are probably the best solutions.
> "if cops get your phone"
I hope you're using a secure phone then. #GrapheneOS has stood really well against forensic companies like Cellebrite. https://grapheneos.social/@GrapheneOS/112826160880324005
You can also use the @mollyim client for Signal to encrypt your message database, which on modern devices is also tied to the hardware keystore. https://github.com/mollyim/mollyim-android/wiki/Data-Encryption-At-Rest
> "It's a much better idea to just use a messenger with sufficient metadata protection"
this is your very own opinion, mine is that it is better not to require phone numbers or SIM cards, often tied to personal ID card or passport in some countries. An app requiring ZERO personal data is better.
@adbenitez Yes, that is my opinion. But I think it's pretty unrealistic to believe that people are just gonna abandon their habit of using phone numbers as identifiers for messaging apps. I don't like it either, but you can't build a messenger for yourself, other people actually need to use it, in order for it to be useful.
There's a reason why Signal is by far the most popular private messenger.
@Andromxda I have been using #DeltaChat to chat with my family for years, that is why I started contributing, I don't use #WhatsApp nor #Signal and all my family and friends are amazed at how easy and pain-free it is to onboard on Delta Chat, just setting a name, and that is it, no SMS codes, no captcha no BS, then just scanning each other's QR or clicking an invite link, no manual typing phone numbers etc.
@adbenitez @SrRochardBunson @VeroniqueB99
It leaks metadata in the way that everyone you talk to is open to the server. The server needs that information in order to route mail to the correct recipient. Your server knows who you're talking to and every server you talk to knows who you're talking to.
Sure you can find an email provider that is anonymous, but your social graph is still vulnerable. This is a privacy flaw that is inherent to the architecture of email.
@k3fnb it is not that "you can find an anonymous address" this is the default approach, users just set a name to use DeltaChat, then all that the server knows is that some rubbish address like a5Gh80xFp@example.com is talking to a similar rubbish address, who is the "you" the server knows the "social graph" of? That line of thought only applies if you are using phone numbers, which is the case for #Signal, #WhatsApp etc
@feld another point people miss: unlike on #Signal, #WhatsApp, #Telegram, etc where there is a central server watching all the social graphs of the whole network, in #DeltaChat and other decentralized platforms like #XMPP what a server can see is pretty limited and fragmented. We started talking about activists btw, and having the freedom to choose a server instead of a central server potentially collaborating with your enemy is a killer feature
@adbenitez @feld @k3fnb @VeroniqueB99 @SrRochardBunson Signal doesn't "track social graphs" because it can't: https://signal.org/bigbrother/
@feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson
Is that still true after the username change? Very few of my chat contacts have visible phone numbers.
@feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson
Looking at the server side code, Signal stores the phone number with the account id.
So if the cops were able to decrypt my phone app's database, enumerate all the account ids in my Signal's contacts/messages, they could submit a warrant to Signal and gain access to all the phone numbers associated with those account ids.
The phone number has been my biggest complaint about Signal.
@feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson
Now, if the cops got ahold of my phone's DeltaChat messages, they would be able to build a graph of what email addresses I've been talking to, but they'd have a hard time mapping those to real world identities, especially if they're pseudonymous chatmail addresses.
@k3fnb @feld @Avitus @VeroniqueB99 @adbenitez @SrRochardBunson instead of asking Signal could the feds also just come for Amazon to convey them the full DynamoDB database that hosts the account id phone number mapping afaik?
I know that each Chatmail deployment has its own setup, but I never read anything about idle accounts being deleted with other Chatmail deployments, unless the user intentionally signs out. I'm sure you have a reason to do this for your deployment, but I can't think of a compelling security reason to delete a signed in account just because it is inactive.
For an account to be completely abandoned (no logins), the user needs to log out first, by deleting the account from inside the Delta Chat app, right?
@feld @k3fnb @VeroniqueB99 @adbenitez @SrRochardBunson just for the record I think it is fair and necessary to answer to that is: mail addresses.
Yes, you can remove sensitivity (as mentioned), but that is on you! People using ordinary mail get screwed.
It's a bit like having encryption but off by default. But worse: it isn't a simple check-mark to turn it on.
Kudos to DC for making it very easy to set up such an account. That goes a long way, especially since Signal can't do that - at all.
@k3fnb It also lacks forward secrecy btw.
@SrRochardBunson Delta Chat has far more issues. The lack of fundamental cryptographic features like forward secrecy is probably the largest flaw. I would recommend @simplex instead.
@SrRochardBunson Awww, honey - managed democracy is all any of us has *ever* had. That's all capitalism will allow.