• 0 Posts
Joined 2 years ago
Cake day: Jun. 28, 2021


I’ve read from SMEs that Signal is the gold standard for encrypted private messaging. I haven’t seen that claim of any other messenger. What are the alternatives?

I’ve tried Briar and that seems like it may be good in 5+ years, but not something I’d ask non-techy people to use in its current form. Session dropped Perfect Forward Secrecy because it was too hard to make it work. I don’t want security features dropped just because they’re “hard”, so that’s an immediate no from me. What are viable alternatives that don’t leak metadata?

“Don’t let perfect be the enemy of good” Nobody’s forcing you to use the “official” join mastodon site - it’s not a keystone of the fediverse. And not to be dismissive, but you made a PR and someone didn’t follow up with you? Nobody owes you anything in life, including a response to a PR. People get busy or just don’t even want to respond for no reason at all - learn to deal with it in a graceful way.

Your data already resides completely viewable to them without you knowing any better. Discord could sell off every single one of your messages without your knowledge and without using any trackers built into the app/website itself.

So we’re trusting Tor but not Mullvad who collaborated with the Tor Project [0] to create this browser?

… developed in a collaboration between Mullvad VPN and the Tor Project

Who’s behind Librewolf and Ungoogled Chromium that we should trust them over Mullvad?

Even Librewolf recommends you use Tor [1].

Can I use LibreWolf with Tor?

Please don’t.

The Tor network is designed to give you complete anonymity, but it can be compromised if you use it with any browser other than the Tor Browser. If you want anonymity, download the Tor Browser.

They’re all open source projects, how do you define who should/shouldn’t be trusted? Seems rather reactionary to discredit Mullvad without any evidence when the alternatives provided suffer the same issue - who’s behind the project and how do you establish trust?

Lastly, Ungoogled Chromium provides almost no privacy enhancing features by default [2], so how could this be recommended as a privacy preserving browser?

ungoogled-chromium features tweaks to enhance privacy, control, and transparency. However, almost all of these features must be manually activated or enabled.

Let’s discuss real alternatives and real issues, not jump to conclusions and throw everything out because it’s not “perfect”.

“Don’t let perfect be the enemy of good” and all that.

[0] https://mullvad.net/en/browser

[1] https://librewolf.net/docs/faq/#can-i-use-librewolf-with-tor

[2] https://github.com/ungoogled-software/ungoogled-chromium#objectives

As much as I love (and still support) Matrix - this is the problem that Signal warned about with allowing multiple clients onto your platform. Not all of them support the same features, and they hold back progress as you find incompatibilities with people you’re attempting to communicate with. Even FluffyChat (at least last I tried it) was missing a bunch of features that forced me to go back to Element.

I’m not saying Matrix or Signal is better, just that there is a valid reason for Signal wanting people to use the “official” client, it ensures feature compatibility.

You could say human brains are also “just chaining words together that seem to occur together in the wild”. What is thinking if not bringing ideas (words) together that we’ve learned from our environment (the wild)?

While it is true that using unnecessary words can clutter your writing and make it less effective, it’s also important to consider the context and purpose of your writing. In some cases, boilerplate language or repetitive phrasing can serve a useful purpose, such as providing clarity or emphasizing a point.

Additionally, it’s important to consider your audience and their familiarity with the subject matter. While a particular word or phrase may seem superfluous to you, it may be necessary for readers who are less familiar with the topic.

Ultimately, the goal of effective writing is to communicate your message clearly and efficiently, and sometimes that means using words or phrases that may seem redundant or unnecessary to some readers. As a writer, it’s important to strike a balance between clarity and concision, and to make thoughtful choices about the language you use to convey your ideas.

Check out Aptera https://www.youtube.com/watch?v=HNjUdTJjiNk

They appear to be completely behind supporting right to repair and providing schematics so you can do your own repairs as well. Additionally, efficiency appears to be their primary goal, which I would really like as a “daily commuter”.

They don’t have a car in the market yet, but when they do, I’m buying for sure. You should look into them https://aptera.us/

There’s a browser-based wormhole protocol “app” available at wormhole.app. You go there from your phone, upload a file, open the link on any other device that has internet, and you can download it directly from the other user, end-to-end encrypted. There are also standalone clients available, but for cases where you don’t/can’t set up SMB file sharing, it’s pretty handy.

This is great news, but I’m still waiting on an AMD CPU option for my purchase.

Anyone have any insight on Revolt - https://app.revolt.chat ? Seems to be a decent Discord alternative, but wondering what others’ thoughts are on it.

What viable user-friendly (i.e. no account creation required) options are there? I just want my messages between friends and family to not be mined by greedy corporations.

Great read! Thanks for sharing.

Look up ‘dislocker’ [0]. It comes pre-installed in grml [1], along with various other tools that come in handy. I’ve used it various times for various things.

[0] http://tuxdiary.com/2015/03/20/dislocker/

[1] https://grml.org/

You’re glad you moved away from DDG because they’re fighting spam and misinformation? That doesn’t make sense to me. SearX is great, but ditching DDG because they’re doing a net positive is illogical.

Not an expert at all in anonymizing audio, but I suspect anything “off the shelf” to mask your voice may be easy, or at least easy for experts, to undo. I would suggest instead to use a TTS engine and mask that instead. Here’s a list of decent - from my now ancient experience - TTS engines you may be able to use: https://linuxhint.com/command-line-text-speech-apps-linux/

Regarding uploading without leaking your IP - you could use Tor, but ensure JavaScript is disabled and/or you completely trust the server you’re uploading to. Lastly, some people would advise that Tor has long been compromised, but take that with a grain of salt and wait for others with more recent knowledge/experience to chime in.

I was going to point out a few myself but saw that someone had already done the work for me - “on the shoulders of giants” as they say ;)

Check out MiroTalk https://mirotalk.herokuapp.com/.

It’s free, browser-based, open-source, you could self-host if you want to. You basically go to a unique link, like this for example: https://mirotalk.herokuapp.com/join/51839BlueDuck. Anyone who visits the link can join the room, you can even lock the room to prevent people from joining after all your members have hopped on.

Some of its features:

  • 100% Free and Open Source
  • No download, plug-in or login required, entirely browser based
  • Unlimited number of conference rooms without call time limitation
  • Possibility to Lock/Unlock the Room
  • Desktop and Mobile compatible
  • Webcam Streaming (Front - Rear for mobile)
  • Audio Streaming crystal clear
  • Screen Sharing to present documents, slides, and more…
  • File Sharing, share any files to your participants in the room
  • Select Audio Input - Output && Video source
  • Ability to set video quality up to 4K and adapt the FPS
  • Recording your Screen, Audio and Video
  • Chat with Emoji Picker & Private messages & Save the conversations
  • Advanced collaborative whiteboard for the teachers
  • Share any YouTube video in real time
  • Full Screen Mode on mouse click on the Video element
  • Change UI Themes
  • Right-click on the Video elements for more options
  • Direct peer-to-peer connection ensures the lowest latency thanks to WebRTC

Sorry, didn’t mean to upset you. I think my response was pretty solid, sorry if you’re unable to understand what I’m saying.

Briar is probably more secure and it’s not the only secure app to chat in this world, Signal isn’t the MOST SECURED one xD.

A communication platform is only as good as its feature-set, ease-of-use, and accessibility. I’m not going to ask my grandma to install Briar - hell, half my friends and family with iPhones can’t even install it, there’s no app for it. I would consider my PGP signed/encrypted text files delivered via carrier pigeon even more secure than Briar, but who would I even talk to? Maybe Briar will be a great alternative in the future, but it has a lot of ground to cover. Also, Signal is fully E2EE - that’s what I want, that’s what I care about right now. I’m keeping an eye on Briar, but I’m not asking anyone to install it yet.

Just block and done.

You’re simplifying a problem in a domain you seem to have zero experience with. I will just leave it at that, as the examples in my previous reply didn’t seem to click.

if FBI asks for a backdoor you are forced to make it BY LAW and you can’t even tell this to anyone BY LAW

This is a lie.

Forced labor in the US is illegal. The FBI cannot force you or an organization to work without compensation. As such, the FBI cannot compel software developers to work (modify their code to make it less secure) without breaking the law.

The All Writs Act forces companies to assist in investigations by providing data they already have (which Signal gladly does [1]), but it does not grant the ability to force someone to work (which is what software development is and is what would be required to backdoor their own systems).

[0] https://www.beencrypted.com/news/apple-vs-fbi-events-summary/

[1] Reminder that Signal only collects: 1) the date you signed up 2) the last day your client pinged their servers.

In security, you can’t assume that the server isn’t storing a piece of data just because the operator says it isn’t.

100% agree with you about being unable to confirm what the server is doing, but the fact of the matter is anyone you interact with - centralized server-client or decentralized peer-to-peer - can store some metadata.

The FBI could force Moxie to hand it over, and may have already done so without us knowing

Private contact discovery is engineered in a way that you would be unable to retrieve what is being processed even if you had access to Signal’s infrastructure or admin/root rights. If you don’t believe this is true, please point out where the weakness in their code is, it’s open for review and for anyone to point out its flaws.

Lastly, the FBI cannot compel anyone - individuals or companies - to work on anything without compensation. That is considered forced labor, which is highly illegal in the United States where Signal resides. The FBI attempted to force Apple to develop software to compromise the security of iOS, but they dropped the case, likely because they knew they would fail. Although they claim they found the software they needed elsewhere [0].

So the FBI can ask Signal for assistance, but that’s it. Signal must comply with the law so they always provide the info they do have - which is the data I previously pointed out - but they do not have to build any such system that would compromise the security of their service as it would fall under forced labor; i.e. developing software against their will.

[0] https://www.beencrypted.com/news/apple-vs-fbi-events-summary/

I never get any spam on my chats

I’ve never crashed my car, should everyone get rid of their car’s seat belts?

Your experience does not represent the world. I’ve only experienced 2 cases of spam on Signal, but they were all within the last year. I’ve had zero spam in the many years I’ve now been using Signal. So, while my anecdote is just as invalid as your single point of data, there’s definitely a trend for increased spam as a service gains popularity and it makes sense that they’re looking at enhanced methods to block spammers.

I still don’t see why they want a super secure smart system to block with captcha

You don’t understand why Signal, one of the most secure messaging platforms available, wants a super secure smart system to block spammers? I think you answered your own question.

Telegram for example you can add your own bot to kick the bot users. If you get a direct message you can just block and report

Telegram stores all your data and can view everything you do - unless you opt into their inferior E2EE chat solution known as “Secret Chats” - so it’s easier for them to moderate their services. When you report someone, Telegram moderators see your messages for review [0] and can limit an account’s capabilities. Signal can’t view your messages because everything is E2EE, nobody but the intended recipient can view your messages, they can’t review anything.

As you can see, without even digging into it too much, I’ve already found one case where Signal faces challenges not present in Telegram. Things aren’t always as simple as they seem. Especially not for Signal, as they’ve worked their asses off to ensure they have as little data on their users as possible.

[0] https://www.telegram.org/faq_spam#q-what-happened-to-my-account

A simple system like that is easy to implement. I don’t think anyone’s questioning that they can build the worst attempt at an anti-spam system, like the one you’re suggesting. The types of spam you see on modern systems need a bit more thought than “block if reported more than x times in x times”, because you could easily target people and disable them remotely by coordinating attacks.

So yeah, it’s not magic if you want a dumb system that may introduce other problems, but you really have to think about things sometimes if you want it to work well in the long run.
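The failure mode named in the comment above (a coordinated group filing reports to trip a plain “block if reported more than x times in a window” rule) simulated as an added example. This is not code from the thread and not Signal’s rule, which the thread says is deliberately unpublished. `naive_score`, `weighted_score`, the window and threshold values and every account name are constructed assumptions; the weighted variant is one hypothetical mitigation (count a report only when the reported account actually messaged the reporter, once per reporter, and dilute reporters who file against many accounts at once), chosen to show why the naive rule is exploitable rather than to describe any real deployment.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 3600   # constructed value: reports older than this are ignored
THRESHOLD = 3.0         # constructed value: a score at or above this triggers a challenge


@dataclass(frozen=True)
class Report:
    reporter: str   # account filing the report
    target: str     # account being reported
    ts: int         # timestamp in seconds


def in_window(report, now):
    """True when the report falls inside the trailing window ending at `now`."""
    return 0 <= now - report.ts <= WINDOW_SECONDS


def naive_score(reports, target, now, delivered=None):
    """The rule the comment calls out: one point per report in the window.
    `delivered` is accepted and ignored so both rules share a signature."""
    return float(sum(1 for r in reports if r.target == target and in_window(r, now)))


def weighted_score(reports, target, now, delivered):
    """Hypothetical mitigation (an assumption, not Signal's rule).

    `delivered` holds (sender, recipient) pairs for messages that were actually
    delivered. A report counts only if the target had messaged the reporter,
    at most once per reporter, and it is divided by the number of distinct
    accounts that reporter filed against inside the window, so an account that
    mass-reports contributes little to any single target's score.
    """
    fanout = defaultdict(set)           # reporter -> distinct targets in window
    for r in reports:
        if in_window(r, now):
            fanout[r.reporter].add(r.target)
    reporters = {r.reporter for r in reports if r.target == target and in_window(r, now)}
    score = 0.0
    for reporter in reporters:
        if (target, reporter) in delivered:     # unsolicited-contact check
            score += 1.0 / len(fanout[reporter])
    return score


def should_challenge(score):
    """Outcome is a challenge (e.g. a captcha), not a permanent block."""
    return score >= THRESHOLD


def run_scenarios():
    """Constructed data: a genuine spammer, a brigaded user who never messaged
    her reporters, and a user baited into messaging two of the brigade.
    Returns both scores per target so the rules can be compared."""
    now = 10_000
    delivered = set()
    reports = []

    # Scenario 1: 'spam' messages ten strangers; six of them report it.
    victims = [f"v{i}" for i in range(10)]
    delivered.update(("spam", v) for v in victims)
    reports += [Report(v, "spam", now - 60 * i) for i, v in enumerate(victims[:6])]

    # Scenario 2: eight coordinated accounts report 'alice', who never messaged
    # any of them, and also 'bob' and three other accounts to look busy.
    sybils = [f"s{i}" for i in range(8)]
    for s in sybils:
        reports += [Report(s, t, now - 10) for t in ("alice", "bob", "x0", "x1", "x2")]

    # Scenario 3: 'bob' was baited into replying to two of the brigade first.
    delivered.update([("bob", "s0"), ("bob", "s1")])

    # Stale reports outside the window are ignored by both rules.
    reports += [Report(f"old{i}", "alice", now - WINDOW_SECONDS - 1) for i in range(5)]

    return {
        target: {
            "naive": naive_score(reports, target, now, delivered),
            "weighted": weighted_score(reports, target, now, delivered),
        }
        for target in ("spam", "alice", "bob")
    }


if __name__ == "__main__":
    for target, scores in run_scenarios().items():
        print(target, scores, "challenge(naive)=", should_challenge(scores["naive"]),
              "challenge(weighted)=", should_challenge(scores["weighted"]))
```

With the constructed data the naive rule challenges all three accounts (6, 8 and 8 reports), while the weighted rule challenges only the spammer (6.0), gives alice 0.0 because none of her reporters ever received a message from her, and gives bob 0.4 because his two genuine reporters each filed against five accounts at once. The point is the shape of the check, not the numbers: any rule that only counts reports is a lever for whoever controls the most accounts.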

This is incorrect.

They store:

  • Your number
  • The date you first registered.
  • Last day (not time) a client last pinged their servers.

Signal’s access to your contacts lets the client (not them):

determine whether the contacts in their address book are Signal users without revealing the contacts in their address book to the Signal service [0].

They’ve been developing/improving contact discovery since at least 2014 [1], I’d wager they know a thing or two about how to do it in a secure and scalable way. If you disagree or have evidence that proves otherwise, I’d love to be enlightened. The code is open [2], anyone is free to test it and publish their findings.

[0] https://signal.org/blog/private-contact-discovery/

[1] https://signal.org/blog/contact-discovery/

[2] https://github.com/signalapp/ContactDiscoveryService/

It’s a form of evidence. They were compelled by the law to provide everything they have on a user, and the only thing they could provide, because they don’t log anything, is the date a user signed up and the last time a client pinged their servers - that’s it!

If you can’t trust the ACLU, the courts, Signal, cryptography experts, etc, who can you trust?

Is the ACLU denying the evidence posted by Signal? Is the Judge denying the records posted by Signal?

I get that Signal has posted this on their website and it could be faked, but do you realize how crazy it sounds that everyone involved would be in on one of the biggest conspiracy theories regarding secure messengers EVER?

I understand scrutinizing Signal to ensure they’re above board, but this is kinda ridiculous.

They’re hiding the function (rules) that will trigger a captcha response in the client if they get enough reports that it’s a spammer, after which the client will be unable to continue to send messages until the captcha is solved. That’s it. The reason you can’t check how they’re doing it is because the spammers would just read it as instructions on how to avoid getting caught.

Communication/messaging, everything, is still E2EE. Nobody is getting anything out of this. If the FBI asks them to get user data, they will be unable to share anything with them. They don’t need to warn users because they don’t keep any data anyways - as can be seen by the multiple subpoenas they’ve fought to make public and continue to not provide any useful info.

If you don’t understand why he’s comparing Discord to Matrix, the comment went over your head. Give it a read again, let me know if it still doesn’t click, I can attempt to explain.

I like Matrix and use it along with Signal, but it leaks significant metadata compared to Signal https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org/-/blob/master/part1/README.md

It’s not a real solution, an alternative, yes, but only has federation/self hosting above Signal. Signal leaks significantly less data.

Can you explain what the other ways are? Because I’ve seen everyone talking bad about this, but nobody offering real alternatives.

Being developed in secret or rejecting community PR’s does not make a project closed source. They may be your requirements for an open source project, but it doesn’t mean the code is closed source.

You’re conflating two separate ideas and spreading misinformation to dissuade people away from a project you personally don’t like. I find that behavior dishonest and think we can do better than that.

That’s my thought too. It seems people are jumping to conclusions, but what is the real world alternative other than making public the methods being used so that spammers can just look at the code and operate within documented limits? People are against it, but offering zero alternatives, and instead jumping to “Signal bad, boo!”

So what’s the alternative? I’d love to know what the alternative is.

I’m here to say this is a welcome addition. I’ve received 2 spam messages in the last few months, which is an increase from 0 in the last few years I’ve used Signal. I’m glad they’re getting ahead of this cat and mouse game and hope people don’t get all paranoid. The client is still open source. Your payloads are all still E2EE.

It’s essential for an anonymous messenger, not a secure or private one. You’re trying to solve a different problem.

Y’all really don’t give people a break, do you? Make one mistake and you have to live with it forever these days. It’s not like they didn’t release the code or threatened to keep it secret.

Legit question, what is the alternative solution? Build it out in the open for spammers to bypass? The interface to the code will be public, but the implementation will be hidden. Why do you disagree with this? The client is still E2EE and they still collect no metadata.