ATTENTION EVERYONE WRINGING THEIR HANDS OVER “#MASTODON ADMINS CAN READ MY DIRECT MESSAGES”: #SysAdmins have *always* been able to read your #email and DMs unless encrypted, including at the big #SocialNetworks and Internet providers. We used to have t-shirts that said, “I READ YOUR EMAIL.”

It’s just hitting now because you got used to places where the admins were kept away in their cubicles and data centers instead of greeting you at the front door.

#privacy #security #InfoSec #cybersecurity

Oh, and #Slack, #Discord, #Steam, etc., all down the line too. Unless they have end-to-end #encryption where *you* and *only you* have the *only* private key, it’s not #private. No exceptions.

#privacy #security #InfoSec #cybersecurity

Is this worrisome on “free” services where “you (and your data) are the product”? You betcha.
@mjgardner I’d love some way of integrating e2e protocols with activitypub, e.g. advertising a Signal username as part of profile metadata and offloading private comms to something focussed on privacy.
In the meantime I guess all users can do is try to work out which servers have good admins
@uc The #Mastodon developers are working on it. Unclear if it can be a generic #ActivityPub thing, and of course the devil is in the details—do you trust your recipients’ implementations?
@uc @mjgardner If only @signalapp had usernames...
@dalias @uc @mjgardner @signalapp
There are Signal offspring that do. Session comes to mind, and I'm not sure how Briar works
@mjgardner Nobody's worried unless they've got something to hide. In which case use WhatsApp.
@Jason I don’t want my private communications informing my commercial activity by default. Only totalitarians make the “nothing to hide” argument. https://en.wikipedia.org/wiki/Nothing_to_hide_argument

@mjgardner I was just thinking if it's really private to use WhatsApp. Of course you are correct. System administrators can read anything. Your ISP can spy on you too the same way. Whoever has root access will always see.
@Jason @mjgardner
I like Snowden's take. Saying you don't care about privacy because you have nothing to hide is like saying you don't care about free speech because you have nothing to say. @techlore breaks down why other apps like signal are better than whatsapp. Consider your threat model and be safe out there.

@bassplayer @Jason Wikipedia collects that and other “nothing to hide” criticisms https://en.wikipedia.org/wiki/Nothing_to_hide_argument

“You have nothing to worry about if you have nothing to hide” is an authoritarian slogan


@Jason @mjgardner Your ISP can see what network hosts you connect with and in what volumes via IP addresses, DNS (maybe not even that nowadays with DoH), and SNI. Not any content.
@mjgardner the difference is you’re more likely to have legal recourse should they do some damage with the big guys. Mastodon instances now are likely a Wild West type of setup. But I wouldn’t use any Mastodon site for sensitive info anyway.
@mjgardner I’m thinking about GMail which used to scan user emails in order to better target ads
@jimbo @mjgardner they ask for permission to scan them now. Supposedly for better sorting/filtering (iirc)

@jimbo @mjgardner

Google: here is my free Browser, Email Service, Map Service, DNS, Podcast Client,...

Random people: FREE stuff 🥰

Google: 😎

IT people: 🙄

@mjgardner Signal is "free" yet they claim they can't read your messages. FB is "free" and you are the product and they claim they can't read your messages if you use secret mode.
@mjgardner
I'd say it's worrisome anywhere. That end-to-end encryption isn't the default everywhere by now is just bonkers.
Yep, and this is what I like about #Matrix and #Tox. Complete #E2EE, in the case of #Tox there aren’t any hosts at all.
@mjgardner Also the admins in your google org/Microsoft365, the backup admins (you wanted a backup of your email right?), and ultimately your DNS admins (it'd be noisy but they can basically hijack your infra/account recovery stuff)... Also, the people repairing your computer unless you encrypted the hard drive https://www.techlicious.com/blog/geek-squad-searching-your-computer/ and so on....

There's a lot of trust in IT that people have happily ignored for decades. It's a bit like SBOM, time to pay the bill...

@mjgardner How about #Signal?
@mjgardner @signalapp @hypermug1
Thank you! So, from what I gather, the safety numbers are the encryption, and they are randomly created when I add a new contact and stored only on my device and my contact's, and nowhere else. That's how I know I have the encryption key and no one else, which was one of the requisites you mentioned in the beginning, Mark.
@nephryn @signalapp @hypermug1 Kinda… A Signal safety number is made from a key and helps you verify it, but it’s not the key itself. You can’t take a safety number and use it to encrypt or decrypt a message, and you can’t reverse the process that made the safety number in order to get the key that was used to make it.
@signalapp @hypermug1 @nephryn The technical term for it is “cryptographic hash.” Drop that term at a party next time you want to see if any nerds like me are in attendance 🤓
@mjgardner @signalapp @hypermug1 Great tip. I'll make sure to do that. 😄 Unfortunately, there hasn't been many parties lately, so I might have to hang on to my cryptographic hash for a while. 😅 Thanks again for all the information. I googled cryptographic hash and found a page with a YT clip trying to explain it to me, so I've been indulging myself further.   👩‍💻https://www.hypr.com/security-encyclopedia/cryptographic-hash-function
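To make the “it’s a hash of the key, not the key” point concrete, here is an added example (written for this page; it is not Signal’s code and not from any poster) of a key fingerprint in the style of a Signal safety number. It iterates SHA-512 over a public key and a stable identifier, renders the result as 30 decimal digits per party, and concatenates the two parties’ fingerprints in sorted order so both devices display the same 60 digits. The version bytes, iteration count and the sample keys are assumptions chosen for this example.

```python
import hashlib

VERSION = b"\x00\x00"   # assumed 2-byte fingerprint version prefix
ITERATIONS = 5200       # assumed iteration count; iterating makes brute-forcing keys from digits costlier


def key_fingerprint(public_key: bytes, identifier: bytes, iterations: int = ITERATIONS) -> str:
    """Derive a 30-digit fingerprint from a public key; one-way, not a key itself."""
    digest = hashlib.sha512(VERSION + public_key + identifier).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest + public_key).digest()
    chunks = []
    for i in range(6):                                   # 6 groups of 5 digits from 30 bytes
        block = int.from_bytes(digest[i * 5:i * 5 + 5], "big")
        chunks.append(f"{block % 100000:05d}")
    return "".join(chunks)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Both sides compute the same 60 digits regardless of who calls it."""
    mine = key_fingerprint(my_key, my_id)
    theirs = key_fingerprint(their_key, their_id)
    return mine + theirs if mine < theirs else theirs + mine


def display(number: str) -> str:
    """Group into 5-digit blocks the way a messaging app would show them."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed sample identity keys (32 random-looking bytes each, not real Signal keys).
ALICE_KEY = hashlib.sha256(b"alice identity key (constructed)").digest()
BOB_KEY = hashlib.sha256(b"bob identity key (constructed)").digest()
MALLORY_KEY = hashlib.sha256(b"mallory identity key (constructed)").digest()

if __name__ == "__main__":
    print(display(safety_number(ALICE_KEY, b"alice", BOB_KEY, b"bob")))
    # If a server swapped in Mallory's key, the digits change and verification fails:
    print(display(safety_number(ALICE_KEY, b"alice", MALLORY_KEY, b"bob")))
```

Comparing these digits out of band (in person, or over a call) is what catches a server substituting its own key; the digits themselves cannot decrypt anything, and SHA-512 is one-way, so publishing them reveals nothing about the key.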
@mjgardner Yep, agree.
In #Discord, they are literally called "Direct messages", NOT "Private messages"
@mjgardner sorry, but even if you have end-to-end encryption you can’t guarantee that the person on the other end doesn’t take a screenshot. If you are on a corporate-owned device you could have key-click software installed. If you truly want privacy about anything, you can write it on a single sheet of paper and physically hand it to an individual to read, then burn it after they have read it. Or you can speak about whatever in person, making sure there are no recording devices.
@SandyInRockville @mjgardner technically, yes even if e2e is the case, spyware on the device that you use to read those messages, can obviously read them too
@mjgardner
If you can't verify who the other party is despite having "private" keys, it's not E2EE, e.g. iMessage, where apple can add a new device without your knowledge, and you'll never know it gets copies of all the messages you receive.
@mjgardner What about WhatsApp? It's technically end-to-end but I've heard privacy concerns regarding that? I mean, obviously it's from Facebook but do they really read your messages?
@mjgardner #Slack has a very nice "enterprise" feature that lets admins search your DMs. Nobody is safe... Unless you run your own, and even there, lots of things "call home". Rule by which I abide: don't put ANYTHING on the internet that you don't want to be there forever... Even in private...
@mjgardner Seriously. For anyone who somehow did not know, the operators for paging services could always read pages. The pages sent between hospital staff are notoriously hilarious.

@HaplogroupNews @mjgardner anyone with a radio receiver and computer can read them.

e.g. https://www.rtl-sdr.com/rtl-sdr-tutorial-pocsag-pager-decoding/

@HaplogroupNews @mjgardner
Most old-school pager traffic is broadcast in the clear over the air. Anyone in range who bothers to can receive it with about 30 USD worth of equipment.

@mjgardner

pro-tip: If you're worried about other people reading your messages, then move your messages to a platform where you control the confidentiality of said messages.

I like signal for this.

Pick your poison though. Assume your shit can be read, it's a healthy assumption.

@mjgardner
Lawyer (not mine): "But our IT guy says our email IS encrypted"

Me (through clenched teeth): Not end-to-end. Please delete the email you just sent my social security number in, on all of your devices and your team's devices, and call your IT guy and delete last night's backup as well!

(I know I know, but I was livid and on a roll)

@juliewebgirl @mjgardner you were correct and people should care.
@mjgardner Do people really say this in here, or it's just over Twitter? (I'm just wondering if you're preaching to the choir 😅 )
@yuki2501 Yes, I follow the #privacy hashtag and see posts and responses about it
@mjgardner LOL, yes. Honestly, I have been reminded of BOFH more times in the past month than I have in the past decade combined.
@mjgardner
Haha, the moderator of our site would be very busy reading all posts from over 4,000 users. She is happy when the server doesn't fail, and she administers other servers too.
@mjgardner And the emails could be relayed.
@mjgardner
That t-shirt is also a sad commentary on how we tech-folk perceive the rest of the world: "they" read it like "I have read your email (that you sent to me)", while we read it as "I'm reading your email (that you sent someone else)". We try to get off the hook by saying "I tried to warn you and you didn't listen".
@mem Sadly, our employers sometimes count on the ability to breach colleagues’ perceived #privacy. And management won’t advertise that fact by wearing a cheeky t-shirt.
@mjgardner Also, when sending that direct message, the button that sends the message is labelled "Publish!".
@joosteto Yes, Mastodon “DMs” are just posts with a flag set https://docs.joinmastodon.org/user/network/#direct
@mjgardner what emails are people reading through? Do users get Mastodon emails?
@FallonStone I was specifically referring to one-to-one messages on Mastodon that people believe are analogous to the direct messages on other social networks. They’re not, they’re just normal posts with a “direct” switch turned on. Here’s the official documentation on it: https://docs.joinmastodon.org/user/network/#direct
@mjgardner the number of times when I was a youngster and a bit of a baddie that friends who worked at these places would *show* me people’s private DMs and I’m sure they still do for others.

I worked for a credit card company years ago and knew who to phone if you wanted your credit rating “fixing”

@mjgardner Seriously, people need to take a deep breath. There was a time I had access to like a thousand employees’ SSNs, dates of birth, home addresses, salaries, etc. Databases don’t administer themselves by magic. If you don’t trust your SA you have larger problems than reading your messages.
@spherulitic It's not the SAs I worry about, it’s their employers’ business models https://mastodon.sdf.org/@mjgardner/109412152421365905