RobaqueJul 25, 2023
Ian Campbell 🏴

Just saw someone advocating progressive movements organize on the Fediverse.

BE VERY VERY CAREFUL ABOUT SAYING STUFF LIKE THIS.

-Most fediverse tie-ins are not architected to protect you. For instance, Mastodon Direct Messages are not encrypted and admins can access them.

-Most instances are hosted by ordinary people who don't have the time, knowledge, or resources to fight subpoenas in either criminal or civil actions.

Meet here. Support each other. Cheer each other on. Show solidarity, and elevate and amplify each other.

Organize in much more restricted environments, like end-to-end encrypted messengers like Signal.

Jul 24, 2023 at 10:15pmWeb
Show threadReckonin’Jul 24, 2023
@neurovagrant would it still make sense to you if there was some level of organizing to get reach and stuff. Like instances that had resources to more encrypted platforms? Just curious as your perspective on this cuz if there’s organizing on mastodon in the future I want to help participate
Show threadPJT NorthJul 24, 2023

@neurovagrant

Point well taken.

Show threadTasthesoseJul 24, 2023
@neurovagrant yep. And organize Locally - helping people across state and international lines might actually be a big issue for some people.
Show threadReckonin’Jul 25, 2023
@tasthesose @neurovagrant but international organizing is kinda something I think people should still be open too. I think it’s vital yes it comes with issues buts international solidarity is vital. Take the 2020 protesters and Palestine getting gobal outcry of support on the internet which ceased the bomb fire cuz it made Israel look bad and people started striking companies supporting them. They’re benefits but I think I get y’all we have to understand the danger.
Show threadTasthesoseJul 25, 2023
@Madaligned @neurovagrant yep you’re correct! But we can be learning how we can help who you want to help - some people can raise money and send legally others might get in trouble for anything more than spreading awareness of a situation.
Show threadSpammy Snarker L.J.Jul 24, 2023

@neurovagrant Heck, full corporations have shut down in the face of stuff like federal subpoenas, e.g. encrypted email providers, and the ones currently in business will also either go under or give in (honestly the false sense of security encrypted email providers give users is a whole rant in itself). Only providers in the range of Apple-big have a chance in hell of fighting back, and that's only if they want to--fuck you, Facebook.

Also don't put too much trust in encrypted communication providers, it's contact tracing that gets people even if the actual content of the messages can't be read. Having a single public identity is itself a security risk. Doesn't matter shit that someone's Signal, Telegram, ProtonMail etc. messages are encrypted if they give out the account like candy.

Show threadmybarkingdogsJul 25, 2023

@neurovagrant Depending on current situation, organizing for some things is *probably* okay depending on both local conditions and such.

Listing safest to least safe, in order.

Mutual aid and/or donation and/or support/charity/relief are probably all more than okay as long as you're not tax scamming or redirecting monies toward anything that could even be misinterpreted as aiding a crime.

Literature distribution is usually protected to the degree speech is.

Electioneering/get out the vote/running for office/gathering funds and people for legal actions such as lawsuits/bail funds/otherwise participating legitimately in the electoral or legal system is also probably fine enough to organize on here with fairly low risk.

Union activity, including strikes in professions that are allowed to strike and malicious compliance - also probably fine, just make sure your instance isn't letting in anyone from the job/other snoops.

Expressly nonviolent pickets and the like are debatable but *might be, depending*

Show threadapophisJul 25, 2023
@neurovagrant
> Meet here. Support each other. Cheer each other on. Show solidarity, and elevate and amplify each other.

> Organize in much more restricted environments, like end-to-end encrypted messengers like Signal.

yes this thank you!

(it's rare to see posts that point out the opsec problems of fedi that don't explicitly acknowledge that different messages have different demands and there are things fedi *is* good for)
Show threaddibi58Jul 25, 2023

@neurovagrant

like briar, am, simplex ...

Show threadIris Richardson Fine Art 🇩🇪🇺🇸📷Jul 25, 2023
@neurovagrant Fear is no way to live life. Was the whole idea about Mastodon not to be able to withstand big corporations and big brother?
Show threadCornelia Es SaidJul 25, 2023
@neurovagrant important advice!
Show threadHawkwinter :firefish:Jul 25, 2023
@neurovagrant
Ive read signal isnt safe either. I dunno what the right answer is, but signal didnt sound as safe as they claimed.

Certainly safer than mastodon though. This isnt private at all, its a very public space.
Show threadChupacabra 78704Jul 25, 2023

@neurovagrant Are direct messages unseen by no one else? I heard otherwise.

Thank you.

Show threadJane AdamsJul 25, 2023

@neurovagrant we use CryptPad for our spreadsheets and it works great on desktop, mobile is still a little iffy but it's a lot safer than G suite

https://cryptpad.fr/

CryptPad: end-to-end encrypted collaboration suite

CryptPad: end-to-end encrypted collaboration suite

Show threadCautionWIP (he/him) 🏳️‍🌈🇨🇦🕎Jul 26, 2023
@janeadams @neurovagrant Have you checked out Skiff at all? I’ve heard good things from friends who’ve checked it out.
Show threadJi FuJul 25, 2023

@neurovagrant it depends what you mean by fedi, first off. There are some federated platforms, like Diaspora, that are specifically set up for encrypted communication such as via i2p or Tor hidden service. regardless any federated service is going to be better than Facebook or Twitter.

lastly, Most leftists aren't actually doing anything, certainly nothing that capitalists nor their gouvernments actually care about.

Show threadShoq 🌿Jul 25, 2023
@neurovagrant I’ve been involved in multiple levels of online activism for 3 decades. In terms of political organizing, very little of it requires that level of security. At least in America. Having reach matters much more. Activists who only reach other activists through secure activist networks rarely reach critical mass with broad swaths of the electorate. Tactical Ops needs security, but we don’t do much of that here in America.
Show threadpmroman 🇪🇺Jul 25, 2023
@neurovagrant As a general rule, we shouldn't write anything here which we wouldn't say at an open public meeting with a nametag on us. Actually I've said many things at public open meetings which I wouldn't write here because folks behave better face to face than they do in social media.
Show threadoceaniceternityJul 25, 2023
@neurovagrant Agree. Social media... Has fundamental problems with privacy due to its purpose being to spread content around the internet. Signal is a good suggestion. Matrix is another good suggestion.
Show threadlinusJul 25, 2023
Signal is bad. Use matrix
Show threadKevin Karhan Jul 25, 2023

@neurovagrant no, because #Signal is a #proprietary #SingleVendor / #SingleProvider solition that is subject to #CloudAct and thus can't be secure by design.

If you really want #InfoSec, #OpSec, #ComSec & #ITsec, then #SelfHosting everything is key.

But that'll require #TechLiteracy and may not scale well...

IMHO self-hosting a #Zulip Server works good for organizational structures.

Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant Turn off Contact Discovery and Signal basically eliminates the need to trust the server. It doesn’t matter what the server is running because all metadata except the recipient is encrypted. Your group names, group participants, reactions, typing notifications, profile pictures, message bodies, etc. are all opaque and indistinguishable.

Matrix and XMPP spew all your metadata across all servers participating in a room, encrypting very little besides message bodies. There are some progressing XEPs to encrypt more metadata, but we shouldn’t rely on platforms like Matrix or XMPP in their current form to hide our metadata because they don’t. Participants, probable cause from linked profiles outside the conversation, timestamps, group information, etc. are all as private as your Fedi DMs.

The only thing that comes close to Signal with something like Tor would be Briar, but I don’t know how well offline messaging works on it. I can’t speak for alternatives like SimpleX since I’m not familiar.

Show threadEchedelle ⚧Jul 25, 2023
@Seirdy @neurovagrant @kkarhan XMPP doesn't spew your metadata if you use the centralized room type.
Show threadEchedelle ⚧Jul 25, 2023
@Seirdy @kkarhan @neurovagrant currently default
Show threadKevin Karhan Jul 25, 2023
@elr @neurovagrant @Seirdy +1
https://mstdn.social/@kkarhan/110773543778048887
Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] just use #XMPP over #Tor then... Also it's not done with "Just use Signal" because #ITsec, #InfoSec, #OpSec & #ComSec are all interlinked. #Signal is for gullible #TechIlliterates that are too lazy to learn despite being #TechLiterate is part of their job. Assholes like #GlennGreenwald for example... Signal will inevitably crash down like #EncroChat and #ANØM before...

Mastodon 🐘
Show threadKevin Karhan Jul 25, 2023

@elr @neurovagrant @Seirdy also that #Wikispaining #TechBro chose #cowardice over answering the pressing questions.

https://mstdn.social/@kkarhan/110773698318439631

Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] instead of Wikisplaining me like the ignorant #TechBro you are you could first answer me the simple question: Why isn't #Signal #decentralized? Why don't users hold the #PrivateKey|s?? Why can't you #SelfHost a #Server??? But that would shatter your naive worldview and expose your escalating commitment as the bad thibg it is... https://pleroma.envs.net/objects/7bec917f-f678-4af9-b0de-fd638c407125

Mastodon 🐘
Show threadKevin Karhan Jul 25, 2023

@elr @neurovagrant @Seirdy because #Signal can't be #SelfHosted (unlike #XMPP and even #Zulip) I can't recommend or use it any professional capacity because I've to comply with #GDPR & #BDSG and that includes evidently having control over data and being able to comply with #auditability and #datadeletion requests in any organization.

Also #Signal does collect #PhoneNumbers and enforces #Cyberfacist embargos.

Show threadMoanosJul 25, 2023

@kkarhan It's very different if you are a progressive movement/activist group or if your are an organization like a club.

I would reccomend #matrix to most people when you are okay that your server operator knows who you are but your contacts don't (neccessarily). When you trust the people you communicate with people should use #signal or even better encrypted mail (with #Tails). There is not one solution that fit's every threat model

Show threadFlaJul 25, 2023

@kkarhan @elr @neurovagrant @Seirdy

Can I know where your hate for Signal comes from?

Show threadSeirdyJul 25, 2023
@elr @neurovagrant @kkarhan Does the server see the room name, participants, room for a given message, or have the ability to link sender and recipient on the application protocol layer?
Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant In other words, Signal’s open-source clients assume that the server can’t be trusted on the application protocol layer. Even before you add something like Tor for the TCP layer, Matrix or XMPP can’t really compare.

My main complaint is that I’d rather not have message recipients see my phone number or have to work around that limitation with an intermediary phone-number service, especially when maintaining multiple profiles.

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant problem is that #Signal literally implements #Cyberfacism by restricting functionality based off claimed user location (phone number)...

The fact that they can do that alone is concerning.

Now add #CloudAct to it and you badically have a giant #HoneyPot.

All #Centralized #singlevendor / #SingleProvider solutions are inherently bad from #ITsec, #InfoSec, #OpSec & #ComSec factors alone!

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant just use #XMPP over #Tor then...
Also it's not done with "Just use Signal" because #ITsec, #InfoSec, #OpSec & #ComSec are all interlinked.

#Signal is for gullible #TechIlliterates that are too lazy to learn despite being #TechLiterate is part of their job.

Assholes like #GlennGreenwald for example...

Signal will inevitably crash down like #EncroChat and #ANØM before...

Show threadSeirdyJul 25, 2023
@kkarhan @neurovagrant All of the concerns I raised were at the application protocol layer. Tor is a TCP anonymizer.
Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant use a client that doesn't shit itself out, like #MonoclesChat and #Gajim...

Also unless I can preproducibly built client and server myself I won't trust any app or software at all!

Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant Ok. Let’s say I use one of those clients. I create a room and my friends, using those clients, join it. Say we all use the same server, and the server gets compromised.

What data is at risk?

  • The name of the room
  • Members of the room
  • Timestamps of encrypted messages
  • Senders of encrypted messages
  • Group member display names
  • Group member profile pictures
  • Description of the room
  • Who sent DMs to whom
  • Most active group members
  • A given message’s sender and recipient.

The full Signal Protocol is far more than Signal’s double-ratchet encryption protocol. It prevents any of this from leaking, and assumes the server has already been compromised. All the server sees is the recipient of a message; the sender is sealed on the application protocol layer.

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant You purposefully refuse to accept the core problem:

#Signal is a.#centralozed #SingleVendor / #SingleProvoder solution that is subject to #CloudAct and obviously implementing #Govware #Backdoors.

Why else are all the #tinfoilhat|ed conspiracy theorists on #Telegram and not #Signal??
https://www.youtube.com/watch?v=G1thc5DSHwA

The cost of shilling VPN companies is your reputation.

YouTube
Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant

And since #Signal isn't financed by it's users, it must finance itself somehow...

I.e. #PRISM membership?
https://www.youtube.com/watch?v=WVDQEoe6ZWY

This Video Is Sponsored By ███ VPN

I tried to write a more honest VPN commercial. The sponsor wasn't happy about it. • Get ██ days of ███ VPN free at ██████.com/honestThe ASA ruling I referenc...

YouTube
Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant because when "push comes to shove", admins held at gunpoint will integrate #Govware #Backdoors into the #centralized #SingleVendor / #SingleProvider service...

https://twitter.com/thegrugq/status/1085614812581715968

thaddeus e. grugq (@thegrugq) on X

I’m gonna tell you a secret about “logless VPNs” — they don’t exist. Noone is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g

X (formerly Twitter)
Show threadKevin Karhan Jul 25, 2023
@Seirdy @neurovagrant just like #ProtonMail did:
https://www.youtube.com/watch?v=QCx_G_R0UmQ
ProtonMail Sends User IP and Device Info to Swiss Authorities.

YouTube
Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant You have not explained what a data compromised signal server can access.

The Signal protocol assumes the server is already compromised. The protocol assumes that the servers are run by a hostile actor, and hides metadata accordingly.

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant that is irrelevant for the problem.

If I were to control a PBX, then encrypting your calls only buys your time at best if not allow me to literally MITM stuff since, #NotYourKeysNotYourControl!

Whereas I can exchange keys in #PGP / #MIME and #XMPP - #OMEMO via other ways and actually verify shit instead if #TOFU!

Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant I…you realize that key exchange and rotation mechanisms used in megolm and OMEMO are borrowed from Double Ratchet, right? Neither protocol adds anything significant, although Matrix removes quite a bit (Matrix lacks strong backwards security, having only forward security (if my understanding of Megolm is correct)).

Where did you read that Signal uses TOFU? Signal is where Double Ratchet was born.

Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant Moreover, if you were to compromise a key, you’d only be able to read the messages that key decrypts. But forward and backward security will prevent you from using that key to decrypt the full history.

Where are you getting your information from?

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant Stop throwing smoke grenades amd answer a simple question:

Why should I ever trust a #centralized #SingleVendor / #SingleProvider "solution" that is not.only.capable.but entirely willing to enfoce #Cyberfacist "restrictions" against it's users.

Just like Signal did...

Or do you believe Moxie's successor would be walking free or even breathing if #Signal was actually secure against the U.S. government?

They ain't decentralized like #Tor...

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant Case in point: every big provider will do #Govware #Backdoors because otherwise their business model would be illegal around the globe as per #Telco laws..

The only exceptions are organziation-internal & privately self-hosted systems.

Thus everythibg that is as #centralized as #Signal is inherently insecure.

Whereas I can run an #XMPP server #airgapped in a #LAN or even inside a #VPN that is only accessible via #Tor...

Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant Sigh. You’ve repeated yourself.

What data will a compromised signal expose?

You are the NSA and have stormed into the Signal datacenter and placed your backdoors everywhere, and can monitor all traffic. I am using a Signal client with a reproducible build signature. What do you now have on me, given the constraints imposed by my client?

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant that signature is useless since I literally MITM all traffic and have literally replaced all keys.

A single update of the server have made it trivial...

IOW: You only need to hold the right people at gunpoint to do so...

And I get you €500 that they're under gag order and have integrated a #Govware #Backdoor...

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant Or to put it simple:

If your #centralized #SingleVendor / #SingleProvider "solution" isn't criminalized to be used in Russia, India, "P.R." China and Saudi-Arabia, then it's #backdoored like #iCloud in the PRC...
https://www.youtube.com/watch?v=Ev9_oDHNf-4

How Tim Cook Surrendered Apple to the Chinese Government

YouTube
Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant Alright, I’m going to link you the Wikipedia article for the Double Ratchet algorithm and mute this conversation since I think it’s clear you don’t understand how the modern e2ee key management algorithms work and how they differ from e.g. TLS to prevent this exact thing from happening:

https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm

Double Ratchet Algorithm - Wikipedia

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant so you admit defeat amidst the fact that you refuse to acknowledge the fact that a #centralized #SingleVendor / #SingleProvider solution is impossible to secure against the will of the government it's incorporated under (as per law)...

Not Opensourcing the backend and it's APIs is literally violating #KerckhoffsPrinciple so hard it disqualifies any security claims as fanboyism!

Show threadKevin Karhan Jul 25, 2023

@Seirdy @neurovagrant instead of Wikisplaining me like the ignorant #TechBro you are you could first answer me the simple question:

Why isn't #Signal #decentralized?
Why don't users hold the #PrivateKey|s??
Why can't you #SelfHost a #Server???

But that would shatter your naive worldview and expose your escalating commitment as the bad thibg it is...

https://pleroma.envs.net/objects/7bec917f-f678-4af9-b0de-fd638c407125

Show threadKevin Karhan Jul 25, 2023
@Seirdy @neurovagrant #Signal is neither good for individuals nor orgs.
https://mstdn.social/@kkarhan/110773718884285468
Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] @[email protected] because #Signal can't be #SelfHosted (unlike #XMPP and even #Zulip) I can't recommend or use it any professional capacity because I've to comply with #GDPR & #BDSG and that includes evidently having control over data and being able to comply with #auditability and #datadeletion requests in any organization. Also #Signal does collect #PhoneNumbers and enforces #Cyberfacist embargos.

Mastodon 🐘
Show threadSeirdyJul 25, 2023

@kkarhan @neurovagrant All right, say you’re right about Signal being a honeypot. Say you you’re one of the bad actors leveraging its backdoors, and you have access to the Signal servers. I send messages from a Signal client with a reproducible build signature. How would you find out any of the data I described?

For a compromised XMPP or Matrix server, you’d have your answers with a few database queries. How would you go about this with Signal?

Show threadFlaJul 25, 2023

@Seirdy @neurovagrant @kkarhan

Reading your conversation. Kevin, be a bit more respectful, you could learn stuff 😉
Signal cryptography is the state of the art. Everyone is reusing their work, WhatsApp, Matrix... Does that protect you from the NSA? Probably not, but nothing does. Is it a bad thing that Signal is centralized? Yes, mostly because you can block their servers to shutdown the service, and also because you depend of them, if they become "evil". (I am a bit afraid by their crypto)
1

Show threadFlaJul 25, 2023

@Seirdy @neurovagrant @kkarhan

Is decentralization a better solution? For privacy from corporation and independence, yes. If you want to protect yourself from the NSA, obviously not. If they want to, they will break your server in no time. Nothing would protect you from them.

Show threadKevin Karhan Jul 25, 2023

@fla @Seirdy @neurovagrant Then you obviously seem to not know basic concepts such as #airgapping and #AsymetricCryptography.

You see, the #NSA can only hack what's connected to thei internet, and cops can only seize what they'll find on a person / inside a home/car/garage/warehouse...

https://github.com/KBtechnologies/PocketCrypto

GitHub - KBtechnologies/PocketCrypto: An airgapped encryption/decryption device for off-grid communication

An airgapped encryption/decryption device for off-grid communication - KBtechnologies/PocketCrypto

GitHub
Show threadKevin Karhan Jul 25, 2023

@fla @Seirdy @neurovagrant But if you really have to face state-sponsored attackers of the #NSA kind you've already failed so hard in terms of #InfoSec, #OpSec & #ComSec that it's easier to fake the death of one than to even begin leveling up #ITsec.

So your points are entirely moot.

https://mastodon.social/@fla/110776269617206885

Show threadKevin Karhan Jul 25, 2023

@neurovagrant

THE CORE PROBLEM YOU BOTH ( @fla & @Seirdy ) ARE IGNORING IS #CENTRALIZATION!

Because it's a #SingleVendor / #SingleProvider solution they'll be naturally subject to state intervention aka. being forced to integrate #Govware #Backdoors under the threat of getting their shit forcibly unplugged.

The people that work at @signalapp have names and adresses the state knows, and thus they'll be subject to threats by the state.

Show threadKevin Karhan Jul 25, 2023

@neurovagrant @fla @Seirdy it is not only a legal requirement for providers like @signalapp to integrate #Govware #Backdoors AND comply with #Cyberfacism aka. "Export Controls" on #Cryptography whereas with fully - #opensource|d and #decentralized systems [i.e. @torproject ] the state can't force the maintainers to backdoor it.

I mean just look at #Tor, #Monero and all the other tools llike @kalilinux that get used by people regardless of the legality of their actions.