Just saw someone advocating progressive movements organize on the Fediverse.

BE VERY VERY CAREFUL ABOUT SAYING STUFF LIKE THIS.

- Most fediverse tie-ins are not architected to protect you. For instance, Mastodon Direct Messages are not encrypted and admins can access them.

- Most instances are hosted by ordinary people who don't have the time, knowledge, or resources to fight subpoenas in either criminal or civil actions.

Meet here. Support each other. Cheer each other on. Show solidarity, and elevate and amplify each other.

Organize in much more restricted environments, like end-to-end encrypted messengers like Signal.

@neurovagrant no, because #Signal is a #proprietary #SingleVendor / #SingleProvider solution that is subject to #CloudAct and thus can't be secure by design.

If you really want #InfoSec, #OpSec, #ComSec & #ITsec, then #SelfHosting everything is key.

But that'll require #TechLiteracy and may not scale well...

IMHO self-hosting a #Zulip Server works well for organizational structures.

@kkarhan @neurovagrant Turn off Contact Discovery and Signal basically eliminates the need to trust the server. It doesn’t matter what the server is running because all metadata except the recipient is encrypted. Your group names, group participants, reactions, typing notifications, profile pictures, message bodies, etc. are all opaque and indistinguishable.

Matrix and XMPP spew all your metadata across all servers participating in a room, encrypting very little besides message bodies. There are some progressing XEPs to encrypt more metadata, but we shouldn’t rely on platforms like Matrix or XMPP in their current form to hide our metadata because they don’t. Participants, probable cause from linked profiles outside the conversation, timestamps, group information, etc. are all as private as your Fedi DMs.

The only thing that comes close to Signal with something like Tor would be Briar, but I don’t know how well offline messaging works on it. I can’t speak for alternatives like SimpleX since I’m not familiar.

@Seirdy @neurovagrant @kkarhan XMPP doesn't spew your metadata if you use the centralized room type.
@Seirdy @kkarhan @neurovagrant currently default
Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] just use #XMPP over #Tor then... Also it's not done with "Just use Signal" because #ITsec, #InfoSec, #OpSec & #ComSec are all interlinked. #Signal is for gullible #TechIlliterates that are too lazy to learn despite being #TechLiterate is part of their job. Assholes like #GlennGreenwald for example... Signal will inevitably crash down like #EncroChat and #ANØM before...

Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] instead of Wikisplaining me like the ignorant #TechBro you are you could first answer me the simple question: Why isn't #Signal #decentralized? Why don't users hold the #PrivateKey|s?? Why can't you #SelfHost a #Server??? But that would shatter your naive worldview and expose your escalating commitment as the bad thing it is... https://pleroma.envs.net/objects/7bec917f-f678-4af9-b0de-fd638c407125

@elr @neurovagrant @Seirdy because #Signal can't be #SelfHosted (unlike #XMPP and even #Zulip) I can't recommend or use it in any professional capacity because I've to comply with #GDPR & #BDSG and that includes evidently having control over data and being able to comply with #auditability and #datadeletion requests in any organization.

Also #Signal does collect #PhoneNumbers and enforces #Cyberfacist embargos.

@kkarhan It's very different if you are a progressive movement/activist group or if you are an organization like a club.

I would recommend #matrix to most people when you are okay that your server operator knows who you are but your contacts don't (necessarily). When you trust the people you communicate with, people should use #signal or even better encrypted mail (with #Tails). There is not one solution that fits every threat model.

@kkarhan @elr @neurovagrant @Seirdy

Can I know where your hate for Signal comes from?

@elr @neurovagrant @kkarhan Does the server see the room name, participants, room for a given message, or have the ability to link sender and recipient on the application protocol layer?