Just saw someone advocating progressive movements organize on the Fediverse.

BE VERY VERY CAREFUL ABOUT SAYING STUFF LIKE THIS.

- Most fediverse tie-ins are not architected to protect you. For instance, Mastodon Direct Messages are not encrypted and admins can access them.

- Most instances are hosted by ordinary people who don't have the time, knowledge, or resources to fight subpoenas in either criminal or civil actions.

Meet here. Support each other. Cheer each other on. Show solidarity, and elevate and amplify each other.

Organize in much more restricted environments, like end-to-end encrypted messengers like Signal.

@neurovagrant no, because #Signal is a #proprietary #SingleVendor / #SingleProvider solution that is subject to #CloudAct and thus can't be secure by design.

If you really want #InfoSec, #OpSec, #ComSec & #ITsec, then #SelfHosting everything is key.

But that'll require #TechLiteracy and may not scale well...

IMHO self-hosting a #Zulip Server works well for organizational structures.

@kkarhan @neurovagrant Turn off Contact Discovery and Signal basically eliminates the need to trust the server. It doesn’t matter what the server is running because all metadata except the recipient is encrypted. Your group names, group participants, reactions, typing notifications, profile pictures, message bodies, etc. are all opaque and indistinguishable.

Matrix and XMPP spew all your metadata across all servers participating in a room, encrypting very little besides message bodies. There are some progressing XEPs to encrypt more metadata, but we shouldn’t rely on platforms like Matrix or XMPP in their current form to hide our metadata because they don’t. Participants, probable cause from linked profiles outside the conversation, timestamps, group information, etc. are all as private as your Fedi DMs.

The only thing that comes close to Signal with something like Tor would be Briar, but I don’t know how well offline messaging works on it. I can’t speak for alternatives like SimpleX since I’m not familiar.

@kkarhan @neurovagrant In other words, Signal’s open-source clients assume that the server can’t be trusted on the application protocol layer. Even before you add something like Tor for the TCP layer, Matrix or XMPP can’t really compare.

My main complaint is that I’d rather not have message recipients see my phone number or have to work around that limitation with an intermediary phone-number service, especially when maintaining multiple profiles.

@Seirdy @neurovagrant problem is that #Signal literally implements #Cyberfacism by restricting functionality based off claimed user location (phone number)...

The fact that they can do that alone is concerning.

Now add #CloudAct to it and you basically have a giant #HoneyPot.

All #Centralized #singlevendor / #SingleProvider solutions are inherently bad from #ITsec, #InfoSec, #OpSec & #ComSec factors alone!