@agturcz @rysiek Use @torproject or better yet, #XMPP+#OMEMO with an #OnionService aka. #Server on a .onion domain...

Kevin Karhan :verified: (@[email protected])

@[email protected] I do agree to some extent. #PGP/MIME & #XMPP+#OMEMO keep the conversation contents secure, but merely encrypting messages is just 10% of #ComSec! - One also needs to deal with #InfoSec, #OpSec & #ITsec in general... Like: If you use some garbage Android 8.1 device that never got security updates then you can use #Signal all day and that won't protect ya ass! - Speaking of @[email protected], the same as with any #eMail provider or #Messenger applies: [none of them will refuse to comply with a duly submitted subpoena](https://web.archive.org/web/20210226175949/https://twitter.com/thegrugq/status/1085614812581715968), otherwise @[email protected] would already be in prison. - And Signal, like all #centralized, #SingleVendor & #SingleProvider #Messengers collects #PII [#PhoneNumber!] with *no legitimate reason* and is subject to #CloudAct, which is inherently incompatible with #GDPR & #BDSG...

Infosec.Space

@kkarhan I ran and hosted a bunch of XMPP servers a while back. It was a pain to use, and it was easy for users to make mistakes and accidentally send messages in the clear.

You are making people less safe. Last time: please stop doing this in my mentions and replies.

@agturcz @torproject

@rysiek @agturcz that's not how you fix #TechIlliteracy, especially since things changed for the better.

@monocles / #monoclesChat & @gajim / #gajim are quite easy, whereas @signalapp / #Signal demands #PII in the form of a #Phone number which is more often than not not legally obtainable without "#KYC" aka. "forced #SelfDoxxing", all whilst being an extremely #centralized, #SingleVendor & #SingleProvider solution that falls under #CloudAct and thus cannot adhere to #GDPR & #BDSG!

Otherwise we'd only perpetuate the #Enshittification-#Lifecycle as has happened with #AIM, #ICQ, #BBM and so many more...

  • Mark my words, cuz I've been proven correct up to this point.

If #Signal and @Mer__edith actually cared, they would've set up their system truly decentralized as an #OnionService over @torproject / #Tor!

#THXBYE #EOD #ITsec #InfoSec #OpSec #ComSec #DigitalSnakeoil #FakeSec


@kkarhan Sorry but no, the correct solution is to push for easy to use solutions that are at the same time private and secure. Hiding privacy and security behind a veil of "you need to know" is discrimination of people that are not able (either mentally, physically or monetary) to gain that knowledge.

The correct move here is for @signalapp and any other service to fix this and for legislators to enact laws enforcing proper security and privacy by design.


I sent my grandma the app store link for @signal and she was able to install it and communicate with the family without having to guide her through anything. They've really made it that simple. I wouldn't be able to do that with any other app.
@max @kkarhan please point me at a system with a better ratio of security gained to effort spent than @signalapp ? Bonus points if it's actually used by people.

@claudius @max @signalapp

No problem:

I could go on all night, so please shove that #TechPopulism somewhere the sun doesn't shine!

#EOD #thxbye #next #muted

Kevin Karhan :verified: (@[email protected])

@[email protected] To [quote you directly](https://gruene.social/@max/113872018769294131):

> "[...] easy to use solutions that are at the same time private and secure. [...]"

The fact that @[email protected] requires #PII like a #PhoneNumber which more often than not *cannot be legally acquired anonymously* makes it not #private. It is easier, faster, cheaper and overall simpler to get someone set up with #XMPP + #OMEMO, especially if they don't have a #PhoneNumber and/or #ID to acquire a #SIM.

And if you go and say, *"Just buy a [insert country here] [e]SIM!"* and expect #TechIlliterates without a #CreditCard, #PayPal or other means of #OnlinePayment to fiddle around with some #eSIM, if not having to get some #eSIMcard because they can only afford to maintain one SIM and can't spend triple digits on a new device, then you *completely missed the point*!

I can much faster and easier get TechIlliterates set up and show them around, either in a @[email protected] / @[email protected] / #CryptoParty-style #classroom / #seminar or in 1:1 tutoring, than I can *legally acquire and activate a new SIM in #Germany* [since 07/2017]... It's not that I expect anyone to get #TechLiterate within minutes, but similar to setting up a cordless DECT phone it's something one has to do once in 5 years, and just have them put the password in a safe spot to retain...

Point is that #Signal #WontFix their setup and that was evidently clear even before @[email protected] succeeded #MoxieMarlinspike: Their entire operation has a *distinct #CryptoAG stench* as it's an #unsustainable #VCmoneyBurning party! #CloudAct and the #NOBUS [hegemony](https://en.wikipedia.org/wiki/NOBUS#Criticism) ain't something that just got executed now (neither was #GDPR & #BDSG!)... A counterexample on how this could've been done are #Tor, #eMail and other *truly #OpenSource* as in #MultiVendor & #MultiProvider standards.

*NOTHING* compels Signal to [demand PII](https://en.wikipedia.org/wiki/Signal_(software)), run a #Shitcoin #Scam [aka.](https://en.wikipedia.org/wiki/Signal_(software)#In-app_payments) #MobileCoin that even seasoned #TechLiterates and #CryptoBros [can't set up properly](https://www.youtube.com/watch?v=0DSGq9FQKU4), and in fact Signal using [phone numbers makes it trivial to discriminate against users and easier for them to identify them](https://en.wikipedia.org/wiki/Signal_(software)#Controversial_use)! If [my reasoning](https://infosec.space/@kkarhan/113869305765533809) didn't resonate with you, then try helping i.e. undocumented migrants aka. *"#SansPapier|s"* to get set up with it without violating laws and/or ToS and/or needing an imported SIM, which I'm sure most folks don't have on hand! Whereas it's trivial to get people set up on [one of many XMPP servers I've personally tested](https://github.com/greyhat-academy/lists.d/blob/main/xmpp.servers.list.tsv)!

Not to mention clients like @[email protected] / #monoclesChat and @[email protected] / #gajim are way more user-friendly and unlike Signal can also work perfectly fine over #Tor, including #OnionServices as endpoints. AFAIK Signal doesn't even have an #OnionService / [`.onion`](https://en.wikipedia.org/wiki/.onion) for their Website, much less any #API endpoints to use it with! Them relying on #ClownFlare is just something that makes them even *more #sus* as there is *[no legitimate reason](https://en.wikipedia.org/wiki/Cloudflare#Controversies)* to use a #RogueISP like that.

You're free to also provide evidence and supporting data to your arguments, rather than *naysaying* against *proven to be more secure and reliable [by virtue of decentralization]* options like XMPP+OMEMO and/or #PGP/MIME.

What gets my blood boiling is the constant #disinfo by [Signal](https://mstdn.social/@rysiek/113868777937162686) [Fanboys](https://mstdn.social/@rysiek/113869169340313254) like @[email protected] who sell it like #DigitalSnakeoil akin to #AntivirusSoftware, because it's at best *"#TechPopulism"* and at worst [will mislead "TechIlliterates"](https://infosec.space/@[email protected]/113868748895262202) with a [false sense of security](https://infosec.space/@kkarhan/113868987217053362), which in turn puts more users at risk. The *proper fix* is to actually *assess the situation* and acknowledge the *risks and limitations* as well as the very nature of communications, which means *upgrading later* is exponentially more painful, thus getting people *properly set up once* is way easier.

Just because *WE* [ or rather @[email protected] in this case ] are rather *privileged enough* to not be *hatecrimed in their current location* doesn't mean this is the case for everyone. And having places like Signal rely on a *"#CDN"* is just another *red flag* to me because questions like [this one](https://circumstances.run/@agturcz/113866980398547492) just don't arise with [monocles.chat](http://monocles.chat) as people can just exercise proper #SelfCustody and just use Tor!

Speaking of #monocles: That business is at least #sustainable because it's funded by users [(€2 p.m.)](https://store.monocles.eu/produkt/monocles-starter-account/) which they can [pay anonymously](https://monocles.eu/more/#payment-section).
