I've had a few people ask why I didn't post the full Matrix email on my Fedi thread. There are two reasons:

  • It wouldn't fit in 1k characters.
  • Listen carefully:

    Y'know how "just getting caught cheating on your monogamous partner" isn't the right time to discuss exploring ethical nonmonogamy?

    In a similar vein, asking for information while dismissing a report as "no practical security impact" is still dismissing the goddamn report.

    I excerpted the part of their email where they dismissed my report. That was the part that initiated the immediate disclosure. The inciting turn of phrase.

    It doesn't matter how much you piss on my leg, I'm not going to believe it's raining.

    Matrix has many incentives to lie or mislead. Their leadership includes the CEO of a company whose product is a Matrix client. There are active political talks about the EU investing heavily in Matrix. He's got a vested interest in looking good, even at the expense of doing or even being good.

    On the other hand, I have nothing to gain. If everyone switches to Matrix tomorrow, nothing in my life changes. If Matrix self-implodes and everyone goes back to XMPP tomorrow, nothing in my life changes.

    The only things I want are:

  • End-to-end encryption to be better.
  • End-to-end encryption to become ubiquitous for communication protocols and apps.
  • The large tech companies whose business models involve privacy violations and stealing from artists and other creative workers to burn down so gloriously that society forgets the word "billionaire" in twenty years.
    But what about "don't make perfect the enemy of good"?

    If your cryptography isn't damn near-perfect, it's shit. There aren't many cryptographic solutions that get a C+ in the world. It's either an A, A-, or an F.

    @soatok what do you think about autocrypt v2

    https://autocrypt2.org/#/

    https://fosdem.org/2026/schedule/event/TV7GCC-autocrypt_2_post-quantum-cryptography_and_reliable_deletion_forward-secrecy/

    Btw if I bother please feel free to ignore. I don't want no smoke 🙏

    Autocrypt v2 - Post-Quantum and Reliable Deletion

    Modern OpenPGP v6 certificate with post-quantum cryptography, reliable deletion, and transport-agnostic messaging for decentralized systems.

    @nemo It's built on OpenPGP, so I immediately bail out

    @soatok OK :) Thanks 🙏

    Last question: if something should happen to Signal/Molly, I've read that some folks proposed a cross-platform contingency plan. Do you have two cents on that if the worst-case should happen and Signal shouldn't be available for a prolonged time due to deliberate problems?

    @nemo If that happens, use whatever apps you can but assume they're all compromised.

    https://grugq.github.io/blog/2013/06/13/ignorance-is-strength/

    ignorance is strength - Hacker OPSEC

    Seven, this rule is so underrated / Keep your family and business completely separated (Biggie Smalls). Counterintelligence Theory and Practice for Crack …

    @soatok I hope that this will not happen…

    Thank you very much for your time and your work, appreciate it a lot 💚 🙏

    @soatok do you have a link to what's wrong with OpenPGP? I really like delta chat, but they also rely on OpenPGP. But of course they say that's fine https://delta.chat/en/help#openpgp-secure
    And me as someone who doesn't understand anything about cryptography would really appreciate a professional explaining what's wrong (but I don't want to take up too much of your time)

    Delta Chat: FAQ

    What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Instant creation of private chat profiles with secure and i...

    What To Use Instead of PGP - Dhole Moments

    It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they s…

    Introducing npm package provenance

    How to verifiably link npm packages to their source repository and build instructions.

    The GitHub Blog
    @leberschnitzel @soatok Delta/Chatmail is an absolutely BONKERS protocol. Why do you like it? o.0

    @valpackett what makes it bonkers?

    Everything You Need to Know About Email Encryption in 2026 - Dhole Moments

    If you think about emails as if they’re anything but the digital equivalent of a postcard–that is to say, postcards provide zero confidentiality–then someone lied to you and I…

    @leckse indeed, and that's why I find it great! 😅 even after reading the blog: All of the difficulty and possible mistakes by users fall away when all of that is done in the client itself. If you use a chatmail server, there's (as far as my noob brain can see) no "accidental plaintext" possibility, and metadata is also obscured and encrypted. The only part that makes me think is DKIM...
    But to all of this: I'm not a security researcher, so all of my opinion on it is moot @valpackett