CaptainAlchemy

@CaptainAlchemy@lemmy.one

“You know, I’m something of a Federation enjoyer myself”


CaptainAlchemy,

I don’t see an issue as Signal is designed not to trust the server. Signal also uses sealed sender and Perfect Forward Secrecy, which is something almost all e2ee messengers lack. What it means in practice is Signal leaks very little if any metadata; if you leak metadata you give away details about who you’re talking to and for how long, etc. Examples might include talking with a suicide hotline, or a doctor, maybe a customer service agent at a company and for how long. Those details will give a lot away about you, even if the messages or calls themselves are encrypted. Matrix is not recommended for communication because it fails to properly hide metadata and actively trusts the servers. When you make a call on Signal, as long as both users have “Always Relay Calls” set to disabled, your calls will be peer to peer instead of trusting a central server to facilitate the connection and trusting a middle man. What this means is since the connection is peer to peer you can leak your IP address to the user you’re talking to, however a VPN fixes this issue.

CaptainAlchemy,

Molly is only available on Android. As far as differences, it is a hardened fork of Signal with an encrypted database; what that means in practice is even if someone was actively probing your phone to try to gain access to messages they wouldn’t be able to due to the encryption. It’s very useful if you are an active target or you don’t trust your phone OS to play nice. I personally use it myself and really like it but in general it’s not terribly different.

CaptainAlchemy,

Signal on the Google Play Store isn’t FOSS but it facilitates the delivery of notifications to the user. The protocol itself is open source and notifications are handled securely even with Google Play services on the phone. If you want a FOSS version, use the APK on their website; it has an auto updater.

CaptainAlchemy,

The main issue with encrypting the database using Molly’s setup is you’ll miss notifications and calls until you unlock. This might be able to be fixed using a different database encryption setup but as it stands it would be inconvenient for many.

CaptainAlchemy,

It’s only encrypted in a BFU (before first unlock) state. Police can probe your phone for data using a tool by Cellebrite without root. GrapheneOS includes an auto-rebooting feature to place it back in a BFU state but other phones will lack this feature. Using Molly’s database lock allows you to not trust the OS itself by encrypting it.

edit: corrected cellbrite to cellebrite

CaptainAlchemy, (edited )

A prime one is that the entity that you (have no choice but to) trust today will eventually turn against you at some point down the road.

  • How does that change with federation? You always trust someone. Why should I trust the shady person running software in their basement? Even if you self host, you are trusting the developers not to ship bad or poorly written code.

using a 3rd party client is against Signal’s ToS

As far as it being against Signal’s ToS, Molly exists and has not received any problems from the Signal Foundation to my knowledge; Discord has the same clause and they don’t seem to give a rat’s ass. Sure they could enforce it but they don’t, and personally with how Matrix clients are handled they have mixed security; FluffyChat has security issues ranging from outdated SDK versions to quite literally ddosing homeservers because of a non-existent rate limit.

pushing controversial features like crypto payments

The crypto stuff wasn’t great but you know what’s cool? You don’t have to use it. Simple as that. You don’t have to engage with it and you and I both know that. It’s buried in settings and you have to find it yourself.

Signal is an entity that’s incorporated in a jurisdiction and might be compelled by law or to degrade its encryption to comply with the local regulator.

  • I’ve always used integrity as a metric as to how trustworthy a service is, and in terms of Signal’s e2ee, they’ve never lied about it; it’s been proven in court multiple times not having any data on their users, and no government can compel anyone or any company for things they don’t have. Signal had everything to lose by lying about their encryption and nothing to gain, so why would they? Why would any company take a huge chance at a death blow just because? Signal is a non-profit so they don’t have any incentive to degrade it; they would be dead tomorrow if they got caught.

Using a centralized service like Signal makes you an easily identifiable/prime target in such a scenario.

Signal is not an anonymity tool, and has never been advertised as such. If you need anonymity, Signal is not a good choice. You can make it more anonymous by using a burner phone but that’s a different topic.

No matter what Signal says, nobody but themselves can verify what code runs on their servers

  • You can’t really confirm what any software can or cannot do, even if it runs on your system. Open source software is bound to the same principles of code: it will do exactly what you tell it to do, even if it is not intended (a 0-day, bug, etc.). Thousands of people constantly are monitoring the Linux kernel and it is still found to have tons of 0-days baked in due to it running a fuck ton on ring zero. You can’t just inspect code and know exactly what it’s doing; unless it’s a hello world program it gets quite complicated. Verified safety numbers also make sure that no man-in-the-middle attacks can take place, making conversations even more trustworthy and still not trusting any server.

As far as I understand the American law, any agency could tap into that, either directly, or via Amazon on which the whole thing is running.

If everything is encrypted, what could Amazon tap? You do realize sealed sender and PFS take away any trust from the server, correct? It’s all encrypted, you aren’t trusting the server at all, it’s completely trust-less, and unless you think Amazon or governments can at this very moment tap any encrypted data and decrypt it, I would recommend taking a walk outside and realizing that no one, NO ONE can decrypt current encrypted standards.

Unless you can point me to a reputable article showing in great detail that Signal is lying about their e2ee claims then I’ll rest my case. Signal has been proven time and time again to not have any data on their users except the minimum required for the service to work; that’s called integrity.

Also there will always be someone you trust on the internet, nothing will change that unless we completely rethink how the internet works.

Edit: added quotes Edit 2: added extra info

Contradicting federal health officials, Florida Gov. DeSantis recommends against new COVID booster (apnews.com)

Florida Gov. Ron DeSantis and the state’s top health department official are directly contradicting federal health recommendations and warning residents against getting a new COVID-19 booster, saying there’s not enough evidence it provides benefits that outweigh risks....

CaptainAlchemy,

I hate to say this, but this is a blessing in full view. If people want the “freedom” to not take a vaccine because “risks, 5G mind control, whatever” then let’s let them. Life is full of risks and they need a wakeup call.

CaptainAlchemy,

Once again, I’m still trying to figure out how Apple users can defend this. Yes, Google Maps had this feature, but every time I talk to Apple users I’m always told they got their phone because “it just works!”. But then I learn that features I consider basic at best are completely missing. If my iPhone should “just work” I expect the features I want to exist without another app installation. Things on iPhone only seem to work if you don’t know anything better.

CaptainAlchemy,

To be fair, unlike previous years’ iPhone releases I’ve seen more skepticism than normal. I fully expected diehard Apple users to be resenting the removal of the lightning connector due to excess charging cables. And while those comments exist, it is a very small minority of people. However with that said I don’t fully understand the mindset of buying a phone that has limited or obsolete hardware / software. (ergo headphone jack, ergo missing software feature, ergo USB 2.0 from 23 years ago)

CaptainAlchemy,

Well it tends to come up for me because I’m the tech person around the house and at work, so phone and other device / software recommendations tend to come my way. I don’t really care what phone you use, I ain’t that much of a prick.

CaptainAlchemy,

I think part of the “it just works” definition is the default apps should work without missing features, however you’re not wrong, alternatives do exist.

Edit: spelling

CaptainAlchemy,

I agree, the features Apple does implement do tend to be more polished or at the very least not annoying to the user.

CaptainAlchemy,

Samsung in terms of security, privacy and hardware is a total mess. I would avoid Samsung products at all costs.

CaptainAlchemy,

I feel like Google has two departments internally, a security research and implementation team and a Google ads team. One of them betters security for all Android users and another gets bad press for making bad decisions with YouTube, Chrome, or other Google services. I’d love to know how the culture is at Google. It’s not like security conflicts with Google data collection practices but I still find it interesting to think about nonetheless.

CaptainAlchemy,

Printers print very small dots on the sheet of paper you print so it can be identified. en.wikipedia.org/…/Machine_Identification_Code

CaptainAlchemy,

You love to see it, I genuinely smiled, probably not the normal reaction for most people but it makes me happy to see people use Signal.

CaptainAlchemy,

Honestly Briar would be my pick in an ideal world, you don’t need an internet connection, just Bluetooth. Sure it has short range but it’s the starting point for decentralized messaging.

CaptainAlchemy,

This makes me wanna get my Sony DSLR and start taking photography lessons again, this is awesome!

CaptainAlchemy, (edited )

By far Windows. Windows lacks or doesn’t fully utilize features like full verified boot, sandboxing which means even if a program installs itself it still has to ask for permission for mic, camera, etc. Adding on to the issues, even the programs themselves can be unsafe. Running a program that uses a memory safe programming language is pretty rare and a lot of vulnerabilities come from memory allocation and buffer overflow bugs. Android attempts to mitigate these issues by sandboxing every app; all phones ship with verified boot and full disk encryption, and usually have a memory allocator of sorts. And if you run a degoogled ROM you’ll mitigate the privacy issues by not having Google Play services installed.

If you need some way to monitor these devices as an admin there are apps on Android that allow this functionality; iOS has similar admin features.

edit: typos edit 2: added information

Two Colorado House Democrats sue their caucus, Republicans for alleged violations of open meetings laws (coloradosun.com)

It alleges Colorado House Democrats’ near-weekly caucus meetings, during which pending legislation is discussed, should be publicly noticed and that meeting minutes be recorded and offered to the public. The lawsuit alleges members of the House Democratic caucus “directed legislative aides to omit or disguise these mandatory...

CaptainAlchemy,

Pertaining to the Signal issue, as with anything, if you and I can use it, so can corrupt politicians, drug dealers, terrorists, and more. Signal is a great tool but it can be abused like anything else.

edit: I’m not saying what these politicians are doing is okay, I’m only mentioning this just in case someone is anti-encryption, encryption is good and any political figure trying to outlaw it can go fuck themselves

CaptainAlchemy,

Strongly agree

CaptainAlchemy,

Okay great, if I live anywhere besides NYC, where’s my damn train for transport? Oh right, it’s nonexistent. I’d love to take a train but the people that run this shithole say it’s too expensive and continue to pave more roads! Wow I love living here where my government continues to listen to big oil and destroy the planet in the process!!

CaptainAlchemy,

Honestly I wish I was surprised but I'm not. I am so blackpilled about humanity it's not even funny... the general masses really do fuck everything up, they accept things for what they are, like Netflix password sharing, look at how well that's going for Netflix. The masses will accept anything if they get a little dopamine hit. Doesn't mean I won't stop fighting for a better future, I'm just somewhat disillusioned.
