dngray

@dngray@lemmy.one

openpgp4fpr:588f6e4eabe8c7b552d00fa641911f722b0f9ae3

Evangelical app 'Bless Every Home' is mapping personal information of immigrants and non-Christians in a bid to conduct door-to-door religious conversions and “prayerwalking” rituals targeting them. (newrepublic.com)

It puts a lot of features at the fingertips of the faithful, including the ability to filter whole neighborhoods by religion, ethnicity, “Hispanic country of origin,” “assimilation,” and whether there are children living in the household....

dngray,

Seems like a step up from “Covenant Eyes” with weirdo politicians sharing their porn habits with their children.

dngray,

It’s probably also media’s fault for this. They only publish when a bad person does a bad thing on the internet with it, not all the millions of users who don’t do bad things. That would be boring.

dngray,

Not unless websites require certain features to be visible, that’s the major concern.

Cromite and Vanadium

I am a newcomer to the space and want to know some stuff about the mentioned mobile browsers. Information on them seems a little sparse to me. I am aware of Brave, however on my current device it is very buggy and I do not like the company’s reputation. I am aware of Firefox and its derivatives and the benefit they bring...

dngray,

Vanadium is built specifically for security. It lacks privacy features such as an ad blocker.

Currently I use the AdGuard DoH server. It’s not perfect, but I don’t do a lot of browsing on my phone. There were some plans to implement this in Vanadium: github.com/GrapheneOS/Vanadium/issues/10

dngray,

Related thread here: discuss.privacyguides.net/t/…/13274

The main thing we find is Vanadium is not lagging behind upstream and it has hardening patches that a lot of other WebView implementations do not have. Whether or not you like to “contribute to chromium based market share”, you’ll have a WebView implementation on your Android device used by apps you use. It’s also worth noting that per site isolation doesn’t seem to be a thing on Android for non-chromium browsers.

dngray,

I know with standard settings my ISP sees everything, but if I use some encrypted DNS, what will they see exactly?

Basically the same thing.

Encrypted DNS is not for privacy, it is for stopping someone from altering your queries basically, because normal DNS is not encrypted. Domains are exposed through other various methods we explain. Please see our website, where we’ve gone to the effort to explain this: www.privacyguides.org/en/advanced/dns-overview/. We have a flow chart that characterizes the above methods of obtaining the domains you’re requesting.

dngray, (edited )

Yes the article is FUD and sloppy. This is what Matthew Hodgson (Arathorn) had to say about it:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

dngray, (edited )

you’re referring is using XMPP without OMEMO

OMEMO encrypts text messages; for VoIP you need DTLS-SRTP encryption or Jingle session encryption. OMEMO has no concept of cross signing, i.e. one device being trusted and therefore the others either if they do an authentication with each other. Device verification has to be done each session, which is a massive pain.

warns you your message content is unencrypted if this is disabled

The point is that Matrix 1:1 calls are always encrypted and soon with MSC3401: Native Group VoIP Signalling 1:many VOIP calls will be as well. Having foot guns about what might be encrypted or not in a client isn’t very private at all.

Also, XMPP has better (imo) and more numerous clients than Matrix on every platform except iOS and MacOS (No better XMPP client than Element on these platforms).

I’ve used Nheko and that’s pretty good. Last time I checked the XMPP clients that existed had a lot of rough edges and feature inconsistency.

I definitely prefer an extensible protocol to a much heavier, metadata-leaking, less-feasible to self host solution like Matrix.

That is definitely your opinion. Matrix has shown to be very feasible in a commercial sense, as there are many providers and commercial clients using it, French, German government etc. There are also quite a few clients using EMS. They claim: “Matrix is an open network for secure, decentralised communication, connecting 80M+ users over 80K+ deployments.”

Which is probably a lot more than XMPP.

Matrix really can be quite lightweight enough that it will be entirely possible to run a homeserver locally in WASM which is what the Matrix P2P project is about. arewep2pyet.com has more details about that. It’s also possible to have very light Matrix servers Breaking the 100bps barrier with Matrix, meshsim & coap-proxy. The reason that a lot of public Matrix servers are quite “heavy” is because they have many numbers of users, and activity. Synapse has also made huge gains in this regard to what it was originally, and we know that Dendrite uses a lot less resources (that I’ve tested privately).

With RFC 9420 aka Messaging Layer Security (MLS) it should be entirely possible to have large E2EE rooms without too much of a performance hit. Matrix is also working on MLS: A giant leap forwards for encryption with MLS. They have a site tracking that: arewemlsyet.com

The point is a lot of testing and thought goes into these things.

metadata-leaking

You’re pretending XMPP doesn’t have metadata between servers. It certainly does; it’s really no more private than Matrix.

This is what Matthew Hodgson (Arathorn) - CEO of Element had to say about it on March 13, 2022:

Talking of sloppiness, that hackea.org article is a huge steaming pile of FUD about Matrix.

For what it’s worth, the team who came up with Matrix was originally based in two separate startups: one in the UK doing VoIP, one in France doing mobile dev. Both got acquired by Amdocs in 2010, but we ended up forming an independent “incubated startup” first to build telco apps, and then we came up with the idea of Matrix in ~2013. We then built out Matrix until 2017 when Amdocs killed our funding, having run out of patience for what amounted to generous FOSS philanthropy.

We then set up New Vector (now Element) as an entirely independent UK/FR startup, and have received zero funding from Amdocs since. To be crystal clear: Amdocs has zero privileged influence or control over Matrix (or Element, for that matter), and has zero access to the Matrix servers we operate as Element. And besides - the whole point of Matrix is that you can and should run your own servers so you can pick who to trust, even if you don’t trust the project itself.

dngray,

That is the nature of any federated protocol.

E2EE works well enough within rooms and that is likely where private data is to be anyway. As long as you use Matrix and assume that everyone can see your Matrix ID and room IDs you’ll be okay.

XMPP isn’t any better in that regard.

dngray,

leaks more metadata than XMPP

XMPP is not a private protocol either. In a lot of cases data is not E2EE, there are no reference clients and there’s a mess of standards that very few if any clients fully implement.

dngray,

I am sure that Tutanota does not use any custom encryption algorithm. It is clearly stated in the FAQ that they use RSA (with PFS) and AES to encrypt emails exchanged between Tutanota users. tutanota.com/encryption

These are only primitive algorithms, the actual implementation is custom and specific to Tutanota, which means it will only work with Tutanota as nothing else will implement it.

There is no way to do key distribution outside of Tutanota’s service.

Aside from the lack of E2EE, why is Telegram not trustworthy?

A lot of privacy guides suggest avoiding Telegram. I understand that in its default mode there’s no E2EE (and no E2EE for groups at all). If people I know don’t want to use Signal, isn’t Telegram the lesser evil given its nicer privacy policy (than other popular ones)?...

dngray,

Probably another point is that the encryption for Matrix/Element has undergone multiple audits, one in 2016 and another one of their newer Rust library. Whereas Telegram just has not. There was this also a not too long ago. MTProto is also used nowhere else, whereas a lot of encryption has been influenced by the Double Ratchet which is well understood.

The other thing worth noting is that Matrix is the foundation for other products which many governments use for secure communications.

dngray,

I certainly think so.

Even Windows or Chrome OS provides quite a bit of “control”; it’s just that a lot of it is “opt out”. Google does, for example, record what YouTube videos you look at against a logged-in account by default. Windows does have targeted advertising enabled by default.

I think privacy is really more about what you do on such platforms. If you use products (sites) that clearly have bad policies in regard to privacy then no OS is going to provide really all that much improvement.

Kind of a Rant

I love the idea of having privacy in independence from all the tech giants’ services. I have a server at home that hosts my storage, media, synchronization, and backups, along with some other random services. Since all these services are basically my life, I sometimes read about better security practices to replace whatever I...

dngray,

Stopped reading at “storing my passwords on a db”. Even if you encrypt the data, is it not just plain better to use a generative algorithm for passwords instead that needs no cloud?

There are quite a few reasons why we don’t recommend deterministic password managers and I have been meaning to write an article about it. There is a summary and further discussion in that thread.

Third party blog article which is still relevant tonyarcieri.com/4-fatal-flaws-in-deterministic-pa…

dngray,

Just a reminder, we specifically recommend against Garuda due to their unsafe usage of Chaotic-AUR.

dngray,

VPNs are still worth it for that purpose, particularly torrenting… Not sure who is saying this but they are wrong.

dngray,

Keep in mind posteo.net does not have DMARC which means anyone can spoof an email @posteo domain.

All of the other providers have this. Mailing lists can be used with DMARC.
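
An added example of checking the point in the comment above (not code from the original post or from any mail provider): it classifies the TXT answers found at `_dmarc.<domain>` following the RFC 7489 policy-discovery rules, simplified so that a record with a missing or invalid `p` tag counts as no record. The domains and records are constructed samples and the function names are hypothetical.

```python
def parse_dmarc(txt: str):
    """Parse one TXT string into a DMARC tag dict, or None if it is not valid DMARC."""
    tags = []
    for part in txt.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                return None
            tags.append((key.strip().lower(), value.strip()))
    # v=DMARC1 must be the first tag; anything else (an SPF record, say) is discarded
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    # Simplification (assumption): a missing or unknown p= is treated as no record
    if record.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return record

def spoofing_posture(txt_records):
    """Classify how receivers will treat mail that fails DMARC for this domain."""
    parsed = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(parsed) != 1:
        return "no-dmarc"              # none, or several: no DMARC policy is applied
    policy = parsed[0]["p"].lower()
    if policy == "none":
        return "monitor-only"          # failures are reported but still delivered
    pct = parsed[0].get("pct", "100")
    full = not pct.isdigit() or int(pct) >= 100   # invalid pct falls back to 100
    return f"enforced-{policy}" if full else f"partial-{policy}"

# Constructed sample answers for _dmarc.<domain>; not real lookups.
SAMPLES = {
    "no-record.example": [],
    "spf-only.example": ["v=spf1 -all"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25"],
    "strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {spoofing_posture(records)}")
```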

dngray,

100% this, and it's why I still used old.reddit.com, because the new reddit site is just awful.

What I will say is there is less "noise" on our lemmy/discussion forums, and distinctly higher quality posts. This is something we'd like to encourage long term, particularly when people ask questions already answered quite clearly on our website.

dngray,
  1. Pretty much Crowdin works very well, particularly with its TM (Translation Memory) and specific terms.
  2. We are currently mirroring there but there's no reason you couldn't use git-send-email to one of the team members if you need to really do that. Ideally, just use a VPN or Tor anyway, because you're probably going to need that anyway. Github is available in Iran nowadays https://github.blog/2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran/
  3. Because they often lag behind in security https://www.phoronix.com/news/GNU-Linux-Libre-5.7-Released (for example, this allowed the GPU to be used in a browser fingerprint).
  4. In a lot of cases the site is research, and words we've written based on our experience. There isn't much reason for derivatives to exist based on our content. If there were, those would be a complete re-write. We aim to have the site as accurate as possible, and want changes contributed back there to benefit everyone and be translated. That does promote centralization, but in this case that is a good thing.
  5. Libreboot won't ever be recommended, basically because unless you want an ancient laptop from 8-10 years ago it's a non-starter.
dngray,

A lot of these are unnecessary or actually modify your fingerprint.

  • privacy badger

Can be detected https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/

  • clearurls

Unnecessary, as uBO has removeparam

  • decentraleyes

Modifies your fingerprint making you more unique.

For more information about what not to use see https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-dont-bother

dngray,

Probably not, it's likely trying to shift Russian citizens from buying them over to some Chinese counterpart. Even in China "Apple" stuff means you're rich and it has exclusivity factor.

dngray,

That is exactly the reason. The idea is to let someone else hold the bag, and "oh well" if they figure out they paid more for it than it was actually worth.

I have to wonder how much Reddit will actually be worth when it's just the site of cat pictures and crappy memes. The quality of Reddit dropped significantly when they changed all the default subreddits, this is going back to the days when "old reddit" was "normal reddit" (around that era).

dngray,

I think fundamentally Reddit doesn't give a shit.

For them it's likely about value of accounts, how much data they can sell, and they will hope that non-tech communities will carry people's "addiction". A bit like an abusive ex "you can't leave me because you'll lose XYZ" so now they've resorted to reining in anything that dare reduces or inhibits maximum revenue stream.

dngray,

I have to admit, I don't really think I would use Reddit if old.reddit.com went away. The "new reddit website" is slow, and ugly, and fits very little content on the page. It seems it's largely optimized for posts which contain shallow content like "cat pictures", memes and other rubbish, not meaningful discussions. I appreciate RedReddit, due to the fact I can fit many posts on my screen. Reddit also requires quite a bit of moderation as there is a lot of very low quality content posted there. It's quite a tiring process.
