
engi wrote

signal is awful for many reasons. requiring phone#, can't self-host, not standardized. don't use it if you're involved in any activism since the spooks no doubt have access to their database.

xmpp with omemo is a possible replacement. tox might also be worthwhile checking out.

6

jaidedctrl wrote (edited)

(don't know why you were downvoted, these are genuine problems with signal :/)

matrix might be worth looking into, as well— it's standardized, self-hostable, federated, and the good clients support E2E encryption.
it's more user-friendly than xmpp, and easier to get people to hop on board with than xmpp, ime.

4

celebratedrecluse OP wrote

the common matrix servers have been compromised in the past, I believe through social engineering. Fortunately, you can set up your own, however maintaining the security is a hugely complicated enterprise for most people, and would totally negate the ease of use factor for those folks unless perhaps someone in their community is willing to do that labor unremunerated.

3

engi wrote

that hack had more to do with how the matrix.org infrastructure worked, not the software itself

most leftist orgs I know of have at least one or two computer peeps, so I don't think that's a huge problem. it's just that a lot of the people who should know how to run things have gotten lazy and complacent toward the surveillance capitalist platforms

3

engi wrote

I don't really buy the user-friendliness thing. there's plenty of web clients for xmpp. if half the effort that has gone into matrix was spent on a new xmpp client with shiny ux then it could use the existing network instead of causing further fracturing in the federated IM space (splitters!)

2

jaidedctrl wrote (edited)

I dunno— XMPP is a pleasure to use (I use the cheogram SMS→XMPP bridge all the time), and I wish I could use it more… but the inconsistent implementation of some important features (OMEMO, video/voice chat) is kind of a down-side.

I've tried video/voice with Pidgin before, no dice. With Jitsi (not webRTC jitsi), worked, but poorly. Haven't managed to find an Android client with video— the only good libre one I've found on F-Droid is Conversations, which is great (OMEMO, too!), but no video/voice.

Like, whenever I've talked to friends about installing an XMPP client, I remember frantically searching for which Android/iOS clients support what bits we need, and having trouble explaining the issues to them. It's just a total headache.

Not even just clients, it's servers, too. Not all servers will support everything, it's… well.

Matrix doesn't really have that problem— there's a pretty canonical client (Riot) which supports all you need, and no-one even needs to spare a thought on compatibility, because everything pretty much follows Riot. There's more consistency, it seems to be catching on in these radical nerd-spaces, so whatever.

XMPP isn't bad, and if you have a well-informed friend to introduce you to it (“use X server, use X shiny web-client”) it's pretty much perfect. In cases other than that… it can be a headache.

EDIT: Not user-friendly-related, but I figured I might as well tack onto my dumb rant.

XMPP really isn't as group-oriented as Matrix is. It supports group-chats, yes, but there is variety in client support, and… there just isn't a “culture” around it. Group chats are becoming ridiculously widespread and mainstreamed. Discord is an obvious example. If you want your chat protocol or service to have a chance at hitting it big, group chats need to be first-class shit. Matrix treats group-chats as first-class. It has a developing “group chat culture”— there are communities using it, being created on it, and growing. Sometimes circumstance outweighs technical merit— especially when it comes to a tool for communication. XMPP just doesn't have the “culture” Matrix does.

If we're trying to push a chat protocol to comrades, federation and community need to be first class. Matrix fulfills both, XMPP only one. Hell, there're even a few Raddle Matrix rooms.

EDIT-EDIT:
On the subject of federation and community— it's common practice to see Matrix, IRC, and Discord channels merged. Bridging seems to be less common (if it ever happens?) with XMPP in group chats. At the end of the day, bridging is probably the best option for dealing with this hodge-podge of protocols and services… if there is no technical limit to bridging on XMPP, it should be more often pushed.

Fuck, sorry about this block of text.

2

engi wrote

matrix is certainly better than signal. I agree that the xmpp ecosystem is a bit of a mess. one way to manage it is to just say "use this client, and we'll use this server" for your org. that it federates with other servers is then seen as a bonus, not a requirement

xmpp bridging used to be a huge thing about ten years ago

another way to look at this is that perhaps you don't need to do everything with one single protocol. we have mumble for voice, email for structured+archived discussion, irc for ephemeral chat. I see some of these new protocols attempting to please every damn user, and it's bound to fail imo. matrix and mastodon stand out in that regard

2

celebratedrecluse OP wrote

Tox is experimental, has security bugs, doesn't have an active enough development team imho. XMPP is the standard for folks, but as i understand it doesn't have the features like calling/videochat etc that signal does, nor does it have the same ease of setup & use for the average user.

Which brings me to my main point. the problem is that signal has, by their design choices (ease of use, outsourcing user identity creation to corporate PSTN networks, etc), become the biggest filter bubble for the opsec-minded subpopulation. Due to their anti-federated design, this filter bubble excludes and discourages anyone using other privacy protection systems for the niche that signal fills.

Very convenient for someone who wanted to concentrate their attacks on this subpopulation, that Signal has these competitive policies built right into the network concept, and has centralized most targets into a single node. Makes it very difficult for others to compete. Combined with the WhatsApp founder pumping 50 million US dollars into Signal-- which was literally obtained from their sale of WhatsApp to FB, they even advertised this-- there's basically no hope for creating a comprehensively secure and widespread private communication system for privacy-concerned people. Signal is likely the best we will get for a long time, not because technology prohibits the development of something more robust, but because market dynamics are shaping this intentionally into reality against the technological advancement being made piecemeal, disproportionately by insurgent and explicitly political FOSS developers and always without the scale of financial support that the surveillance apparatus does for marketing & development.

The broad Fourteen Eyes strategy is to make all-- or, functionally, >95%-- of communications reviewable by the intelligence agencies. They want this in the long term in order to develop machine learning algorithms for processing the data with even less human labor time, maximizing their returns on investment.

However, in the short term it provides avenues by which to identify threats and begin investigations, even if the initial leads aren't included in the evidence produced during the criminal proceedings. This is called Parallel Construction and every person who might be targeted by the state should understand this concept.

The way they accomplish these ends is by not only compromising all communications, but compromising communications and infosec at multiple layers. Backdoors in individual applications, end user operating systems, server OSes, network routing embedded devices, the firmware of important components, and ultimately even specially designed hardware bugs deployed on the most evasive and interesting targets.

The privatization of the network infrastructure helps the state as well, by creating a black box of information and a slew of ways that the government can obtain information from private companies and use them as a bulwark against public understanding and opposition to what is fundamentally both a capitalist and a statist project-- the surveillance of the internet.

Finally, there's yet another set of layers: the compromising of enough nodes on decentralized federated structures such as tor through the use of their basically unlimited financial resources, and the running of honeypot VPNs/proxies or compromising the more legit ones through secret legal proceedings.

So understand that everything is broken, and realize that engaging in basic security culture that isn't technologically dependent is probably the best strategy for keeping you and your community safe from this type of surveillance in the short term.

3

engi wrote

> XMPP is the standard for folks, but as i understand it doesn't have the features like calling/videochat etc that signal does

it does, it's called jingle

> nor does it have the same ease of setup & use for the average user

I see this repeated often, never with any examples

> Very convenient for someone who wanted to concentrate their attacks on this subpopulation

when I'm feeling more conspiracy minded I'll think moxie is on the payroll of some three letter org

> everything is broken

acab - all computers are broken

2

celebratedrecluse OP wrote

> it does, it's called jingle

Cool, I'll check it out

> I see this repeated often, never with any examples

Well, for most people Signal sets up with a verification text and you're good to go. No troubleshooting or any other issues. Matrix & XMPP require, not much more, but certainly more familiarity. To be more specific, there's options to either encrypt or not encrypt messages to other people instead of everything being encrypted by default on the platform. At least, that's how it appeared to work to me a few years ago

2

engi wrote (edited)

nothing stops you (edit: as in "someone") from writing an xmpp client which insists on omemo and provides a bunch of default servers to register on (or entering one or more existing accounts)

I honestly don't get why signal needs to have any tie with the phone system. it boggles the mind

1

celebratedrecluse OP wrote

For sure, XMPP may be the way to go in the future, but for now Signal has fucked things up a little bit to say the least. nobody is going to install multiple encrypted messengers on their phone just to communicate with everyone else

2