Notices by cherti (cherti@chaos.social)

@dk @clayton

The business model, if you wanna call it that, is a private messenger for evreyone, financed by donations (which has been clearly communicated, particularly lately). In contrast to for example Matrix, there is no venture capital involved, it is a donation-funded non-profit (which has also been clearly communicated).

I would be curious which business model you would recommend instead for a sustainable messaging solution and how you would start such development, if the OTF is evil?

@dk @clayton Oh, I'm sorry, I was thinking because you suddenly brought the question of dissident groups up that you wanted to discuss that. But I can see that you have a very nuanced view on the topic, so I will of course leave it at that. :)

@dk @clayton that's the interesting part of different perceptions, my impression is that it's not the Signal project that's toxic, but more the people who religiously refuse to acknowledge that Signal has made some pragmatic decisions to bring encrypted messaging to the masses (and is extremely successful with it, more than everyone before them) and claim that Signal is either a honeypot or a scam or other things in very… tinfoily ways, because it cannot be (or must not be) that they are …

@dk @clayton

So where does the money come from?

And Signal does by no means insist that they are the only ones being able to run such servers, the code is AGPL, you can take it and build your own messenger solution. They just politely ask that they keep the liberty of choosing how to run *their* instance of a messaging solution.

The Signal server can federate. They implemented that. They might not use it, but you can take it and build a different Signal with it and show that Federation…

@dk @clayton so if Signal is Radio Free Asia 2.0 and malicious US intelligence money, why is it suddenly any better when they remove phone number requirements? sounds very inconsistent to me.

regarding Desktop: you could always use Signal Desktop when the phone is off. It was this way from the start and never has been any different.
Given you weren't aware, maybe some of the other information you've put forward might also not actually be as as accurate and black/white as you make it seem. :)

@dk @clayton with regards to privacy they actually have way more technical guarantees in place than Matrix ever had. Matrix is all about "trust be bro" (with several servers involved of most of which of which I probably don't even know who's behind them), whereas Signal gives actual, tenable cryptographic guarantees on many things.

I think the read "ignoring criticism" is more a read of "they didn't implement the system exactly as *I* wanted", which, quite frankly, is impossible to do when …

@dk @clayton and there are enough solutions fail in having a userbase that makes the messenger practical in the first place. 🤷

and, notably, when phone number leakage is the single worst case scenario, then Signal can't be that bad, because it's neither content leakage, nor social graph leakage, nor usability pattern leakage. I think that's actually a pretty good track record. :)

@dk @clayton It's a question of situation and usability. In some situations, using Signal as a means to hide in plain sight when everybody uses it might be a good approach, in other situations it might not be.

Implying that simply choosing the right messenger would clear out all OpSec-risks and protect that "dissident activist group" is way more likely to make it into a failing dumpster fire.

Seeing things black/white without greyscale is the way higher risk here, because it plainly denies …

@dk @clayton … genuinely successful, even though they are not following the pure teachings. It always feels pretty… dogmatic and everything that approaches things differently cannot be accepted as a possible right way and must have some dirty secrets.

But I'm getting ahead of myself, let's juts keep it here and I wish you a pleasant remaining day. :)

@dk @clayton … does work, and does scale.

I find it irritating that people don't do this and instead just claim that other people should bend to their whims, that other people should run *their* systems *differently* instead of just building a different solution and showing that this different solution actually works better. I'd be very curious if someone did that, all solutions in that direction I have seen so far have, for some reason, dropped the security level, though.

@dk @clayton … which leads to metadata leaks of other sorts (or do the matrix servers actually encrypt the roster by now? I thought they would just save your contacts and room members and such unencrypted severside, but I could be wrong).

Anyways, depends on what you want, one is built primatily for privacy, the other one primarily for interoperability, so it boils down to what your specific usecase is. :)

@dk @clayton Where do you get this info from? as far as I know, the Server code is what they are running upstream, possibly minus a different configuration, of course.
Matrix actually has the very same issue, you cannot know what a Matrix server under your control runs. You need to trust it (particularly as Matrix holds a lot more metadata and information serverside than Signal does), so it's in the end the same situation in that regard.

@dk @clayton The server code is also licensed as AGPL, just like the iOS client and even stronger than the Android-client.

@codewiz @RisottoGateway he's still on the board of the Signal Foundation, just has stepped down as CEO. So it's unplausible it was not his own decision given that he remains on the foundation board. If someone decided he should be kicked it seems unlikely to they'd (whoever they would be) left him on the board of what owned the company he left the CEO position of.

@codewiz is that new with 5.39? Just noticed that as well after the update to 5.39 rolled in here. Pretty neat to see that they consistently improve it!

@dh34r7h @codewiz Session, that messenger that removed Perfect Forward Secrecy from their protocol because they were unable to make state-of-the-art cryptography work in their infrastructure, whereas all the competitors from Signal over Matrix over XMPP over Briar support it without hassle…? I'm not entirely convinced about their capability to build a private messenger if they are willing to just drop privacy tech just because it's inconvenient to implement…