This "security guide" is mind-boggling. Use instead of an /Linux device (ideally with a custom ROM), and even instead of a laptop?!? Use (not Chromium, *Chrome*) and a ?!?
techsolidarity.org/resources/b

Use ? Despite the fact that there are *many* good reasons for anyone with important secrets to protect
*not* to do that (US-based, no warrant canary etc), and Moxie has defended aspects of his centralized set-up by saying people shouldn't use it for that?

@noorul @strypey there is no "safe". There are degrees of safety, and there are very real reasons to doubt the safety of Signal.

@strypey @gentoorebel @noorul the person who wrote this article about Signal didn't actually read and respond to the actual reasons why those choices were made. There are epic GitHub threads that touch on every nuance.

@strypey @gentoorebel @noorul Sorry I don't have links rn.

Signal is the best of a bad situation. Android is already a somewhat compromised platform with all the Google stuff and proprietary apps that 99% of people use. I think it does a good job of what it was intended for, which is to provide E2E encrypted mobile messaging with a good UX.

All of these criticisms of Signal are addressed by XMPP and OMEMO?

@kawaiipunk @noorul @gentoorebel @strypey The best which could happen with Signal would be if they made their own F-droid repo and had some federation protocol.

But even if that happened all it would achieve would be to reinvent Quicksy-style XMPP but with a standardized server configuration.

@bob @gentoorebel @strypey @noorul I agree Bob. We need to be thinking about next gen P2P projects like Briar et al.

@kawaiipunk I've been thinking about these for years, like , (formerly ), , and others. But I struggle to find people to test them with, and when a "secure" chat app only has clients for iOS and Android, I struggle to take them seriously.
@bob @gentoorebel @noorul

I would really like to hear the list of "secure" apps.

@strypey

@noorul secure against what? What kind of app security you need depends on your . But if you're trying to do security of any serious kind, not allowing people to use your app on GNU/Linux without also using an iOS or Android device just seems amateur. As does tying your chat ID to your phone number, which makes it much easier to tie metadata to real humans.

@noorul what's your use case? Who are you trying to chat with? Text or voice/ video? One-to-one or group? How sensitive are the chats likely to be? What kinds of adversaries do you want to be secure against? In my experience it's best to use a non-secure app, and choose what to say on that basis, than to speak freely using an app you think is secure when it really isn't.

FYI I've got various lists of chat apps here:
coactivate.org/projects/disint
coactivate.org/projects/disint

I want app for personal and work communication.

Sensitive data can be personal or work related.

Nothing really big deal.

I'd like to adopt a safer and more secure platform for everything.

@strypey

@noorul TBH your threat level is about what Signal can cope with. Even if it was a honeypot and Moxie worked for the NSA that's not going to affect you much. I would use Wire instead though. It has all the same pros, plus supports more platforms, doesn't require your phone number, and is developed by a team of professionals who take both software freedom and UX seriously. Swiss-based, so bound by GDPR.

Thank you for the suggestion. I appreciate it.

Though, I am skipping the #Wire option for now as it's not available on #Fdroid and it's from a corporation.

I prefer a social business or not-for-profit org.

And I will be withdrawing from #Signal soon, as its founder is associated with the NSA and a honeypot.
@strypey

@noorul Wire Swiss GmbH is not a corporation (a publicly-listed company owned by shareholders). It's a self-funding private company, that makes its money from a premium service (based on the same software) aimed at enterprise teams.

@strypey so a privately owned enterprise offering a FLOSS service

@noorul yes. So if you're specifically looking for a service offered by a non-profit or a cooperative, Wire isn't that. But if you just want a provider that exists to serve its users, not shareholders, Wire ticks that box (it doesn't have shareholders, just private owners). If you want a non-profit, I suggest you check out like , , etc. Disroot might be the best option for your needs, as they have a big focus on improving the of hosted tech.

@strypey I have been using Riseup for a long time.

Now I am self-hosting Matrix and XMPP.

@noorul OK. So why would you use Signal? Contacts on iPhones who can't find a decent XMPP or Matrix app?

Using #Signal because it's advertised as a secure platform and recommended by Snowden

@strypey

@noorul
> recommended by Snowden

Yeah, I find that weird. Snowden may, for example, have only endorsed Signal as a good solution for average Joe users wanting to avoid passive data farming. I did a web search for Snowden's actual comments, but all I could find was gossip-column-quality commentary by journalists about what a fan Snowden is of Signal, in which any such nuance is long lost.

@strypey that's nice of you to find out more about it.

The Signal website shows Snowden as endorsing it.

@noorul if I haven't already mentioned this, I note that the Signal website is *not* blocked by the Great Firewall, while almost any other website that mentions encryption, VPNs etc is blocked. I find this ... fishy, although I guess this could be using domain fronting? Not sure.

@noorul I notice those quotes are not linked to sources. So we don't get to see *when* those things were said, or in what context, without doing a web search on the quote and trying to find the original. How convenient for . If Snowden recanted this opinion later, they could still leave that shining endorsement quote on the homepage, and most people would be none the wiser.

@noorul BTW With all due respect to , she is a journalist not a programmer, and she relies on people like Snowden (or Drew) to tell her which apps are safe to use. is a public figure, and has very little to lose if his encrypted conversations turned out not to be secure. 's quote is just about code quality. None of these endorsements have any bearing on whether the Signal service is safe for dissidents with 3-letter adversaries in their to use.

Are we not going to take Bruce Schneier's word?

@strypey

@noorul like me, and you, and everyone, Bruce a) has more knowledge about some things than others, and b) comments on things from his own POV. A big part of is figuring out what kinds of adversaries you're trying to secure things against, and what the worst case scenario is if your security measures fail. Like I said, Bruce is pretty safe if any cryptography he uses happens to fail. Not so a dissident in Turkey, or Russia, or China. This distinction is crucial.

@strypey well explained!

👍👍👍👍👍👍👍

You're a great #mentor!
You've got me thinking.

The primary reasons I am leaving #Signal:

It requires a mobile number,

Naturally, it's a mobile-first app

It's not decentralised, and not as easy to self-host as Matrix or XMPP

I did choose Signal to move away from Telegram, but now good old XMPP with OMEMO satisfies my needs.

Apart from this, my love for p2p is strong.

Long live #Jami #Tox

@strypey

@noorul good reasoning. I'm looking forward to having a chat with you on Jami and Tox after my one-month sabbatical. :)

@strypey

This is a screenshot of text chatting on #Jami 3 days ago.

I can't tolerate the failed messages.
My bad, I've introduced #Signal to more than 20 people.

Now I've to unregister for all of them
😬

@strypey

@noorul There's no shame in re-evaluating software choices based on new information, in fact it's something to be proud of. We all make strategic decisions about what apps and services to use, based on what options are available, and what information we have about them. For all its flaws, Signal is a better choice than WhatsApp or Telegram (because Signal publishes source code for its client *and* server software). Before , it was arguably a better choice than . It's always a toss-up.

@noorul I just wanted to remind you of this:
mastodon.nzoss.nz/@strypey/101

Unless you have any evidence of a relationship between OWS / Signal and the NSA that I'm not aware of? I mentioned the honeypot possibility as an example of a worst-case-scenario, I was *not* stating it as a known fact (AFAIK it isn't, and let's remember innocent until proven guilty).

Mastodon - NZOSS

This Mastodon instance is provided gratis by the NZ Open Source Society for the benefit of everyone interested in their own freedom and sharing with others. Hosting is generously provided by Catalyst Cloud right here in Aotearoa New Zealand.