Because of #Electron abandoning support for 32-bit PCs, this bug in #Wire is unlikely to be fixed, and I may have to give up on trying to use the Wire desktop client on my 32-bit laptop:
So having convinced a bunch of my family and friends to set up accounts on Wire and install it, I may have lost the main thing that made it attractive (a #FreeCode desktop client for 32-bit GNU/Linux where voice calls work properly). At what point do I just give up on trying to be a #SoftwareFreedom purist, and buy a 2nd-hand MacBook for comms (and video editing, and ... and ... and ...) :(
While I'm on a rant, it annoys me that I might have to retire my laptop in a year or two, even though the hardware is still working fine and dandy, just because even #FreeCode software seems to require more and more hardware power over time to do basically the same tasks. When I bought this laptop in 2010, it could run perfectly good voice and video calls over Skype on Windows XP! We must stop treating complex electronics as disposables.
@strypey That's Windows for ya, they don't call it fatware for nothing! Linux Mint runs smooth as on the Dell Inspiron I got back in 2009.
@aran It would be nice to think that, but I've been running GNU/Linux on this laptop since about a year after I got it. Sadly, free code OSes also bloat up over time, require more hardware power, and often stop supporting devices long before they stop being usable. Dropping 32-bit support being a classic example. Many #RaspberryPi devices are 32-bit!
@strypey @aran Okay, it's just about ia32 - https://twitter.com/felixrieseberg/status/1103356589304512519.
That means raspis are safe.
@strypey I'm still running Debian on a 64-bit laptop from 2010 but modern browsers are too big for its 4GB memory, which I didn't bother to upgrade yet.
@strypey Indeed, Moore's law gets completely eaten by the opposite pull in software. And the hardware manufacturers who externalize waste costs and profit from obsolescence seem perfectly happy with that.
@strypey the bad choice was Wire... why not Telegram instead?
@alexl see the 2-3 lengthy discussions I've had here over the year about chat apps. TL;DR Wire is #copyleft #FreeCode on both client and server side, and has plans to support #federation between Wire servers. #Electron is a downside, but they are ok with community-created clients without Electron to connect to their server (unlike #Signal, don't know about #Telegram)
@strypey Telegram made a challenge and the best clients became the official ones: a Qt desktop client for Windows, Mac & Linux, two clients for Android, one for iOS, a web client and one specific for Mac, all Open Source, plus community clients including a CLI one. 200 mln of users, 15 bln of messages/day. E2E encrypted chats (optional) and calls.
@alexl @strypey ...but for some obscure reason, the server code is still closed source, even though they said they would open source it years ago. https://telegram.org/faq#q-why-not-open-source-everything
Obscure reasons? https://telegram.org/faq#q-why-not-open-source-everything
Keeping Telegram fast and secure while switching to a federated architecture is a tech challenge. See Matrix, it's the state of the art of decentralized instant messaging and can't deal with Telegram's performance.
"Our architecture does not support federation yet. Telegram is a unified cloud service, so creating forks where two users might end up on two different Telegram clouds is unacceptable. To enable you to run your own Telegram server while retaining both speed and security is a task in itself. At the moment, we are undecided on whether or not Telegram should go in this direction."
@paulfree14 bullshit and fake news, I'm tired of answering people who share that page on GitLab.
@alexl if parts of what is linked are false, the other arguments still stand.
So it remains: telegram is not to be trusted.
@paulfree14 there is not a single argument against Telegram, they took the best decision in every case.
@alexl @stragu no, it isn't. #XMPP is much more advanced than #Matrix when it comes to server performance. But what's key is whether the company recognises that having servers they control at the centre of the entire service is a bad idea (#SinglePointOfFailure) or not. Wire does. Telegram hasn't even released their server code.
@strypey XMPP and Matrix are two totally different things, check Matrix's FAQ section on XMPP
@strypey there is no point in releasing server-side code for an instant messaging platform if there isn't support for server federation. It's just a marketing thing, no benefit from a security point of view
@deejoe @alexl the benefit is it allows the whole system to be studied independently, including for security audits. You can stand up your own version of the server, check it for backdoors, and see whether messages are actually secure when you connect clients to it. It also gives the user community the freedom to run their own service for private use, and to fork if the original developer is exposed as a bad actor. So it's quite important.
@strypey zero, there is no value in Facebook/Twitter codebase... Reddit was Open Source, but its federated version, Prismo, is being built from scratch
About Wire, I specified "instant messaging" because using your own server means you and your contacts need to trust the same server managed by you or one of your contacts that maybe don't know each other... so at that point it is better to trust a third-party company like Wire that has low interest in your conversations...
@strypey ...and even if independent developers can audit the code and make it more secure you still need to trust Wire because you have no idea of what they are running on their servers. They could run a branch of the Open Source repo with optimized performance, with additional security holes... so the important part in e2eE systems is just clients being Open Source and secure
@alexl @strypey open-sourcing doesn't necessarily mean switching to a federated architecture, it should be trivial for the Telegram developers to restrict the official clients to the official servers, even if others open new servers based on the original code. What it _would_ allow though, is some public review of the quality of the code, to check for code quality and confirm the privacy claims. And it would allow others to creatively re-purpose, and learn from their valuable work.
@alexl @strypey sorry for jumping in, but there is general agreement among security experts and cryptographers that telegram rolling their own encryption protocol was a very bad idea: https://www.dailydot.com/layer8/telegram-isis-encryption-cryptography/
@alexl what was the great idea?
@tao rolling their own encryption
@alexl idunno, when it comes to whether that's a good idea or not, i think i'd prefer to trust the entire academic field of cybersecurity instead of a single company
@tao the protocol is not proprietary, everyone can check it, including "experts" that keep repeating "don't roll your own".
Also, those "experts" totally failed when it came to NSA surveillance, and Telegram was born exactly for the purpose of protecting people from NSA surveillance
@alexl i didn't say it was proprietary. it just hasn't been through nearly the same amount of public scrutiny as others. the public cracking prize they have is a good reason to be a bit cautious: https://www.schneier.com/crypto-gram/archives/1998/1215.html#contests
re: your second point, in what way did they fail? the security field has always been advocating strong encryption. it just took the Snowden leaks for people to start taking it seriously.
@tao some of the points of that article don't apply to Telegram and my point is not "Telegram protocol is secure" but "it's not less secure than the industry ones".
NSA had backdoors built into crypto algorithms that were audited by international authorities.
So the most logical way for Telegram was to roll its own assuming they were able to do so, and this was the case thanks to Pavel's brother, Nikolai Durov, being a prize-winning mathematician.
@alexl like anything in security it comes down to who you trust, and i have a hard time believing that any individual or group should be more trustworthy than the field at large (in spite of all its faults). anyway i doubt we'll agree, so let's leave it here :)
@strypey there is nothing wrong with Telegram crypto, that "don't roll your own" is just an excuse
@charlag but you can start a secret chat (e2e encrypted) with 200+ million users. Plus calls are always e2e encrypted (of course).
@alexl I'm from Russia and I used Telegram a lot because of the network effect, it's very popular here. I used it like 3 times during 4 years or so to send passwords and such.
E2E is possible and should be on by default, like in Signal, Wire and soon Matrix. You shouldn't have to opt into anything.
And let me ask you about Telegram's business model.
@charlag with e2e encryption enabled by default Telegram wouldn't have been able to deliver a user experience that can compete with proprietary services because most features depend on its cloud-based model. Also Telegram doesn't sell user data or use them in any way.
Improving secret chats would be welcome of course.
Telegram doesn't have a business model.
@alexl well, WhatsApp and Wire are both commercial products and they very much deliver it with e2e.
We don't know what it shares or sells because it's not e2e nor a public entity.
@charlag WhatsApp doesn't have e2e encryption, it claims so, but without the source code of the clients we can't know.
And WhatsApp is a service by Facebook. Its business model is collecting users' data. If WhatsApp really has e2e encryption what it collects are metadata, because I doubt Facebook does beneficence.