Why do your organizing over Signal? So that you don't do your organizing on an app that hasn't been tested or reviewed, run by a guy who doesn't tell his users about data breaches and security problems.
@evacide XMPP is a good alternative. Pick any server or bring up your own (self-hosted or SaaS). Several clients to choose from. Federated and decentralized.
@OG Have you done a lot of large-scale grassroots organizing using XMPP? I'd love to hear about it.
hey guys :)
there's no doubt a single xmpp instance can handle hundreds to thousands of users in a pretty box. ejabberd software is proven to support such an amount of users without needing to scale....
the main challenge though, is how to avoid government interference in other layers of communication... you can host an xmpp in europe or any other country, but traffic is still flowing through fiber infrastructure, routing... and we don't know how to assure it's not being observed...
for private groups and 1:1 messaging, the end to end encryption will be a great ally, but it's worth saying transit encryption with TLS is probably vulnerable to the amount of money governments have invested in surveillance, so another layer of security beyond end to end encryption could be using Tor - in this scenario the xmpp service won't be able to federate, but will work fine for local accounts (inside the same server).
hope this info could be useful :)
@evacide this is so sad :(
@evacide
Let me guess...no way to sue the operator of the app?
@evacide Using anything else but Signal seems like madness to me nowadays.
@evacide is there a point at which the advice becomes, "stop trying to organize over smartphones entirely"? It seems like it'd be pretty easy (and likely, nowadays) that Google/Apple could extract whatever data the Feds wanted.
@evacide
Signal and similar solutions are simply easy to use out of the box.
Using messengers like Matrix is hard and threatens to unexpectedly encrypt all sent messages.
I used Matrix for approximately a year and a half, and absolutely all the servers where I created my accounts are already down today, plus I lost several important conversations with potential buyers of my second-hand computer components.
And I'm glad that the open-source party has started to understand this.
(Oh, I forgot, certainly: the Russian communications supervision government service BANNED the XMPP protocol on the territory of our country, while Telegram is available so far. It is one more stone in the vegetable garden of open source, which anyway turned out to be worse than closed-source solutions, alas...)
@evacide There may be an update to this story:
https://www.risky.biz/risky-bulletin-stopice-blames-hack-on-a-cbp-agent-here-in-socal/
@evacide signal is centralized and depends on phone numbers, there is a lot of room for the gov to mess around just with amazon's collaboration, not even signal, better to go with something like Delta Chat
there is even a "Signal Contingency Plan" that recommends it:
https://m.youtube.com/watch?v=B7p7plhdADc
@adbenitez "Delta Chat is a messenger application that operates over email and enables opportunistic encryption for its users." I would not recommend any encrypted messaging system that fails open in situations where knowing that every message is e2ee encrypted every single time is important.
@evacide @adbenitez@mastodon.social I guess they enforced E2EE somehow. What actually grinds my gears about Delta is that they take proven unsafe crypto and add a bunch of things in order to fix the issues then they slapped a "sandboxed app environment" based on JavaScript!
It's like they don't want to be taken seriously by cryptography and security experts! Even with security audits (I don't recall if they got one, but even if they got one) the design and the management of it looks terrible!
It is like if one found a completely broken house and, instead of making a new one from scratch with a safe foundation, they decided to fix the cracks one by one, then moved an elephant and an entire circus inside.
@evacide
> "Delta Chat is a messenger application that operates over email and enables opportunistic encryption for its users."
that is very old news, Delta Chat used to be like that in the past, encryption is not opportunistic anymore, instead it is perpetual, if a chat is encrypted it is encrypted forever and the key of that contact can never be manipulated/replaced by servers, the key is your identity
about email, that is an extra option, you can read your inbox as chat in Delta Chat
@adbenitez Thank you. That is useful.
@sven222 @adbenitez I am glad you have found a solution that works for your organizing needs. Most of the people that I am brought in to advise on digital privacy and security in organizing are not very technical and very busy. It is important to me to keep my advice as simple and easy as possible while still allowing them to do their work. Even getting people to download an app onto their phone that they don't already have is a hurdle.
This is exactly the wrong thing to do if you are organising anything that the government might object to. It doesn't matter how good the security of the protocol is (and, for XMPP, it is not great), they don't need to know what the content of the messages is, the simple fact that you're all using the same XMPP server is sufficient to identify everyone in your group. And that's something that a passive adversary who can see packets going to your server can see (they can see that a TLS session was established on the XMPP port and what the remote IP was). This is information that they can get without sending a warrant to you or having any access to your server.
In contrast, Signal has around 100M active users, all talking to the same set of servers. Identifying the few hundred of those that are part of some local activist group is incredibly hard. And everyone sending cat pictures to their parents is adding to the anonymity set. Someone monitoring the Signal servers passively (e.g. by watching every packet that arrives in their AWS hosts) gets almost no useful information. Someone who compromises the server can, if they trigger the fallback to not using sealed sender, see who is sending messages to whom (this is detectable on the client, but the Signal app doesn't warn you. It probably should). Without that, all they get easily is the last time you connected to the network. They probably can also correlate IPs used to send messages with sealed sender and IPs used to log in, but that requires recording state that the Signal server doesn't currently (so requires a full compromise of the server).
@rakoo @adbenitez For non-technical people, I prefer to keep things as simple as possible and avoid recommending solutions that have a setting that fails open, even if it is not the default, in situations where it is important for every message to be e2ee.
@evacide and be careful who you let into your group :/
@evacide wasn't this the guy who didn't understand basic technical questions and made it apple only or was that another guy?
@evacide I got a reason too, so ICE can’t use the power bestowed to them by our god king to breach Signal to track me down and have me go missing in a prison.