PS. With all the Discord stuff, in case you wonder why you never see me promoting Matrix, it’s not because it’s a usability nightmare (which it is) but because it’s made by the kind of people who’d be happy to call ICE a customer.
-
@mpsi @aral @element
I think China has generally benefitted from what is effectively a somewhat benign and competent dictatorship that hasn’t revolved around the personal interests of the dictator.The national government also doesn’t seem to micromanage local affairs.
But we all know that is not a sustainable long term solution. What happens when conditions change or their ruler dies?
@freediverx @aral @element I'd like to write a somewhat detailed reply to your post, but can't do that now. I'll try to share it later. In short: there is a difference between China before and after Xi Jinping.
-
PS. With all the Discord stuff, in case you wonder why you never see me promoting Matrix, it’s not because it’s a usability nightmare (which it is) but because it’s made by the kind of people who’d be happy to call ICE a customer.
The “F” in FOSS doesn’t stand for fascism.
@element https://mastodon.matrix.org/@element/110340953550548309
-
@freediverx @sotolf @aral @element @LukefromDC
AIUI, Signal rely on third-party hosting (AWS I think), so they don't control where their servers are located.
-
@freediverx @sotolf @aral @element @LukefromDC
To some extent, as long as the encryption works, that doesn't matter. I don't want to write them an instruction manual, but if a hostile US government really wanted to break the privacy of Signal Chats, its easier approach would be to use the fact that the Google Play Store and the Apple Store are hosted on US territory to sneak a backdoor into the client apps...
-
@freediverx @sotolf @aral @element @LukefromDC
To some extent, as long as the encryption works, that doesn't matter. I don't want to write them an instruction manual, but if a hostile US government really wanted to break the privacy of Signal Chats, its easier approach would be to use the fact that the Google Play Store and the Apple Store are hosted on US territory to sneak a backdoor into the client apps...
@freediverx @sotolf @aral @element @LukefromDC
... It'd probably only last a few hours before someone compiling from source themselves noticed that the builds on the Play Store and the Apple Store were not reproducible, but those few hours would be enough to harvest a *lot* of data.
-
@freediverx @sotolf @aral @element @LukefromDC
They have, but will they faithfully promise a customer to host stuff only on those servers, and will they be 100% reliable in sticking to that promise?
-
@zzt @Tamtam @aral There are some people working on adding E2EE to Mastodon, but, as far as I read about it, it will be like having Signal but decentralised and with better UX but lacking voice/video calls (so, Mastodon but your instance owner can't read your private messages and you don't need to verify codes or qr codes like Signal).
They are taking their time because once deployed it will be hard to fix things. I know that from experience developing megajs!!! I wish they didn't use RSA — non-standard RSA even, is a pain in the ass to work with — for authentication. Why not Ed25519 which has smaller keys or a post-quantum scheme?! I wish Matrix development was done like Mastodon's E2EE.
-
@sotolf @only_ohm @aral @Element @LukefromDC
It's alarming how much data infrastructure is controlled by Bezos. Europeans should be looking to create their own competing infrastructures instead of wasting money on the AI boondoggle. -
-
@aral @element What we need is effective democratic control over all public institutions and social spaces, not abolishing police or other standard state institutions. And for that effective democratic control, we need open standards and open protocols, among other things. (I would even say they are indispensable, although the public discourse doesn't seem to understand that yet).
@mpsi@toot.lv @aral@mastodon.ar.al I am not an "abolish the police guy", but neither a "let's share everything with the police guy". Least of all an "I've got nothing to hide" guy.
Would you be comfortable with a camera in your home always connected to the local police station? No? Why? Aren't you supposed to collaborate with the police?
That's where I draw the line.
Matrix is my main mean of communication with the world, through my self-hosted server and a bunch of bridges.
Knowing that Element sells my data to whoever they like doesn't make me comfortable. It's exactly the same as "the always-connnected camera in my home". Which sounds as Orwellian as it gets btw. And that's why I don't use Element as a client, and that's why I self-host my own server. Hoping that there are no jerks in my supply chain. But, again, my security is only as strong as the weakest link. So if any of my contacts uses Element with an account on matrix.org it doesn't really help much.
(This is also something worth noting btw: I don't trust the folks at Element a little bit, but Matrix is still an open protocol, so you can still use it if you trust your server, your client and the whole supply chain of dependencies).
About "democratic control": Element's ethics statement is as generic and dangerous as it gets.
-
We don’t sell to governments who are under economic sanctions by the UK/EU/US governments: does it include Israel? Because given our legitimate humanitarian initiatives I wouldn't feel comfortable if anybody's communications are sold to the Israeli government. Do I even have an "opt out" option?
-
_ We don’t sell to organisations who are committing human rights abuses (i.e. abusive organisations within a government, even if the wider government itself isn’t in scope)_: what's their position on ICE then? And, if they want to stop selling data to them now, what about all the data they've already sold?
You see the slippery slope of creating blacklists of "people I don't sell data to"? You have no guarantee of the good intentions of anyone not on that list. You have no guarantee that everyone without those "business partners" have good intentions. You have no guarantee that they will always have good intentions. You have no guarantee of the usage they'll make of the data you already sold to them once they turn rogue.
Btw @element@mastodon.matrix.org could you elaborate a bit more on the value of the "encrypted data" that you sell to governments and police forces? Vodozemac is supposed to be a quite secure E2EE implementation - by your own admission, and by admission of several independent auditors. So I see three possible scenarios:
- There's a market for bulk buyers of encrypted data for "store now, decrypt later" attacks
- You also sniff and share keys for decryption
- You store and share unencrypted content before it gets through Vodozemac
Needless to say, hypotheses 2 and 3 would be huge stains of your reputation - enough to jeopardize any claims of being a "secure and private client".
-
-
R relay@relay.an.exchange shared this topic
-
@mpsi@toot.lv @aral@mastodon.ar.al I am not an "abolish the police guy", but neither a "let's share everything with the police guy". Least of all an "I've got nothing to hide" guy.
Would you be comfortable with a camera in your home always connected to the local police station? No? Why? Aren't you supposed to collaborate with the police?
That's where I draw the line.
Matrix is my main mean of communication with the world, through my self-hosted server and a bunch of bridges.
Knowing that Element sells my data to whoever they like doesn't make me comfortable. It's exactly the same as "the always-connnected camera in my home". Which sounds as Orwellian as it gets btw. And that's why I don't use Element as a client, and that's why I self-host my own server. Hoping that there are no jerks in my supply chain. But, again, my security is only as strong as the weakest link. So if any of my contacts uses Element with an account on matrix.org it doesn't really help much.
(This is also something worth noting btw: I don't trust the folks at Element a little bit, but Matrix is still an open protocol, so you can still use it if you trust your server, your client and the whole supply chain of dependencies).
About "democratic control": Element's ethics statement is as generic and dangerous as it gets.
-
We don’t sell to governments who are under economic sanctions by the UK/EU/US governments: does it include Israel? Because given our legitimate humanitarian initiatives I wouldn't feel comfortable if anybody's communications are sold to the Israeli government. Do I even have an "opt out" option?
-
_ We don’t sell to organisations who are committing human rights abuses (i.e. abusive organisations within a government, even if the wider government itself isn’t in scope)_: what's their position on ICE then? And, if they want to stop selling data to them now, what about all the data they've already sold?
You see the slippery slope of creating blacklists of "people I don't sell data to"? You have no guarantee of the good intentions of anyone not on that list. You have no guarantee that everyone without those "business partners" have good intentions. You have no guarantee that they will always have good intentions. You have no guarantee of the usage they'll make of the data you already sold to them once they turn rogue.
Btw @element@mastodon.matrix.org could you elaborate a bit more on the value of the "encrypted data" that you sell to governments and police forces? Vodozemac is supposed to be a quite secure E2EE implementation - by your own admission, and by admission of several independent auditors. So I see three possible scenarios:
- There's a market for bulk buyers of encrypted data for "store now, decrypt later" attacks
- You also sniff and share keys for decryption
- You store and share unencrypted content before it gets through Vodozemac
Needless to say, hypotheses 2 and 3 would be huge stains of your reputation - enough to jeopardize any claims of being a "secure and private client".
-
