When I said that your discord clone doesn’t need e2ee, I got a lot of comments along the lines of “then how would I use it to organize the revolution!” The answer is: you don’t. If you have more users than can comfortably share a Signal chat and hence want to use discord or something like it, you cannot POSSIBLY be vetting all of them to a high standard of trust. Your logs ARE leaking. End-to-end encryption between more people than can fit around a dinner table is pointless.
This article confirms what I already assumed, that “open source [information sense, not code sense] intelligence gathering on social media” includes, for the US government, asking for links to join groups that may *feel* private. My own discord has literally like a thousand idlers. It would be very *lucky* if none of them were logging for potentially nefarious purposes! And I remind the active users of this occasionally.
Exclusive: ICE Masks Up in More Ways Than One
Feds could be in your group chat
(www.kenklippenstein.com)
@0xabad1dea I do think there's a point to E2EE that isn't about trying to thwart nation state adversaries. honestly you should probably not talk about your illegal actions on Signal either.
-
@volkris ... social media already is the world's largest and most-used web of trust though?? we just call it the follow graph
I personally don't see how getting more cryptography involved would help anything except making it sound more like a 90s cyberpunk novel. In all seriousness, what exactly are you envisioning here?
-
@5225225 @0xabad1dea matrix tried (and still tries) to make e2ee group chats work but either the problem is significantly harder than people imagine, their developers are incompetent, or both. because it is still a pain with hundreds of people, and a disaster with thousands. SSL/TLS works so well because the clients don’t generally need to auth themselves from the server point of view
i suspect the problems with matrix as opposed to signal (signal group chats do work, subject to their scaling factors) is a fair few factors
wasn't designed as an encrypted tool by default, so features aren't gated on "how does this work in an encrypted room?"
linear, consistent history. you will always see every message (assuming the signal servers aren't fucking with you) in a consistent order, there's no disagreement over message ordering, or discovering messages that are backdated.
there is one client implementation and one server implementation. there's no room for "oops a third party client/server made a bug that broke e2ee" since that doesn't exist.
-
@0xabad1dea but yeah anything that for all practical purposes is basically open to the public anyway doesn't need encryption. I just don't know that that contains all likely use cases.
though I do see the risk of encryption giving folks a false sense of security.
example: we're in a signal group with several hundred local folks where people share about events, ask recommendations for doctors and the like. at that point the encryption is basically pointless. this is just the chat app everyone happens to have.
-
@elexia my conversations with my mother-in-law about dogs, horses and babies are e2ee. because e2ee with one other party that a rando couldn't successfully impersonate long-term to you is a pretty solved problem.
many-to-many e2ee does not work. it simply, absolutely does not work, in either a technical or social sense, and accomplishes nothing while introducing significant problems.
-
@0xabad1dea yeah the thing is just, people use discord for (relatively) small groups too. some of those would honestly be fine as a signal group (had one of those before), but for some having something with a bit more functionality would be good and your threat model there probably isn't being targeted by a nation state adversary, but surveillance dragnets and not wanting everything to sit in plaintext on a server in case someone who shouldn't gains access.
-
@0xabad1dea everyone needs to read Little Brother from @pluralistic to see battles with a surveillance state
-
@0xabad1dea to be honest, i disagree, not because it's safe to fedpost in a chat of hundreds of users, but because it makes e2ee itself less suspicious, and more noisy to infiltrate
yes, a fed can lurk in a large member count e2ee chat, but that still involves the effort to join, and possibly even talk sometimes when spoken to. and they'll absolutely not be in every chat.
as opposed to "hey discord let us run `grep` across your message database"
like, we're at the point for the web where every website [maintained] is encrypted, even if it would be fine for most to be plaintext. (and we got to that point by making TLS pretty much free)
e2ee is only really considered optional/a misfeature in some cases because it's not free, but it should be.
From what I've seen, org based chats (discord, slack, Zulip, etc where you join a server/organization/community that has channels in it that you can join and leave at will) are a lot more complicated to get E2EE working right on than group based ones (like signal where you just join a group) and solve a different problem.
Getting to "E2EE is normal" can be easily done with just the groups. I'm already in 7 signal groups that are just for talking about parenting toddlers.
-
@ratsnakegames no but this is mastodon so no-one’s sure what other social activities exist
@0xabad1dea @ratsnakegames I don't understand. Are you saying mastodon users are particularly unaware of the existence of Tor, Reticulum, meshtastic, briar, secure scuttlebutt, signal, jitsi, ...
Reading, fishing, mountain biking, horseshoeing, needlework, 3d printing, manifesto writing, martial arts, yoga, karaoke....
Than the people who frequent other places like X or whatnot?
Interesting take if so

-
@crazyeddie @0xabad1dea Generally, yeah, a little bit.
The Fediverse is still by-and-large a place where people REALLY into privacy, F/LOSS, and digital sovereignty come together; I remember a post from someone who tried to get into Lemmy as a Reddit replacement, and lamented the fact that every thread would consistently end up talking about Linux or politics. This is a platform where many don’t realize that their opinions and interests are highly rare IRL.
-
@seliaste ma’am it’s a lot more efficient to block me yourself than to ask me to block you for you
@0xabad1dea I'm mostly saying this for the others reading this exchange and showing support to the one who was sharing an interesting counterargument, which you completely brushed aside and then proceeded to make an unrelated joke that's not even a thing in signal. I really didn't expect to see that kind of behaviour around here.
-
@0xabad1dea @elexia I don't know if you're really understanding what E2EE is giving you.
With E2EE that actually does what it says, the logs of your group chats that the hosting provider keeps can't expose what you said to each other. If you become interesting enough to go try to join they can't just go ask your provider for their logs to see what you've already said before they got in. They actually have to go infiltrate your group.
-
@0xabad1dea it's a very well-made point
-
@0xabad1dea @elexia "many-to-many e2ee does not work." - it's a highly valid insight. It's a notoriously hard problem to solve perfectly, for all use cases and scenarios. There have been several valiant attempts in the #OpenSource world, but some sort of technical problem or other seems to keep "bursting out the seams". The devil keeps being in the details.
-
@0xabad1dea of course you can argue about whether those different use cases are best handled by the same software
-
@0xabad1dea Reminds me that I sometimes wonder who created this idea that we should encrypt everything, because as more and more time passes it more feels like a way to make people feel safer than they are, and weaken protocols.
If not entirely make things actually unsafe for people if it ends up with verifiable signatures which can't end up plausibly deniable (one reason why I have rotation on my dkim keys).
@lanodan @0xabad1dea Because the idea that you can solidify insecure protocols by eliminating the steps you use to secure them externally turns out to be lunacy that doesn't even begin to work.
These keys you make for these purposes can be generated on the fly on your computer without any involvement by others. There's no reason to post things to the same handle in a validated manner if you can just invent new handles on the fly. No more trying "anonymous-douch-317" and finding that taken.
-
@moshimotsu @0xabad1dea So someone shows up and is annoyed that people are talking about unfamiliar topics that go outside of their little box and so they bitch about it and you side with THEM???
While I don't know...I rather appreciate the fact that my really rare hobbies are actually shared by others here and I get to talk about them without people telling me they're stupid and boring and why don't I talk about real wives or what some douchebag streamer said.
-
@0xabad1dea I think that e2ee is good in a group chat (like what discord has where it's limited to 10 people) or for direct messages.
For large group chats on the other hand: I have no idea how you would even get it to scale well.
-
@0xabad1dea More important is that the service is anonymous, it shouldn't put your phone number in a database with your contacts.
-
@0xabad1dea I guess the memes of the feds watching us aren’t too far off after all