this post was submitted on 11 Nov 2024
33 points (97.1% liked)
Ask Lemmygrad
829 readers
42 users here now
A place to ask questions of Lemmygrad's best and brightest
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I aspire to do something like this someday.
It is better than other alternatives, and for the sake that it is more widely adopted and familiar with many people, I would have to agree.
Same and I agree.
Yeah if XMPP were to be adopted in an organization, I would have the accepted clients/servers limited to the most established ones in regards to security and compatibility.
Same with a forum. To answer one of OP's questions, self-hosting forums or chat services would be ideal as long as someone trained in security can keep on top of keeping the server and each of the clients secure. For an ML organization, this is a big cost, so an application like Signal is usually sufficient for most cases in regards to organizing while minimizing the costs and efforts that could have been used for more important matters. Nevertheless, I believe Matrix could be a good alternative as it exists right now.
Radios could be risky, too, especially if not encrypted, though Hamas seems to be handling radio communications effectively. I just mean it would be good for comrades to begin studying effective opsec practices and countering increasing levels of surveillance with high and low tech, progressively moving towards the latter as things get worse.
I just remembered reading something critical about Matrix so I went and dug it up:
https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
It's worth reading all the way through, even if you (like me) have to skim over the math. There's even a link in there discussing XMPP+OMEMO.
Damn techbros. So frustrating to see critical issues not being fixed due to arrogance, ignorance, negligence, and/or laziness. I wish developers would be more meticulous, especially with projects where security is critical. Then again, if the open source projects received more funding to hire more devs to focus on these security holes, these projects would probably be much better. But it seems to be a common theme that pointing out critical security issue in a project full of evangelists will return a twitter-slop, boomer meme response. Techbros are deeply unserious, and sadly they work on very important projects.
Very interesting read. I feel better about the use of Signal now as Matrix and XMPP appear to be much worse and poorly managed. I do want Matrix to improve since it can be self-hosted, but I believe a fork and a dedicated team, one which is willing to fix deprecated libraries that most clients use, would be necessary. The work has already been laid out since the blog author has already made good suggestions to fix each issue.
I'm glad I chose profanity to use for XMPP and prefer to use pgp encryption, but that doesn't solve the issue when the majority of clients do not. Encryption needs to be baked into a protocol by default, otherwise the least common demoninator which has poor opsec endangers everyone else, let alone the fact that even the best cybersecurity professionals struggle to be secure and private in today's world of surveillance.
I really should study cryptography and cybersecurity.
Yeah, it's kind of a bummer to realize how poor a state those alternatives are in. As much as I like/use/recommend Signal, I do think we need alternatives (even if it was perfect). In a comment in one of those blog posts, the author mentions Ricochet [Refresh] which is a TOR messenger. That looks interesting, but it is desktop-only.
As far as teaching others, something I've learned is that (especially with tech) you always know more than someone. Certainly when it comes to security there's an added weight of responsibility to give accurate information, and you'll want to give the usual caveats.
Define your goals. Define the threat model(s). Research the tools appropriate for the above use cases. Translate your findings into "layman's terms". Make a zine or slideshow or whatever. Practice it and present it! Leave time for questions, and then plan further lessons if people want to get deeper.
Last but maybe most importantly: find a comrade or two to help with all of this! The research, "sanity check", the presentation, the q&a...
I appreciate the advice. Thank you. :)