• 0 Post
  • 59 Comment
Joined 4M ago
Cake day: Jun 28, 2021


I’m personally a fan of systemd, but Devuan is a great example of the benefits of open source - they didn’t like the direction a project was moving in and they decided to do something about it. Can’t do that with iOS, macOS, or Windows. If the shit ever hits the fan with any of those operating systems, you’re stuck with it. It’s why I always try to use open source alternatives.


If you don’t trust it, host your own. Zero trust involved. I’ve used searx.be and it’s been pretty reliable for at least a year now.


Lemmy should reach 100k users when another 82,329 people join.


For anyone interested, there’s also gopass: https://www.gopass.pw/ - pass written in Go, with some pretty neat improvements, and compatibility with apps that interface with pass.


Another thing to point out is that he states how the Linux kernel has hundreds of vulnerabilities found compared to other OSes. Well yeah, Linux is open source and literally any researcher/security expert can read the code to find bugs. Good luck trying to do the same with Windows or macOS.

Lastly, most Linux distros are “complete” in the sense that you generally (or at least for the majority) don’t have to install much software outside of what’s already in your distribution’s repos; you’re not having to google/download sketchy apps, so this threat model of rogue apps trying to hack/steal your data is minimal, if not non-existent.

The real problem is those systems (Windows, MacOS, iOS, Android) all have an app store where a ton of developers are trying to make money off of you in any way possible by stealing your data/invading your privacy, so they had to build a permission system because you can’t trust those random people. You can generally trust your Linux distro to not package malware and can safely install any app that’s available.

Edit: I should add, it’s still a good writeup. I think he makes some good points and it would be great to see Linux improve in some areas, even if the problem doesn’t really exist as much as it does for the more commercially backed operating systems.


If you’re using Debian/Ubuntu to autostart Syncthing you just run the following lines in a terminal, which are in the doc you posted:

systemctl enable syncthing@myuser.service

systemctl start syncthing@myuser.service

Not sure what’s difficult about that, or any different than the options available on other operating systems. It may be confusing to someone who’s new, but it would be just as confusing for someone who’s new to MacOS.

How would you autostart an app on Mac? Are you familiar with creating a launchagent and how confusing that is for apps that don’t enable autostart by default [0]?

Same issue on Windows - computers are not immediately intuitive, which is why documents/manuals are created. One must familiarize themselves with the system they intend to “own” otherwise be lost and confused when something happens.

[0] https://medium.com/swlh/how-to-use-launchd-to-run-services-in-macos-b972ed1e352


But is briar a single, centralized US hosted service?

No. But Briar runs over the Tor network, another project funded by the OTF [0]. Side note, the Tor Project has received $3 million USD from the OTF/CIA, can you trust it when a researcher was able to identify Tor users 100% of the time in a lab experiment and 81% of the time in real-world tests [1][2]?

Does it require you, like Signal, to give it info that links to your real identity?

Signal never touted anonymity, only privacy. You need to understand your threat model to make an informed decision. Also, if a single researcher was able to de-anonymize Tor users 80% of the time in real life, what chance do you have with a more powerful nation-state, unlimited funds, and ownership of various exit nodes?

Did it close its server source code off for a year?

“Never attribute to malice that which is adequately explained by stupidity” - in this case, we can replace stupidity with a million things that have nothing to do with compromising your privacy, the client is still completely E2EE, open source and has reproducible builds.

Is it possible to download it from F-Droid so you can verify its builds are secure?

You can download the app directly from Signal [3] or even build it yourself [4] to verify the build in the Play Store matches the code on GitHub.

Does it depend on google or amazon?

If you’re using an Android phone, you’re likely already depending on Google, although you can still run it on a de-google’d phone. I’m using Signal on a Pixel with stock Android and a OnePlus without any ties to Google using LineageOS, it works great on both phones! It does run on Amazon infrastructure, but again, we’ve seen Tor is not guaranteeing anyone anonymity anyways.

Does it bundle in a cryptocurrency?

How is this a negative? Some people want this and if you don’t want it, don’t use it.

Is it possible to verify what the server is running?

The server is basically plumbing/a router. The bulk of the Signal “magic” happens in the E2EE app. Can you verify that your Briar messages aren’t hopping through government run Tor bridges/relays/exit nodes?

[0] https://www.opentech.fund/results/supported-projects/tor-project/

[1] https://www.vice.com/en/article/4x3qnj/how-the-nsa-or-anyone-else-can-crack-tors-anonymity

[2] PDF warning: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf

[3] https://signal.org/android/apk/

[4] https://signal.org/blog/reproducible-android/

EDIT: I do want to add - I’m 100% pro-Briar. It’s really easy to attempt to discredit something if you don’t understand a threat model, link legit sources, and speak to real flaws, nothing is 100% secure. That said, in today’s climate, message privacy is something that Signal can provide with very few compromises in usability.

I’ll say it again, I want Briar to succeed and everything I’ve posted above is just a “devil’s advocate” stance to point out that Signal is, today, just as good if not better than most options out there.


Don’t use Briar.

Briar [0] gets funded by the OTF [1]. If you’re unfamiliar with the OTF, they’re publicly listed as a subsidiary of Radio Free Asia, a US state-run organization whose main goal (along with the other “Radio Free” incarnations such as Radio Free Europe, or Free Cuba Radio) is regime change for those Asian governments who don’t align with the US’s foreign policy interests.

The Radio Free agencies underwent a public re-branding in the early 1990s, but they are in effect the same CIA misinformation organizations from the 1950s:

Radio Free Asia began broadcasting to mainland China in 1951 from an elaborate set of transmitters in Manila. It was an arm of the Committee for Free Asia, and the C.I.A. thought of it as the beginning of an operation in the Far East that would rival Radio Free Europe and Radio Liberty.

It was only after Radio Free Asia’s transmitters were operating, according to sources familiar with the case, that the C.I.A. realized that there were almost no radio receivers in private hands in mainland China. An emergency plan was drawn up. Balloons, holding small radios tuned to Radio Free Asia’s frequency, were lofted toward the mainland from the island of Taiwan, where the Chinese Nationalists had fled after the Communist takeover of the mainland in 1949. The plan was abandoned when the balloons were blown back to Taiwan across the Formosa Strait.

What Allen Weinstein, one of the founders of the National Endowment for Democracy (NED), another US “human rights” regime change org said of his organization applies equally to the Open Technology fund: “A lot of what we do today was done covertly 25 years ago by the CIA.”

The fund is designated to: “support open technologies and communities that increase free expression, circumvent censorship, and obstruct repressive surveillance as a way to promote human rights and open societies.”

One should question the commitment of a fund that dedicates itself to “obstructing surveillance”, while being created by a government who runs the most expansive surveillance system in world history. And how the US might define the terms “human rights”, and “open society” differently from those who know the US’s history in those areas.

[0] https://briarproject.org/

[1] https://www.opentech.fund/results/supported-projects/briar/

[2] https://dessalines.github.io/essays/why_not_signal.html#cia-funding

/s

Just a light jab, no harm intended.

All kidding aside, Briar is a great option, but so is Signal.

Signal enforces E2EE, is open source, has reproducible[3] builds (you can trust the app is what’s in public code), and best of all, because it is the gold standard of modern secure messaging apps, is under the scrutiny of many security experts. Finally, Signal has undergone various security audits [4] which they make public.

The reality of the situation is that if you’re a person of significant interest, someone with enough power can theoretically compromise you. The only way around it is to go completely open source hardware AND software, read every line of code, understand it, and compile everything yourself.

I will say, while I’m a staunch supporter of Signal, Briar is what I’m keeping my eyes on for the future. It still needs to reach feature parity with most modern apps, and make it stupid easy to connect with people who are already in your contacts (I’m not going to ask my grandma to install Briar), but the tech behind it is pretty great [5] and only getting better.

[3] Only for Android.

[4] https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243

[5] https://briarproject.org/how-it-works/



That simply means that development isn’t out in the open

Correct. FOSS doesn’t mean they have to develop it out in the open, only that they have to release the code for everyone else’s benefit.

Why would you not push branches and do code reviews out in the open for an ostensibly open source project

Because open source simply means the code is available. You’re not forced to interact with anyone else just because something is open source.


This is FUD that some people keep on spreading. You can build your own client https://signal.org/blog/reproducible-android/

There’s even these 3rd party clients that have existed for some time now and haven’t been blocked:


Let’s look at how they’ve behaved when forced to comply with the law - https://signal.org/bigbrother/central-california-grand-jury/

You’ll see that the only info they can provide is:

  • The day you signed up
  • The last day one of your clients pinged their servers (this is needed to purge abandoned clients)

So what their ToS means is pretty much that they will operate within the realm of reality. Who out there IS providing a warranty of security/safety? And if they fail to ensure your safety/security, how do you go about “redeeming” your warranty? I think you’re reading too much into it.


It’s at the right price-point for me. Does exactly what I want, what more can I ask for?


I see it more like a jaded Buzz Aldrin constantly getting hounded by people claiming he never went to the moon. Would you waste any more time after the 100th time someone accused you of something you know 100% to be untrue?


How do you feel about Marlinspike’s ruthlessly banning all third party clients?

False.

There are a few 3rd party clients. They all identify themselves to the server that they’re 3rd party clients and they haven’t been banned.


From the article:

due at least in part to rising supply chain costs due to the global chip shortage

I don’t blame them. I worked in a similar industry affected by corona/supply shortage - and it’s likely going to last well into mid-2022, if not longer, before production lines catch up to meet demand. This is impacting the small players the most unfortunately, the big players will survive but a lot of small companies don’t have the safety nets to survive, I wish them the best and that they can ship my phone out someday haha.


I’m going to disagree again.

I know how easy it is to type “git push”. I’ve worked where we had 200+ things that were that “simple” but just weren’t prioritized because of our small team. Also had to do thorough code reviews before we synced to our public repo. There’s a hundred non-malicious reasons they delayed - including that they didn’t yet want to make the monero stuff public yet. It’s not uncommon to keep things from the public until they’re ready, in case you decide to scrap the project and remove it last minute before you sync to your public repo and have people question something that is no longer valid/important. I guess I try to look at it from a more human perspective than immediately trying to tarnish people’s intentions.


I think the difference is it’s not a federated platform so not many people really care about access to the server-side code. If I was hosting a lemmy instance I would obviously be frustrated if you withheld from all other instance admins as you’d be putting us at a disadvantage. Signal doesn’t allow federation so the consequences aren’t the same.

and then they finally relented

You’re embellishing the story for added emotional value. What if instead you wrote, “users were angry, the Signal devs were busy, but eventually got around to publishing the latest code”. You weren’t there so you can’t say that they didn’t want to - or had the time to - publish the server code. You’re implying malice when it doesn’t have to be. Why? Maybe it was on their backlog and it was a task that nobody ever got around to? I dunno, I’ve been in situations like that before and it just sucks to hear people implying the Signal devs are doing shady things when it may simply be that they’re human and not perfect. I’ve had times where our dev team was accused of being “lax” when we’re all running at 110% but just can’t get to that one thing that a small handful of people really want and are very vocal about.


the server code being not federated means you effectively can’t (or won’t) self host.

Agreed. I hope they change their minds on this, although I’m not holding my breath.

Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

Agree. The devs have stated that this is coming this year. We’ll see if they can roll it out before the year ends.

Yeah, they let it get out of sync for a while

Why, though?

Honestly, don’t know and don’t care. I suspect because they didn’t want to yet make public their crypto stuff, but I’m not going to assume malice here without evidence.

Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.

WhatsApp also lets you pay - although I believe it’s only in India. Telegram also attempted to include crypto. Why wouldn’t we want a private way to pay instead of letting Facebook/Google/etc. take over? I fully support them making sending money easier and more private.

I’d agree if you’d add “one of” between “currently” and “the”.

I’ll agree that it’s “one of” the best. Which one would you throw in your top 3?


I go over the untrustworthy history of signal’s founders

The OTF also funds the following: Briar, Tor, Wireguard, Delta Chat, Bind9, CGIProxy, CertBot, K-9 Mail, Tails, NoScript, QubesOS, The Guardian Project

You going to say that Briar is a good alternative despite receiving funding from the CIA just like Signal? How about QubesOS or NoScript. Are they also no longer trustworthy because they’re funded by the OTF?