I use the apps my friends use but it gets tiring to keep up with so many.
Spoken like a real android user. All my iPhone friends (and especially family) refuse to download any other app, they just complain that I physically can’t download iChat.
As an iPhone user, iChat is mid. I think it’s only in the Us that it is widely used.
Embrace the beauty of Signal now
Meanwhile Matrix was built & funded by Israeli Intelligence (to which I’m sure there are anonymous donors today). It’s expensive replication model means only those with the deepest of pockets can run a server leading many to flock to the mother instance of Matrix.org centralizing, replicating the data to a single node (being decentralized in theory, not so much is practice). It’s funny to see them call out Signal, but luckily there are private, free alternatives to both.
Huh, would it be possible to provide a source? I might be bad at searching, I’m not finding anything…
EDIT: Ok I found one with some search operators. I can provide links, most were less trustworthy, I’d reserve judgement.
- An organization which was initially responsible for Matrix, AMDOCS, is allegedly (I say allegedly since I didn’t confirm it to a reasonable extent) an organization based in Israel which appears to have products related to surveillance
- By association, Matrix is tainted, perhaps it has sophisticated backdoors along with the other myriad of issues mentioned by other commenters
To give an alternative explanation with plausible hypotheses
- An organization linked to intelligence surveillance, created and discarded software, which occurs with most software, and I would imagine occurs with software developed at an organization linked with surveillance as well (if it’s publicly funded, i.e. by a government, I’d lean into this)
- Though suspect in origin, the amount of time the software has been independent, and with its open codebase, means any backdoors or other nefarious artifacts can be reasonably said not to exist
- An organization linked to an intelligence agency would perhaps be the one to expect to have a secure messaging platform, one could imagine said organization would develop a solution in-house as even with software audits, they may not be certain of any external software which may itself be compromised by an antagonist or have vulnerabilities which they could not control
Some food for thought. I’m not one to jump to conclusions, I think claims require proportional evidence, and obviously my judgement isn’t the same as a security researcher or clandestine operator, so settling on what ‘appears’ to be true without proper investigation isn’t something I do.
Thanks for the info though!!
I don’t have time to respond to everything, so I’ll just respond to the first one- which is that it’s tankie copium. I don’t deny the Signal Foundation might be taking money from government groups- I believe it is. But looking at the groups its pretty clear what it is, Radio Free Asia, as in the Asia branch of Radio Free Europe. Aka, their goal is to make people living in US adversaries rebel. The US does not censor private communication, it would be very quickly found out if I sent a text to my friend and they couldn’t receive it, or I was sent to jail for the content of that speech.(That’s not to say its not spied on though.) However, in many(most?) US adversaries there is active censorship of opposition communication, the US generally(although not always) supports the opposition by nature of them being the opposition- this is why(if you believe the narrative that everything is a cabal of the powerful) US tech companies supported the Arab Spring. This is why Radio Free Europe broadcast in support of Dubček and the Prague Spring, why they also supported the 1956 Hungarian Revolution. All that is just to say the US can follow the narrative of being 100% power seeking while still supporting open communication platforms. (After all, the US government also either directly created or contributed to SHA-2, Tor, and Ghidra too) And, Signal is open source, read the code and network traffic yourself, they won’t remove encryption for US allies.
That doesn’t mean they’re immune to criticism, they may be able to explain it, but I personally probably wouldn’t donate to an organization that has the money to pay part time developers $450,000 according to their Form 990, but its not my money so not my place to judge how its spent.
I think most of your criticism makes sense.
The part about “not reading private messages” I think is mistaken, or rather, maybe amiss. I mean I don’t have evidence, so this is all conjecture. The sophistication of data surveillance and data gathering makes the content of the message rather meaningless in my view.
EDIT: Oh, I don’t think any adversaries of US, even if working together, make any meaningful threat towards it. It’s really hard to imagine, esp. considering the US has a bunch of successful coups & stuff under their belt.
I wasn’t saying the US doesn’t spy on private messages, I was saying Signal is open source so it would be hard to hide a back door. So I don’t see how any other E2E encrypted messages could be more secret then Signal. I guess obfuscating the messaging servers.
The sophistication of data surveillance and data gathering makes the content of the message rather meaningless in my view.
That’s a fair point but I don’t know if there’s any other good solution to that.
yeah i’m rethinking some stuff too, even in some utopia i think some information related to me might make life inconvenient, so the best way to protect that (e.g. not disclosing it digitally) maybe needs outta the box solutions.
related, does anyone even bother to look at physical mail for stuff? like if i put a cipher in a letter with no return address, using that pen ink that you can erase (which comes back if you put it in a freezer) and only i and my contact have the key to the cipher which we exchanged in-person; could anyone reasonably know it?
it seems digital stuff might be a carrot for surveillance people, maybe it can be made into a honeypot and physical or analog means can make a return.
I think finding novel ways to communicate with a specific person and not be monitored is easy. The difficulty is opening a new line of communication on an already monitored one, communicating to new people, and one of those new people not blabbing.
After all, if you play on a private Minecraft server and spell out text with dirt blocks, I don’t think anyone’s going to bother writing code to analyze your Minecraft network traffic.
Kind of ironic considering that with Matrix…
- Forward secrecy is kinda hosed
- they store metadata permanently on their servers by design
- A ton of stuff that would otherwise be invisible and signal is visible in your Matrix homeserver, including permanent history of all group membership
- Your data does not belong to you, and that’s how the server is built to treat it, e.g.
- GDPR deletion is nonexistent (it won’t delete your username or your messages, making it less effective than on Discord, let alone Signal)
… Etc.
Ironically, older federated messaging systems like XMPP might be better by coincidence. Message archiving was an optional addition and some servers, such as the popular Riseup one, do not implement it.
Yeah, fair. It can’t delete your messages to the extent a centralized system, and that’s an indication of the lack of centralized control? It’s a different threat model I think many find satisfying (though perhaps not most).
All those points are about how one server communicates with itself. Federation doesn’t factor into it
huh, yeah that’s fair i did not actually notice that :/
deleted by creator
Remember E-Mail, everyone?
Beeper!
And other countries don’t understand why US users stick to txt/mms… Its convenient and built into the phone so everyone has it.
Everybody’s got email. Just saying.
Everyone can read your emails, just saying.
Maybe they can but I never do
GPG S/MIME are still a thing…
Well, I run my own email service.
Np, they read your mails on the destination, anyway.
S/MIME says otherwise.
I work on email systems everyday.
Please don’t let this protocol survive.
Forget emails that is functionally a terrible communication tool.
You never know if it will be received by the recipient. There is always false positive false negative classification in spam.
SMTP is an outdated protocol that needs to die.
It sounds like your problem is with the way providers handle email and not email itself. Email is actually a really nice protocol. It’s got so much fault tolerance built into it. I could take my servers down for 24 hours, and none of my customers would miss an email.
Yes, there is definitely a spam problem, but overzealous spam filters are not the fault of email, they are the fault of email providers.
As much as I hate Gmail, at least they are pushing for everyone being required to use SPF and DKIM. That alone will eliminate a huge portion of the spam problem.
Also, email isn’t the only protocol with a spam problem. I get so many spam messages on SMS, Facebook (back when I used it), Telegram, etc. Basically anything that allows someone to send a message without two-party consent first (like scanning each other’s QR codes) is going to have a spam problem if it’s popular enough.
It sounds like your problem is with the way providers handle email and not email itself.
No. Providers handle mail this way because they have no choice to do so.
You are stuck between two major Issues.
On one hand you can have your anti-spam very lenient and receive pretty much everything. But if you do you will get more phishing and malware ridden mails. So the users will be exposed to one of the most dangerous vector of infection.
On the other hand you can have a super aggressive spam filter but some mail will be dropped. Whether an email notifications or the contract of the year for a business. It’s no matter. It might never be delivered.
And since we have to block millions of spam mail everyday we have to block them silently because if you respond to certain malicious SMTP server online they will just spam you.
In reality businesses are used to email so that’s what is commonly used.
But it’s far too unreliable to communicate with clients of that business. You can’t just have an important contract sent as an attachment by mail with some chance that it will be silently dropped at some point.
The simple fact that you can send an information to someone by email and it might be silently dropped without you ever being aware of it should IMO have led to the conclusion that it should never be used for anything remotely critical.
If it’s important it shouldn’t be an email. The reality is millions of dollars worth of business conducted solely through email conversations. And also a very lucrative business of spam.
Even businesses are often spammers or as they may call it “gray mail”.
No email providers will guarantee you a 0% fault spam filtering.
Not Gmail either.
As much as I hate Gmail, at least they are pushing for everyone being required to use SPF and DKIM. That alone will eliminate a huge portion of the spam problem.
It’s a good thing Gmail does that but it helps only their users right now (since February’s changes). If your business communicates with thousands of small domains on small providers it will take another decade for every SMTP server to fix their s***. And even then there will still be spam.
What’s the difference between a spammer going through all the hoops of creating a mail domain and a new business ?
Not much. Both mynewlegitEmailDomain.com and SpammerWho UnderstandsDNS.com are essentially the same for a spam filter.
They both would have “legit DNS records” but would both have trouble sending mail to Gmail at first.
Because Gmail cannot know if you are a spammer that setup a new disposable domain or a serious actor in email that just wants to communicate with you.
Truthfully Email is a terrible protocol that cannot be fixed with yet another layer of duct tape. You will never have any guarantee your mail is delivered. There is plenty of communication systems that’s will tell you it’s delivered or not.
Again, your problem is with the way providers handle email. It would be perfectly possible to deny email that’s flagged as spam, then the sender would get a bounce notification. “Dropping them silently” (which actually means accepting them and delivering them to a spam folder in this context) is a choice that providers make. It’s already general practice to deny email from an IP address that’s been blocklisted.
Also, spammers aren’t going to spend the money to buy and set up domains if each one is blocklisted before it makes a profit. My own email service will mark something as spam if it fails FCrDNS, SPF, and DKIM. Gmail went one step further and doesn’t even consider FCrDNS.
And again, any communication method will have a spam problem if it is popular enough and it allows non-two party consent messaging. Email’s popularity is the reason it has a spam problem, not its protocol design. And any distributed system cannot guarantee delivery. If my server tells your server it’s delivered, you just have to trust it, no matter what protocol you’re using.
By dropping silently I meant really litteraly. If you answer to SMTP commands, you are not silent. You essentially say a spammer server that you are a valid target and that they can go on.
It’s not even a question if spammer buy domains to spam. It’s well known and the reason why commercial products provides a feature to filter too fresh domains.
There are procedures to “warm-up” an IP if you are a large provider and if you don’t do it and attempt to send a lot of mails to Gmail this will not work. It’s not just about DNS records. You could have donne everything perfectly DNS wise and still be blocked by Gmail servers.
You should take a look at the requirements of Gmail for large providers. As far as I recall Gmail does check FcrDNS since last month. On top of more requirements for authentication.
Still you can’t just buy an IP, a server, set MX, SPF, DKIM, DMARC, ARC?, FcrDNS and expect large amounts of mail to go through right away.
And again, any communication method will have a spam problem
The major issue here is that anybody can send any email to whoever. Most communication apps won’t let you do that certainly not like emails.
You can’t open WhatsApp and start spamming the whole world. You basically can only do that with phone calls and emails ?
So no, SMTP/IMF has rotten foundations. No matter how many (optional) protocol you add on top, it will always be such an hassle to maintain and there will be always people who can’t afford that much effort.
Small businesses having to set that up just to reach Gmail is a big problem that they usually externalize with Outlook365 and so on.
Again, Gmail calls the shots because they are the leader. But on paper my fully unauthenticated mail from Barack.obama is perfectly RFC compliant and legit. These protocols that are essential are optional at the end of the day. They became virtually mandatory because of the spam issue and Gmail pushing in the (right) direction because they have leverage.
SMTP on its own is trash.
I don’t see your issue with dropping a connection before issuing any SMTP commands. Your problem is with not being able to determine delivery status, right? If your server never even gets to send the message, then you know with 100% certainty that the message wasn’t delivered. And if it’s denied, you know with near certainty that it wasn’t delivered. (I don’t know of any servers that will issue a hard deny after receiving the message and then still deliver it, but that’s technically possible.)
I have read Gmail’s requirements, and I’m familiar with IP reputation. I didn’t mean that they don’t check FCrDNS, I meant that only having that is not enough. They now require both SPF and DKIM. Whereas my service will still accept your messages and not automatically mark them as spam if you only pass FCrDNS.
Generally if you’re getting your emails denied right off the bat, it’s because your IP or the block your IP comes from already has a bad reputation (basically any IP a cloud provider will give you). But yeah, you don’t want to spin up a server on a brand new IP and start firing off 10,000 emails a day, just like you said you don’t want to fire off 10,000 messages a day on WhatsApp. That’s a bad idea for any platform.
WhatsApp is not distributed, nor is it an open protocol, so that’s right out. It will never be the standard.
Gmail only calls the shots for Gmail users. If you never interact with Gmail users, you don’t have to obey any of their requirements. Like imagine a system that you’ve set up to receive notification emails from your own servers. You don’t have to obey anyone’s rules.
Your spoof mail may be perfectly valid for the base ESMTP spec, but there is not one single email provider on the planet that only considers that spec. Email isn’t just one spec. It’s a system that’s made of many specs and common practices, some required, some de facto required, and some optional.
A chat app for every friend and a launcher for every game. We live in a utopia.
After posting I realized an exported PNG is the same size and looks much better. Enjoy.
You should be able to change the image after posting I think
Interesting. I found the option but despite editing the post and uploading the higher quality image, nothing seems to have changed.
Fuck, I actually do have all of them.
I have 2 more :(
Add SimpleX and Conversations-i2p
Yep SimpleX works great. Although every time I read the name I think of herpes.
Hahaha, SimpleX on Android is fine, the Desktop client is kinda incompatible with anything (no flatpak, the ubuntu version is kinda broken, no repo, their sync requires a random firewall port to be open)
Interesting. For my desktop, I just installed a binary from the AUR and it works wonderfully.
Yeah I avoid installing stuff to my system but I looked into RPM .spec files and that should be possible too. Flatpak would be the way to go though.
Personally, I do the opposite. I try to avoid flatpaks and the like. And the AUR enables that really well
Welcome to security I guess
Security is a compromise between convenience and safety.
However, simply using flatpaks isn’t inherently more secure than using a binary or compiling from source. But it can make it easier to be secure for people that don’t want to manage their own sandboxes.
It’s also easier for devs so they only have to make one version of their app which in theory should work on all systems. But in practice I find it doesn’t always work that way
deleted by creator
Thanks apple!
Guessing you weren’t around when MSN, AIM, IRC, ICQ, Yahoo! Messages and Skype were at the height of their popularity.
I was, and I ignored all of them, and I texted everyone with sms. No problems back then because standards, unlike now.
What is the middle one?
Element.io apparently. I’ve never heard of it before
Element. It’s a popular client for Matrix, which is a federated messaging platform (similar to lemmy and mastodon) with different instances.
Which funnily enough, has bridges to Signal, Whatsapp, Discord, Telegram and some more, meaning you wouldn’t have to have as many other clients installed to chat with contacts on those platforms
Although official tg bridges are meh: they have trouble with sending/receiving pics and loose messages from time to time. Plus those work for chats only (AFAIK)
I remember looking into that a while ago, but it’s not like I can just instantly hook up my WhatsApp or Telegram account into that, right? I’d need a server to act as a bridge.
And I wouldn’t be so keen on giving that kind of access to a random server.
Yes your Matrix homeserver does have to run the bridges. So I agree with you - you have to somewhat trust the admins of your Homeserver, or host your own homeserver and bridges. But I understand that the latter is not for everyone.
Is it cross platform with other major messagers?
Not directly no… But there are bridges you can implement (or use on servers that already have it implemented) to connect to those other services.
Give Beeper a try! It consolidates all the listed apps into one texting app.
Seconded. Good support team too
Beeper is just paying someone else to maintain Matrix bridges for you.
And that’s a bad thing ?
Yes… because you have to trust that person/company. Which you implicitly should not… especially since they’re already shown themselves to be untrustworthy in their previous endeavors.
Beeper is great
Tried it, its bloated and battery hungry. It isn’t also clear how beeper saves and uses/handles your messages.
People really need to consider the pedigree of the guy who created this company and how willing he is to walk away from a company when it becomes unprofitable. Eric Migicovsky sold Pebble when it became unprofitable, promised that people would still have their jobs as devs, and at the last minute, the sale didn’t include their jobs, so everyone was left fucked out of luck and with no job. Also, the fact that he has zero long term plans for how to keep fighting Apple for iMessage access after he used a teenagers reverse-engineered code to make a standalone Beeper iMessage app which Apple promptly broke after only days. If that’s as far ahead as he was able to “plan” in regards to that, it speaks to his weakness on having a long-term business plan. Lack of realistic long-term business plan coupled with how badly he fucked over the developers when he bounced from Pebble screams “Don’t trust this.”
Random hot take, I’m at least grateful that my wife and I use an app that none of our friends use. Removes the “oh shit did I send that to the wrong person” panic.
Do not have Instagram and FB Messenger. Discord and WhatsApp are sandboxed, permission restricted and firewalled.
Signal is a fucking desert despite converting so many contacts. Nobody uses it in the past few years.
i use aliucord on my phone, it has plugins, the old ui, and no telemetry
I do not want to risk an unnecessary ban, and I use an old official version anyway. Discord gives a lot of “freedom” as far as information and insight into internet social activity goes.
i haven’t been banned, and some of the plugins are very useful to me
