@z428 in my defence, I started this discussion with a reference to advice offered to activists ("nonprofits") and journalists, and my criticisms of #Signal were made in the context of a medium-high stakes threat model, where the US government is a potential adversary.
@gentoorebel
Notices by Strypey (strypey@mastodon.nzoss.nz), page 109
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 16:16:37 EST
Strypey
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 16:12:16 EST
Strypey
@z428 maybe we need to make an effort to have more nuanced conversations about this? Where we specify at the outset whether we're talking about defending the average person's privacy against passive mass surveillance, or defending dissidents against active interception attempts, or something else. Different #ThreatModels require different approaches. As the #EFF quite rightly conclude, there's no silver bullet here.
@gentoorebel
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 16:07:33 EST
Strypey
@z428
> but in the end nothing practicable is essentially left.
Right. So if communicating secrets across the net is not safe with any known combination of technologies, the only sane security advice to give is "DON'T DO IT!?!". Especially, as I say, when people's lives or freedom are on the line. Yet I regularly see people (including Moxie) recommending Signal for activists, journalists, dissidents, and so on, any of whom could be in that situation. This is highly irresponsible!
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 16:02:45 EST
Strypey
@ultimape my proposal is that users could opt-in to receiving DMs by email. By default, the reply-to address would anonymize the sender, and route any reply via the fediverse server that sent the DM to the inbox. Senders could opt-in to allowing the sender to see their email address and reply directly. This is basically how the web forum software the #Trisquel forums use handles DMs, and #Loomio too.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 15:58:37 EST
Strypey
@ultimape hehe. My point is that we already have a well-established system for federated "direct messages". Email! Why reinvent the wheel? All fediverse apps have a confirmed email address for each user account, and a mechanism to send emails to it. Why not use that for DMs, rather than building yet another inbox to check?
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 14:15:03 EST
Strypey
@AmarOk do you know what's happening with the #Ring #PPA with the name change to #Jami? Do I need to change to a new PPA? If so, do I need to uninstall, and reinstall?
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 14:00:07 EST
Strypey
@starbreaker ed(!)? What is it? Where do I find information about it? How do I install it?
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:46:02 EST
Strypey
@priryo compile from source? :-{ I do vaguely remember how to do that, but unless you're doing a lot of it, and creating an efficient system for regularly updating stuff, it creates a maintenance nightmare. #GhostWriter's #HemingwayMode looks more like what I'm after. Thanks though, I'll certainly keep a weather eye on the development of WordGrinder, and share it with the writers group I'm part of :)
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:42:32 EST
Strypey
@uranther from memory, I may have used #GhostWriter (or something similar) but I didn't know about the #HemingwayMode. That looks like just what I need. Thanks for the tip!
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:40:01 EST
Strypey
@jrc03c go for gold! I'm sceptical about #Electron apps for reasons discussed here:
https://sircmpwn.github.io/2016/11/24/Electron-considered-harmful.html
But I would certainly consider using a web app I could visit using my browser. An alternative approach to using Electron is to do what #MailPile does, launch the GUI using the default browser on the system, instead of bundling one with the app.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:37:06 EST
Strypey
@priryo
> You mean it literally disables the delete key?
Ideally, yes, but I would settle for disabling cut'n'paste and moving the cursor anywhere other than the end of the current text. I want something that forces me to focus on getting my ideas down first. Then come back and edit using a different tool. Thanks for the tip though, I'll check out #Wordgrinder.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:34:46 EST
Strypey
@noorul yes. So if you're specifically looking for a service offered by a non-profit or a cooperative, Wire isn't that. But if you just want a provider that exists to serve its users, not shareholders, Wire ticks that box (it doesn't have shareholders, just private owners). If you want a non-profit, I suggest you check out #DigitalCafes like #RiseUp, #FramaSoft, #Disroot etc. Disroot might be the best option for your needs, as they have a big focus on improving the #UX of hosted #FreeCode tech.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 13:17:16 EST
Strypey
@z428 you raise a lot of important points. I just don't agree that the answer to the questions you're asking is a centralized silo. I don't think you do either, or we'd be having this debate on the birdsite, not here. There's a lot to unpack here, so I'm working on a blog post #WatchThisSpace
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:49:32 EST
Strypey
@z428 basically, people with sensitive secrets to communicate shouldn't be trying to do that with networked technologies unless;
a) they have the info and skills to competently assess how secure a networked technology is (either a hosted service or something they self-host)
OR
b) they have access to someone they are sure they can trust who does
Otherwise they *will* get pwned. This is even more important if they are organizing against governments that imprison and kill dissidents.
@gentoorebel
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:44:08 EST
Strypey
@z428 you missed my point. If they don't have any way to know whether a self-hosted Signal server is set up to spy on them, how are they supposed to assess whether or not OWS set up Signal to spy on them? Are they supposed to just trust Moxie? Or read widely about Signal's security practice, and make the effort to understand what makes a service more or less secure? In which case they could apply that knowledge to a self-hosted server.
@gentoorebel
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:40:50 EST
Strypey
@Bobo_PK
> thought that some of your arguments are simply not true.
Quite possibly, I'm human and capable of being wrong. Care to go into detail? But first, did you read Drew's blog piece? The rootkit criticism was a reference to the argument he makes there:
https://drewdevault.com/2018/08/08/Signal.html
Yes, Signal can be used without GAPPS etc but everything about the way it's distributed *strongly* discourages that. Even though it obviously reduces Signal's attack surface. Like Drew, I find that suspicious.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:36:18 EST
Strypey
@bhaugen my understanding is the phrase "peer-to-peer" was coined as a description of a network topology, and was later applied to human-to-human by analogy. The #P2PF were the first folks I came across using it in that way. I could be wrong though.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:34:48 EST
Strypey
@bhaugen can you tell me more about the separation of functions between "client" and "scuttlebot"? It could be that the scuttlebots count as servers, which would make SSB a server/client protocol. Or it could be that the scuttlebot is the back-end, and the "client" is the front-end, and together they make a peer in a P2P network.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 12:32:27 EST
Strypey
@bhaugen
> Scuttlebutt is client-scuttlebot-scuttlebot-client, with maybe a pub in the mix.
I don't know that much about Scuttlebutt. You say there's "maybe a pub", so they are entirely optional? If so, they are supernodes/relays, not servers.
-
Strypey (strypey@mastodon.nzoss.nz)'s status on Monday, 07-Jan-2019 11:51:55 EST
Strypey
@maiyannah suggestion for a different approach:
https://mastodon.nzoss.nz/@strypey/101376278252374166
@lnxw48a1@nu.federati.net @alice @lain