OhMeadhbh 12 hours ago

I talked to Moxie about this 20 years ago at DefCon and he shrugged his shoulders and said "well... it's better than the alternative." He has a point. Signal is probably better than Facebook Messenger or SMS. Maybe there's a market for something better.

venusenvy47 6 hours ago

Is there any reason they didn't use email? It seems like something that would have been easier to keep some anonymity with, while still allowing the person to authenticate.

OhMeadhbh an hour ago

Email is notoriously insecure and goes through servers that allow it to be archived. Also, email UIs tend not to be optimized for instantaneous delivery of messages.

causalscience 11 hours ago

I have no idea if that was true 20 years ago, but it's not true now. XMPP doesn't have this problem; your host instance knows your IP but you can connect via Tor.

OhMeadhbh 43 minutes ago

Tor has the problem that you frequently don't know who's running all the nodes in the network. For a while the FBI was running Tor exit nodes in an attempt to see who messages were being sent to. Maybe they still are.

ddtaylor 11 hours ago

OTR has been on XMPP for so long now

causalscience 11 hours ago

Is that good? According to the Wikipedia page it seems the last stable release was 9 years ago. Is anyone using that? Last time I had a look at XMPP everybody was using OMEMO.

blurb4969 10 hours ago

OMEMO has its own flaws too

https://soatok.blog/2024/08/04/against-xmppomemo/

causalscience 9 hours ago

Sorry, I don't pay attention to anyone who disses PGP. I don't care if it's easy to misuse. I focus on using it well instead of bitching about misusing it.

If there's one thing we learned from Snowden, it's that the NSA can't break PGP, so these people who live in the world of theory have no credibility with me.

OhMeadhbh 41 minutes ago

Wow. That's a phenomenally bad policy. There are many legit critiques which can be leveled at PGP, depending on your use case. [Open]PGP is not a silver bullet. You have to use it correctly.

ddtaylor 8 hours ago

Before my arrest (CFAA) I operated on Tor and PGP for years. I had property seized and I had a long look at my discovery material, as I was curious which elements they had obtained.

I never saw a single speck of anything I ever sent to anyone via PGP in there. They had access to my SIGAINT e-mail and my BitMessage unlocked, but I used PGP for everything on top of that.

Stay safe!

OhMeadhbh 38 minutes ago

If you sign PGP messages with a key you associated with your identity, they have high confidence you sent emails signed with that key. I.e., PGP does not offer group deniable signatures as a default option.

michaelmcdonald 6 hours ago

Would be curious to know (if you're willing to share) how you were found if you were working to obscure / encrypt your communications. What _was_ it that ultimately gave you away or allowed them to ID you?

zxcvasd 11 hours ago

[dead]

ddtaylor 11 hours ago

Briar and Session are the better encrypted messengers.

thunderfork 10 hours ago

Session lacks forward secrecy, which isn't ideal.

Bender 12 hours ago

I remember listening to his talks and had some respect for him. He could defeat any argument about any perceived security regarding any facet of tech. Not so much any more. He knows as well as I do anything on a phone can never be secure. I get why he did it. That little boat needed an upgrade and I would do it too. Of course this topic evokes some serious psychological responses in most people. Wait for it.

ddtaylor 11 hours ago

> He knows as well as I do anything on a phone can never be secure

I assume because of the baseband stuff to be FCC compliant? Last I checked that meant DMA channels, etc. to access the real phone processor. All easily activated over the air.

Bender 11 hours ago

> All easily activated over the air.

Indeed. The only reason this is not used by customer support for more casual access, firmware upgrades and debugging is a matter of policy and the risk of mass-bricking phones, and as such this is not exposed to them. There are other access avenues as well, including JTAG debugging over USB and Bluetooth.

direwolf20 8 hours ago

I don't think the FCC requires DMA channels. That's done out of convenience because it's how PCIe works.

ddtaylor 8 hours ago

The FCC doesn't require DMA channels, but the baseband processor may have access to it among anything else.

direwolf20 8 hours ago

That's done for convenience because that's how PCIe works.

hsbauauvhabzb 11 hours ago

Any citation on this? I’ve never heard that.

ddtaylor 10 hours ago

47 CFR Part 2 and Part 15

FCC devices are certified / allowed to use a spectrum, but you must maintain compliance. If you're a mobile phone manufacturer you have to be certain that if a bug occurs, the devices don't start becoming wifi jammers or anything like that.

This means you need to be able to push firmware updates over the air (OTA). These must be signed to prevent just anyone from pushing out such an OTA.

The government has a history of compelling companies to push out signed updates.

Bender 11 hours ago

There are hobbyist groups that tinker with these things. They are just as lazy as me and do not publish much. One has to find and participate in their semi-private .onion forums. Not my cup of tea. Most of it goes over my head and requires special hardware I am not interested in tinkering with.