Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

Administered by:

Server stats:

250
active users

shakedown.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#techpopulism

0 posts0 participants0 posts today
Public *
Kevin Karhan :verified:

@silhouette @richi @signalapp @torproject

1. You completely miss the points! There is no "#TechnicalNecessity" to demand #PII like a #PhoneNumber - espechally for a "#privacy"-focussed messenger!

2. & 3. #Signal is able and willing to comply with #Cyberfacism and pushing a #Shitcoin (#MobileCoin) makes it trivial to criminalize the App for "illegal & unregilated banking". If #Moxie or @Mer__edith cared they'd yeet that thing (or didn't even integrate it to begin with!) to avoid the attention. And yes Signal does restrict the App functionality when using a phone number from #Russia & #Iran (among other nations), thus affecting not only those in need of safe comms but by sending a verification code to them, earmarking them for police & intelligence. Which bings.me to the 1st agrument.

4. #Tor has a stellar record in terms of stability, integrity and censorship circumvention. DIY'ing something instead if following almost two decades of solid progress is absurd and violates "don't roll your own crypto" as a rule!

5. Only with #SelfCustody can you protect your own data. Or do you really expect Staff from Signal to not talk when facing lifetime in jail? If they have the keys, they can decrypt it, thus their #E2EE is just a "#TrustMeBro!" concept. I mean, what prevents them from being forced into backdooring all comms to @icij as per #NSL? Any "guarantee" without self-custody is worthless by virtue of being unenforceable!

Signal pushing #TechPopulism instead of teaching folks that their #ComSec is worth diddly-piss wothout.#OpSec, #InfoSec & #ITsec is dangerous!

  • And yes claiming "JuSt UsE sIgNaL!" is dangerous in the era of #Trump's #cyberfacist regime acting as it does (like with the #ICC)!

Not to mention there are better options that don't do that shite (i.e. demand PII) and just work. @monocles / #monoclesChat & @delta / #deltaChat for example can adapt way better to said risks and ain't run by a #VCmoneyBurningParty!

dumbfuckingweb.sitePost by sleepy silhouette, @silhouette@dumbfuckingweb.site@kkarhan@infosec.space @richi@vmst.io @signalapp@mastodon.world @torproject@mastodon.social >PII afaik the only info is that you have registered to Signal and the last time you've connected. Other services do this too, for technical reasons. >USA irrelevant given the guarantees of their E2...
Replied in thread
Public *
Kevin Karhan :verified:

@jherazob @leberschnitzel they already exist...

I think it's bad #TechPopulism to think that #Anubis will fix all the issues.

Just block all the #GAFAMs ASNs & #hosters that host #Scrapers so the industry cracks down harder on them than on #IRC, #Tor #ExitNodes, #CSAM & #BitTorrent combined!

Infosec.SpaceKevin Karhan :verified: (@kkarhan@infosec.space)@nixCraft@mastodon.social what we should do is *literally* [block](https://github.com/greyhat-academy/lists.d/blob/main/scrapers.ipv4.block.list.tsv) all the #scapers network-wide (as per IP block allocation) and #DROP all traffic to/from them, because #Anubis requiring #JavaScript makes it #ableist and bricking #TUI browsers like #LynxBrowser... - #OnionServices on #Tor / @torproject@mastodon.social show [how it's done…](https://infosec.space/@kkarhan/114437837120770551)
Replied in thread
Public *
Kevin Karhan :verified:

@dzwiedziu @fj @signalapp not really, as the #Metadata #FUD cited by #Signal is mitigateable with proper measures.

  • You can't even run Signal over @torproject and even if that point is moot when you're forced to quasi-#KYC by virtue of a #PhoneNumber aka. #PII they have neither legitimate interest nor technical reason to demand in the first place!

Every claim that things like #ITsec, #InfoSec, #OpSec & #ComSec can be solved with "Just use Signal!" is "#TechPopulism" at best if not being a "#UsefulIdiot"!

#EOD#thxbye#next
Replied in thread
Public
Kevin Karhan :verified:

@dalias @lauren
@pixelschubsi

Also the blatant dismissal of absolitely basic #OpSec & #ComSec is just flabberghasting.

Only #decentralized, #OpenSource & #OpenStandards can actuall survive long-term and remain #secure.

It's the same reasons we use #PGPG/MIME & #SSH and not #X400 & #X25!

IOW: Think "How can you weaponize Signal?" and see what you csn do just holding key people in contempt...

The less #info a provider has, the less they can be forced to snitch upon customers.

"#JustUseSgnal!" is a form of dangerous "#TechPopulism" aimed at bamboozling #TechIlliterates who don't know better, abusing information asymetry to pull rank instead of investing the time and effort to *explain "how" and "why" this is indeed a good or bad idea.

The only ones that have a chance to beat that are @delta / #deltaChat but that's just #PGP/MIME #eMail in a nice UI...

  • You may now laugh at me and think my "#TinfoilHat sits too tight" but I'm shure sooner or later I'll be evidenced as correct...
Hachyderm.ioCassandrich (@dalias@hachyderm.io)@kkarhan@infosec.space @signalapp@mastodon.world @monocles@monocles.social @lauren@mastodon.laurenweinstein.org Very few systems promoted as Signal alternatives match the cryptographic privacy properties (see: ratcheting, etc.) of Signal. The claims about "located in the USA" and "Cloud Act" are all nonsense because the only threat to Signal users from this is availability (seizure and shutdown of the server infrastructure), not undetected breakage of privacy properties. There are presently no systems with superior privacy properties to Signal *and* level of functionality on par with what general public expects. There are a lot (like the XMPP stuff, *sigh*, and Matrix) that are worse in both regards. If you're happy with reduced functionality, Cwtch (and possibly some other similar Tor-based systems) or VeilidChat are stronger, but it's gonna be a while before you convince normies to use them, and in the mean time they're still going to be on insecure shit like WhatsApp, FB Messenger, Telegram, etc...
#tinfoilhat
Replied in thread
Public
Kevin Karhan :verified:

@claudius @max @signalapp

No problem:

I could go on all night, so please shove that #TechPopulism somewhere the sun doesn't shine!

Infosec.SpaceKevin Karhan :verified: (@kkarhan@infosec.space)@max@gruene.social To [quote you directly](https://gruene.social/@max/113872018769294131): > "[...] easy to use solutions that are at the same time private and secure. [...]" - The fact that @signalapp@mastodon.world requires #PII like a #PhoneNumber which more often than not *cannot be legally acquired anonymously* makes it not #private. It is easier, faster, cheaper and overall simpler to get someone setup with #XMPP + #OMEMO espechally if they don't have a #PhoneNumber and/or #ID to acquire a #SIM. And if you go and say, *"Just buy a [insert country here] [e]SIM!"* and expect #TechIlliterates without a #CreditCard, #PayPal or other means of #OnlinePayment to fiddle around with some #eSIM if not having to get some #eSIMcard because they can only afford to maintain one SIM and can't spend triple-digits on a new devices then you *completely missed the point*! - I can much faster and easier get TechIlliterates setup show them around - either in a @cryptoparty@mastodon.earth / @cryptoparty@chaos.social / #CryptoParty - style #classroom / #seminar or 1:1 tutoring than I can *legally acquire and activate a new SIM in #Germany* [since 07/2017]... It's not that I expect anyone to get #TechLiterate within minutes, but similar to setting up a cordless DECT phone it's something one has to do once in 5 years and just have them put the password in a safe spot to retain... - - - Point is that #Signal #WontFix their setup and that was evidently clear even before @Mer__edith@mastodon.world succeeded #MoxieMarlinspike: Their entire operation has a *distinct #CryptoAG stench* as it's an #unsustainable #VCmoneyBurning party! - #CloudAct and the #NOBUS [hegemony](https://en.wikipedia.org/wiki/NOBUS#Criticism) ain't something that just got executed now (neither was #GDPR & #BDSG!)... A counterexample on how this could've been done are #Tor, #eMail and other *truly #OpenSource* as in #MultiVendor & #MultiProvider standards. - *NOTHING* compells Signal to [demand PII](https://en.wikipedia.org/wiki/Signal_(software)), run a #Shitcoin #Scam [aka.](https://en.wikipedia.org/wiki/Signal_(software)#In-app_payments) #MobileCoin that even seasoned #TechLiterates and #CryptoBros [can't setup properly](https://www.youtube.com/watch?v=0DSGq9FQKU4), and in fact Signal using [phone numbers makes it trivial to discriminate against users and easier for them to identify them](https://en.wikipedia.org/wiki/Signal_(software)#Controversial_use)! - If [my reasoning](https://infosec.space/@kkarhan/113869305765533809) didn't resonate with you, then try helping i.e. undocumented migrants aka. *"#SansPapier|s"* to get setup with it without violating laws and/or ToS and/or needing an imported SIM which I'm shure most folks don't have on hand! Whereas it's trivial to get people setup on [one of many XMPP servers I've personally tested](https://github.com/greyhat-academy/lists.d/blob/main/xmpp.servers.list.tsv)! - Not to mention clients like @monocles@monocles.social / #monoclesChat and @gajim@fosstodon.org / #gajim are way more user-friendly and unlike Signal can also work perfectly fine over #Tor, including #OnionServices as endpoints. AFAIK Signal doesn't even have an #OnionService / [```.onion```](https://en.wikipedia.org/wiki/.onion) for their Website, much less any #API enpoints to use it with! - Them relying on #ClownFlare is just something that makes them even *more #sus* as there is *[no legitimate reason](https://en.wikipedia.org/wiki/Cloudflare#Controversies)* to use a #RogueISP like that. - - - You're free to also provide evidence and supporting data to your arguments, rather then *neighsaying* against *proven to be more secure and reliable [by virtue of decentralization]* options like XMPP+OMEMO and/or #PGP/MIME. - What gets my blood boiling is the constant #disinfo by [Signal](https://mstdn.social/@rysiek/113868777937162686) [Fanboys](https://mstdn.social/@rysiek/113869169340313254) like @rysiek@mstdn.social who sell it like #DigitalSnakeoil akin to #AntivirusSoftware, because it's at best *"#TechPopulism"* and at worst [will mislead "TechIlliterates"](https://infosec.space/@agturcz@circumstances.run/113868748895262202) with a [false sense of security](https://infosec.space/@kkarhan/113868987217053362), which in turn puts more users at risk. The *proper fix* is to actually *assess the situation* and acknowledge the *risks and limitations* as well as the very nature of communications, which means *upgrading later* is exponentially more painful, thus getting people *properly setup once* is way easier. - Just because *WE* [ or rather @rysiek@mstdn.social in this case ] rather *privilegued enough* to not be *hatecrimed in their current location* doesn't mean this is the case for everyone. And having places like Signal rely on a *"#CDN"* is just another *red flag* to me because questions like [this one](https://circumstances.run/@agturcz/113866980398547492) just don't arise with [monocles.chat](http://monocles.chat) as people can just exercise proper #SelfCustody and just use Tor! Speaking of #monocles: That business is at least #sustainable because it's funded by users [(€2 p.m.)](https://store.monocles.eu/produkt/monocles-starter-account/) which they can [pay anonymously](https://monocles.eu/more/#payment-section)
#EOD#thxbye#next
Replied in thread
Public
Kevin Karhan :verified:

@max
To quote you directly:

"[...] easy to use solutions that are at the same time private and secure. [...]"

It is easier, faster, cheaper and overall simpler to get someone setup with #XMPP + #OMEMO espechally if they don't have a #PhoneNumber and/or #ID to acquire a #SIM.

And if you go and say, "Just buy a [insert country here] [e]SIM!" and expect #TechIlliterates without a #CreditCard, #PayPal or other means of #OnlinePayment to fiddle around with some #eSIM if not having to get some #eSIMcard because they can only afford to maintain one SIM and can't spend triple-digits on a new devices then you completely missed the point!

It's not that I expect anyone to get #TechLiterate within minutes, but similar to setting up a cordless DECT phone it's something one has to do once in 5 years and just have them put the password in a safe spot to retain...

Point is that #Signal #WontFix their setup and that was evidently clear even before @Mer__edith succeeded #MoxieMarlinspike: Their entire operation has a distinct #CryptoAG stench as it's an #unsustainable #VCmoneyBurning party!

A counterexample on how this could've been done are #Tor, #eMail and other truly #OpenSource as in #MultiVendor & #MultiProvider standards.

Whereas it's trivial to get people setup on one of many XMPP servers I've personally tested!

AFAIK Signal doesn't even have an #OnionService / .onion for their Website, much less any #API enpoints to use it with!

You're free to also provide evidence and supporting data to your arguments, rather then neighsaying against proven to be more secure and reliable [by virtue of decentralization] options like XMPP+OMEMO and/or #PGP/MIME.

The proper fix is to actually assess the situation and acknowledge the risks and limitations as well as the very nature of communications, which means upgrading later is exponentially more painful, thus getting people properly setup once is way easier.

  • Just because WE [ or rather @rysiek in this case ] rather privilegued enough to not be hatecrimed in their current location doesn't mean this is the case for everyone. And having places like Signal rely on a "#CDN" is just another red flag to me because questions like this one just don't arise with monocles.chat as people can just exercise proper #SelfCustody and just use Tor!

Speaking of #monocles: That business is at least #sustainable because it's funded by users (€2 p.m.) which they can pay anonymously

gruene.socialMax L. (@max@gruene.social)@kkarhan@infosec.space Sorry but no, the correct solution is to push for easy to use solutions that are at the same time private and secure. Hiding privacy and security behind a veil of "you need to know" is discrimination of people that are not able (either mentally, physically or monetary) to gain that knowledge. The correct move here is for @signalapp@mastodon.world and any other service to fix this and for legislators to enact laws enforcing proper security and privacy by design.
Replied in thread
Public *
Kevin Karhan :verified:

@rysiek @agturcz that's not how you fix #TechIlliteracy, espechally since things changed for the better.

@monocles / #monoclesChat & @gajim / #gajim are quite easy, whereas @signalapp / #Signal demands #PII in the form of a #Phone number which is more often than not not legally obtainable without "#KYC" aka. "forced #SelfDoxxing" all whilst being an extremely #centralized, #SingleVendor & #SingleProvider solution that falls under #CloudAct ant thus cannot adhere to #GDPR & #BDSG!

Otherwise we'd only perpetuate the #Enshittification-#Lifecycle as has happened with #AIM, #ICQ, #BBM and so many more...

  • Mark my words, cuz I've been proven correct up to this point.

If #Signal and @Mer__edith actually cared, they would've setup their system truly decentralized as an #OnionService over @torproject / #Tor!

Mastodon 🐘Michał "rysiek" Woźniak · 🇺🇦 (@rysiek@mstdn.social)@kkarhan@infosec.space I ran and hosted a bunch of XMPP servers a while back. It was a pain to use, and it was easy for users to make mistakes and accidentally send messages in the clear. You are making people les safe. Last time: please stop doing this in my mentions and replies. @agturcz@circumstances.run @torproject@mastodon.social
#THXBYE#EOD#ITsec
ExploreLive feeds
About