• 17 Posts
  • 37 Comments
Joined 10M ago
Cake day: Jun 29, 2020



uhh, I searched for it by both the title (the earlier lemmy post was longer), and the URL, without finding it, :( Not sure if the search only finds exact matches… I pressed the “delete” button, not sure if it actually does something…






If there are unofficial LOS, LOS4uG, or /e/ builds, then I would look if there’s any saying on XDA forums for the 1st ones, and on the /e/ forums on the last one.

My phone xiaomi redmi 4x (santoni), more than a year back, was only supported by an unofficial build, but mentioned on XDA forums, and reported working there, and the dev providing those unofficial builds eventually got it into LOS as an official and supported one… It doesn’t mean all devs providing unofficial build are the same, but the forums can help gain some trust…


qTox is just a desktop client. The Tox protocol implemented by c-toxcore is the one with security issues. BTW, part of the issue is precisely that the Tox protocol is not an e2ee one, and in one of the issues referred the axolotl protocol is shown as an example… So, no matter the client, the Tox protocol is lagging behind in terms of security.


I had high hopes on Tox, but nowadays I no longer do. Its security status hadn’t changed for a while: https://github.com/TokTok/c-toxcore See there:

This is an experimental cryptographic network library. It has not been formally audited by an independent third party that specializes in cryptography or cryptanalysis. Use this library at your own risk.

The underlying crypto library NaCl provides reliable encryption, but the security model has not yet been fully specified. See issue 210 for a discussion on developing a threat model. See other issues for known weaknesses (e.g. issue 426 describes what can happen if your secret key is stolen)

And the 2 issues highlighted there are scary:

https://github.com/TokTok/c-toxcore/issues/210

https://github.com/TokTok/c-toxcore/issues/426

To me experimental, as highlighted in the github repo, is not enough, as mentioned in the 2nd issue.

I really had high hopes on Tox, given its peer-to-peer distributed nature (much better to me than just decentralized by self hosting or so) but I don’t see it improving unfortunately…

Briar is similar, but a 3rd party is just adding support for desktops, and as well as Tox, and I’d guess as any peer-to-peer distributed messaging mechanism, it’s really battery hungry, and phones don’t survive even half a day with them active. I don’t like Briar’s reliance on Tor btw: https://briarproject.org/how-it-works

And on such peer-to-peer distributed systems, it seems really hard to get multi-devices support or syncing. But I’d guess there’s no other choice for some people other than Briar. I’m still looking for a distributed peer-to-peer messenger, not consuming the whole battery at least in a day, and that somehow, through mechanisms like the one keybase uses, allows some sync between devices… But the most important thing of course is battery life… Hopefully supporting as well voice/video calls, and some other common stuff to avoid needing other messengers to support them…


True, but what made those subreddits really useful is the amount of users, which is hard to match somewhere else. Anyway, time to look for alternatives…


I used to be particularly fond of some subreddits, where it was easy to get support on certain things I use, like Arch, Artix, lineageOS, microG, gnu+linux, keybase (when it was promising), etc… The amount of other users which might be able to help is big on several subreddits. But it’s been a while since privacy has been a concern, and I was waiting for some lemmy features to finally leave reddit, but they do what they can to push me out, :)


why would you remove firstparty.isolate? What if it remains enabled? Does something break?



I don’t like Intel HW, neither Apple hardware in terms of user privacy. But business wise, this looks a bit desperate…


It used to do it with the Enigmail AddOn, TB 78 and later doesn’t, and maybe it will never do it, does TB support autocrypt?:

Thunderbird does not support the Autocrypt philosophy that encryption should be fully automatic.

You have to manually keep [un]specifying you want to encrypt/decrypt, depending on how you set things, but it’s all manual. And it seems TB doesn’t like autocrypt at all, and if they don’t, they won’t include it… That along with not using GPG, makes me sad I’m still using TB, lacking really working alternative applications…


BTW, I just tried it out, and I couldn’t connect to my email server, nor for caldav/carddav. Weird enough it doesn’t allow almost any settings, for example, I couldn’t configure the ports for the services. And preferences doesn’t allow changing anything.

It might be it’s too early to give it a try, or that’s the plan, inhibiting the user to control anything…


Arch already has FF 85 on its official repos, and voila, the flash plugin is no more… So it happened as advertised…


Well, I mostly use Firefox. I just use Falkon (also Blink based) when Firefox fails on some corporate web pages where I work, and Chromium if nothing else helps. I’ve never used the sync features, and nothing special from Chromium, since I prefer to stick with Firefox.

So to me, the lack of chromium might be an issue on some corporate web pages. Perhaps by not being my main browser, I would think users might still find chromium useful without those features.

But now, 6 days after the discussion started on Arch, at least, it seems Arch is close to concluding Arch will drop Chromium, and proposing to get in talk with other major distros to encourage them to do the same…

https://lists.archlinux.org/pipermail/arch-dev-public/2021-January/030295.html

https://lists.archlinux.org/pipermail/arch-dev-public/2021-January/030296.html

https://lists.archlinux.org/pipermail/arch-dev-public/2021-January/030300.html

Looking at how the Arch thread is trending, Chromium most probably will get dropped from Arch. And I’m not sure about other distros, but the legal limbo seems something most distros would like to protect from.

I’d love to see this as an opportunity to increase the Firefox use base, gaining something against the google monopoly long term, but I’m afraid that’s not what will end up happening…


Well QML != Qt and QtQuick is sort of the framework for QML… So this is not precisely a Qt project. This is closer to Liri DE than to KDE/Plasma.

At any rate I was following the project, since I don’t like where Thunderbird ended up, and I don’t like Kontact (KMail + KOrganizer + KContacts + Akonadi + …) either. But last time I looked into it, GPG wasn’t advertised, and who knows about autocrypt (missing in both, Kontact and Thunderbird). But as it’s right now, it seems I can give it a try, and see how it goes…

I tend to think that though QML gives a modern look, perhaps it has less performance than Qt, but at any rate, as mentioned, I ran out of integrated options (I need to see if web ical calendars work as well as caldav ones, and that carddav also works. On Korganizer, KDE never got web ical calendar to sync, which is really a shame given how long Korganizer has been out there). Perhaps the tool offers a more compact view, and what is shown on the screenshots are the default ones…


https://lists.archlinux.org/pipermail/arch-dev-public/2021-January/030265.html

Just reading the 1st post on the Arch thread is not enough. It’s too early to know what the distros will do. It seems there’s at least one dev willing to adopt chromium without the sync functionality. I was not even aware such thing existed, but I’m not a heavy chromium user anyway, I rather use Firefox for everything, and Chromium for stuff only working on Chrome based browsers, and only if strictly required…


The post indicates FF 85 will also drop it, and that it’s supposedly coming on Jan. 26th. Arch already dropped both flashplugin and pepper-flash plugins from its repos…


I’m also interested on understanding if Moxie and company would eventually request molly to cease connecting to signal servers. Same thing as with signal-gcm-less. I don’t understand why they can still connect to signal servers, since Moxie clearly wants no other clients, than the binaries provided by signal connecting. I don’t know if this would last only until Moxie or signal guys realize, or only while these clients don’t reach certain popularity… Who knows… Moxie’s decisions make signal look like not open source, but who knows, maybe those 2 clients, molly and signal-gcm-less got some approval from signal?


I don’t know much about protonmail and tutanota, since I don’t like that you need your contacts to also use the same provider in order to have the easy encryption they offer (so no federation), and it’s not much different than using any email provider and an email client which uses GPG encryption, or PGP encryptions for that matter (I prefer GPG), given the provider is not one of the giants, and not based in the 5 eyes or extended 5 eyes (in this case that really counts, given most of the email one receives is NOT encrypted, since not everyone uses GPG/PGP encryption). Enigmail used to have an option to full encrypt (included subjects) emails on Thunderbird, and I think the new Thunderbird encryption does the same (just that it doesn’t use GPG anymore, and other subtleties).

If not self hosting (as mentioned by others, keeping your service and host secure and safe when opening it to the internet is hard to accomplish), using /e/ email service might be an option, as long as you encrypt as much as you can what you must. But even encrypted emails are not as secure and private as messengers designed for that purpose. So I wouldn’t use email for confidential or personal stuff, or use it as little as possible, and GPG encrypting of course. And if going the GPG route, you should use ed25519 (elliptic curves) keys, same way those are the recommended ones for ssh keys, but the problem is that nothing forces your contacts to do the same, and they might use weaker keys…


Yeap, I thought Axolotl was promising, and it actually interacts with Signal servers with no issues (calls not encrypted so far), however AFAIK it only works as a secondary device, not the main one (I might be mistaken, but I understood that from another lemmy post). I could live with only a Matrix client (unfortunately only Element.io is as feature complete) and a Signal/Axolotl client, on a pinephone or similar gnu/linux phone, but it seems not possible, and even a Matrix client for a gnu/linux phone is not that clear to me (the gnu/linux clients are desktop oriented ones).

At any rate, I was hoping one could replace Signal with Axolotl, since it does hook to the Signal servers, and interact with them, but I guess I was just hoping…

BTW, matrix alone, won’t allow me to connect with any but only 3 contacts of mine (whom I personally installed Element.io for on their phones and computers), but NO one else unfortunately, so I guess there needs to be a trade off, and Signal might be the one feature rich enough, and definitely safer and more private than Whatsapp. Other alternatives oriented to security and privacy might be valid as well, but I don’t see them as adopted for a trade off, neither as feature rich. I’m still hopeful a truly decentralized, totally FLOSS, feature rich and easy to use and adopt will get main stream. So far it’s having something (still far from perfect) for just a couple of contacts, and a trade off for the rest you still want to keep in touch.


I guess the whole point of having e2ee, storing as little user metadata as possible, and the not having to trust the service provider model, is the motto for Signal and perhaps Matrix (Signal being the messenger collecting less metadata, while Matrix backend is open sourced). Actually no matter where the service resides on these days, some probably are hosted on Amazon or other processing and storage services, which most probably have headquarters on one of the 5 eyes countries. I definitely like true decentralized and FLOSS apps and services, such as Briar or Tox. However unfortunately AFAIK Tox last protocol never got as audited as the double ratchet one, and besides, both decentralized services are energy hungry. A regular phone’s battery is not enough for a full day of such apps up and running…

The fact of having swiss servers is not fully reassuring, since at least swiss crypto AG company has been exposed to be involved with intelligence agencies (US, Germany and swiss ones at least) as well (https://web.archive.org/web/20201111074303/https://www.parlament.ch/press-releases/Pages/mm-gpdel-2020-11-10.aspx?lang=1033 - https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage). So threema, though interesting, just by having swiss servers is not totally reassuring, and features wise, it lacks voice and video calls (it does support voice messages, which is not the same), to be on par with Signal and Matrix, besides the backend and server is not open sourced, just the client (like for Signal, but not the case for Matrix, which is fully open sourced).

I do like the fact threema doesn’t depend on phone numbers, but Signal is supposed to be working on getting rid of the strict need for phone numbers (https://www.zdnet.com/article/signal-to-move-away-from-phone-numbers-as-user-ids - https://signal.org/blog/signal-pins), and Matrix doesn’t depend on phone numbers at all. I’m using both Signal and Matrix/Element, and if Signal doesn’t eventually come up with a no phone number solution, I’ll then get out of Signal, but I’m patiently waiting, particularly because I guess most people will opt out for Telegram (which is a definite no go for me, and it’s not even open sourced btw), and part of them for Signal, but I don’t see them opting out for Matrix, and even less opting out for Briar or Tox (as Tox is right now, it’s also a no go).

BTW, Signal at least sent a communication last year, sort of indicating that if the US ever approve the “earn it act”, they would move out of the US (https://www.wired.com/story/signal-earn-it-ransomware-security-news - https://signal.org/blog/earn-it), which is somehow nice to hear from it.

XMPP requires a server, and in that sense is not truly decentralized, unless you self host, as you pointed out, but that might be out of scope for some (I at least can’t trust my electricity service, not even the internet one as to be able to self host), or might even be too complex for non tech people, and the alternative for most would be a central server… If I could self host, not only XMPP would be an option, also email and NextCloud (meaning, I would not depend on several services being hosted or not by US or non US service providers)… And I don’t know how many users would be moving to XMPP (and even less self hosting, for a non centralized experience), and I suspect as with the Matrix case, very few would…

Matrix solution, so far has clients and backends fully open sourced, which is a big win compared to other solutions, since it can be explored and audited by any one interested, and not just the protocols it uses or some APIs. Also by being federated, there can be instances everywhere. If someone doesn’t feel comfortable with matrix.org instance, can look for some other instances. And furthermore, as with XMPP, you can self host your own instance as well, and still communicate with the rest of instances, so you can make it non centralized if you and your contacts all self host. I then see Matrix as one of the best options out there, except by 2 major issues. Main one being adoption. As mentioned, I doubt I can make even a fraction of my contacts move to a Matrix client, though one of the cool things about being federated is that there’s not only Element, but that’s not the point… And 2nd one being that at least group video calls (not sure if voice calls as well) are not e2ee, but instead are webrtc encrypted, since jitsi is used underneath, and in this regard Signal is better, though currently limited to 5 people video calls (they have in plan to increase that limit).

So to me, it’s not as simple as saying the service provider or the servers are not based on any of the 5 eyes countries, or the extended 5 eyes for that matter, since in the end countries intelligence agencies make alliances, and when there’s money involved as well, then one can’t assure how ethical things are. I’m still to see truly decentralized solutions like Briar or Tox, providing usable solutions on regular users (not just whistle blowers or protesters, on special situations, for which some suppose Briar is made), and becoming, if not main stream, at least easy and energy/battery safe to adopt as well, so it doesn’t become that hard to convince others to also join the decentralized experience.



Well HP also offers 2-in-1 convertible laptops, though not sure if detachable, neither how it compares with lenovo and dell ones, though you might be able to find pretty similar specs in them nowadays, and there are comparisons around as well.

For gnu/linux compatibility though (no particular distro in mind, since one can move away to the distro of preference I’d guess), besides Purism and System76, I would also consider the kde slimbook, and actually the specs from the slimbook makes it look pretty competitive…


Wow, thanks a lot to all, for all recommendations. I think there’s enough guidance to start looking for and thinking about options. Thanks again !


Well, TB no longer supports autocrypt, which is really sad, and due to their FAQ, it seems TB doesn’t want it:

Thunderbird does not support the Autocrypt philosophy that encryption should be fully automatic.

And the autocrypt extension for TB is no longer supported either. There’s actually an autocrypt GitHub issue, but it’s been unattended by devs for half a year already…

Don’t know about delta chat, but Kmail doesn’t support autocrypt either. And K9 for android is supposed to support it, but at least the non experimental latest version on F-Droid, though having the option, it doesn’t work (you can check the box, go to read some mails, and go back to the settings, and it’s unset again, meaning it’s not persistent, and when you write a message for another individual for whom you have the public key available with openkeychain and who is also using K9, and nothing, you’ll have to manually set you want to encrypt).

So it seems though autocrypt being a nice idea, it’s not quite adopted, no matter it’s not something new either…


Any GNU/Linux rolling release distro as vanilla as possible, and easy for non tech individuals used to ms-windows?

I’m looking for something my sister can use, but I don’t want her to face trouble when needing to change major releases, like debian or ubuntu do. So I’m thinking a rolling release distro could be of great help for this. …


Would this be just marketing, or a real threat for double ratchet encryption? This sounds really sad if true. Not sure if Signal has anything to comment about this announcement…



It seems only affecting windows, through exe downloads, but it affects all browsers, not just edge…