@lucy This is what happens with proprietary software. :)

@hund @lucy well, if you want an app that isn't targeted by malware creators, you have to use something no one else is using.

The more users, the more malware. Doesn't really matter whether it's proprietary or not.

@hund @lucy no, that's just because I'm old and refuse to learn new things ;)

@dnkl @lucy I'm the same! And it only gets worse with time. :D

@hund ...And still most keep using and supporting this thing owned by Fac3book...

Then again Spydows 10 has caused trouble of such scale that at least from that mess many are switching!

@Linux Let's hope that this makes any difference. :)

@hund Telegram is a good choice "along the way", I think, towards the final solutions such as Matrix / Riot.im...

Just that Riot on mobile is still not 1.0 and is in itself very confusing even for a seasoned user!

The desktop version of Riot is starting to be spot on :thinkhappy:

@Linux @hund Except that Matrix is a shit protocol with shit implementations =/

@dtluna @hund

How so? Also, it is still very new in this field and improves all the time.

@Linux @kaniini @hund
Have you seen the recent fuckup with matrix.org?
All server and all client implementations are still pure garbage after several years.

@dtluna @hund @kaniini

So this fuck-up is permanent, or what do you mean? Is it not fixed? Have they not learned?

There is nothing bulletproof in IT in general. Mozilla, a multi-million company, also recently effed up good.

@Linux @hund @dtluna

While true, there are fundamental design flaws with the Matrix protocol. In general, the Matrix protocol assumes all peers are not adversarial, which is an untenable stance in a federated environment. This has led to various security issues where internal state is shared and can be attacked by an adversarial peer. To date, the Matrix team are closing internal state trust holes one at a time instead of redesigning the protocol to do away with the holes to begin with.

@kaniini @dtluna @hund

The devs expect decentralization to take off once they figure out a way of migrating existing accounts from one node to another, though?

The future is not here yet and there's no need to go to a "dump Matrix" mode already :thaenkin:

@Linux @hund @dtluna

Yes, there is a need to drop Matrix. It is of lower quality than alternatives. It has numerous security holes. It is written by people who don't know how to design a secure messaging system and instead cargo-cult whatever they read this week on Hacker News.

the French government got the messaging system they deserve.

@kaniini @dtluna @hund

Here's how the Matrix team are assessing this for the future:

"We will provide a proper postmortem, including follow-up steps; meanwhile we are obviously going to take measures to improve the security of our production infrastructure, including patching services more aggressively and more regular vulnerability scans."

@Linux @hund @dtluna

That has nothing to do with what I'm talking about. You are referring to an incident where their IT person was as clueless as the developers.

What I am referring to is that the product itself is deeply flawed. It should be no surprise that a team which doesn't know what it's doing also hires an IT person who doesn't know what they are doing.

I look forward to when some of the IRC script kiddies start playing with matrix. With so much unvalidatable shared state, they will have lots of fun.

@kaniini @dtluna @hund

There's also this:

Only the homeserver was compromised; self-hosted ones were not affected as this was an issue with the infrastructure for their server, not Matrix itself.

@Linux @hund @dtluna

Again, I am not talking about the matrix.org homeserver or infrastructure. I'm talking about the Matrix protocol itself, which provides a federated messaging protocol based on distributed Merkle trees (they call it a DAG).

@hund @munosendai @kaniini @dtluna

One advantage Matrix gives over XMPP, though, is the very simple JSON-based communication over plain HTTP?

XMPP, on the other hand, is complex XML?

From a dev's perspective JSON is amazing compared to XML, and writing custom services on Matrix is a breeze?

@Linux @dtluna @munosendai @hund

According to whom? Converting structures to XML and JSON is just a matter of marshalling in any sane language.

@kaniini @dtluna @hund @munosendai

That's why I asked :thinkhappy:

So it is not so in your point of view?

@Linux @hund @munosendai @kaniini @dtluna

I'm not sure where this idea comes from that XML is complex, TBH. The advantages in parsing it are mostly in JavaScript, but there are solid libraries to parse either in any language. JSON is probably more compact, I suppose, but XML processing can be quite powerful with XSLT and so on.

I see no meaningful difference in development effort based on the data format that would justify implementation of a protocol with design flaws.

@Linux @dtluna @hund

In essence, the problem is general security ignorance. They talk big about how the protocol is secured using digital signatures and how events in the DAG can be certified back to previous events (like in a blockchain). All of that is great and good, but signatures don't mean that an adversarial node won't sign a message that corrupts the DAG shared state.

Notaries may be a solution here, but not having shared state (not necessary for a DAG anyway; AP can do the same type of forwarding without distributing the state resolution) is really the way to go here.

@kaniini @dtluna @Linux @hund
> matrix protocol assumes all peers are not adversarial

you what now

@kaniini I knew Matrix was bad, but they're treating *federating* servers with a level of trust?

@wowaname @Linux @dtluna @hund

Yes. The Matrix protocol depends on shared state, and there is no guidance on how to prove the state is legitimate. Synapse does not validate at all. This is how jzk broke #matrix-hq last year.
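
The point made in the two posts above (a peer's signature proves who emitted an event, not that the event is a legitimate change to the shared room state) can be shown with a small model. This is an added example for this thread, not Matrix's event format, auth rules or Synapse code: the servers, users and events are constructed, and per-server HMAC-SHA256 keys known to every verifier stand in for public-key signatures (an assumption made to keep it to the standard library). It contrasts a receiver that applies any well-signed event with one that decides authorisation against its own state and refuses references to events it never saw.

```python
"""Toy federated room DAG: a valid signature is not a valid state change.

Added illustration for this discussion, not Matrix or Synapse code.
Assumptions: signatures are stood in for by HMAC-SHA256 with per-server
keys that every verifier holds; all servers, users and events are constructed."""
import hashlib
import hmac
import json

# Constructed per-server signing keys (a real federation would use public keys).
SERVER_KEYS = {"good.example": b"good-server-key", "evil.example": b"evil-server-key"}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_event(origin, sender, etype, content, prev, auth):
    """Build an event and sign it with the origin server's key."""
    body = {"origin": origin, "sender": sender, "type": etype, "content": content,
            "prev_events": prev, "auth_events": auth}
    sig = hmac.new(SERVER_KEYS[origin], canonical(body), "sha256").hexdigest()
    return {**body, "event_id": hashlib.sha256(canonical(body)).hexdigest()[:16], "sig": sig}


def signature_valid(ev):
    body = {k: v for k, v in ev.items() if k not in ("event_id", "sig")}
    expected = hmac.new(SERVER_KEYS[ev["origin"]], canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, ev["sig"])


def _apply(state, ev):
    state["events"][ev["event_id"]] = ev
    if ev["type"] == "m.room.power_levels":
        state["power_levels"] = dict(ev["content"]["users"])
    elif ev["type"] == "m.room.member":
        state["members"][ev["content"]["user"]] = ev["content"]["membership"]


def new_room(create_event):
    """Local bootstrap from the room's own first event (trusted by construction)."""
    state = {"events": {}, "members": {}, "power_levels": {}}
    _apply(state, create_event)
    return state


def accept_signature_only(state, ev):
    """Naive receiver: any well-signed event from a federated peer is applied."""
    if not signature_valid(ev):
        return False
    _apply(state, ev)
    return True


def accept_with_auth_check(state, ev):
    """Receiver that treats peers as adversarial: the signature is necessary, but
    authorisation is decided against *our own* state, not the sender's claims."""
    if not signature_valid(ev):
        return False
    if not ev["sender"].endswith(":" + ev["origin"]):
        return False  # a server may only sign events for its own users
    if any(eid not in state["events"] for eid in ev["auth_events"] + ev["prev_events"]):
        return False  # references to events we never saw are not evidence of anything
    level = state["power_levels"].get(ev["sender"], 0)
    needed = {"m.room.power_levels": 100, "m.room.member": 50}.get(ev["type"], 100)
    if level < needed:
        return False
    _apply(state, ev)
    return True


def run_demo():
    admin, mallory = "@admin:good.example", "@mallory:evil.example"
    create = make_event("good.example", admin, "m.room.power_levels",
                        {"users": {admin: 100}}, prev=[], auth=[])
    naive, checked = new_room(create), new_room(create)

    # Adversarial peer: correctly signed by evil.example, but the sender holds no
    # power and the auth chain points at an event id nobody else has.
    takeover = make_event("evil.example", mallory, "m.room.power_levels",
                          {"users": {mallory: 100, admin: 0}},
                          prev=[create["event_id"]], auth=["0000deadbeef0000"])
    ban = make_event("evil.example", mallory, "m.room.member",
                     {"user": admin, "membership": "ban"},
                     prev=[takeover["event_id"]], auth=[takeover["event_id"]])
    results = {
        "takeover_signature_valid": signature_valid(takeover),
        "naive_accepts_takeover": accept_signature_only(naive, takeover),
        "checked_accepts_takeover": accept_with_auth_check(checked, takeover),
        "naive_accepts_ban": accept_signature_only(naive, ban),
        "checked_accepts_ban": accept_with_auth_check(checked, ban),
    }
    # An honest, authorised event from the admin's own server still passes the checks.
    honest_ban = make_event("good.example", admin, "m.room.member",
                            {"user": mallory, "membership": "ban"},
                            prev=[create["event_id"]], auth=[create["event_id"]])
    results["checked_accepts_honest_ban"] = accept_with_auth_check(checked, honest_ban)
    # Tampering with an already-signed event is caught by the signature alone.
    forged = dict(takeover, content={"users": {mallory: 100}})
    results["forged_signature_valid"] = signature_valid(forged)
    results["naive_admin_level"] = naive["power_levels"].get(admin, 0)
    results["checked_admin_level"] = checked["power_levels"].get(admin, 0)
    results["naive_admin_membership"] = naive["members"].get(admin)
    results["checked_mallory_membership"] = checked["members"].get(mallory)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the naive receiver the adversary's takeover and the follow-up ban both verify and are applied, so the admin ends up demoted and banned on that server while the checking receiver still has the original power levels; the tampered copy is the only thing the signature check catches on its own.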

Has anybody with sufficient knowledge taken a look at how messaginglayersecurity.rocks/ fits into the picture? And how should the approach of gitlab.com/thegridprotocol/hom be judged?
@dtluna @Linux @hund

@hund Big brain: hacking into spyware to install more spyware.

@hund wowww
That's new to me.
I also try not to use them, but I still use it to talk with people that don't have Telegram and Signal

@techit I don't use Telegram or Signal either. :D It's not easy being the person outside of the norm though.

Yes, I feel it hard, a hit, not using Instagram to know what's going on in my friends' lives.

But at the same time, they made it very addictive for their silly uses.

I prefer not to give up all my time, like my classmates, who lose all of their time with some high-dopamine nonstop addiction.....):

@hund I'd love to use other chat services, but all of my friends and family still use WhatsApp and LINE 😥

@hund anybody have a good alternative, with many users?

@megriffin @hund OMEMO is preinstalled with Conversations, but you can manually install PGP Keychains for OpenPGP as encryption in Conversations.

@hund What I "love" about this is the complete lack of detection and removal for this kit. Given this is operated by nation states, I guess they don't want people to remove the trojan.

I like Tox because it's a community project, but most client implementations are low quality and they have some known security issues too.
