NoGoolag
https://mastodon.technology/@fdroidorg/101982817496527067

> Heads up to all Riot users: with the recent attack on Matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see https://riot.im/reinstall

#matrix #riot #im
Riot Web 1.6, RiotX Android 0.19 & Riot iOS 0.11 — E2E Encryption by Default & Cross-signing is here!!

Hi folks,

We are incredibly excited to present the biggest change in Riot ever: as of the last 24 hours we are enabling end-to-end encryption by default for all new non-public conversations, together with a complete rework of Riot’s user experience around E2E encryption, powered by a whole new suite of encryption features in Matrix. We have released this simultaneously on Web, Desktop, iOS and RiotX Android!

๐Ÿ‘‰๐Ÿผ Web:
https://riot.im/app

๐Ÿ‘‰๐Ÿผ Desktop:
https://riot.im/download/desktop/

๐Ÿ‘‰๐Ÿผ iOS:
https://apps.apple.com/us/app/riot-im/id1083446067

๐Ÿ‘‰๐Ÿผ RiotX Android:
https://play.google.com/store/apps/details?id=im.vector.riotx

๐Ÿ’ก More info:
https://blog.riot.im/e2e-encryption-by-default-cross-signing-is-here/

#riot #matrix #messenger #e2e #encryption #android #iOS
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Combating abuse in Matrix - without backdoors

Hi all,

Last Sunday, the UK Government published an international statement on end-to-end encryption and public safety, co-signed by representatives from the US, Australia, New Zealand, Canada, India and Japan. The statement is well written and well worth a read in full, but the central point is this:

"We call on technology companies to [...] enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight."

In other words, this is an explicit request from seven of the biggest governments in the world to mandate a backdoor in end-to-end encrypted (E2EE) communication services: a backdoor to which the authorities have a secret key, letting them view communication on demand. This is big news, and is of direct relevance to Matrix as an end-to-end encrypted communication protocol whose core team is currently centred in the UK.

Now, we sympathise with the authorities’ predicament here: we utterly abhor child abuse, terrorism, fascism and similar - and we did not build Matrix to enable it. However, trying to mitigate abuse with backdoors is, unfortunately, fundamentally flawed.

๐Ÿ‘€ ๐Ÿ‘‰๐Ÿผ https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors/

#matrix #uk #gov #backdoors #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
WIRED UK (@WiredUK): "How governments and spies text each other https://trib.al/KCgNFeu" | FDNitter – https://nitter.fdn.fr//WiredUK/status/1404332908354191367


For the Matrix Foundation, a non-profit counting Hodgson and Le Pape among its members which defines and guards the project’s principles and goals, dealing with high-profile customers is a spur to hold the project to impossibly high standards. “For a typical consumer messaging app, you might be trying to protect your users from malicious governments attacking them. Here, there’s scope for malicious governments attacking each other,” Hodgson says.

#Matrix
Forensic analysis of Matrix protocol and Riot.im application - ScienceDirect – https://www.sciencedirect.com/science/article/pii/S2666281721000159


Instant messaging (#IM) has been around for decades now. Over the last few decades IM has become more and more popular with varied protocols, both open source and closed source. One of the new recent open source ones is the Matrix protocol with the first stable version released in 2019 and the IM application based on this protocol is “#Riot.im”. However, because the #Matrix protocol and the Riot.im application are very new, there is a knowledge gap when it comes to investigators in relation to the forensic acquisition and analysis of Riot.im application and the Matrix protocol. Yet, there is very little research in literature on the Matrix protocol forensics. The goal of this paper is to fill this gap by presenting a forensic approach to analyze forensic artifacts of Riot.im and the Matrix protocol.
Why disroot.org shut down their Matrix server:
@takebackourtech | https://takebackourtech.org

Earlier in 2021, I started seeing red flags surrounding the recently popularized Matrix protocol, thanks to a series of papers done by LibreMonde. Although I shared the research, many Matrix users saw it as an unfounded attack. This led me to find and champion alternatives like XMPP.

Now disroot, an organization who ran a Matrix server for quite some time has shut down their Matrix instance due to privacy concerns.

— translated from Spanish

The reasons we decided to close our Matrix instance were two:

1. The amount of enormous information that data from the users that we were forced to store (initiation and closing of session, interactions, publications and addresses exposed of users in public rooms, etc.) indefinitely and with the aggravation that the information also remains in the participating servers. And also the growing number of bots that polished mapping the network.

2. The ridiculously large amount of resources it required and increased with its use. About closing the instance, less than 100 users were costing us 5 GB of RAM (not counting the branch that consumed the database) and 170 GB of space on the users information disk.

Summarizing, it seemed to us that the amount of data accumulated was dangerously large and the resources disproportionate for what is basically a text chat software.

We never thought that these problems were deliberately planned, but inherent in the Matrix structure. And for us, they became unacceptable above all in relation to the commitment we have to the care of the information of the users.

There are six documents confirming that it was the best decision. It is advisable to read them completely and you can find them here:

https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org

In a part of them can be read:
"After a new research and analysis based on our first document, and despite the changes that have occurred since, we believe that New Vector Ltd and the Matrix.org Foundation CIC, which represent matrix.org and vector.im:

- they don't meet the GDPR of the EU
- do not follow the guidelines, best practices and explicit requirements described in the ICO guide on GDPR for those who have daily responsibilities.
- fail to defend the fundamental principles of GDPR: legality, equity and transparency.
- are not able to process GDPR data requests correctly and in a timely manner.
- discriminate against non-technical people in GDPR-related issues.
- they are trying to retain data and responses from individuals who are entitled to them, removing such data from their system before completing so requests for GDPR, being a lay crime of data protection for 2018.
- they are using misleading communications, capturing policies and terms of services hard to understand to limit the scope of data requests only to home server services, while providing several other independents.

This document includes disclosure of a personal data violation by Matrix.org.
If you currently have a #matrix account on any server, not only in matrix.org, we strongly recommend that you consider whether you need to file a complaint with the English authority of GDPR, regarding the processing of Matrix.org of your data so far."

In particular, it seems to me that after several years things have not improved too much in the most important aspects: the care and protection of the data of the users.

#im
5 important vulnerabilities were patched in #Matrix

Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. This includes impersonating users and sending messages as them.

https://www.theregister.com/2022/09/28/matrix_encryption_flaws/

#im
#Europol has dismantled #MATRIX, an invite-only encrypted messaging service used by criminals, intercepting 2.3 million messages tied to drug trafficking, arms deals, and money laundering.

Read the full story: https://thehackernews.com/2024/12/europol-dismantles-criminal-messaging.html
๐Ÿš“๏ธ๏ธ Matrix.org (Element) Has Broken the Federation Connection

Several posts ago, people suggested using #Matrix messenger for bots instead of Telegram. Ironically, it seems that the main Matrix server may be exploited by you know who. Or their admins are just playing dirty games, dunno.

TLDR: Matrix.org has stopped key exchange, making it impossible for users of matrix.org to read messages from other servers, thus forcing people from other servers to switch to matrix.org. This problem has existed since at least the end of July.

For more information, see: https://github.com/matrix-org/matrix.org/issues/2483

https://t.me/nexus_search/239
#im
https://github.com/libremonde-org/paper-research-privacy-matrix.org/blob/master/part1/README.md

TL;DR
matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviours of the software.
Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:

- The #Matrix ID of users, usually including their username.
- Email addresses, phone numbers of the user and their contacts.
- Associations of Email, phone numbers with Matrix IDs.
- Usage patterns of the user.
- IP address of the user, which can give more or less precise geographical location information.
- The user's devices and system information.
- The other servers that users talk to.
- Room IDs, potentially identifying the Direct chat ones and the other user/server.

With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:

- Matrix IDs mapped to Email addresses/phone numbers added to a user's settings.
- Every file, image, video, audio that is uploaded to the Homeserver.
- Profile name and avatar of users.

See below for a detailed analysis.

#im