Why disroot.org shutdown their Matrix server:
@takebackourtech | https://takebackourtech.org
Earlier in 2021, I started seeing red flags surrounding the recently popularized Matrix protocol, thanks to a series of papers done by LibreMonde. Although I shared the research, many Matrix users saw it as an unfounded attack. This lead me to find and champion alternatives like XMPP.
Now disroot, an organization who ran a Matrix server for quite some time has shut down their Matrix instance due to privacy concerns.
β translated from Spanish
the reasons we decided to close our matrix instance were two:
1. the amount of enormous information that data from the users that we were forced to store (initiation and closing of session, interactions, publications and addresses exposed of users in public rooms, etc.) indefinitely and with the aggravation that the information also remains in the participating servers. and also the growing number of bots that polished mapping the network.
2. the ridiculously large amount of resources it required and increased with its use. about closing the instance, less than 100 users were costing us 5 gb of ram (not counting the branch that consumed the database) and 170 gb of space on the users information disk.
summarizing, it seemed to us that the amount of data accumulated was dangerously large and the resources dismedied for what is basically a text chat software.
We never thought that these problems were deliberately planned, but inherent in the matrix structure. And for us, they became unacceptable above all in relation to the commitment we have to the care of the information of the users.
There are six documents confirming that it was the best decision. It is advisable to read them completely and you can find them here:
https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org
in a part of them can be read:
"after a new research and analysis based on our first document, and despite the changes that have occurred since, we believe that new vector ltd and the Matrix.org foundation cic, which represent matrix.org and vector.im:
- they don't meet the gdpr of the eu
- do not follow the guidelines, best practices and explicit requirements described in the ico guide on gdpr for those who have daily responsibilities.
- fail to defend the fundamental principles of gdpr: legality, equity and transparency.
- are not able to process gdpr data requests correctly and in a timely manner.
- discriminate against non-tecnicxs in gdpr-related issues.
- they are trying to retain data and responses from individuals who are entitled to them, removing such data from their system before completing so requests for gdpr, being a lay crime of data protection for 2018.
- they are using misleading communications, capturing policies and terms of services hard to understand to limit the scope of data requests only to home server services, while providing several other independents.
This document includes disclosure of a personal data violation by Matrix.org.
if you currently have a #matrix account on any server, not only in matrix.org, we strongly recommend that you consider whether you need to file a complaint with the English authority of rgpd, regarding the processing of Matrix.org of your data so far. "
In particular, it seems to me that after several years things have not improved too much in the most important aspects: the care and protection of the data of the users.
#im
@takebackourtech | https://takebackourtech.org
Earlier in 2021, I started seeing red flags surrounding the recently popularized Matrix protocol, thanks to a series of papers done by LibreMonde. Although I shared the research, many Matrix users saw it as an unfounded attack. This lead me to find and champion alternatives like XMPP.
Now disroot, an organization who ran a Matrix server for quite some time has shut down their Matrix instance due to privacy concerns.
β translated from Spanish
the reasons we decided to close our matrix instance were two:
1. the amount of enormous information that data from the users that we were forced to store (initiation and closing of session, interactions, publications and addresses exposed of users in public rooms, etc.) indefinitely and with the aggravation that the information also remains in the participating servers. and also the growing number of bots that polished mapping the network.
2. the ridiculously large amount of resources it required and increased with its use. about closing the instance, less than 100 users were costing us 5 gb of ram (not counting the branch that consumed the database) and 170 gb of space on the users information disk.
summarizing, it seemed to us that the amount of data accumulated was dangerously large and the resources dismedied for what is basically a text chat software.
We never thought that these problems were deliberately planned, but inherent in the matrix structure. And for us, they became unacceptable above all in relation to the commitment we have to the care of the information of the users.
There are six documents confirming that it was the best decision. It is advisable to read them completely and you can find them here:
https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org
in a part of them can be read:
"after a new research and analysis based on our first document, and despite the changes that have occurred since, we believe that new vector ltd and the Matrix.org foundation cic, which represent matrix.org and vector.im:
- they don't meet the gdpr of the eu
- do not follow the guidelines, best practices and explicit requirements described in the ico guide on gdpr for those who have daily responsibilities.
- fail to defend the fundamental principles of gdpr: legality, equity and transparency.
- are not able to process gdpr data requests correctly and in a timely manner.
- discriminate against non-tecnicxs in gdpr-related issues.
- they are trying to retain data and responses from individuals who are entitled to them, removing such data from their system before completing so requests for gdpr, being a lay crime of data protection for 2018.
- they are using misleading communications, capturing policies and terms of services hard to understand to limit the scope of data requests only to home server services, while providing several other independents.
This document includes disclosure of a personal data violation by Matrix.org.
if you currently have a #matrix account on any server, not only in matrix.org, we strongly recommend that you consider whether you need to file a complaint with the English authority of rgpd, regarding the processing of Matrix.org of your data so far. "
In particular, it seems to me that after several years things have not improved too much in the most important aspects: the care and protection of the data of the users.
#im
Take Back Our Tech
Let's use technology that doesn't use us. We publish regular in-depth series about friendly & effective technology, and how it could change our lives.
Konzept Notfunkneu_20211105.pdf
3.8 MB
In germany there is a group called FreieDeutscheGesellschaft.org
Experimenting with the LoRa technology.
https://t.me/FDG_Portal
loRa is super effective in Cities, but not in the countryside.
Therefore we switched to the Reticulum Protocol, which allows us to use litte computers like raspberrypi as Gateways, for connecting Lora, CB, Wifi and even more.
First we tried Meshtastic, but there Were many problems with messaging using many nodes.
Nodes not waking up after sleeping for some time.
And many problems with the APP, and interoperabilities.
So we decided to stop the complete Process, because we needed a strong base first, before expanding.
We found reticulum was better in many ways for this usecase, since then we are using it.
https://github.com/markqvist/Reticulum
#communications #im #lora
Experimenting with the LoRa technology.
https://t.me/FDG_Portal
loRa is super effective in Cities, but not in the countryside.
Therefore we switched to the Reticulum Protocol, which allows us to use litte computers like raspberrypi as Gateways, for connecting Lora, CB, Wifi and even more.
First we tried Meshtastic, but there Were many problems with messaging using many nodes.
Nodes not waking up after sleeping for some time.
And many problems with the APP, and interoperabilities.
So we decided to stop the complete Process, because we needed a strong base first, before expanding.
We found reticulum was better in many ways for this usecase, since then we are using it.
https://github.com/markqvist/Reticulum
#communications #im #lora
Dino 0.3:
Video calls and conferences β encrypted and peer-to-peer
https://dino.im/blog/2022/02/dino-0.3-release/
#dino #im #videocalls
Video calls and conferences β encrypted and peer-to-peer
https://dino.im/blog/2022/02/dino-0.3-release/
#dino #im #videocalls
kMeet
Free and secure videoconferencing solution
kMeet is a videoconferencing solution that respects your privacy for all your discussions.No e-mail address, no advertising and no registration are required. Your discussions are not analysed and are only transmitted through Infomaniak servers in Switzerland.
Features :
- Create online (audio and video) meetings with multiple people
- Excellent audio quality
- Unlimited number of participants (subject to resources)
- No apps required for desktop computers
- Join meetings hosted by Infomaniak Meet or Jitsi
- Protect access to your meetings with a password
- Discuss and share resources via the integrated chat function
- Invite your participants via a URL
Download - https://play.google.com/store/apps/details?id=com.infomaniak.meet
https://github.com/Infomaniak/android-infomaniak-meet
#im #Videocall
@foss_Android
Free and secure videoconferencing solution
kMeet is a videoconferencing solution that respects your privacy for all your discussions.No e-mail address, no advertising and no registration are required. Your discussions are not analysed and are only transmitted through Infomaniak servers in Switzerland.
Features :
- Create online (audio and video) meetings with multiple people
- Excellent audio quality
- Unlimited number of participants (subject to resources)
- No apps required for desktop computers
- Join meetings hosted by Infomaniak Meet or Jitsi
- Protect access to your meetings with a password
- Discuss and share resources via the integrated chat function
- Invite your participants via a URL
Download - https://play.google.com/store/apps/details?id=com.infomaniak.meet
https://github.com/Infomaniak/android-infomaniak-meet
#im #Videocall
@foss_Android
5 important vulnerabilities were patched in #Matrix
Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. This includes impersonating users and sending messages as them.
https://www.theregister.com/2022/09/28/matrix_encryption_flaws/
#im
Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. This includes impersonating users and sending messages as them.
https://www.theregister.com/2022/09/28/matrix_encryption_flaws/
#im
The Register
Matrix chat encryption sunk by five now-patched holes
You take the green pill, you'll spend six hours in a 'don't roll your own crypto' debate
British youth faces 100,000-euro bill for bomb threat joke that prompted Spain to scramble a fighter plane to escort easyJet flight
The accused was checking in for a flight at London Gatwick airport when he sent a message to friends via Snapchat. It was picked up by the UK security services when the plane was flying over French airspace
Source: https://www.surinenglish.com/spain/british-youth-faces-100000euro-bill-for-bomb-20240122151721-nt.html
>send a meme on snapchat
>get fined 120k
Would he have been saved by using any chat service with end-to-end encryption? Even Whatsapp? How can one avoid this happening to them?
β‘οΈhidden tech
#why #im #privacy
The accused was checking in for a flight at London Gatwick airport when he sent a message to friends via Snapchat. It was picked up by the UK security services when the plane was flying over French airspace
Source: https://www.surinenglish.com/spain/british-youth-faces-100000euro-bill-for-bomb-20240122151721-nt.html
>send a meme on snapchat
>get fined 120k
Would he have been saved by using any chat service with end-to-end encryption? Even Whatsapp? How can one avoid this happening to them?
β‘οΈhidden tech
#why #im #privacy
Bros should we use xmpp or simplex?
https://lukesmith.xyz/articles/matrix-vs-xmpp
Matrix initially funded by amdocs which is israeli https://www.hackea.org/notas/matrix.html
sends a ton of metadata to the central server https://github.com/libremonde-org/paper-research-privacy-matrix.org
#im #xmpp #matrix
https://lukesmith.xyz/articles/matrix-vs-xmpp
Matrix initially funded by amdocs which is israeli https://www.hackea.org/notas/matrix.html
sends a ton of metadata to the central server https://github.com/libremonde-org/paper-research-privacy-matrix.org
#im #xmpp #matrix
lukesmith.xyz
Matrix vs. XMPP | Luke Smith
You want to have encrypted, self-hosted and free software chat? Which standard should you use?
Secure Messaging (and current attacks against it)
https://media.ccc.de/v/secure-messaging-and-current-attacks-against-it
#im
https://media.ccc.de/v/secure-messaging-and-current-attacks-against-it
#im
media.ccc.de
Secure Messaging (and current attacks against it)
Secure messaging apps are one of the most-used app categories on current mobile devices, and a significant subset of human communication ...
Take action to stop Chat Control now!
Chat control 2.0 is back on the agenda of EU governments. Ambassadors of EU governments are to express their position on the latest proposal on 9 October 2024, and EU Ministers of the Interior are to endorse Chat Control on 10 October. The latest proposal makes a minor concession but still provides for indiscriminate mass searching of private messages and destroying secure end-to-end encryption. Read more about this proposal here.
https://www.patrick-breyer.de/en/posts/chat-control/
#im #censorship #stalking #harassment #surveillance #eu #chatcontrol #why
Chat control 2.0 is back on the agenda of EU governments. Ambassadors of EU governments are to express their position on the latest proposal on 9 October 2024, and EU Ministers of the Interior are to endorse Chat Control on 10 October. The latest proposal makes a minor concession but still provides for indiscriminate mass searching of private messages and destroying secure end-to-end encryption. Read more about this proposal here.
https://www.patrick-breyer.de/en/posts/chat-control/
#im #censorship #stalking #harassment #surveillance #eu #chatcontrol #why
Patrick Breyer
Chat Control: The EU's CSAM scanner proposal
π«π· French: Traduction du dossier Chat Control 2.0, stopchatcontrol.frπΈπͺ Swedish: Chat Control 2.0π©π° Danish: chatcontrol.dkπ³π± Dutch: Chatcontrole
The End of the Privacy of Digital Correspondence
Take action to stop Chat Control now!
β¦
The End of the Privacy of Digital Correspondence
Take action to stop Chat Control now!
β¦
Don't Use #Session (#Signal Fork)
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
Comments
#im
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
Comments
#im
Dhole Moments
Donβt Use Session (Signal Fork) - Dhole Moments
Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork cβ¦
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
"Signal instantly dismissed my report, saying it wasn't their responsibility and it was up to users to hide their identity"
#im #signal #cloudflare
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
"Signal instantly dismissed my report, saying it wasn't their responsibility and it was up to users to hide their identity"
#im #signal #cloudflare
Gist
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md
#xmpp #im criticisms:
You can follow any advise on the client XMPP setup but the main issue with the protocol is not your endpoint. The issue is the is the XMPP protocol and related infrastructure.
There are two things you wana do
1. content of the message (privacy setup),
2. identity (anonymity setup)
Don't mistake those two things!!
Privacy
is ensured on XMPP with the OTR or OMEMO encryption. The issue is that the key exchange in between the communication parties is not foolproof. You both *MUST* check the fingerprints through a separate secure channel. This is in large scale not practiced. If you don't check it right, the underlying infrastructure of the XMPP allows the adversary to MITM you and read your messages.
2 Anonymity
is ensured with Tor here. Tor tries to conceal you IP only and nothing more. But Tor, as a low latency network, cannot protect you from revealing your behavioral patterns, your social graph, your login and log out time, the number of messages sent and received at any time, the sender and receiver of the messages, their precise volume and so on *from the XMPP server* and any adversary that can monitor that server.
Our advice is - don't use XMPP! if possible at all and use something more resistant like SimpleX, Briar, CWTCH... and similar solutions that mitigate those leaks and diminish or even make impossible those related attacks from the active as well as passive adversaries.
You can follow any advise on the client XMPP setup but the main issue with the protocol is not your endpoint. The issue is the is the XMPP protocol and related infrastructure.
There are two things you wana do
1. content of the message (privacy setup),
2. identity (anonymity setup)
Don't mistake those two things!!
Privacy
is ensured on XMPP with the OTR or OMEMO encryption. The issue is that the key exchange in between the communication parties is not foolproof. You both *MUST* check the fingerprints through a separate secure channel. This is in large scale not practiced. If you don't check it right, the underlying infrastructure of the XMPP allows the adversary to MITM you and read your messages.
2 Anonymity
is ensured with Tor here. Tor tries to conceal you IP only and nothing more. But Tor, as a low latency network, cannot protect you from revealing your behavioral patterns, your social graph, your login and log out time, the number of messages sent and received at any time, the sender and receiver of the messages, their precise volume and so on *from the XMPP server* and any adversary that can monitor that server.
Our advice is - don't use XMPP! if possible at all and use something more resistant like SimpleX, Briar, CWTCH... and similar solutions that mitigate those leaks and diminish or even make impossible those related attacks from the active as well as passive adversaries.
Media is too big
VIEW IN TELEGRAM
Why Arenβt You Using XMPP? β #SolutionsWatch
https://corbettreport.com/why-arent-you-using-xmpp/
Hakeem Anwar of TakeBackOurTech.org and AbovePhone.com joins us to discuss the latest TBOT guide to Getting Started with #XMPP. What is XMPP? Why is it superior to the centralized, Big Tech messaging apps? And, most important of all, why arenβt you using XMPP?
#im
https://corbettreport.com/why-arent-you-using-xmpp/
Hakeem Anwar of TakeBackOurTech.org and AbovePhone.com joins us to discuss the latest TBOT guide to Getting Started with #XMPP. What is XMPP? Why is it superior to the centralized, Big Tech messaging apps? And, most important of all, why arenβt you using XMPP?
#im
People think #SimpleX #im Chat is secure. It's not. Truly decentralized services aren't able to moderate anything via a central authority, but SimpleX outright states they do exactly that via their centralized servers that they describe in "how it works" docs as a sort of "data pipe" that just relays data without examining it, yet they explicitly say they can and DO block files from being sent. ALL CENTRALIZED SERVICES ARE ABSOLUTELY CONTROLLED BY SOMEONE AND OPEN TO ANYONE WHO CAN BUST IN THE DOORS. There are no exceptions.
https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html
@Jody_Bruchon
https://simplex.chat/blog/20250114-simplex-network-large-groups-privacy-preserving-content-moderation.html
@Jody_Bruchon
simplex.chat
SimpleX network: large groups and privacy-preserving content moderation
ποΈοΈ Matrix.org (Element) Has Broken the Federation Connection
Several posts ago, people suggested using #Matrix messenger for bots instead of Telegram. Ironically, it seems that the main Matrix server may be exploited by you know who. Or their admins are just playing dirty games, dunno.
TLDR: Matrix.org has stopped key exchange, making it impossible for users of matrix.org to read messages from other servers, thus forcing people from other servers to switch to matrix.org. This problem has existed since at least from the end of July.
For more information, see: https://github.com/matrix-org/matrix.org/issues/2483
https://t.me/nexus_search/239
#im
Several posts ago, people suggested using #Matrix messenger for bots instead of Telegram. Ironically, it seems that the main Matrix server may be exploited by you know who. Or their admins are just playing dirty games, dunno.
TLDR: Matrix.org has stopped key exchange, making it impossible for users of matrix.org to read messages from other servers, thus forcing people from other servers to switch to matrix.org. This problem has existed since at least from the end of July.
For more information, see: https://github.com/matrix-org/matrix.org/issues/2483
https://t.me/nexus_search/239
#im
#Austria Approves #Spyware Law to Infiltrate Encrypted Messaging Platforms
https://ift.tt/JuNIV7j - FOLLOW: @reclaimthenet
#im
https://ift.tt/JuNIV7j - FOLLOW: @reclaimthenet
#im
Reclaim The Net
Austria Approves Spyware Law to Infiltrate Encrypted Messaging Platforms
Austria bets on spyware as a national shield, gambling its digital soul for a sense of safety.
https://github.com/libremonde-org/paper-research-privacy-matrix.org/blob/master/part1/README.md
TL;DR
matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviours of the software.
Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:
The #Matrix ID of users, usually including their username.
Email addresses, phone numbers of the user and their contacts.
Associations of Email, phone numbers with Matrix IDs.
Usage patterns of the user.
IP address of the user, which can give more or less precise geographical location information.
The user's devices and system information.
The other servers that users talks to.
Room IDs, potentially identifying the Direct chat ones and the other user/server.
With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:
Matrix IDs mapped to Email addresses/phone numbers added to a user's settings.
Every file, image, video, audio that is uploaded to the Homeserver.
Profile name and avatar of users.
See below for a detailed analysis.
#im
TL;DR
matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot that do not promote privacy, and by specific choices made by their developers to not disclose, inform users or resolve in a timely manner several known behaviours of the software.
Data sent on a potential regular basis based on a common web/desktop+smartphone usage even with a self-hosted client and Homeserver:
The #Matrix ID of users, usually including their username.
Email addresses, phone numbers of the user and their contacts.
Associations of Email, phone numbers with Matrix IDs.
Usage patterns of the user.
IP address of the user, which can give more or less precise geographical location information.
The user's devices and system information.
The other servers that users talks to.
Room IDs, potentially identifying the Direct chat ones and the other user/server.
With default settings, they allow unrestricted, non-obfuscated public access to the following potentially personal data/info:
Matrix IDs mapped to Email addresses/phone numbers added to a user's settings.
Every file, image, video, audio that is uploaded to the Homeserver.
Profile name and avatar of users.
See below for a detailed analysis.
#im
GitHub
paper-research-privacy-matrix.org/part1/README.md at master Β· libremonde-org/paper-research-privacy-matrix.org
Privacy research on Matrix.org. Contribute to libremonde-org/paper-research-privacy-matrix.org development by creating an account on GitHub.