NoGoolag
https://mastodon.technology/@fdroidorg/101982817496527067

> Heads up to all Riot users: with the recent attack on Matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see https://riot.im/reinstall

#matrix #riot #im
Riot Web 1.6, RiotX Android 0.19 & Riot iOS 0.11 - E2E Encryption by Default & Cross-signing is here!!

Hi folks,

We are incredibly excited to present the biggest change in Riot ever: as of the last 24 hours we are enabling end-to-end encryption by default for all new non-public conversations, together with a complete rework of Riot's user experience around E2E encryption, powered by a whole new suite of encryption features in Matrix. We have released this simultaneously on Web, Desktop, iOS and RiotX Android!

👉🏼 Web:
https://riot.im/app

👉🏼 Desktop:
https://riot.im/download/desktop/

👉🏼 iOS:
https://apps.apple.com/us/app/riot-im/id1083446067

👉🏼 RiotX Android:
https://play.google.com/store/apps/details?id=im.vector.riotx

💡 More info:
https://blog.riot.im/e2e-encryption-by-default-cross-signing-is-here/

#riot #matrix #messenger #e2e #encryption #android #iOS
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Combating abuse in Matrix - without backdoors

Hi all,

Last Sunday, the UK Government published an international statement on end-to-end encryption and public safety, co-signed by representatives from the US, Australia, New Zealand, Canada, India and Japan. The statement is well written and well worth a read in full, but the central point is this:

"We call on technology companies to [...] enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight."

In other words, this is an explicit request from seven of the biggest governments in the world to mandate a backdoor in end-to-end encrypted (E2EE) communication services: a backdoor to which the authorities have a secret key, letting them view communication on demand. This is big news, and is of direct relevance to Matrix as an end-to-end encrypted communication protocol whose core team is currently centred in the UK.

Now, we sympathise with the authorities' predicament here: we utterly abhor child abuse, terrorism, fascism and similar - and we did not build Matrix to enable it. However, trying to mitigate abuse with backdoors is, unfortunately, fundamentally flawed.

👀 👉🏼 https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors/

#matrix #uk #gov #backdoors #thinkabout
Forwarded from GJ `°÷°` 🇵🇸🕊 (t ``~__/>_GJ06)
WIRED UK (@WiredUK): "How governments and spies text each other https://trib.al/KCgNFeu" | FDNitter - https://nitter.fdn.fr//WiredUK/status/1404332908354191367

For the Matrix Foundation, a non-profit counting Hodgson and Le Pape among its members which defines and guards the project's principles and goals, dealing with high-profile customers is a spur to hold the project to impossibly high standards. “For a typical consumer messaging app, you might be trying to protect your users from malicious governments attacking them. Here, there’s scope for malicious governments attacking each other,” Hodgson says.

#Matrix
Forwarded from GJ `°÷°` 🇵🇸🕊 (t ``~__/>_GJ06)
Forensic analysis of Matrix protocol and Riot.im application - ScienceDirect - https://www.sciencedirect.com/science/article/pii/S2666281721000159

Instant messaging (#IM) has been around for decades now. Over the last few decades IM has become more and more popular with varied protocols, both open source and closed source. One of the new recent open source ones is the Matrix protocol with the first stable version released in 2019 and the IM application based on this protocol is “#Riot.im”. However, because the #Matrix protocol and the Riot.im application are very new, there is a knowledge gap when it comes to investigators in relation to the forensic acquisition and analysis of Riot.im application and the Matrix protocol. Yet, there is very little research in literature on the Matrix protocol forensics. The goal of this paper is to fill this gap by presenting a forensic approach to analyze forensic artifacts of Riot.im and the Matrix protocol.
Why disroot.org shutdown their Matrix server:
@takebackourtech | https://takebackourtech.org

Earlier in 2021, I started seeing red flags surrounding the recently popularized Matrix protocol, thanks to a series of papers done by LibreMonde. Although I shared the research, many Matrix users saw it as an unfounded attack. This led me to find and champion alternatives like XMPP.

Now disroot, an organization who ran a Matrix server for quite some time, has shut down their Matrix instance due to privacy concerns.

Translated from Spanish:

The reasons we decided to close our Matrix instance were two:

1. The enormous amount of information and data from the users that we were forced to store (initiation and closing of session, interactions, publications and addresses exposed of users in public rooms, etc.) indefinitely and with the aggravation that the information also remains in the participating servers. And also the growing number of bots that polished mapping the network.

2. The ridiculously large amount of resources it required and increased with its use. About closing the instance, less than 100 users were costing us 5 GB of RAM (not counting the branch that consumed the database) and 170 GB of space on the users information disk.

Summarizing, it seemed to us that the amount of data accumulated was dangerously large and the resources excessive for what is basically a text chat software.

We never thought that these problems were deliberately planned, but inherent in the Matrix structure. And for us, they became unacceptable above all in relation to the commitment we have to the care of the information of the users.

There are six documents confirming that it was the best decision. It is advisable to read them completely and you can find them here:

https://gitlab.com/libremonde-org/papers/research/privacy-matrix.org

In a part of them can be read:
"After a new research and analysis based on our first document, and despite the changes that have occurred since, we believe that New Vector Ltd and the Matrix.org Foundation CIC, which represent matrix.org and vector.im:

- they don't meet the GDPR of the EU
- do not follow the guidelines, best practices and explicit requirements described in the ICO guide on GDPR for those who have daily responsibilities.
- fail to defend the fundamental principles of GDPR: legality, equity and transparency.
- are not able to process GDPR data requests correctly and in a timely manner.
- discriminate against non-technical people in GDPR-related issues.
- they are trying to retain data and responses from individuals who are entitled to them, removing such data from their system before completing so requests for GDPR, being a lay crime of data protection for 2018.
- they are using misleading communications, capturing policies and terms of services hard to understand to limit the scope of data requests only to home server services, while providing several other independents.

This document includes disclosure of a personal data violation by Matrix.org.
If you currently have a #matrix account on any server, not only in matrix.org, we strongly recommend that you consider whether you need to file a complaint with the English authority of GDPR, regarding the processing of Matrix.org of your data so far."

In particular, it seems to me that after several years things have not improved too much in the most important aspects: the care and protection of the data of the users.

#im
5 important vulnerabilities were patched in #Matrix

Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. This includes impersonating users and sending messages as them.

https://www.theregister.com/2022/09/28/matrix_encryption_flaws/

#im