Rick Moen via luv-talk wrote:
a friend [...] wrote about Signal and similar:
friend> signal -- never had any real federation. posting server source is an [...] friend> slack -- offered irc gateways to build network effects then shut them down [...] friend> wire -- this is some proprietary Swiss garbage, right? four legs [...] Do you have a canned rant for this one? https://en.wikipedia.org/wiki/Matrix_(communication_protocol) friend> I've been trying to get normies on riot.im. It uses signal-like friend> insecure web frameworks, but prefers to run them in a browser tab friend> instead of a standalone desktop app, which is more secure because you friend> get chrome sandbox and chrome updates. Although then it can be XSS'd by other tabs, depending on how shitty your main browser is. There was an IEEE Spectrum article a while ago (can't find it now) called something like "the web will be insecure until we break it", advocating that each website looking like a desktop app (with strong separation between them), but still using the kept-up-to-date browser engine. The closest thing I've seen to this is this group policy in chromium (introduced in the wake of SPECTRE): http://dev.chromium.org/administrators/policy-list-3#IsolateOrigins If I actually logged into web pages and didn't e.g. locally NXDOMAIN facebook &c, I'd be turning this on for a bunch of name-brand domains. friend> It has a gateway to irc that is a little flakey but about halfway to friend> ok---I use it with irc.hackint.org which runs their own instance of friend> the matrix gateway. Ohhhhh, so riot.im is basically a matrix server you don't host yourself, so you have less hosting costs, but you have to watch for FISA canaries and stuff. The reason I asked about matrix is I know a couple of people who run their own matrices and then join regular IRC, and they mostly look OK from my end (a dumb IRC client). friend> The server is a single-threaded Python twistedmatrix app that they are friend> rewriting into multiple Go frontends around Kafka. The client is a friend> single javascript blob for android/ios/web. Yeah, that's when I started to tune out during the last round of advocacy, because AFAICT both go and ES are still in the dark ages WRT long-term maintenance and security.
Again, that's _his_ view, quoted. I actually don't personally use any such services. In fact, what I use is a simple flip phone (calls and SMS), and I don't particularly trust it: To the best of my understanding, the baseband processor problem is so pernicious that you really cannot trust any cellular device to not have been hacked from over the air.
100% agree. IME the best way to solve this is to have no friends, so you don't need a phone to organize when to hang out with them.