Robin Humble via luv-talk wrote: Just realise with TPG the only payment option is direct debit; just in case you are phobic about such arrangements , like me  ! (confirmed via their contact number 1300242011) regards Rohan McLeod

On Wednesday, 3 October 2018 4:13:05 AM AEDT Andrew McGlashan via luv-talk wrote: Kogan keeps having these deals. It's like CopperArt. If you miss one deal you get the next one. It seems to mostly work fine. There are many places where Telstra gives better coverage, but a few corner cases where Vodafone gives better coverage (like the basement of the Arts and Design building at Melbourne University). As for personal use, there's nothing stopping you from using it for work. You just have to sign up under your own name. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Quoting Andrew McGlashan (andrew.mcglashan(a)affinityvision.com.au): FWIW, here's what a friend who's even more jaundiced on these matters than I am wrote about Signal and similar: tj> I've heard talk about people attempting to spend less time on tj> Facebook and more on Signal, Slack or Wire. These are nasty companies. signal -- never had any real federation. posting server source is an irrelevant stunt, similar to wire. posting client source is only useful for someone who wants to fork the whole network, not someone who wants freedom within it. unfriendly to pseudonomy by forcing phone number id, tying keys to phone, not supporting multiple accounts, etc. doesn't support free software. They refuse to allow publication in F-Droid because of $arrogant_rant. Yes, yes, reasons, but don't go full aspie on me. They don't meet the bar, and that's that. Rants are a distraction not an excuse because the issue is control, not why you want control. talks a lot of shit but has had multiple pants-down security moments: the group chat membership bug and the poor-choice-of-framework Blink bug. slack -- offered irc gateways to build network effects then shut them down fucking evil. a closed system designed specifically to poach lazy entitled "maker"-style can't-be-bothered non-player character users from a perfectly adequate open platform, then lock down the playing characters using network effects. Evil! wire -- this is some proprietary Swiss garbage, right? four legs good, two legs bad. Why do we have to go through this over and over? "But if you're not paying for the product you are the [SLAP]." Shut up, Robin. What's worse, unlike Google and Facebook, these "alternative" proprietary companies aren't under government and media scrutiny and don't have valuable reputations-to-lose bonding them. You would be better off protesting by using Bing, Wechat, or Baidu. tj> If so, where did everybody go? I'm wondering what happened to tj> all the people who actually did delete Facebook. still a good question. my nitpicking doesn't answer. I've been trying to get normies on riot.im. It uses signal-like insecure web frameworks, but prefers to run them in a browser tab instead of a standalone desktop app, which is more secure because you get chrome sandbox and chrome updates. It has a gateway to irc that is a little flakey but about halfway to ok---I use it with irc.hackint.org which runs their own instance of the matrix gateway. The server is a single-threaded Python twistedmatrix app that they are rewriting into multiple Go frontends around Kafka. The client is a single javascript blob for android/ios/web. The endpoint identifiers are Jabber-like, but there is a lookup server for verifying & "discovering" phone numbers (not sure how well it works), so theoretically best of both worlds. It's properly federated: you can set up your own domain-namespaced instance, and if matrix.org ceases to exist you can continue chatting. --end-- Again, that's _his_ view, quoted. I actually don't personally use any such services. In fact, what I use is a simple flip phone (calls and SMS), and I don't particularly trust it: To the best of my understanding, the baseband processor problem is so pernicious that you really cannot trust any cellular device to not have been hacked from over the air.

Quoting Andrew McGlashan (andrew.mcglashan(a)affinityvision.com.au): Heh. My attitude with my flip phone (Motorola RAZRv3, with a spare in my kitchen drawer ready for the SIM when this one dies) is that, absolutely, it could have been remotely compromised by the GRU, or these days by practically anyone down to Benny the bookmaker, using its crummy baseband blackbox chipset. So, I am careful not to trust it in any way, e.g., there's no data worth stealing on it, I assume all its channels for communication are insecure, and I authenticate anything on it I see or hear through other means. Reminds me: There was a hardened Android project that did a pretty hardheaded examination of all security risks on Android mobile devices, including the baseband threat. One of their conclusions was that, if you really wanted to be serious about device security, you should have hardened Android running on a wifi-only tablet, which you connect via USB cable to a separate mobile gateway ('modem') hardware widget. That being the only way they figured you could (at that time) ensure decent isolation of the phone processor from the baseband processor. I used to do that, too, and it was fun. I should try it again.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, On 15/10/18 11:51, Trent W. Buck via luv-talk wrote: Sure, but unless you do as Trent said and have no friends or other contacts, then you can give up on FB entirely too. In any case, whilst I do use FB, I don't use it like the "normies" as Rick puts it. I also use a bunch of other browser add-in features to at least lessen what FB can learn and exploit about myself to a significant but not zero degree. Cheers A.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, On 15/10/18 20:37, Mark Trickett via luv-talk wrote: Yes, well, I certainly rally against the idea of "allowing" Google to read every single email if it so chooses for whatever reason. I /give/ FB very little and Google much less overall. And there is no way that I'll willingly use Chrome browser. Of course nothing is perfect and we all need to make choices as to what is right for ourselves. This group here is, at least, far better informed than most ... ;-) I do use DDG via their .onion address over Tor .... fwiw. http://3g2upl4pq6kufc4m.onion/ Cheers A.

Rick Moen via luv-talk wrote: friend> signal -- never had any real federation. posting server source is an [...] friend> slack -- offered irc gateways to build network effects then shut them down [...] friend> wire -- this is some proprietary Swiss garbage, right? four legs [...] Do you have a canned rant for this one? https://en.wikipedia.org/wiki/Matrix_(communication_protocol) friend> I've been trying to get normies on riot.im. It uses signal-like friend> insecure web frameworks, but prefers to run them in a browser tab friend> instead of a standalone desktop app, which is more secure because you friend> get chrome sandbox and chrome updates. Although then it can be XSS'd by other tabs, depending on how shitty your main browser is. There was an IEEE Spectrum article a while ago (can't find it now) called something like "the web will be insecure until we break it", advocating that each website looking like a desktop app (with strong separation between them), but still using the kept-up-to-date browser engine. The closest thing I've seen to this is this group policy in chromium (introduced in the wake of SPECTRE): http://dev.chromium.org/administrators/policy-list-3#IsolateOrigins If I actually logged into web pages and didn't e.g. locally NXDOMAIN facebook &c, I'd be turning this on for a bunch of name-brand domains. friend> It has a gateway to irc that is a little flakey but about halfway to friend> ok---I use it with irc.hackint.org which runs their own instance of friend> the matrix gateway. Ohhhhh, so riot.im is basically a matrix server you don't host yourself, so you have less hosting costs, but you have to watch for FISA canaries and stuff. The reason I asked about matrix is I know a couple of people who run their own matrices and then join regular IRC, and they mostly look OK from my end (a dumb IRC client). friend> The server is a single-threaded Python twistedmatrix app that they are friend> rewriting into multiple Go frontends around Kafka. The client is a friend> single javascript blob for android/ios/web. Yeah, that's when I started to tune out during the last round of advocacy, because AFAICT both go and ES are still in the dark ages WRT long-term maintenance and security. 100% agree. IME the best way to solve this is to have no friends, so you don't need a phone to organize when to hang out with them.

On Sunday, 14 October 2018 4:33:45 PM AEDT Andrew McGlashan via luv-talk wrote: There are more than a few people watching TV on public transport on the way to/from work. If you spend 40 hours a month on public transport (which is not uncommon) then that would be 25G of data per month if you spent that time watching SBS on demand (I presume other TV sources have similar data requirements but don't use them so can't easily verify). Sometimes for work I have to download gigs of data. Doing an rsync of a Linux image isn't that uncommon for me. https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authenti… Krebs gave the best write-up of SMS issues. As for Signal, it uses SMS to verify and change encryption settings. So if someone takes over your phone number of SMS I think there's nothing stopping them getting a new Signal key and communicating with people in your contacts list. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Andrew McGlashan via luv-talk wrote: You can "run your own server", but it can't talk to anyone using the first-party server. https://www.jwz.org/blog/2018/08/signal/ https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone… Depending on your threat model, the EMV approach might be a further refinement. That uses an applet running on your credit card (i.e. tamper-proof hardware and hardened algorithm), plugged into an airgapped device that looks like a desktop calculator. You manually transcribe data from the untrusted device to the calculator-like device, it generate a magic number, and you manually transcribe that back to the untrusted device. If your bank gives a shit about security, instead of just dismissing bank fraud as "identity theft", this is how you buy stuff online (a.k.a. "card-not-present transcation"). In theory the credit card's secret numbers are initialized by a device that's also airgapped and behind locks and guards. https://en.wikipedia.org/wiki/EMV The US military have something vaguely similar: https://en.wikipedia.org/wiki/Common_Access_Card rja14's mob have also built something similar for a SIM (also tamper-proof), which is DEAD SEXY, but still in proof-of-concept stage: https://www.lightbluetouchpaper.org/2016/10/31/digitally/