Here’s gemini’s attempt:

I’m gonna need some evidence before I believe Google isn’t analyzing all the data that passes through it unencrypted.

For anyone considering Session messenger:

The Session developers dropped Perfect Forward Secrecy because it would be hard to work around it.

First things first, let’s talk about what we’re leaving behind: Perfect Forward Secrecy (PFS) and deniability.

Source: https://getsession.org/session-protocol-explained

In plain English, they dropped a security feature for their convenience to the detriment of their users’ security.

For anyone unsure what PFS provides:

The value of forward secrecy is that it protects past communication.

Source: https://en.wikipedia.org/wiki/Forward_secrecy

The Session devs also claim:

Session provides protections against these types of threats in other ways — through fully anonymous account creation, onion routing, and metadata minimisation, for example.

Reading between the lines, we can interpret that as introducing security through obscurity, which is generally considered bad practice - https://cwe.mitre.org/data/definitions/656.html

What’s wrong with Briar? https://briarproject.org/

Censorship-resistant peer-to-peer messaging that bypasses centralized servers. Connect via Bluetooth, Wi-Fi or Tor, with privacy built-in.

I think the reason these apps don’t take off is the compromises they make in order to work the way they do. When you do need them, you best hope you’re able to get them and get others to use them as well.

Jack doesn’t own bluesky but he is on the board [0] and even working for a public benefit company, is supposed to [1]:

… operate the business with the same authority and behavior as in a traditional corporation

It does go on to state they’re required to consider the impact of their decisions not only for shareholders but also employees, customers, community, etc, but there’s no mechanism that forces them to do “the right thing”. A public benefit company is basically a way to protect decisions made if they were to not align with the concept of “shareholder primacy” [2]. On the other hand, if Bluesky had registered as a certified B Corp [3], that would have more weight to it as they not only have to state their intentions but also provide evidence.

In regards to being federated - are they actually federating with anyone yet? Genuine question, I haven’t kept up.

In regards to being open source, it’s a good start, but like the Chromium project, the company’s needs will drive it forward and the interest of the company will come first, good or bad.

[0] https://en.wikipedia.org/wiki/Bluesky_(social_network)

[1] https://en.wikipedia.org/wiki/Benefit_corporation

[2] https://en.wikipedia.org/wiki/Shareholder_primacy

[3] https://en.wikipedia.org/wiki/B_Corporation_(certification)

Going from one billionaire’s platform to another (Twitter/Musk > Bluesky/Dorsey) is not a smart move. There’s a vast segment of the population that learns nothing and keeps making the same mistakes.

Ooh silverbullet looks nice too, thanks. Link for the lazy: https://silverbullet.md/

If you’re on Firefox on desktop/laptop, check out Bypass Paywall [0]. It was removed from the firefox add-on store due to a DMCA claim [1], but can be manually installed (and auto updates) from gitlab. The dev even provides instructions on how to add custom filters to uBlock Origin [2], so you don’t have to add another extension but still get some benefit.

[0] https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean

[1] https://winaero.com/mozilla-has-silently-removed-the-bypass-paywalls-clean-add-on-from-amo/

[2] https://gitlab.com/magnolia1234/bypass-paywalls-clean-filters

Because they get your profile picture, name, and email address when you click accept. I went through with it just to test, but definitely getting some data from its users.

You’re right, but security and privacy is about layers, not always 100% effective mitigations, especially not when the mitigation is a function (contact discovery) that requires a private list (your contacts) be compared against another one. For anyone where this is an actual security risk, they don’t have to to share their contacts. They will not know which of their friends/family are on Signal, but they can still use the service.

This feature does protect users in that any legal court order for Signal to present who is friends with who (as almost every other messaging provider has actual access to your list of contacts) is not possible. They’ve been subpoenaed multiple times[0] and all they can show is when an account was created and the last day (not time) a client pinged their servers.

Lastly, I’m not sure if this is even a feature or not but it wouldn’t be too difficult to introduce rate-limiting to mitigate this issue even more. As an example, its very unlikely that most people have thousands (or even tens of thousands) of people in their contacts. Assuming we go just a step beyond the 99th percentile, you can effectively block anyone as soon as they start trying to crawl the entire phone number address space, preventing the issue you’re describing.

[0] https://signal.org/bigbrother/

Not necessarily.

Signal has people who are experts in their field. They engineer solutions that don’t exist anywhere else in the market to ensure they have as little information on you as possible while keeping you secure [0]. This in turn means high compensation + benefits. You don’t want to be paying your key developers peanuts as that makes them liable to taking bribes from adversaries to “oops” a security vulnerability in the service. In addition, the higher compensation is a great way to mitigate losing talent to private organizations who can afford it.

[0] Signal has engineered the following technologies that all work to ensure your privacy and security:

• Post-Quantum Computing Resistance
• Private Stories
• Group calling
• Private admin permissions
• Secure Value Recovery
• Private Stickers
• Sealed Sender
• Private GIF search
• Private Contact Discovery
• Encrypted Profiles
• Reproducible Builds

This is a nice surprise. Didn’t even know this was in development. Can’t wait to test it out!

I plan on making it available inside my own network, not public. This way if someone makes it past my security, I at least have something that might “catch” them in the act and disable my network so I can intervene. Just another security layer.

Fair point, but do note that https://wormhole.app is just a web-client for the wormhole protocol. There’s a reference implementation and there’s - personally - a much better go-based implementation (wormhole-william) that also has a few clients built using its API:

• rymdport: A cross-platform Magic Wormhole graphical user interface
• riftshare: Desktop filesharing app
• tmux-wormhole: tmux wormhole integration
• wormhole-william-mobile: Android wormhole-william app

may not meet your requirements but have you taken a look at https://wormhole.app ?

you could set it up on a non standard port like 99. you have to manually add “:99” at the end of your domain name, but it works.

How are you liking OMV5? Pros/cons?

I used Ubuntu for a while and distro-hopped before deciding to land on Debian. I figured major distros used it as their base for a reason. The older I get the more I appreciate the “it’ll release when its ready” approach that Debian takes. There’s no economic pressure to release with major bugs hoping the next sprint will fix most issues, like a lot of “enterprise” software. The Debian release cycle is not 100% predictable, but it is reliable. I’ve had a server go through a few major upgrades for nearly a decade before the hardware itself gave out. The OS was rock solid the entire time. Additionally, with flatpak, outdated desktop apps are no longer an issue and I use docker for hosting services.

I will admit that Debian is pretty “bland” from a fresh install, but I don’t mind that at all.

I’d say that’s good news, everyone!