/cyb/ - cyberpunk and cybersecurity

>>219

>requires either a phone number or email address to register (both if you want access to the desktop and mobile clients)

Actually, mobile Wire works fine with an email login only, no phone number needed.

What about https://ricochet.im/ as far as desktop goes?

does anyone use silence? it's a foss signal fork that only does encrypted sms/mms. i like xmpp/otr for IM, but there's a bit of a vacuum for encrypted texting (particularly if you are running botnet android).

>signal
i don't like it, but it's inarguably better than nothing and it's the only encrypted IM app that most people i know irl use.

>>223
I'm a huge fan of ricochet, actually. It's distributed, end-to-end encrypted, and tor-anonymized. I only wish there were builds of it for android and other smartphones, because that's where I do most of my messaging.

>>224

I love Silence. Unfortunately I live in a country with an almost 50% iphone marketshare. Unless a messenger app is on both major phone OSs (Silence is android-only), and the person I'm chatting with is willing to install and use it (good luck convincing an iphone user to use anything except imessage), then I can't use Silence's encryption feature.

>>219
>riot/matrix
Working on https://lainchan.jp/μ/res/89.html

Opinions on Tox?
>open source
>P2P
>E2E encryption

>Signal
>first class
>closed source and centralized
That is some soykaf teir opinion anon.
Opensource, p2p, and e2e encryption are a must if you want to be safe. Anything else needs to get derezzed.

>>219
I have converted from Telegram to matrix with Riot. Cross platform clients, offline message support, and riot supports end to end encryption (beta feature). Yes, for best security one should still use XMPP+OTR but I'm putting my bets on matrix being the future. Matrix is an open protocol that supports federation between servers, and has clients friendly enough you can get your non-techie friends on it.

Only thing I'm missing is a native Linux client

>>232

I like Tox in theory, but the main android client Antox is a serious battery-killer. For any messaging program to be useful in the modern era, it needs to be useable on android. Antox ain't this.

And yeah, yeah, android equals google-botnet. But honestly, what's the mobile OS alternative? Everything else is either even worse (IOS, Windows Phone) or an equally unholy semi-closed turd (Jolla/Sailfish). At least with android there's Copperhead and Lineage to help minimize the google-botnet-ness.

>>232
I've been following Tox for quite some time. It's an interesting project that I think really has some great potential. (It's had its fair share of the petty squabbles that seemingly plague every FOSS project, though.) I think that in order for it to become really useable they have to figure out the cross-device profile/contact sync thing. A comms network is only useful when other people actually use it (Metcalfe's Law) and I don't see adoption picking up if people have to create new profiles for each of their devices and then add all of their contacts' profiles for all of their contacts' devices to each of their profiles for each of their devices.

>>232
i think it entirely depends on your target threat. want to get away from malicious third party actors that dont have state level funding? signal is clearly the best option on the market right now.
want to get away from the botnet/police state? you're pretty much fucked no matter what you choose, afaik.

im interested in why you think p2p is necessary. whats the advantage over running an open source server? im not actually sure if metadata is still created with p2p services, though i imagine it would depend on the protocol. p2p also kills battery life on most mobile phones which makes it really hard to get it mainstream, since as other lains have already pointed out, most messaging happens on your phone now.

>>225
this looks really cool. have you used something like tox to compare it to? it certainly looks like a more stable product, but i dont think that counts for much

>>238
Android phone with an unlocked bootloader flashed without the google spyware is the best option. I switched to iOS a few months ago because I figured privacy wise I'd rather apple than google, and at least I'd get privacy updates. I do not recommend this, using it with Linux is a huge pain and the FOSS app selection is much worse.

>>240
p2p is goal, but I'll settle with a open source federated server/client for the time being so long as we have end to end encryption. Sure you'll leak more metadata, but if they have access to the telecoms they can see who you are talking to regardless. So if you control the server I'd say you're nearly as safe as you would be with p2p

>>241

IOS has never even been on my radar, simply because of the walled garden. I'm sure that the security in both software and hardware is very good, but in many ways Apple is even more hostile to open-source software than frickin' Microsoft. (Fun fact: the version of Bash that comes with OSX is ten years old, because Apple is absolutely terrified of GPLv3.)

Android, for all its flaws, at least lets the user easily "jailbreak" it with a toggle in the security settings. Even in a worst-case scenario of a locked bootloader and no alternative ROM, it's dead simple to flip that toggle and load up F-Droid or Amazon's app store or any other app source that one likes.

>>240
A P2P solution is preferable to a client-server solution because it is more robust and censorship-resistant. In a scenario in which a server exists the server becomes a choke point by which a malicious actor could cut off all clients. Even if the software is FOSS and therefore many servers are possible there still exist those same choke points. A P2P solution avoids this possibility. A system in which an attacker needs to take down 100000 nodes to silence 100000 users is preferable to a system in which an attacker needs only to take down 100 servers to silence 100000 users.

I use XMPP and IRC, with OTR.
OTR is great.
>encryption is just a plugin and isn't baked into the protocol (im not sure how much of a problem this is)
It's not a problem.

>>248
To let me clarify on what I said about it not being a problem, OTR being a separate plugin is great since it means there is no way for the people running the server to know what you're saying.

>>219 (OP)
Why aren't we all using Wire?

>open source
>beautiful UI/UX
>audited crypto
>windows client
>macos client
>linux client
>android client
>ios client
>web client
>end-to-end encrypted text chat
>end-to-end encrypted group chat
>end-to-end encrypted audio calls
>end-to-end encrypted video calls
>no opt in or opt out for encryption
>email registration available
>no telephone number required

https://github.com/wireapp
https://wire.com/en/

There is seriously no other messaging client that does all of this.

>>255
IIRC their marketing lied about the features it had when it came out. That's sure to kill momentum. And aside from that, do any of these me-too E2E chat apps have a reason to exist when there's XMPP+OTR? Most of them won't be here in a few years.

>>257
>And aside from that, do any of these me-too E2E chat apps have a reason to exist when there's XMPP+OTR?
I couldn't agree more that XMPP+OTR is our best option, but it is not a very realistic one. It's incredibly difficult to even get a lain to set it up let alone a normal person.

This is our fault though. This isn't how it has to be. There is nothing stopping us from making an open source, beautiful, minimalistic, cross-platform, and easy to use XMPP client with forced OTR encryption and group chat support, but it doesn't exist and probably never will.

Who will rise up and start lainchat.org?

Diaspora, a federated social network, development is active, its chat is an implementation of XMPP+OTR IIRC.

https://diasporafoundation.org/

A nice thing for ease of switch:
>Social network integration
>Use diaspora as your home base to post to your profiles on other major social services. This way your friends will still be able to keep in touch with what you’re up to, even if they’re not yet on diaspora. diaspora* currently supports cross-posting to your Facebook, Twitter, and Tumblr accounts, with more to come.

>>274
I feel like the sorts of people who make heavy use of social networks and the sorts of people who place a high value on privacy and decentralization are almost entirely mutually exclusive.

>>258
Then stop acting like it's a tech issue. If people don't care enough to use OTR, then I don't care enough to talk with them.
It's a cultural issue. You can't force people to care.
It's not OUR fault for not forcing people to care.
It's not OUR fault some retards care more about looks than function.

>>288
You cant force anyone to do soykaf.

The only way to do it is to remove yourself form their ability to communicate with you, if they want to communicate with you bad enough you will gt them using it.

Its hard for most people, because they are retarded sheep simple as that.

>>288
That's not a valid excuse to not pursue this project. Encouraging wider use of encryption benefits everyone. We should care about other's privacy as well.

>>285
I don't think so, you can use it like we use lainchan right now. No reason to use it "heavily", it surely won't force you because noone gets money from you getting addicted to it. You can also use it pseudonimously because it doesn't force you to use your real name or invasive second factor auth. I think privacy-aware people wouldn't have a problem with trying different communication formats (social media-like, twitter-like, IM, videoconferencing, etc) as long as it's built over acceptable technologies.
Diaspora and quitter are the ones I like the most.

>>258
Just use conversations on android or one of many on desktop.

Gawd. Its hard is an unwillingness to learn

>>323
Yeah, it's a true problem that people don't even want to spend 60 seconds to learn something. Learning basic commands isn't hard.

>>219
>what are some you use?
Conversations/Gajim and Signal.

>which ones would you never use?
proprietary apps (facecuck, botsapp, skype etc…)

>where do we draw the line?
Privacy-respecting messengers are no harder to use than botnet soykaf once you set it up (should take about an afternoon for the average lainon)

XMPP + OTR is deprecated btw
the new cool kid in town is OMEMO

>>371
Again XMPP + OMEMO,
Same problem as XMPP+OTR

"Its too hard sempai, i just want to give up my digital rights"

>>371
OMEMO is for phoneposters.

>>375
OMEMO is for everyone. It's an official XMPP extension now and it will be in Pidgin/Tails later this year.

>>375
Why's that?

I use both, they seem to work fine.

>>371
> XMPP + OTR is deprecated btw

Apples and oranges. OMEMO addresses some issues mainly multi-party and multi-device encryption, but is ultimately an XMPP-only scheme and designed as such. Also being the Lovecraftian XML horror that it is, you can't use it everywhere as you would PGP and OTR.

https://xmpp.org/extensions/xep-0384.html

>>374
You don't even have to set up your own XMPP server, there are dozens of free ones out there. With E2E encryption, you don't even have to worry if your provider is botnetted.

Download the app and choose a name + password. Even an IQ100 normal person can manage this.

>>377
>Why's that?
It has misfeatures like giving messages to multiple clients. What if The Bad Guy has access to one of your other clients?

>>414
One would one that some key-revocation feature is part of the spec, it'd be quite troublesome if there was no equivalent.

>>417
one would hope*

>>417
Even if such a feature existed, it'd only be useful if you were constantly aware of the status of all your clients. OTR makes this a non-problem.

>>414
>>417
>>422

You can choose which OMEMO keys (including your own other devices) you trust in Gajim and Conversations, and you can grant/revoke that trust as you like.

It's basically a matter of keeping your devices safe, but that's not an OMEMO problem per se.

>>450
Forgot to add, you can of course use OMEMO like you would OTR, with just one device on each end.

Then you don't have this possible "nonfeature" and you get a superior algorithm too (OTR is still based on SHA1 for example).

>>451
>you can of course use OMEMO like you would OTR, with just one device on each end.
But will the people you talk to take the same amount of care?

I haven't seen anyone mention RetroShare.
From their website: "Retroshare creates encrypted connections to your friends. Nobody can spy on you. Retroshare is completely decentralized. This means there are no central servers. It is entirely Open-Source and free. There are no costs, no ads and no Terms of Service."
Services:
-Chat
-Voice & Video
-Emailing
-File sharing
-Forums
And other minor things.
BEST PART: You can hide your ip by running it through both Tor and I2P. (I2P being my fav)

How does it work?
Retroshare is a network of computers. These computers we call nodes and every user has it's own node. The exact location (the IP-address) of nodes is only known to neighbors. You invite someone to become a neighbor by sending your public key to them.
Forums use pseudonymous nicknames to identify people. The nickname system uses cryptographical keys to verify messages come from specific authors. The nickname information travels wherever the forum post goes.
If you send a message to a user, the system delivers it to his node by searching for a route by forwarding it via a chain of neighboring nodes. If you want a certain file, your node asks your neigbours and they in turn request it from their neighbors.

Extra technical stuff:
Network topology: decentralized Friend to Friend network (F2F)
Transport: IPv4 TCP+UDP, Tor
UPnP / NAT-PMP port forwarding support
Distributed hash table to locate friends
Optionally can use dynamic DNS
Connect to friends behind NAT with UDP
Transport encryption with TLS (OpenSSL)
Authentication with PGP keys
Services: chat, VoIP with video, multi-user chat, file search/file sharing, forums, link sharing, Retroshare mail
Extensible through plugins

As a baseline of what type of software you should use, Peer to Peer, Encrypted, Open Source, and doesn't require bullsoykaf like phone number or email. Feel free to add other requirements.
There have been other anons in this thread which explained the problems of having a central server: "kill 1 server to stop 100 people verses having to get each one by one" (more or less).
Closed source is a VERY obvious issue, no software should be recommended if it is closed source. Although I have seen several in OP's post.

If you want to talk about security and other fun stuff, you can add me on RetroShare or Tox, both are great software.
https://privatebin.net/?9cac8a523e6515bc#EAcWwQbS4AKLVqyKVCs6LUEejSk9Kg+L+q5PGDNnUMs=
Password: lainjpchan

https://lainchan.org/%CE%A9/res/13572.html
> URC + I2P
does any of you know about it?

Based on Ricochet: cwtch.im
Could be a good option.

GNUnet's Secushare also looks good.

Matrix has some good stuff, but it's bad for a lot of reasons. XMPP is still a better option.

Wire is working on federation though. Interested in how that turns out.

>>568
RetroShare is controlled opposition made/infiltrated by the Deep State™ like Diaspora.

Unlike Diaspora, RS does have some form of end-to-end-encryption in some cases, but e.g. file transfer is only encrypted between nodes but each node can read the files that are being transmitted through it on their path from seeder to leecher.

There are more serious problems though:
- remote code execution everywhere
- 500k lines of horrible code
- mixed tabs and spaces which totally fucks up git diff, git blame, etc.
- an incredibly messy git history due to git merge without git rebase
- bad default settings (like immediately pinging some whatsmyip server and often even sharing your list of friends with your friends and friends of friends through 'Discovery' or whatever it was called)
- hardcoded DH params (https://weakdh.org)
- a community (including the devs) consisting entirely of nsa shills, nsa fanboys and morons

The last point is actually the most critical vulnerability of them all.
The devs intentionally add vulnerabilities and deny their existence or claim it's impossible to fix.
Like with unencrypted file sharing, devs claimed that it is literally impossible to create end-to-end encryption on the internet. As if Tor and OTR didn't exist.
And then it turned out that distant chat in RS is end-to-end encrypted, so the devs couldn't even pretend they don't understand the concept.
At that point they did give up because even the retards in the community were wtf'ing at that behaviour.

Oh, and ofc there is censorship and data retention.
Forum owners can set a flag that makes all nodes keep track of which node made which forum post, allowing the persona to be tracked back to the original node which can then be unfriended by everyone for being a vile bait troll.
But even if you don't unfriend the vile bait troll, your friends can downvote his IDs, which means their posts will become entirely invisible to you.
Idk if by now there is a way to make this optional other than patching the code but yeah, enjoy your NSA provided darknet.

>>3817
If you are so confident that it is full of security holes, why not show us some proof of concept exploits?

I use Torchat. Someone needs to make a Torchat mobile app.

>Encryption protocol is known to be broken, since it is home baked and not made by cryptographers. E2E is not enabled by default.

those aren't the same thing. Homebrewing a protocol isn't that hard but theirs is needlessly complicated and I have seen a few amateur cryptanalyses that got too close to breaking it for comfort. Also the people who fund it are shady as fuck, and it's closed source.

>>458
If you're talking to careless people, no protocol in the world can help you.

>>219
I use a Whatsapp bot to redirect people to Signal whenever they send me a message. Sure, it's not the best service in the world, but at least it's somewhat better and userfriendly enough for normal people to figure out how it works.