• 1 Post
  • 433 Comments
Joined 1Y ago
Cake day: Apr 13, 2024


And SMTP/IMAP do not support end-to-end encryption, so a malicious server can still spy on you even if it uses TLS.


But I dislike that it requires even giving that info

I never understood this stance… do people really think a corporation is going to risk their entire company over your anonymity when their country’s government does not allow this? Nobody is going to jail for you.

Plus, if everyone could easily sign up anonymously, then like they said, it would be overrun with bots and the reputation of their IPs would quickly deteriorate to where most other email providers would just block them, making the service almost worthless.



How would you know?

You probably wouldn’t have heard about it simply because it’s illegal to publicize a secret subpoena/warrant. Such orders are given as National Security Letters with a permanent gag order, going so far as to prevent the recipient from even seeking counsel; it’s a massive abuse of power and due process in the US to get companies to lie and do whatever they want.


I don’t consider those to be useful anymore because a court can compel them to keep the canary up in secret, and I’m pretty sure that’s already happened more than once before.


I think real intelligence by definition requires empathy and humility, which is typically the opposite of such dogmatism in my opinion.

“As a rule, strong feelings about issues do not emerge from deep understanding.” -Sloman and Fernbach


Yes, but I think you still need a unique fingerprint in order to tie that data to a single person… and there are far fewer people who use ad-blockers than those who don’t, so to me it’s an extra bit of identifying information; obviously this puts the privacy-conscious user in a difficult position and I don’t know that there’s a perfect answer.


why change the title

As I mentioned, I felt it was more transparent to say where the money comes from and let people draw their own conclusions. Of course there will always be dissenting opinions no matter which title is used, I think that just comes with the territory, and I’m ok with that; I don’t think there is a single right or wrong answer. I’m sorry that you disagree with my choice. I encourage you to make similar posts wherever you’d like with your own desired title.

Thank you for your perspective.


I don’t think it was meant exactly that literally. If you use online banking then of course you have to allow whatever they require for it to work. But for non-necessary services that have an account feature… any time you use those of course will have more of your information out there to sell and track.


In the context of fingerprinting I disagree. The vast majority of the world population do NOT use an ad-blocker (supposedly maybe 15% do at most)… so having an adblocker can be used to narrow you down even more IMO. Many extensions can have this issue afaik, especially if it modifies the DOM.


Original title was “F-Droid Awarded Open Technology Fund’s FOSS Sustainability Grant”. Not trying to be tinfoily but I thought it would have been even more irresponsible to not make it clear where the money really comes from as I think most people aren’t aware.

Either way, please do your own research and draw your own conclusions and I promise I have no intentional agenda in reporting this… besides transparency.




I have read the spec, used the service and also implemented my own clients before; that is why I’m so confused by what you’re saying, because this has not been my experience at all. If a user joins a channel, whether they are an admin or not, whether it is encrypted or not, then unless the channel is explicitly set up to only allow verified users to talk (not the default), my understanding is there is nothing preventing that new user from seeing all new messages in the chat.


I don’t understand. How would the sender prevent messages from going to the admin user that joined the room? It sounds like you’re implying new users simply can’t join a room? That makes no sense to me… I’ve certainly never experienced that. I see new users join encrypted rooms all the time and they can talk just fine… so what’s the deal? And isn’t verification off by default?


End-to-end encryption ensures that only the intended endpoints can read the messages

But who/what gets to decide who the intended recipients are? Can’t the homeserver admin just join the channel and then the other members would exchange keys automatically and now they can see what people say?


What do you have to say about this then?

In an encrypted room even with fully verified members, a compromised or hostile home server can still take over the room by impersonating an admin. That admin (or even a newly minted user) can then send events or listen on the conversations.

Perhaps we have a different definition of “impersonate”… not everyone will pay attention to unverified warnings, and afaik they can still communicate with people (just maybe not read old messages)… but I would love to be proven wrong.


Unfortunately even with E2EE, the admins of a homeserver can still impersonate you or take over your channel.

Of course you could run your own instance, or maybe none of this is part of your threat model, but I felt like bringing it up either way.



Unfortunately I have found it to be one of the highest concentrations of higher-IQ discussions on the Internet wrt broad ranges of topics, at least historically.


Even if Section 230 didn’t require providers to terminate the user’s service, providers further upstream could technically punish that ISP for breaking their own ToS depending on what it is.

People like Liz Fong-Jones and Keffals have successfully lobbied multiple Tier 1 ISPs to blackhole websites that have posted information about them that they didn’t like based on this fact, behavior which the EFF has specifically called out as a threat to the free and open Internet. Even the CEO of Cloudflare has openly admitted to being personally involved in blocking sites without a really good reason.


I think you’re incorrectly assuming that everyone knows they all do it. I see nothing wrong with raising awareness.


What would you have preferred? “Most apps sell your data, news at 11”? Would anyone care if it was written like that?


Thanks. You’re not wrong, and I appreciate the well-written response. Some might say you are defending/advocating proprietary software with this stance, but I don’t think there is a clear answer either way that applies to every circumstance.


This article is about the app, which does not run the model locally. Why would you doubt that a Chinese app which openly claims they send your data to China, actually does so?


Contains proprietary code. I recommend Molly-FOSS instead.


I would hope the difference is that the f-droid version does not contain any proprietary code.


So far JShelter has been the best single solution I have found, it even prevents creepjs from working at all. Nothing is going to stop casual users from getting TLS fingerprinted though.


Honestly I find his attitude to be quite commendable and I think that speaks much louder than whatever it is you disagree with.

Maybe he should have just left Trump’s name out of it entirely as that seems to be what really pushed people’s buttons.

People are going to twist things around no matter what is said though. Don’t forget hindsight makes everyone look guilty.


What’s the best alternative to Google these days?

I think that’s like asking what’s the best alternative to bread.


Not letting people have opinions you disagree with makes me suspicious of how willing you would be to oppress others.


Unfortunately, if everyone shouted all the good free stuff from rooftops, they would be gone.



I don’t think it is possible.

I also think people are blowing this WAY out of proportion and don’t even realize their own hypocrisy.

Extreme example: Jewish people happily drive Ford cars, even though Henry Ford was the only American mentioned in Mein Kampf, specifically for his hatred of Jews.


owner of said product has openly stated that they hate your very existence

Of all the things that didn’t happen, this didn’t happen the most.


What’s the benefit for them?

Not being targeted by a President.

https://www.cnn.com/2024/10/29/business/ceos-trump-revenge-nightcap/index.html

https://www.cnn.com/2024/06/05/politics/trump-prosecute-political-opponents/index.html

Why wouldn’t they want to please previous administrations?

Those administrations weren’t targeting them.

I think it’s always about the money, plain and simple. If there is a threat to their gravy train, they will bend over backwards to keep it going. Otherwise, they don’t care about you.


I find it disappointing that people interested in privacy would have such little respect for a private individual’s right to have their own thoughts.

Ding ding ding.

It seems the vast majority of people do NOT want to allow speech they don’t like, no matter the consequences. That requires too much forward thinking. Excuse me while I watch history repeat itself…



F-Droid not being trusted. They build and sign a developer’s code on their behalf, so there is a chance for injection there.

There are reproducible builds, but I would argue it’s not taken seriously enough. Like right now nobody is publicly verifying Signal’s supposed reproducible Android builds and they’ve historically had problems keeping it working.

Also how most (or all?) Play Store apps (including FOSS) contain proprietary code.


I assumed the topic was more about online privacy.