Computer Science student, passionate about the field; somewhere in Portugal.

lemmy.pt instance administrator.


https://tmpod.dev

  • 0 Posts
  • 36 Comments
Joined 3Y ago
Cake day: Sep 10, 2021


Adding onto what’s already on the thread, you can try looking at the newer Element Call, which is an implementation of Matrix’s native calls.
I’ve been using it a bit recently, since Jitsi seems to have stopped working reliably for me (to be frank, I’ve not put much effort into debugging it yet). It works well, but it’s still early stage, lacking some features Jitsi has. If that one works for you, I recommend you stick to it.


Yeah withdraw cash from an ATM and use it. The system sucks, but it’s not trivial to change for a myriad of reasons.


There’s no real way to do it. Unless you know someone who can trade you XMR<->cash and you somehow convince your employer to (break laws and) pay you in those forms, you can’t avoid it. At some point, you’ll have to get money on a real bank account, which requires real information to open.


As far as I know, modern cards don’t just send your CC info to terminals, they do some form of a cryptographic handshake (probably a pubkey signature or similar) which gets confirmed by your bank. I believe Caveman was talking more about online shopping, where you have to enter your card number, expiration date, CVC and often your name too.


That’s why I love virtual card systems like MB NET. You just generate a random virtual card for every purchase (or a recurring one for each subscription vendor, for example) and move on. Your bank still knows what you’re doing, of course, but vendors can’t correlate anything. Preventing your bank from knowing where you’re spending your money is much harder, for very practical reasons: fraud detection. The only real way is to use a secure crypto coin like Monero, but very few places accept it and you still have to deal with volatility.


Ah right, Molly. Have yet to try it, but looks interesting.

I think I’m too afraid of moving my main stuff to Molly, lest I lose something :P But the UnifiedPush and multiple mobile clients is enticing.


Yeah that’s a bummer. Signal has multi device support but only for desktop and iPad (yeah, not Android tablets), but you always need to have a master phone device.

It’s been an issue for so long, but this is Signal, they do whatever the f they want.


encrypted email

Besides being a form of messaging (so the text somewhat contradicts itself), typical email is a deeply insecure protocol.
In my opinion, it’s probably impossible to secure without making a new protocol or making such drastic changes that it might as well be considered one.

Here are some key concerns regarding the usual PGP-powered encrypted email:

  • Email, at a simple level, works much akin to physical email — there’s an “envelope” containing important info regarding the communicating parties, which can’t be encrypted, otherwise the mailing servers wouldn’t know where to forward the messages. This essentially leaks a lot of metadata that can be almost as valuable as the message body itself.
  • There’s no forward secrecy — one of the best cryptography features that has become pretty much a commodity in modern systems is forward secrecy, which prevents attackers from decrypting older messages after gaining access to one of the keys.
  • While not an issue with the protocol itself, it’s the sad reality and we need to consider — most people use GMail, Outlook and the like, which ultimately need to read your emails in plaintext, for better or worse reasons (search is incredibly useful, but some big players don’t stop there of course :p).
  • Another thing is the fact that it’s incredibly easy to have an imbalance of encryption, i.e. someone is encrypting their messages, but others aren’t. With the very popular email culture of quoting (be it top or bottom posting), an unencrypted party in the conversation can leak important information.
  • PGP is… peculiar, so to speak. It has a lot of issues, mostly stemming from its age (which could also be a source of robustness and security, due to being very battle-tested, but I don’t think that’s quite the case with PGP/GPG), tries to do too much and typically has a clunky UI, which impedes wider and proper adoption by less technical people.

This isn’t to say people should definitely stop using and promoting encrypted email, since it can be useful.
It’s just it gives, more often than not, a false sense of security and can lead less proficient users to send sensitive data through this medium which isn’t nearly secure enough for such use cases. Preferably, people with such threat models should opt for better alternatives, most suggested in that article (such as, but definitely not limited to, Signal, SimpleX, Matrix+Olm, XMPP+OTR/OMEMO, sharing files via MagicWormhole, encrypting with tools like age).

On a slightly tangential note, I think someone should make a Matrix client with an email client interface. I started working on a new traditional chat client (completely nonfunctional still, very much in-dev), but I’ve been honestly thinking more and more about making one looking like an e-mail client, where there isn’t much focus on instant room-based chats, but rather on longer-lived 1-to-1 and list-like exchange of messages.


Yeah Mullvad’s system is better than Proton’s, since the latter asks you to place your username inside the envelope. Mullvad’s random token is better in that regard.

More info on Proton’s cash payments: https://proton.me/support/payment-options#cash

Disclaimer: I’ve never paid in cash on either of these services.


I believe proton also accepts cash payments. At least I’ve seen that in their mail service.


For hosters, legality has to be considered.


I’m not familiar with any service that works at the international level, but over in Portugal, the biggest ATM network, Multibanco, has had a service called MB NET (now integrated with the newer MB WAY app), which allows you to create temporary cards with 3 different behaviours: one-time, monthly, multiple uses. The first one always has 1 month of validity, while the others only expire after a year, and you can define a maximum capacity.

It works perfectly well in foreign online services, but you have to have a card from one of the associated banks (presumably from their Portuguese branch?).


Can’t use cash online, (nearly*) anywhere.

* Mullvad is the only service I know that accepts payment through mailed cash.

Another commenter said goldwarden implements that through the Remote Desktop XDG Portal, which only GNOME and KDE support at the moment (wlroots doesn’t implement it yet).


Oooh, that looks very neat, thank you!


BitWarden is really good. Has (nearly*) everything I want, works well across all platforms and the free plan is very featureful. Even though I don’t really use any of the premium features, I still pay for the plan, to help fund development, it’s only 10€ a year.

* I say nearly because I’d love to have some form of autocomplete in Linux Wayland, outside of the browser extension. I believe one of KeePass apps does this (but only for X?)

What does Windows do? Genuine question, I’ve not used it since the 7 days. Regarding Linux, that’s true for stuff installed through regular package managers and whatnot, but Flatpak is pushing a more sandboxed and permission oriented system, akin to Android.


This has nothing to do with the mobile app, which also has password/biometric unlocking, it’s about the desktop electron app.


No problem, glad to have more people know about it, it’s very useful!


Unfortunately, no. I believe you can’t really get this level of control without root access.


Ah right, airplane mode makes a ton of difference. I also tend to have it enabled as much as I can, usually when I’m home (and thus reachable through VoIP services) or at work. And I (almost) never turn it off, I just leave it in airplane mode. I limit the charge to 75/80%, with ACCA, so I get even less juice.

And I’m sorry, I also dislike big phones with huge screens and batteries, there’s no real need for that. But I know that you can fit better batteries in smaller phones as well. My previous device was smaller than the Pixel 4a, but had a bigger battery, while having almost identical weight.
I wish manufacturers would make smaller phones, really. I’m very unsure what other device I will get after this one dies or gets broken…


After my 6 year old Redmi 4X’s screen touch decided to die, I got an opened-not-used Pixel 4a (in perfect condition) at the end of 2022, because it was one of the few small-ish phones that had good modding support (Pixel phones are ofc known to be very good to degoogle). I love it. Feels good, works well, has a great camera (got a GCam mod too), etc. Only downside is the smaller battery (3100 vs 4100 mAh), but honestly it isn’t that big of a deal, I can just carry a powerbank on my backpack or, you know, use my phone less.

Back then, it was the perfect choice for me. Now, I don’t know, haven’t been keeping up with current models.


I understand.
You could look into getting a domain either way, it really is pretty simple — you go to a registrar website (I like porkbun.com), choose your domain name and purchase it. To get the email stuff going, it’s just a bit of copy pasting between their guide and the domain’s control panel.

Like I said, this domain stuff is useful outside of Migadu and similar services, but for a more 0-config option, I think disroot is alright. You also have mailbox.org and StartMail (from StartPage).


If you have your own domain, I recommend Migadu. They take care of all the boring parts of hosting email, while being cheap and very reliable. All you have to do is[1] follow their guide to set up some DNS records and double check everything is right. After that, you have a working email account with unlimited addresses, inboxes and a bunch more nice features.

[1]: Besides getting a domain name, which you should get anyway, since it gives you more control over your digital identity and makes it much easier to migrate providers in the future.


Yeah I feel you. It’s often hard to be fully alert of what you’re sharing all the time. I have slip ups but it’s usually fine, I’m only mega careful regarding things that could give away the city/town/village I live in, and where I work. If I ever really want to talk about it, I will use a different (often temporary) alias.


While this may be a good end goal, these comments are really more harmful than anything else. Removing your dependency on some proprietary service can be very far from trivial, or even doable, there is a wide range of internal or external factors preventing you from ditching it.
For example, part of my work and a bunch of good online friends of mine use Discord, so I keep it around. If you do any social gaming as well, you’ll also most likely find it hard to ditch the platform, as it’s grown deep roots in the community.

Anyway, it’s better to take small steps in the right direction than trying to make a U-turn and fail miserably.


Interesting, my Discord profile is also very hardened, and while it prompts me for confirmation, it’s always doable in a moment


If you’re on Tor, that’s the very unfortunate reality atm. If you’re on a VPN, you may try switching providers or servers inside the same provider. I can recommend Mullvad, which works very well, even if you get some CAPTCHAs.


Yeah, they have upped their “paranoia” quite a bit in the past couple of years. A while back, I discovered smspool.net while trying to register for Claude (wanted to give it a shot, was disappointed) and was so satisfied by their interface and prices I’ve used it again on 3 other occasions. There may be other similar services out there, you should give one a try next time Discord prompts you for a number.


Depends a lot on your threat model, of course, but here’s what I do:

  • use a temporary (but recoverable) email
  • use smspool or similar to verify my phone for less than a dollar
  • run Discord in a hardened Firefox profile (hardened browser settings + uBlock)
  • turn everything relevant off in Discord settings just in case
  • don’t share PII in conversation
  • use a VPN (or Tor)

Using a hardened browser and not giving them your real phone are likely the most effective steps, everything else is either less relevant or overkill. As I said, depends a lot on your threat model and on your requirements (some things may be unachievable if you’re forced to use Discord by your employer, for example).


Never heard of Heroic, I just rock the same setup as you. Steam for games I have there, Lutris for everything else except Minecraft (for which I use MultiMC).



Revolt is an amazing project and has a lot of great energy behind it, but one must not forget the issue that is scale. Discord is absolutely humongous, serving millions of concurrent users with pretty good performance overall. I’d love to see Revolt reach such userbase, but realistically, two 2nd year CS students are unlikely to get there. For a platform to reach such volume there needs to be money, which is likely to come with strings attached. Though what you say is true – Revolt has strong open-source roots while Discord has always been a VC fueled company, so I’ll keep my hopes hehe

Regarding Nitro, I agree it is a bit too much, but I actually think a subscription of sorts with bigger upload limits, streaming quality and so on (the original point of Nitro) is a pretty nice model to sustain a platform since it helps cover the cost of all needed infrastructure. Of course, Discord Nitro has since gained a lot of extra fluff and nothing impedes Discord from both selling a subscription and our data (which they’re likely to do), but the premise is quite reasonable.


Like others have said, on Discord the data rests entirely on their servers, without E2EE (so completely visible to them). They claim not to sell any data to anyone on their privacy policy (at least last time I checked, might not be up to date), and if you believe that (which isn’t entirely unreasonable, though I’d find it unlikely) the platform is probably more decent than the other giants. It also lets you browse communities without a real account (you can just open the browser app with a guest temporary account by just giving a name), which is really neat for exploring certain communities, as you were saying.

Now, I’d like to add a couple of points.
First, it’s easy to dismiss this because of the general anti-privacy stance regarding Discord, but it is absolutely undeniable that they have the absolute best platform to run and manage an online community based on chats. They have, in my opinion (and I’ve tried nearly every platform that is remotely known), the best implementation of text and voice channels, reactions, roles, onboarding, events, statistics and bots as well. Guilded was (is?) an excellent platform in terms of features as well, but they lack the massive network effect Discord carries, which is another undeniable big factor. As much as I dislike it, the network effect is really strong and, in my experience, with exception of very close friend circles and generally privacy-oriented folks, realistically adopting other alternatives is really tough.
Second, the corporate feel you mention is a bit lost on me. Certainly they are not as down-to-earth as some community-run projects can be, however they are visibly better than similar platforms like Slack.

Why all this? Am I a Discord shill?
Quite far from it. I don’t like them, nor do I hate them. Hate is a pretty strong word which unfortunately is thrown around quite a lot in topics as this one. Discord is really not ideal from a privacy perspective but let’s not completely disregard its many merits. I find that more often than not, conversations in pro-privacy circles revolve around hating on companies and platforms and dealing with absolutes, but the truth is that privacy need not be dealt in absolutes. It’s all relative and dependent on each person’s needs, and failing to see that more often than not harms the whole cause and people trying to get in.

Anyways, went a bit offtopic, sorry for that. Rant over, I suppose.


I can’t seem to open those links, it says the job offer no longer exists? 🤔