• 2 Posts
  • 298 Comments
Joined 5Y ago
Cake day: Jun 28, 2020


One of my banks properly uses TOTP which is independent & the other uses SMS which isn’t secure, but is also independent. I would straight up leave a bank if an app was required since there are always other options.

Family is the easiest to convert since they have unconditional love for you & would be the easiest to understand your concerns. You could even roll out a Snikket instance for everyone to use together.


You can still use cash & websites for banking tasks. Your chat should be on an open source protocol so there is bound to be an application or web app for that too.


Cheogram has a better featureset on Android in my experience. Movim has quite a lot of features & good performance for a web app—which covers the folks that “don’t want to install any new apps” (generally the right skepticism, but really most F-Droid ones are safer with less worry), or platforms without good clients. The biggest pushback I have heard was bad iOS clients—but being a self-hostable service with almost exclusively free software clients, it should be of no surprise any iOS dev is lackluster, being an entirely closed platform, anti-GPL, & with a hefty fee just to list an application.


We had this in XMPP a decade ago & they could have readopted the open standard instead of creating a new one. There is no track record of them not bending the rules to benefit just them anyhow—but this time it was developed exclusively by the tech giants which is absolutely for their benefit with nestled enclaves to meet the bare minimum requirements while still building the garden’s walls higher. Cabal-ass behavior.


The adaptors are flimsy and hang funny. Both of these options are putting additional strain on the only port for charging & data transfer—which is also making you choose audio or charging / transfer. Or they want to push you into buying irreparable, flaky, branded earbuds that generally have worse audio quality & always have latency. When all non-phone devices are still understandably using the standard 3.5 mm jack, why give any money & reward these companies putting out devices with user-unfriendly IO when I can support one that does meet my needs?

You can make Linux more secure by various means, & we will never get to a better state until early adopters start adopting the ecosystems. I would rather do this than support more Google ecosystem stuff.

GrapheneOS doesn’t really give you choice. This isn’t cool to me—& you will have a hard time convincing me otherwise since there are plenty of precautions I can take with my setups & my threat models without being told there is only one option.


I laugh at the folks that think Ladybird will save us. If their project’s developers & contributors & bug reporters require using the data-sucking Discord & MS GitHub with no alternatives, what makes anyone think they would take privacy seriously?


I will never buy a portable device without a headphone jack so that completely cuts off GrapheneOS which must follow the whims of Google Pixel designs. Instead I am currently trying out Sailfish OS on an Xperia 10 to use Linux—which hopefully can break me from the Google ecosystem.


Mumble is great for audio chat, but I would not wish its text chat on everyone. For an audio application it is light on your resources, but not good enough to leave on perpetually since it will keep checking the mics which makes it great for idling in when you want to audio chat, but not good if you don’t want that noise. I run & use my server regularly, but I log out when I need to focus or to save battery. I think it works better as an auxiliary place to chill or for meetings & is better paired with a different application for text chat & keeping on more or less always (where that other chat probably shouldn’t be Matrix—not just for installation but the resources required to run it). You will also get iOS folks crying there aren’t any great ports since it costs money to be on the Apple Store, FOSS doesn’t have deep pockets, & GPL is banned.


Less than 30? Self-host an Ejabberd server on an old desktop under some desk for private messages & multiuser chats + Jitsi which handshakes over the same protocol as the chats, XMPP. If you need some unified UI for everyone & a bit of posts, Movim can also sit on top of the XMPP server. If you need some low-latency, low-resource audio chat, let folks idle in a Murmur server.

Matrix uses way too many resources & is way too slow/inefficient at the protocol level.


Impossible to take them seriously if they have already started off on the wrong foot using exclusively megacorpo proprietary platforms for comms. If your developers' / testers' privacy doesn't matter since they opted for Microsoft GitHub & Discord, what would lead you to believe their project would take privacy seriously?


It is entirely centralized in the US—& there is 100% chance the NSA is tapped in on the metadata they can get a hold of. You can’t self-host. They have been hostile toward alternate clients & are very adamant you use one of the duopoly of Google/Apple mobile OSs as your primary device (screw you if you want to run an alternative OS or no phone I guess). There is a hole in the history for the server that leaves room for conspiracy theories.

Signal is adequate for privacy-focused normies, but does not deserve the pedestal it is put on which is why many folks more serious about the ideals instead of focusing on making concessions are skeptical of Signal. This isn’t a hot take or new stance.




Persistence is for forums. Chat has horrible discovery / search UX which makes it a black hole for knowledge—which is why it should be seen as temporary (I think even Signal sets 4 week expiry as default). Folks often say things they regret 5 years down the line in chat space & that sort of info needs to just fade away rather than be some target of some weirdo doxxing campaign.

You know you can have archive management & multi-devices without syncing the entire history right? Some protocols think holding onto the last 20 messages in a new group & the last year of private messages is good enough (can be saved local to the device if desired). Copying the Discord/Telegram/Slack model ain’t it.
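As an added illustration of the archive policy described in the comment above (a limited tail of history on room join, a time-bounded 1:1 archive, and a second device catching up only on what it has not seen), here is a small Python model of those rules. This is example code, not any server's or client's implementation; the message ids, timestamps and JIDs are constructed sample data, and the 20-message / 1-year limits are the figures from the comment, not a protocol constant.

```python
"""Archive catch-up policy: join-history tail, 1:1 retention, paged resync.

Added example, not code from any XMPP or Matrix project. Limits are taken
from the comment above and are assumptions, not protocol constants.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Msg:
    id: int            # monotonically increasing archive id (stands in for a MAM stanza id)
    ts: datetime       # server receive time, timezone-aware
    sender: str
    body: str


MUC_JOIN_HISTORY = 20                 # how much a freshly joining occupant gets
DM_RETENTION = timedelta(days=365)    # how long a 1:1 archive is kept server-side
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference "now"


def muc_join_history(archive, limit=MUC_JOIN_HISTORY):
    """Only the tail of a room archive is replayed to a new occupant, never the full history."""
    return sorted(archive, key=lambda m: m.id)[-limit:]


def expire_dm_archive(archive, now, retention=DM_RETENTION):
    """Server-side retention for 1:1 archives: drop everything older than `retention`."""
    cutoff = now - retention
    return [m for m in sorted(archive, key=lambda m: m.id) if m.ts >= cutoff]


def catch_up_page(archive, after_id, page_size=50):
    """Resync for a second device: fetch one page of messages after the last id it holds.

    Returns (page, last_id_in_page, complete). A client loops until `complete`
    is True, which is how result-set paging avoids pulling the whole archive.
    """
    pending = [m for m in sorted(archive, key=lambda m: m.id) if m.id > after_id]
    page = pending[:page_size]
    complete = len(pending) <= page_size
    last = page[-1].id if page else after_id
    return page, last, complete


def build_room_archive(n, start=NOW - timedelta(days=30)):
    """Constructed sample room archive: n messages, one per hour, three chatty users."""
    return [Msg(i, start + timedelta(hours=i), f"user{i % 3}@example.org", f"msg {i}")
            for i in range(1, n + 1)]


# Constructed sample data used by the checks below.
SAMPLE_ROOM = build_room_archive(25)
SAMPLE_DM = [
    Msg(1, NOW - timedelta(days=400), "bob@example.org", "well over a year old"),
    Msg(2, NOW - timedelta(days=370), "bob@example.org", "just over a year old"),
    Msg(3, NOW - timedelta(days=300), "alice@example.org", "kept"),
    Msg(4, NOW - timedelta(days=10), "bob@example.org", "recent"),
    Msg(5, NOW, "alice@example.org", "now"),
]

if __name__ == "__main__":
    print("join tail:", [m.id for m in muc_join_history(SAMPLE_ROOM)])
    print("dm after expiry:", [m.id for m in expire_dm_archive(SAMPLE_DM, NOW)])
    page, last, done = catch_up_page(SAMPLE_ROOM, after_id=10, page_size=7)
    print("resync page:", [m.id for m in page], "last", last, "complete", done)
```

The resync path is the security-relevant bit: a device asks only for ids after the one it already holds, and the server can cap both the page size and the retention window, so no party needs a full replica of the conversation.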

Synapse is the reference server. It's Python & slow as balls because of it, but the others are always playing catch-up. With Element moving with it & graceful fallbacks not being a high priority, shit just doesn't work in practice using anything but Synapse / Element since most other users are using features on that setup. Technically having alternatives is not the same as the current situation in actual practice. Even if they can try to hide some of the perf issues behind these grand concepts like sliding sync, there are literal fundamental issues with how the protocol is architected that a server of hand-written optimized assembly could never overcome—the eventual consistency is by design.


That is nowhere near the mass of the centralized community & the fact it can't reasonably be run by medium-sized groups on a budget shows it doesn't scale right & is not accessible. Sure you can run your own ATProto/BlueSky node if you have $80k USD / mo to host it—it's technically open source! This is kinda the same thing… costs too damn much so folks flock to the biggest instances.


One of the big flaws of snapshot-based VCSs like git is the patch order mattering—which causes conflicts. I would love to see an alternative built on Darcs or Pijul with their Patch Theory-based VCS system that does not have the flaws Git does.


Matrix literally syncs the entire data/metadata history to all other servers where someone pops in; chat is meant to have an ephemeral aspect to it. The whole network is de facto centralized on Matrix.org or the servers they host for others which means one org has access to almost everything—like the issue with Signal.

What's scary to me is how expensive it is to run this eventual consistency model, which should not be a protocol requirement for this style of communication. It sucks so much RAM, so much storage, so wasteful—which causes medium-sized servers to shut down on maintenance costs alone which causes more users to leave for Matrix.org. These are not the characteristics of a revolutionary protocol—revolutionary is users & collectives reasonably being able to self-host this stuff for their privacy & autonomy.


Many mail providers give you access to CalDAV + CardDAV which have a wide array of mature technology to sync contacts, calendars, todo lists on basically all platforms. If you move away from Protonmail as primary, you would get access to this normal service as well as being able to use IMAP without paying & using some middleman application just to use email. I do not pay for a lot of services, but I get a lot of value out of keeping email + CalDAV + CardDAV off-premise with the cost of €1 per month.


I am just thankful so far that Signal has let WhisperFish exist as an alternative—even if it goes against what they say—which gives me an alternative to the Android/iOS duopoly.


It takes 2 to tango. It’s like trying to send an email from a self-hosted email server without following all of Google’s rules/guidelines… which means you won’t be able to send a message to most (sadly). Most folks are either on Matrix.org or a server they host in practice… you alone self-hosting will only help if you only communicate to folks also doing similar… to which if just one user from Matrix.org (or a server they host) joins your chatroom, then literally everything that is being & has been said in that room will now be synced to Matrix.org by its protocol design. With the expense it takes to self-host Matrix for a community, almost all medium-sized communities had to drop it on RAM & storage costs alone which caused most of those users to move to Matrix.org. You can run a single-user host with some efficiency, but most users are not technical enough for this. The only option to use Matrix & keep costs down is to unfederate… at least with Matrix.org (& servers they host), but that now defeats a huge part of the argument those saying Matrix is federated/decentralized.

It isn’t decentralized in clients or servers either. Almost all servers must run Synapse which is resource intensive but actually has the features folks expect as the de facto reference server & Element is the only viable client considering most users will be using Element-exclusive features like threading, polls, etc. where protocol hasn’t done a great job of providing a progressive enhancement approach to its features & so folks on alternative clients straight-up just don’t see / can’t interact with this stuff.

The accessibility to small–medium-sized communities matters if you want a healthy federated/decentralized network …but luckily there are alternatives.


AFAIK, chat.mozilla.org was set up on modular.im, now element.io, which, if it is still using the same host, is owned by Matrix.org. So even using a different host means Matrix.org might still have your metadata.



OMEMO is a mixed bag. Some clients are still preferring older versions that aren't the best for security & almost every client does a bad job explaining that new keys being used need to be verified… Gajim only recently gave a decent in-client pop-up for it, but it doesn't work all the time. That said, this is basically the same issue Matrix has in the space. Both are based on libsignal if not outright using it, except Signal gets a point of privilege in basically having just one client …one that must be on Android/iOS according to their statements… so they can do a 'better' job managing who, what, & how many keys are being used. Many XMPP clients will recommend blind trust by default just because it can be a real hassle to deal with multiple clients & users coming back to less-often-used devices. There have been proposals to fix it, but I haven't seen anything really take off (meanwhile considering just using the PGP encryption option as less flaky).
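The "blind trust by default" that the comment above describes is usually the Blind Trust Before Verification (BTBV) policy: every new device key of a contact is accepted without a check until the user verifies any one of that contact's keys; from then on, new or changed keys are held back until verified out-of-band. The following Python model of that decision logic is an added example, not code from Gajim, Conversations or any other client; the JIDs and fingerprints are constructed placeholders, and the device record layout is an assumption for illustration.

```python
"""Blind Trust Before Verification (BTBV) trust store for OMEMO-style device keys.

Added example, not any client's implementation. Fingerprints and JIDs below
are constructed placeholders. The policy modelled:
  - before the user has verified any key of a contact, new devices are BLIND-trusted;
  - once one key is VERIFIED, every new device starts UNTRUSTED until verified;
  - a known device id announcing a *different* key is always UNTRUSTED (key change).
Only BLIND and VERIFIED devices receive encrypted messages.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    BLIND = "blind"          # accepted without a check (pre-verification phase)
    VERIFIED = "verified"    # fingerprint confirmed out-of-band by the user
    UNTRUSTED = "untrusted"  # needs verification before it gets any ciphertext


@dataclass
class Device:
    fingerprint: str
    trust: Trust


@dataclass
class TrustStore:
    contacts: dict = field(default_factory=dict)  # jid -> {device_id: Device}

    def _devices(self, jid):
        return self.contacts.setdefault(jid, {})

    def contact_verified(self, jid):
        """True once the user has verified at least one key of this contact."""
        return any(d.trust is Trust.VERIFIED for d in self._devices(jid).values())

    def see_device(self, jid, device_id, fingerprint):
        """Record a device announced in the contact's device list; return its trust."""
        devs = self._devices(jid)
        known = devs.get(device_id)
        if known is not None:
            if known.fingerprint != fingerprint:
                # Same device id, different key: never carry trust over to a changed key.
                devs[device_id] = Device(fingerprint, Trust.UNTRUSTED)
            return devs[device_id].trust
        trust = Trust.UNTRUSTED if self.contact_verified(jid) else Trust.BLIND
        devs[device_id] = Device(fingerprint, trust)
        return trust

    def verify(self, jid, device_id, scanned_fingerprint):
        """Out-of-band check (QR scan / read-out); only a matching fingerprint flips trust."""
        dev = self._devices(jid).get(device_id)
        if dev is None or dev.fingerprint != scanned_fingerprint:
            return False
        dev.trust = Trust.VERIFIED
        return True

    def encrypt_targets(self, jid):
        """Device ids that will receive a message key: BLIND or VERIFIED only."""
        return sorted(i for i, d in self._devices(jid).items()
                      if d.trust in (Trust.BLIND, Trust.VERIFIED))

    def pending_verification(self, jid):
        """Device ids the UI should surface as 'new key, please verify'."""
        return sorted(i for i, d in self._devices(jid).items()
                      if d.trust is Trust.UNTRUSTED)


if __name__ == "__main__":
    ts = TrustStore()
    alice = "alice@example.org"  # constructed contact
    ts.see_device(alice, 1, "aa11")          # blind: nothing verified yet
    ts.verify(alice, 1, "aa11")              # user compares fingerprints
    ts.see_device(alice, 2, "bb22")          # now held back until verified
    print("encrypt to:", ts.encrypt_targets(alice), "pending:", ts.pending_verification(alice))
```

Note what the policy does and does not give you: before the first verification an attacker who can add a device to the contact's published list gets ciphertext just like any other device, which is the trade-off the comment is complaining about; only the post-verification phase, and the changed-key rule, actually stop that.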


It’s worth following the project but it’s a bit too new & the funding aspect leads me to question how it will work in the long run (& being written in Haskell is neat, but boy does it have a lot of churn & maintenance issues in its ecosystem).


Matrix is centralized too in practice … & syncs even more metadata than Signal so I wouldn’t call that an upgrade—especially when you see how slow the clients & servers are.


Matrix.org is centralized like Signal (you can say Matrix is not centralized on paper, but in practice this isn’t remotely true). Both are stockpiling metadata in the West… what’s worse is Matrix’s eventual consistency model means syncing metadata to all servers is a by-design requirement (& also why all servers & clients are slow). There are options like Snikket to take all the hard parts of self-hosting out of the equation, but finding someone you can trust to host a server might be worthwhile. I would be wary of anything centralized.


Pretty sure that Jasmine scene was the first time I realized I like girls


I use Posteo for their low-emission plan using boring technology that just works. 1€ / mo is worth it, but I do wish you could bring your own domain name.


Eventually you will find you want a mail provider that just supports IMAP / POP without some paid middleman application just to use your email with certain clients, else be stuck on the slow web UI. Luckily there are alternatives.



Wat. You are saying you can't package a Python application on a system level? That means the language's package management is broken. Nix unlike most package managers can do a reasonable job juggling multiple versions of packages at the same time & stuff still breaks, & more frequently than anything in any other language other than Haskell.

There was also the SolarWinds attack, Colorama, JarkaStealer, Cobo, pywx, Dropbox, PyTorch 2023. Zero-days galore.


Meant to be glue but is used in all sorts of places it probably shouldn't. The way libraries are handled & pinned leads to lots of breakage—a couple applications I have overlays to disable testing since stuff gets merged into Nixpkgs with failing tests so frequently that it is better to just turn it off & deal with failures at runtime.

The ultralytics thing was massive last month https://snyk.io/blog/ultralytics-ai-pwn-request-supply-chain-attack/. These have been coming with regularity—even worse than npm.

I would at least agree Lua is a better place to start—at least for a dynamic scripting language. It is not a complicated language & it even supports tail recursion which you can’t say about far too many languages.


It is slow. Syntax & community idioms suck. The package ecosystem is a giant mess—constant dependency breakage, many supply-side attacks, quality is all over the place with many packages with failing tests or build that isn’t reproducible—& can largely be an effect of too many places saying this is the first language you should learn first. When it comes to running Python software on my machine, it always is the buggiest, breaks the most shipping new software, & uses more resources than other things.

When I used to program in it, I thought Python was so versatile that it was the 2nd best language at everything. I learned more languages & thought it was 3rd best… then 4th… then realized it isn’t good at anything. The only reason it has things going for it is all the effort put into the big C libraries powering the math, AI, etc. libraries.


D) what is AMD support like or are the Python fanboys still focusing on Nvidia exclusively?


FYI for the other commenters, UnifiedPush can work thru the Prosody mod_unified_push or any server with a up where Conversations (& its forks like Cheogram, Monocles, Blabber) can be a distributor. This has the added bonus of coming with an awesome decentralized XMPP chat server getting to reuse a single connection & single app to server instead of separate ones. Conversations is the most efficient chat client on Android in terms of resources (battery, network, RAM) so might as well keep it lightweight—which you are probably trying to get push notifications from the likes of Signal or Element, but what is the point when you have an efficient XMPP server for your chat needs?

However, I think UnifiedPush might be a bit flawed—as if the startup that created ntfy is pushing others to try to adopt their standard instead of getting folks on board with the older & capable MQTT (which also can be run thru mod_mqtt on your XMPP server). I am not yet sure if this is a tinfoil take or not.


In XMPP everything is an extension (XEP)

Some can be baked into a server, others use external tools like Slidge or Biboumi


I use a Matrix gateway thru my XMPP server, but they warn you how expensive it will be to run


It was called gateway by all sorts of tech til last generation decided to rename the old concept?


It’s still quite immature & I have my reservations that a big Haskell project can be maintained for the long-term seeing a lot of Haskell failings even in the short-term. It is a promising idea, but I am not ready yet to try it.


It is de facto centralized around Matrix.org & the servers they run, which was originally funded by Israeli Intelligence so who knows what they are doing with all the metadata flowing to a single cluster of servers. Also using the eventual consistency model like a blockchain duplicating all data between all nodes while resilient is incredibly wasteful on storage & RAM. The costs are so high, most medium-sized servers with open sign-ups needed to shut down due to storage costs & scaling up a node costing too many extra resources for CPU/RAM. There also wasn't anything lacking about the prior arts—but open source & startups like to reinvent more things than they should.

Ejabberd, which I mentioned, can run nodes with 2 million simultaneous connections per node & run on meager hardware in comparison with an extra decade of stability / battle testing.



Ask: How do you handle your résumés?
Usually I rely on my network & haven’t needed this kind of document in ages, but I’ve been tasked with creating a résumé for myself. I’ve grown more privacy-conscious every year & I think it’s weird that we are expected to give out so much information about ourselves to companies that lie about their culture & don’t want you sharing salary information with your coworkers. I have read stories about how these documents & information can sometimes get leaked & shared on the web which is pretty sketch. TIL about “functional résumés” which it appears are usually meant to cover up your lack of work experience, but I like the idea of covering up a lot of my specific history as it is the *skills* that should matter more, no? Do you give out all of your info?