50 votes

US officials urge Americans to use encrypted apps amid unprecedented cyberattack

39 comments

  1. tanglisha

    The third has been systems that telecommunications companies use in compliance with the Communications Assistance for Law Enforcement Act (CALEA), which allows law enforcement and intelligence agencies with court orders to track people’s communications. CALEA systems can include classified court orders from the Foreign Intelligence Surveillance Court, which processes some U.S. intelligence court orders.

    These are the same groups that want back doors in encrypted apps so they can catch criminals. And yet, look what happens when they have access to that information.

    I absolutely encourage people to use encrypted apps all the time, even when there isn't an attack campaign we're hearing about.

    56 votes
  2. [4]
    unkz

    “China firmly opposes and combats all kinds of cyber attacks.”

    I know they have to say that, but I can’t help imagining them trying to keep a straight face while doing so.

    25 votes
    1. CptBluebear

      Easy when it's not a lie. You just omit the part where you endorse it when it's your own cyber doing the attacking.

      10 votes
    2. [2]
      chocobean

      Attacks on them, yeah, 100% straight face

      6 votes
      1. SteeeveTheSteve

        "China firmly opposes and combats all kinds of cyber attacks [against itself]."

        Fixed

        8 votes
  3. skybrian

    From the article:

    In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China’s intercepting their communications.

    “Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.

    The FBI official said, “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant” multi-factor authentication for email, social media and collaboration tool accounts.

    The scope of the telecom compromise is so significant, Greene said, that it was “impossible” for the agencies “to predict a time frame on when we’ll have full eviction.”

    14 votes
  4. [24]
    chocobean

    So what kind of apps should we be using?

    I wish my country would spend the money and hire experts to come up with nationally defended and secure apps for all citizens to get good news, health things and socialize without having to rely on / be preyed on by TikTok and Meta et al

    11 votes
    1. [8]
      first-must-burn

      Short answer, there's not a ton we can do to mitigate this as individuals.

      I think Signal is a reasonable choice for end-to-end encryption of text/video/calls.
      Use of things like signal in a business or government environment is hampered by data retention requirements.

      We should always keep the limitations of E2EE in mind. As always, when speaking of security matters, it's good to have a threat model in mind.

      E2EE of your messages might help keep you from getting caught up in a dragnet data harvest hack. The attack described in the article is fairly broad in scope, but still targeted in specific ways, so something like signal would probably help.

      However, using E2EE doesn't matter that much if someone (especially someone with nation state capabilities) wants your specific data. The data is still present and vulnerable on the individual devices, so they would likely choose other, targeted attacks to access that data after it has been decrypted.

      That's just messaging. Our lives are tied up in online banking, insurance, and medical apps that we have no choice but to use. I know someone will say there are some choices, but I believe they are meaningless in practice. The bar for security is low across the board, and most organizations' security practices are opaque – that is, even if you had the time and expertise to audit five banks' security practices before choosing one, you wouldn't be allowed to. So in practice those choices are uninformed.

      Caveat: I'm speaking from a US perspective here. I gather things are better in the EU due to better regulation, but I'm not sure how much better.

      31 votes
      1. [2]
        qob

        I gather things are better in the EU due to better regulation, but I'm not sure how much better.

        Only in theory. In practice, everyone (state, companies and consumers) uses all kinds of IT products from the US. There are efforts to mitigate this, but that would cost money and political effort, and there's always something more important than changing a somewhat working system.

        I think the issues are very similar across the world, and they basically come down to this: With physical products, they feel bad if they are creaking, leaking, gunky, etc, even as a complete layman. An IT product can have all kinds of severe issues and still feel fancy and polished. And then there are things like social media or mass surveillance, for which we haven't really understood the large scale consequences they can have on societies, even if they were impeccably implemented.

        12 votes
        1. skybrian

          I’ve read that the US is worse due to starting out with lots of smaller phone companies and lots of mergers. It would make sense to move to not trusting telecom with anything other than encrypted traffic, so then insecure hardware wouldn’t matter much. (And this is what the web has been migrating towards since the Snowden revelations, so it’s well along there.)

          4 votes
      2. [4]
        first-must-burn

        @chocobean, a few other things I thought of:


        Prefer 2FA apps over SMS/Email as a second factor when available. That way, hacking your email/sim card doesn't gain the attacker access to the second factor.

        I have been using Authy for a while. I think their practices are not stellar, but I haven't had time to research alternatives. One thing they do is keep an encrypted backup of the secrets, which is nice if you lose your device or the data on it.

        Caveat: many services will let you reset your password and 2fa credentials from email, so it may not be as much more protection as it seems. But it is still easy to implement and adds a layer to the attack.


        If you need to send credentials to someone, instead of sending them the password by email/text/whatever, use onetimesecret.com to create a single use link. When they click on it, they will get the secret, and then the link will be dead after that, so nothing sensitive hangs around in logs of your email or messaging app.

        It feels hinky to put your password or other credential into a random site. They claim they don't access them, but there are no technical limitations in place to enforce that.
        The reason I consider it better is that that password is shared out of context, so if you are not reusing passwords, even a leak there doesn't leak much.

        If it bothers you a lot, the tool is open source and you can run your own copy.

        6 votes
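        The comment's reservation about one-time-secret services ("there are no technical limitations in place to enforce that") has a standard fix: encrypt in the sender's browser and put the key in the URL fragment, which browsers never transmit to the server, so the operator only ever holds ciphertext. The block below is an added illustration written for this page; it is not onetimesecret.com's code and makes no claim about how that service is implemented. The store class, the `share`/`redeem` helpers and the `https://secrets.example` base URL are assumptions for the demo. It is standard-library only, so the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC under separately derived keys; in production use AES-GCM from a vetted library instead.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit


class OneTimeSecretStore:
    """Stand-in for the service (assumed for this demo): keeps ciphertext blobs keyed
    by a random id and hands each one out exactly once."""

    def __init__(self) -> None:
        self._items: Dict[str, bytes] = {}

    def put(self, blob: bytes) -> str:
        secret_id = secrets.token_urlsafe(16)
        self._items[secret_id] = blob
        return secret_id

    def take(self, secret_id: str) -> Optional[bytes]:
        # pop() makes read-and-delete one step; a second caller gets None
        return self._items.pop(secret_id, None)

    def held(self) -> Dict[str, bytes]:
        """What the operator (or a database dump) would see: ciphertext only."""
        return dict(self._items)


# Client-side crypto. Standard-library only, so this is an HMAC-SHA256 counter-mode
# stream cipher with encrypt-then-MAC under derived subkeys. Use AES-GCM from a
# vetted library in real code; this is here so the example runs offline.
def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def share(store: OneTimeSecretStore, plaintext: bytes,
          base: str = "https://secrets.example") -> str:
    """Sender: encrypt locally, upload only ciphertext, carry the key in the fragment.
    The fragment is never sent to the server, so the operator cannot decrypt."""
    key = secrets.token_bytes(32)
    secret_id = store.put(encrypt(key, plaintext))
    key_b64 = base64.urlsafe_b64encode(key).decode().rstrip("=")
    return f"{base}/s/{secret_id}#{key_b64}"


def redeem(store: OneTimeSecretStore, link: str) -> Optional[bytes]:
    """Recipient: fetch (and thereby destroy) the blob, decrypt with the fragment key."""
    parts = urlsplit(link)
    secret_id = parts.path.rsplit("/", 1)[-1]
    key = base64.urlsafe_b64decode(parts.fragment + "=" * (-len(parts.fragment) % 4))
    blob = store.take(secret_id)
    if blob is None:
        return None  # already read, or never existed
    return decrypt(key, blob)
```

        What this buys you: a server compromise or a cooperative operator yields ciphertext, and the single-use pop means a link that leaks from mail logs after the recipient has used it is worthless. What it does not buy you: if the link leaks before the recipient opens it, the thief reads the secret and the recipient sees "already read", which is at least a signal to rotate. The comment's other point still stands, that a password shared this way is out of context and only dangerous if it is reused.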
        1. [3]
          tanglisha
          Signal allows you to destroy messages after they have been read and a certain amount of time has passed. This includes images.
          3 votes
          1. [2]
            first-must-burn

            Interesting. It looks like if I turn disappearing messages off as the receiver, they will not be deleted on my device regardless of the sender's settings. But the docs are not very clear.

            1 vote
            1. danke

              At least pertaining to the official apps (the protocol itself obviously can't enforce it), the disappearing messages setting is bidirectionally communicated/changed in Signal chats unless you use a fork to circumvent this. The changed setting also only applies to messages going forward, so you can't retroactively decide to retain a message sent in ephemeral mode.

              2 votes
      3. Minori
        (edited )

        I gather things are better in the EU due to better regulation

        For now. Von der Leyen really wants to put scanners on all communications on devices "to protect the children". The fight around encryption is ongoing.

        Edit: https://tildes.net/~society/1kie/chat_control_is_back_on_agenda_again

        5 votes
    2. [3]
      babypuncher

      Signal, iMessage, and I believe WhatsApp are all end-to-end encrypted by default.

      Signal is the only one run by a nonprofit and is easily the safest widely available option, even if its feature set is a little barebones.

      I think Apple is pretty trustworthy in this regard (their business model is not built on data collection), but iMessage only works on Apple devices so it's a non-starter for talking to anyone outside that ecosystem.

      WhatsApp is owned by Facebook. I don't trust them.

      Stay the hell away from Telegram. Chats are not encrypted by default. Encrypted chats are tied to a single device. Group chats cannot be encrypted at all. They also have ties to the Kremlin. The fact that they advertise themselves as a secure messaging platform is downright laughable.

      16 votes
      1. [2]
        sparksbet

        Worth noting that these US government sources don't actually advocate for using truly end-to-end encrypted messengers -- they consider "responsible encryption" to include turning over message data to US authorities when requested, which is impossible with truly end-to-end encrypted messaging.

        7 votes
        1. updawg

          That's totally false. CISA's #1 suggestion "to Communicate Securely on Your Mobile Device" is "Use a properly vetted secure messaging app with end-to-end encryption and Voice over Internet Protocol (VoIP) functionality for text messages and voice calls."

          #2 is "Place sensitive information in an encrypted file attachment when you send emails."

          https://www.cisa.gov/resources-tools/training/how-communicate-securely-your-mobile-device

          5 votes
    3. [6]
      Wulfsta

      Since it hasn’t been mentioned yet: Matrix. It is a federated chat protocol, so you can self host to control your own data. Major projects like NixOS use it.

      7 votes
      1. [5]
        Rocket_Man

        It doesn't have any GREAT clients though. I've on boarded some friends over the past couple years and the experience was never great and doesn't show any sign of improving.

        3 votes
        1. Wulfsta

          I haven’t had issues with desktop element, but I agree that mobile clients are lackluster.

          1 vote
        2. [3]
          mxuribe

          I hear this a lot about onboarding of matrix clients, that it is not so great....while i am 100% biased as a fanboy of matrix (having started using it back in 2016)....would you clarify what is the main negative? Is it the verification when logging in via a new/different device, or something else? I'm not knocking your perspective (again, i fully admit me being biased)...but i ask because i like to recommend matrix stuff to folks, but want to be sure that i am leading them to something truly useful...I'd hate to be that guy who recommends something, but it's actually not a good experience for normies. ;-) Thanks in advance for your feedback!

          EDIT: I should add that i am not affiliated with matrix.org nor any of the clients nor Element....basically just a random fanboy user out on the internet. :-)

          1 vote
          1. [2]
            Rocket_Man

            From my experience, it's the fact that some people can have a very low tolerance for having to do extra things. Including verification. Like I had a friend who lost verification and doesn't understand why. Other pain points:

            • Not everyone has a good password management system, and offering native logins during sign-up really threw them off when later they were presented with social logins (this might've been fixed now)
            • They have issues with notifications not appearing correctly on iOS and I don't have any advice for them.

            That alone is a much worse experience than the competing platforms.

            1 vote
            1. mxuribe

              ...some people can have a very low tolerance for having to do extra things...

              Yep, fully agreed there! Thanks for the feedback. Even if it's not specific to the verification thing, i hear ya. As far as the native login vs social login, i feel that's not just matrix clients, but many areas of digital life nowadays, where as a tech-literate person i can see through the fluff, but were i to be less tech literate, i would find the world vastly more annoying to navigate...and then resort to fallbacks like poor password management, etc. - and of course can't really blame the normies, since tech is harder than it really needs to be.

              Ah, and to the point of notifications not appearing for iOS, unfortunately, i have zero advice there because i have never used an iOS device with matrix clients (except for one brief weekend for my offspring)...however, i wonder if that has to do with iOS' issues constantly killing background processes and silently suppressing said notifications due to that proc. shutdown? If so, i wonder now how other chat clients handle that? Sorry, not giving any answers here.

              Thanks again for your feedback!

    4. [4]
      SteeeveTheSteve

      How well does your government do online services as it is? I'm curious because if the USA made such apps it'd result in terrible apps that barely work with a user interface that looks like it was designed by the programmers as an afterthought and it'd cost hundreds of millions, if not billions to create. That's not even getting into how it'd be subverted for political party propaganda and spying.

      It's almost a joke how our grossly overfunded federal government has such crappy web services. Makes me worried our leaders are not taking the internet and new tech seriously. Until recently (at least for businesses), to do anything we've had to call or write to the IRS with no website to do things like find out why they think a payment is late or we owe some weird amount (usually due to misapplied payments). This is just sad for one of the supposedly most advanced countries, we ought to be rolling in new tech, but we're run by the technologically challenged and technophobes. 😭

      We even struggle just to get the government to help file returns (just got a website for that and it's not even fully functional) which could even be automated by now but we're still stuck on phones and paper. They're citing concerns over job loss (not an excuse to bar progress imo) and cost (a few hundred million - my STATE brushed that much off when a past governor flubbed an attempt to make an insurance website and a single fighter jet can cost over $100 million and they plan to purchase 60 next year).

      5 votes
      1. chocobean

        [other Canadians please feel free to jump in / correct. For the purposes of this post I'm not making a difference between browser apps and phone apps]

        Availability for online provincial (eg State) government services will depend on whether your province has money (Ontario/BC) or not (Atlantic provinces). Eg I've been trying to renew a health card since May, and it's taken me two attempts to fax, two attempts to physical mail, and finally calling them once again to be finally given an email address to do it. So something digital would be great. Not all bad, though: their energy efficiency program was registered online and pain free. They pay for a licensed electrician to come install one each motion sensor light outside and inside, two dimmer switches, smart thermostat per level, one of those under the door air things, door foam things, buncha freebie LED bulbs and other small do it yourself things. For healthcare, my poor province and the rich ones are all using a private virtual doctor app: smooth easy mostly free access and I hope secure. Oh and elderly grants and rebate things are strangely online: I've been helping a neighbor fill in her things. I'm pessimistically choosing to see this as a ridiculous hurdle rather than a convenience though. In BC, I'm a big fan of the crown car insurance / driver license bureau - most things done/pre-booked online and sleek and efficient. Dad had to renew his license and walked out of the appointment in less than 10 minutes.

        Nationally we also had a scandal last year where the provincially partnered (eg no consumer choice) medical lab company had a data breach and hackers got all our health records yay, and we got settlement money of $50-150 dollars.

        Nationally it isn't too bad: student loans online were fairly straightforward online 20ish years ago. Many other things like unemployment insurance, parental leave benefits, tax return info, pretty painless online. Passports, you can check the renewal status online, and book an appointment to do it in person online as well. The national job search / ads database looks and feels web 1.0 but secretly I'm a fan of old web UI.

        I'm sure I'm forgetting a bunch of government things to do online that I've taken for granted. The health card renewal was so surprisingly painful I had forgotten most things could be difficult.

        Oh yes! A bunch of interactive maps! . I perpetually have a few bookmarked for [not exclusive list] which beaches are open/closed for shell fish foraging; which pieces of crown land might be open for tree cutting and to submit citizen request for questions; other geology and geographical things like forest density and species / water flow and drainage/ elevation /karst risk / radon risk / 10k satellite / property boundary / bedrock formation etc. The shellfish one is actually maintained and updated pretty frequently, I'm very happy about it.

        Most municipal zoning maps are online as well, but some are still awful pdf era. The richer municipalities do tax sales and recreational program registrations online. Libraries are all basically online as well what else....

        4 votes
      2. [2]
        tanglisha

        We even struggle just to get the government to help file returns (just got a website for that and it's not even fully functional) which could even be automated by now but we're still stuck on phones and paper.

        That isn't a technical challenge, it's because of lobbyists from Intuit.

        3 votes
        1. skybrian

          Building a service that can serve hundreds of millions, many of which have complicated taxes because US tax laws are complicated, seems like a pretty big technical challenge to me. That's probably why the IRS is rolling it out gradually.

          But it's also true that politics held it back. If it weren't for that, it would probably be done by now.

    5. skybrian
      (edited )

      For this particular threat model where the goal is to not let the Chinese hackers who are in US phone systems see your messages and maybe listen to your phone calls, nearly all websites use encrypted connections nowadays and that is good enough.

      Email is complicated; not all email is encrypted in transit, but it often is if both sides support TLS.

      Similarly for chat messages. Messages sent between Apple users and between Google Messages users are encrypted. SMS isn’t encrypted and a likely vulnerability, but can often be avoided.

      It seems like the easiest thing to do (if both sides agree) is to pick the same chat app where you know it’s encrypted. I’d trust Signal the most. Others would probably work fine, but it might be easier to slip up.

      It seems like the hard thing would be to get out of the habit of using the phone; instead of just talking, you need to agree on a different way to talk, which is hard when the other end is a business. For non-businesses, people can probably switch to some other chat.

      I wonder what US politicians will switch to?

      4 votes
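      The "often, if both sides support TLS" caveat above is something you can actually check after the fact: every server that handles a message prepends a `Received:` header, and the RFC 3848 `with` keyword records whether that hop used TLS (`ESMTPS`/`ESMTPSA`) or plain `ESMTP`/`SMTP`. Below is an added example written for this page, not code from the commenter or from any mail provider. The message is constructed, not a real capture; it has three hops with the middle one in the clear, which is exactly the case where an intercepted backbone link would see plaintext.

```python
import email
import re
from typing import List, Tuple

# Constructed sample, not a real capture: three hops, the middle one delivered over
# plain ESMTP. Each receiving server prepends its own Received: line, so the top
# header is the last hop.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by inbox.example.net with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
    Tue, 3 Dec 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx.example.org with ESMTP id def456;
    Tue, 3 Dec 2024 10:00:02 +0000
Received: from [10.0.0.5] (client.example.com [192.0.2.9])
    by relay.example.com with ESMTPSA id ghi789;
    Tue, 3 Dec 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: test

hello
"""

# RFC 3848 "with" keywords whose trailing S means the session ran under TLS
# (and A, optionally, that the client authenticated).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

Hop = Tuple[str, str, str, bool]  # (from_host, by_host, protocol, used_tls)


def parse_received(value: str) -> Hop:
    flat = re.sub(r"\s+", " ", value).strip()  # unfold the header
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
    proto = m_with.group(1).upper() if m_with else "UNKNOWN"
    return (m_from.group(1) if m_from else "?",
            m_by.group(1) if m_by else "?",
            proto,
            proto in TLS_PROTOCOLS)


def audit_received(raw_message: str) -> List[Hop]:
    """Return hops in sender-to-recipient order with a per-hop TLS verdict."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def weak_hops(raw_message: str) -> List[Hop]:
    """Hops where the message crossed the wire in the clear."""
    return [hop for hop in audit_received(raw_message) if not hop[3]]


if __name__ == "__main__":
    for from_host, by_host, proto, used_tls in audit_received(SAMPLE):
        verdict = "TLS" if used_tls else "PLAINTEXT"
        print(f"{from_host:>22} -> {by_host:<20} {proto:<10} {verdict}")
```

      Two caveats when reading real headers: each `Received:` line is written by the receiving server, so only the lines added by servers you trust are evidence (anything above the sender's own relay can be forged), and a clean all-TLS trace still means every operator in the chain read the message in plaintext. Hop-by-hop TLS protects against the interception in the article; it is not end-to-end encryption.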
    6. Queresote

      You should be using Briar if you are concerned about message security.

      2 votes
  5. [3]
    SteeeveTheSteve

    Or... now hear me out now... we just don't use apps to share our login and other confidential info that can be used by hackers? Also use an authenticator when you can, so it doesn't matter if someone gets your login.

    Always assume anything you text, email, PM, DM, etc... will end up somewhere public for all to see. Even if they don't intercept it, they could hack your phone or the person you're communicating with or the app company itself and get it that way.

    2 votes
    1. [2]
      skybrian

      This threat isn't about "apps," which mostly do use encryption. It's about making regular phone calls and sending SMS text messages.

      It's true that most of the time, our conversations are boring, but depending on who you are and what you're talking about, they might not be.

      11 votes
      1. SteeeveTheSteve

        Oh, right, I forget about how crappy and old security for calls/sms is and with AI being easier to use now they could fish out the good stuff from verbal conversation quite easily. We really need an infrastructure upgrade to phones. :/

        2 votes
  6. [6]
    ZeroGee

    What ever happened to if you have nothing to hide you have nothing to fear?

    I don't care if the Chinese/Russians/Israelis can read my grocery and Amazon lists. What are they going to do? Fulfill it?

    1. [4]
      Kind_of_Ben
      (edited )

      What ever happened to if you have nothing to hide you have nothing to fear?

      It was never true? "Saying you don't care about privacy because you have nothing to hide is like saying you don't care about freedom of speech because you have nothing to say."

      Edit: missed the /s :(

      8 votes
      1. [2]
        ZeroGee

        I guess I left my /s off.

        I just enjoy how the government can flip-flop its opinion on surveillance so quickly when they're not the ones listening.

        2 votes
        1. Kind_of_Ben

          Whoops. Apologies, I totally missed it. :/

          1 vote
    2. skybrian
      (edited )

      Well, yeah, in practice, a lot of people are going to ignore this and they'll mostly be fine.

      But some people have secrets to keep and reason to be wary, so there are options.

      Encryption by default (like most of the web) is better. Many vulnerabilities aren't obvious in advance, and people make mistakes.

      3 votes