this is frankly really scary. if you’re in a socialist org, please make sure that they’re not so lax with security like this. also, why the actual fuck are they using google products. we are fucking doomed here in the west man. To be clear I think this is probably more on the local chapter of your org than the national org, but even then I really think national orgs need to be giving out a lot more training about this kind of thing, and quite frankly booting out the leadership of local chapters if they’re lax like this.
tweet text here
PSL security culture: I left almost a year ago, their members locally know I don’t like them, but I’m still in some shared folder where I can see sensitive event and recruiting information
I highly recommend to the people joining orgs to take serious steps and ask questions around security. What if this got into the wrong hands? Out of courtesy I’m censoring the names. I have plenty more screenshots of events in case they try to refute this but I recommend they just hold this L quietly
*4 images showing proof
Legitimately wondering, if not Signal what should serious activists be using? Not trying to be combative, but I’ve heard this talking point before in more reactionary parts of the net about the CIA “funding” Signal via the OTF - which tangentially, if you look at the rest of the projects OTF supports, it’s basically every moderately-sized privacy or encryption related open source project in existence… so I’m not really convinced that is necessarily a red flag, and if it is then we’re already really screwed. But then these same people typically just go on using something like Telegram which is… definitely not better. lol
It is hard enough to convince most people to use Signal which has relatively good adoption and name recognition, so it puts privacy conscious people in an awkward position when we have to almost every 6 months say to our contacts, “hey bro so please try out this new shiny chat app bro, it’s actually really secure this time I promise bro. please bro”
Matrix. Signal is a centralized, US company. That alone is enough to disqualify it.
Other than current traction towards matrix marketing, why do so few people use XMPP? Most people just sign up for the matrix.org accounts which are hosted in Britain. One can use one of the other Matrix hosts, but I don’t understand why people use matrix instead of XMPP.
Encryption was an afterthought with xmpp, whereas matrix was designed with encryption first. Xmpp has encryption as an extension, but not all clients support it.
XMPP is cool but so many things that you’d expect to be standard are extensions that both the Server and all the Clients need to have installed and enabled. Also some XMPP clients don’t support all extensions and some extensions also require third party software and extra setup. Matrix just works.
That being said signing up to matrix.org is cringe. Absolutely host your own homeserver.
Even Matrix isn’t perfect. I would consider Signal and Matrix to be pretty secure and recommended for activist organization, until the US decides to force Signal to open a backdoor into its end-to-end encryption. Signal only provided the account number, last connection date, and account creation date (in unix time format, lol) when the California grand jury issued a subpoena. Signal has also threatened to leave the US and the UK if they passed their anti-encryption bills.
Signal is not without criticism, though, considering their controversial cryptocurrency project.
Its illegal for Signal to tell you if they have a backdoor, because of US key disclosure laws. Check out the EFF’s article on NSLs, and why every US-based service can’t be trusted.
The data signal gives to state governments, is likely different from the info it gives to the federal goverment.
Signal also has an especially sus history.
Very resourceful links! Thanks! I wasn’t doubting there are issues regarding Signal, especially considering its ties to the US, as I saw a video regarding its controversies. My point I wanted to make is there is no 100% secure application, and there will be bugs and vulnerabilities among applications we think we can trust. I believe Signal is still a major improvement regarding security, at least compared to Discord, but I would prefer XMPP, Matrix, etc. if I had the choice. Though I understand if an encrypted system is compromised, it’s just as a good as being unencrypted, so if it turns out the US is getting sufficient information from Signal through a backdoor and the subpoena I mentioned was just for show, I hope PSL would consider migrating to Matrix or something more trustworthy. Then again, when the going gets tough, we may have to abandon our phones and electronics to stay safe and find ways to make revolutionary change under a police state.
For sure, and thank you for doing this work for your branch. Enough people need to push for the use of more secure platforms, (esp getting off google), and I hope that eventually becomes a mandatory directive, not just for PSL, but all parties.
I don’t know. My own opsec is not great.