Threads for ossguy

  1. 4

    Meh. It’s not mozilla’s job to protect people from the web. This clearly hasn’t worked out so far and the issue isn’t with mozilla but with the economic system. The web is also not structured in such a way that it can be its own economic system. I believe the only way is to move the web to a different encoding but I am heavily biased.

    1. 15

      Mozilla, the foundation says explicitly it IS their job. That’s the main purpose of Mozilla’s existence. The browser is just one of the tools to further those goals. Admittedly the most powerful and popular one that Mozilla has :)

      1. 7

        I know they say that, I read the document you linked. I am explicitly commenting on that utterance.

        However, I don’t care what they say because I don’t trust them. They broke my trust repeatedly and even if I did trust them I still don’t think they are capable of protecting anyone from anything while also maintaining the lifestyles / salaries that they do.

        1. 7

          Basically this. They have a declining share of the browser usage for a reason. They have consistently taken away functionality that allowed me to personalize my experience to my needs and forced their vision down my throat. I finally had enough of the abusive relationship and moved on. I don’t want another vpn service or email service either. I agree with a lot of their points, but their actions directly contradict them.

          1. 5

            Moved on to what?

            1. 1

              Vivaldi. The things I really like are vertical tabs and tab stacks.

    1. 2

      How much are you paying Twilio for their service? Did you consider any options for sending SMS?

      I do something similar with a filter that forwards certain emails to <my number>, which sends a text to my phone. Other carriers might have a similar feature.

      1. 2

        Smart idea! I hadn’t thought of that.

        I’d previously done similar where I use Gmail’s SMTP access to send a message to <my number>, but have some other ideas for Twilio projects that made me want to dip my toes in here.

        With my usage patterns this costs no more than a couple dollars a month ($1/month for a phone number and SMS are $0.0075 per message).

        1. 2

          If you’re doing something more involved, it’s better to switch away from Twilio before you get too invested, as they’re probably the most expensive SMS provider out there. For example, I’d recommend looking at Plivo and Vonage instead (particularly for incoming messages):

          And if you want to make your program more general, you can use XMPP as the transport and then plug it in to something like or just use the Conversations or Siskin app on your phone to get the push message instead of your SMS client.

      1. 3

        Google does claim, without evidence, that some of the files in the project were copyrighted by Google

        I’m pretty sure that this is wrong, and that there were copyrighted files straight-up copied into the repository:

        1. 4

          (disclosure: I work at Software Freedom Conservancy)

          The rest of the footnote you quoted contains the response to your comment: “recall that it’s typical for pro-DRM organizations to (incorrectly) claim that databases of keys or even keys themselves are independently copyrightable, and we strongly suspect that’s occurring here”. Just because Google puts a copyright notice at the top of a file does not mean that file is actually copyrightable.

          While we were preparing this blog post, I reviewed the file mentioned in your link and found that it was just a list of key-value pairs. So in the US (which is the relevant jurisdiction here, since we are talking about a DMCA takedown) that file is not copyrightable, per US case law such as,_Inc.,_v._Rural_Telephone_Service_Co. and others.

        1. 9

          I’ve noticed the same issue with Electron apps on my low RAM devices. Anything with 4GB or less of RAM doesn’t allow you to run more than 2 instances of the programs, without chugging into swap space or worse, oom-killing.

          Particularly worrying is most of my messaging apps are exactly like that: Riot/Element, FB Messenger, WhatsApp, Telegram (this last one is actually pretty optimized and doesn’t eat too much). Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

          Thanks for the article, at least I know that I can replace one of the culprits with a daemonized, non-Electron app and just use the phone as a remote control.

          1. 9

            As far as I am aware, Telegram is not Electron, it is actually a Qt based app.

            1. 7

              Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

              I’m not sure what you mean. Most XMPP clients today (like Conversations, Dino, etc.) gracefully handle all of the items you mentioned, and with much less resources than a full web browser would require. I definitely recommend XMPP bridges when possible where the only alternative is an “app” that is really a full web browser.

              1. 4

                Of those listed, I think Riot will maybe disappear at some point. Riot has (amazingly) managed to have native desktop clients pop up, Quaternion, gomatrix and nheko are all packaged for my Linux distribution.

                1. 3

                  I understand the desire to use something browser-ish and cross-platform. I don’t fully understand why Electron (hundreds of mb footprint) is so popular over Sciter (5mb footprint).

                  1. 1

                    Electron is fully free, Sciter is closed-source with a Kickstarter campaign in progress to open-source it.

                    For the large companies, the price of something like Sciter should be a non-issue. If I were reviewing a proposal to use it, though, I’d be asking about security review and liability: HTML/CSS/JS have proven to be hard to get secure, Electron leverages the sugar-daddy of Google maintaining Chrome with security fixes, what is the situation with Sciter like?

                    Ideally, the internal review would go “okay, but if we only connect to our servers, and we make sure we’re not messing up TLS/HTTPS, then the only attack model is around user-data from other users being rendered in these contexts, and we have to have corner-case testing there no matter which engine we use, to make sure there are no leaks, so this is all manageable”. But I can see that “manageable” might not be enough to overcome the initial knee-jerk reactions.

                  2. 2

                    Long gone are the days where an XMPP bridge would solve the issue

                    I use Dino on desktop to replace the bloated Discord & WhatsApp clients, and it works fine (with inline images, file sharing, etc working too).

                    Disclaimer: I did, however, write the WhatsApp bridge :p

                    1. 1

                      Isn’t the reason that XMPP isn’t useful more to do with these services wanting to maintain walled gardens? And further, isn’t that a result of the incentives in a world of “free” services?

                    1. 20

                      Category 5 is cheaper, but can only support speeds of 100 Mbps. Category 6 is slightly more expensive but you will need it to get full gigabit speeds.

                      This isn’t entirely correct: cat5 is only rated for 100Mbps, but cat5e will do 1Gbps just fine and is significantly cheaper than cat6a and more flexible.

                      This is a pretty good read on the differences between cat5e/cat6.

                      1. 7

                        While YMMV, I agree here and offer my experience. My house was built and wired in 1998 just before the change over from cat 5 to cat 5e. I did an addition in 2003 with cat 5e. I run gigabit on a mix of both of those cable types with no problem. I figure that there are two reasons for this. First, as the Wikipedia article says, most cat 5 cable actually meets cat 5e specifications even though it wasn’t tested that way. Second, with regard to bandwidth, drop length matters at least as much as the cable you use. My longest drop might be 35 meters. My average drop is probably just under 10 meters. At those lengths, it was a good bet to replace my 100Mb/s switches with Gigabit switches and cross my fingers/keep the receipts.

                        1. 5

                          My house was built in the early 90s, probably just after they switched from installing 4-wire copper phone cables to installing Category 3 cables instead. However, these Category 3 cables still support gigabit speeds without issue (I use it every day with our symmetric 300 Mbps Internet connection), despite being stapled to the struts.

                          I’m not saying all Cat 3 will do this, just that some cables do indeed meet higher specifications, per above.

                          1. 3

                            My desktop currently speaks 10GbaseT to my main switch via ~20ft of cat5 (not e). And the other end is a 10GbaseT SFP+ adapter which only claims 30 meters over cat6, vs the 10GbaseT standard 100 meters.

                          2. 2

                            However if you plan to use Type3/4 PoE devices, the thicker wire gauges found in Cat6/6a/7 are recommended.

                          1. 3

                            I wish there were something like this for phone numbers. Of course, they’re more artificially scarce than email addresses, but still.

                            1. 5

                              You can use for this - it supports short codes so should work for most services.

                              There is work being done to facilitate this particular use case, but in the meantime you can use a new trial account for each new number. As you alluded to, phone numbers are scarce, so re-use is much more likely after the number has “expired”. Also, phone numbers cost real money, so it’s harder to offer the service.

                            1. 1

                              This appears to be US-only… Any chance there exists an EU service like that, giving out European phone numbers?

                              1. 2

                                You can view the current research that has been done on this for JMP at - perhaps the biggest issue is that carriers providing an SMS/phone API charge quite a bit more for numbers in Europe so it is much harder to make European JMP numbers price-competitive. Also, it is very hard (impossible?) to get short code and MMS (picture messaging) support.

                                If you know of other carriers not in the list on the above page, please add directly to that wiki page and/or let the JMP people know.

                                1. 1

                                  Well, Canada too.

                                  It appears they’re working on it, trying to make deals with, uh, “carriers”? Whoever needs to be made a deal with so other numbers are available. That’s what they told me in their support chat yesterday.

                                1. 1

                                  As someone who hadn’t heard of Dino before, I have two small suggestions for this blog post. It says that Dino is “a native desktop application” but doesn’t actually say which operating systems it supports. (The answer is Linux and FreeBSD, with prebuilt binaries available for FreeBSD and for Arch, Debian, Fedora, Gentoo, NixOS, openSUSE, and Ubuntu.) For blog posts that are hoping to reach people new to the project, that would be good information to mention! :-)

                                  My second gripe is that there isn’t a download link anywhere; you have to go back to the home page and click Downloads, which takes you to what looks like a separate page (although it’s actually just a section on the front page) with very little information. I think it might be worth it to put the list of packages right there, not just to prevent unnecessary clicking around but also so that it’s more readily apparent which OSes/distributions this works on.

                                  All that said… I use macOS so this isn’t for me right now :-) Anyone have recommendations for an iOS XMPP app though?

                                  1. 1

                                    We currently recommend on after reviewing quite a few iOS clients.

                                    That said, if your XMPP use case depends a lot on being notified as soon as people send you messages (as opposed to just looking at your client occasionally for group chat activity or similar), iOS might not be right for you. See the second half of for details.

                                  1. 2

                                    Combining ZFS and Linux is a GPL violation anyway, so Linus could not include it in Linux without violating the GPL unless Oracle gave explicit permission (or an exemption) for this, as Linus alluded to.

                                    For more details, including why Canonical is violating the GPL by distributing ZFS in Ubuntu, see (disclosure: I work for Conservancy).

                                    1. 4

                                      Combining ZFS and Linux is a GPL violation anyway

                                      That’s a strong statement. From what I understand, it’s not allowed to distribute Linux together with ZFS, but building ZFS yourself and using it on your own machine is not a GPL violation, right?

                                      Linus could not include it in Linux

                                      I’m with you there. But I don’t think anyone here has asked him to include it. Rather, this seems to be about Linus making changes to the kernel that make it harder to get ZFS to work on Linux.

                                      1. 1

                                        Distributing a combination is not the only problem when dealing with the copyright of ZFS on Linux: While I don’t like it, one can also be held liable for copyright infringement that others committed, e.g. by inducement of it. That means this is also a question for when one were to contribute to or distribute ZFS on Linux without combining it.

                                        On a more general matter: It is said, though disputed, that Bryan Cantrill (on here as @bcantrill) was one of the biggest proponents of the CDDL. If he were to read this I would like to know from him (and anyone contributing under CDDL, if you care about having/giving a license):

                                        1. Do you suggest anyone to use the CDDL for new software?
                                        2. Would you like to have existing software under CDDL move to a different license if that was easy?
                                        3. Is it worth it to make sure new contributions to existing CDDL software are also available under another license that is less intentionally incompatible with other licenses (like 2-BSD, Apache 2.0 or something)?

                                        1. 1

                                          The relevant Wikipedia pretty much answers your questions, including quotes from @bcantrill.

                                          #3 CDDL is generally not incompatible with any OSS license, except MAYBE the GPL. The FSF thinks it’s incompatible, and Linus clearly has a perspective here, but he isn’t really saying it’s a Legal issue, mostly an Oracle is evil issue (which everyone already knows). See the above wikipedia entry for the details. But either way it’s never been tested in court, so it’s still unknown if it’s actually incompatible. Certainly the spirit of both GPL and CDDL licenses are compatible.

                                          Plus CDDL is an interesting license as it’s file based, i.e. it’s attached to individual files, not to a project as a whole. Which makes it unique in the OSS license tree. So you could only make new files in the repository/project dual-licensed. You can’t really change a CDDL licensed file unless you also happen to own the copyright(s) to the entire file, which in the case of OpenZFS is now quite broad, and not limited to Oracle alone.

                                          Basically there is OpenZFS which everyone uses (across multiple different platforms), except Oracle, which nobody uses (unless forced, for non-technical reasons). Oracle can not import any of the OpenZFS changes back into their tree (legally speaking) because the Oracle version is no longer CDDL licensed.

                                          OpenZFS has a lot of awesome features that Oracle can’t import into their version. The latest new feature Oracle can’t import is data encryption on disk.

                                        2. 1

                                          That the GPL and CDDL are incompatible is mostly legal opinion at this point. Certainly the Conservancy has an opinion and the FSF has an opinion, which coincides with your statement of “fact”, but it’s never been tested in courts, and plenty of other lawyers have an opposing viewpoint to yours, so much so that Canonical is willing to bet their business on it. More about the various opinions can be found on the CDDL wikipedia page:

                                          I think most people can agree that in spirit, both are compatible, to some degree, but there is a difference in that GPL is a project based license, and the CDDL is a file-based license (which makes it unique).

                                          I don’t think either perspective can be called fact until the various court systems have ruled one way or another, and I don’t really see anyone itching to find out enough to dump a team of lawyers in front of the court.

                                          I’m certainly not going to say you are wrong, and Linus has made it very clear he has no intention of incorporating OpenZFS into the Linux tree anytime soon, but I think even if everyone on the planet agreed legally that it could be incorporated I would like to think he (and many others) would hesitate anyway. The Linux tree is already pretty giant, and OpenZFS’s codebase is no slouch either (it’s in the millions of LoC). Plus, there isn’t really a huge benefit in incorporating OpenZFS into the kernel tree, since OpenZFS is cross-OS (Unix, BSD, macOS, Windows, Linux, etc) and the Linux kernel … isn’t.

                                        1. 29

                                          As much as I believe every single last person involved in cryptography yelling “use Signal”, it doesn’t fit everyone’s use case of a chat application.

                                          Signal has a hard requirement that you give them a mobile phone number to tie to an account and register from a smartphone. This number is also exposed to other contacts. As for the alternatives in the article, namely: Wire has monthly fees that may prove difficult to pay anonymously. WhatsApp is owned by Facebook; even if you consider this okay enough somehow, that still requires you to go through your smartphone, on which it requires a phone number for registration; not that you could install it on an OS that isn’t macOS or Windows anyway.

                                          People may suggest to “just get a burner SIM”. But that is not a reasonable option if your goal is to hide your real life identity: For example, in Greece and Spain, you must provide ID and formerly anonymous SIM cards were blocked; see COM(2010) 253, p. 69. That’s a non-starter in these scenarios. Of course, you may still argue that people that need to go to such extents to hide are almost certainly criminals, terrorists or dissenters (none of which may be worth protecting depending on your morals), and you’d probably be right. Nonetheless, the increasing disappearance of an untied, non-real-life identity scenario is a worrying prospect to me.

                                            1. 5

                                              Read to the end of the article, where Signal clarifies that they don’t consider it a problem because the goal was never for Signal Desktop to provide at-rest encryption. (I will say however that I too have always wondered why they bothered using SQLCipher to begin with.) If you need that, use full-disk encryption. That will protect you much better.

                                              “But they should be aiming for at-rest encryption.” Let’s play this out:

                                              1. The only way Signal Desktop can accomplish this without some additional support from the platform*, AFAICT, is to require a decryption password that the user types in at startup. Already this breaks a lot of useful things: it breaks the ability for the app to autostart when the user logs in, and that means that if the user forgets to type in the password (and they will) notifications for new messages won’t work, silently. So already we’ve seriously broken the UX.
                                              2. The decryption password can’t even be secured properly. A malicious app on your system can just sniff the keystrokes. Or, it can just record the screen. AFAIK Windows and macOS don’t restrict these operations by default (maybe keylogging, but I’ve never gotten a prompt or anything for screen recording IIRC). Wayland on Linux is supposed to fix this but adoption is “in progress” at best on that front so that doesn’t do us any good.
                                              3. Let’s say that isn’t a problem. Maybe something changed since I used Windows or macOS and they’re better now. The password still isn’t secure. Your disk isn’t encrypted so the attacker can tamper with the Signal binary if they have physical access. Now Signal is malicious. Game over.
                                              4. But let’s say that the attacker doesn’t have physical access, and you’re sure all the apps on your system are trustworthy. Are you sure they don’t have a security vulnerability and won’t get compromised to sniff your Signal password?

                                              The list goes on. This can’t be mitigated at the app level because the platform is fundamentally not designed for this. Mobile devices isolate apps by default; you don’t routinely run processes that aren’t sandboxed. But on desktop, the opposite is true. There are valiant efforts to sandbox apps, like the Mac App Store requiring that all apps distributed through it enable sandboxing, and Flatpak on Linux. But those are still opt-in. Are you sure that everything on your system is sandboxed enough? To actually guarantee this, you need something like Qubes.

                                              Signal Desktop absolutely has problems… but I don’t think this is one.

                                              [*]: keyrings have this same problem. Usually they’re unlocked automatically on login, so any unsandboxed app running in the user’s session can just ask the keyring to give it the Signal password. At least AFAICT… I vaguely recall macOS having some sort of access control.

                                              1. 2

                                                The core premise of the article is completely mistaken. The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide. Full-disk encryption can be enabled at the OS level on most desktop platforms.

                                              2. 9

                                                I definitely agree that, when possible, people should avoid communication tools that require phone numbers and use something like XMPP with OMEMO instead.

                                                If you do need/want to use Signal or similar, there are phone number options that let you maintain anonymity. For example, gives you a Canadian or US number without requiring any identifying information (you can even signup over Tor). If you want to keep the number past 30 days, you can pay in Bitcoin Cash or Bitcoin, or use to pay with other more anonymous cryptocurrencies.

                                                1. 8

                                                  Yep. I use Signal extensively in my labor activism. This is an example of an activity which is entirely legal in the United States, but where I am putting people in danger simply by talking to them. I agree 100% with all your criticisms, and it’s quite unfortunate that there are many situations in which there isn’t a realistic alternative.

                                                  1. 2

                                                    Is there at least groundwork for such an alternative to Signal that doesn’t require a phone number? I’m in the same situation.

                                                    1. 1

                                                      The protocol is open, although it’s my understanding somebody would need to do a lot of implementation. I’d also suggest that future work should be based around expecting users to explicitly manage their keys, rather than trying to abstract that away.

                                                      1. 2

                                                        I’d also suggest that future work should be based around expecting users to explicitly manage their keys

                                                        Why? To me this is the main selling point of Signal. And from my observations teaching PGP (long ago), key management is one of its biggest downfalls.

                                                        1. 1

                                                          Sure. It’s because the automatic management both introduces insecurities, and makes it so that good key-verification practices are more friction than sloppy practices.

                                                          The most significant insecurity is that anyone with control over your phone number can gain control of your account. A stolen SIM or a number-porting attack could both be used that way. They won’t see message history, but they’ll be able to impersonate you. The only defense against this is that there’s a small notice in each chat about the safety number being reset.

                                                          The point about safety numbers dovetails with my larger point about good practices being hard. When you’re scaling up a large organization, educating everybody about what the safety number means and how to verify it is a constant undertaking. Meanwhile, people are constantly replacing their devices, accidentally reinstalling the app, intentionally reinstalling the app, etc for a variety of reasons. It’s constant tedium, and if you just punt on doing the work, there’s a chance of an impersonation attack being successful.

                                                          What I would like is to put key management front and center, so that everybody gets the message that this is something they should be paying attention to and learning more about. I’m envisioning, for example, a first-start wizard that walks users through creating an offline key and using it to sign a per-device subkey, with alternatives also presented if they want to add a key some other way. Yes, it’s a lot of work which would slow down adoption immensely. Thus, I don’t realistically expect any for-profit entity to be the first to offer a product that works this way. Still, in my ideal world, it’s what I’d like to see.
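The offline-key idea from the comment above, sketched as an added example that is not part of the thread and is not Signal's or any other project's code. It assumes Ed25519 signatures and a made-up certificate format; `DeviceCert`, `Contact`, `IssueDeviceCert` and `Scenario` are hypothetical names, and the message is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert binds one device's public key to the account's offline identity
// key. All type and function names in this example are hypothetical.
type DeviceCert struct {
	DeviceName string
	DeviceKey  ed25519.PublicKey
	Signature  []byte // identity key's signature over certBody(DeviceName, DeviceKey)
}

var (
	ErrUncertified = errors.New("device key is not signed by the pinned identity key")
	ErrBadMessage  = errors.New("message signature does not match the device key")
)

// certBody is the exact byte string the identity key signs. The one-byte
// length prefix keeps the boundary between name and key unambiguous.
func certBody(name string, key ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.WriteString("device-cert-v1")
	b.WriteByte(byte(len(name)))
	b.WriteString(name)
	b.Write(key)
	return b.Bytes()
}

// IssueDeviceCert runs wherever the offline identity key is kept: it creates
// a fresh device key pair and certifies the public half.
func IssueDeviceCert(identity ed25519.PrivateKey, name string) (DeviceCert, ed25519.PrivateKey, error) {
	if len(name) > 255 {
		return DeviceCert{}, nil, errors.New("device name longer than 255 bytes")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DeviceCert{}, nil, err
	}
	cert := DeviceCert{DeviceName: name, DeviceKey: pub}
	cert.Signature = ed25519.Sign(identity, certBody(name, pub))
	return cert, priv, nil
}

// Contact is what a peer keeps after verifying the identity key once.
type Contact struct {
	PinnedIdentity ed25519.PublicKey
}

// Accept checks the certificate against the pinned identity key first, then
// the message signature against the certified device key.
func (c Contact) Accept(cert DeviceCert, msg, sig []byte) error {
	if len(cert.DeviceKey) != ed25519.PublicKeySize || len(cert.DeviceName) > 255 {
		return ErrUncertified
	}
	if !ed25519.Verify(c.PinnedIdentity, certBody(cert.DeviceName, cert.DeviceKey), cert.Signature) {
		return ErrUncertified
	}
	if !ed25519.Verify(cert.DeviceKey, msg, sig) {
		return ErrBadMessage
	}
	return nil
}

// send certifies a new device under signer and signs msg with that device key.
func send(signer ed25519.PrivateKey, name string, msg []byte) (DeviceCert, []byte) {
	cert, dev, err := IssueDeviceCert(signer, name)
	if err != nil {
		panic(err)
	}
	return cert, ed25519.Sign(dev, msg)
}

// Scenario returns what a peer sees for the original phone, a replacement
// phone, and a registration made by someone who holds the phone number but
// not the offline identity key.
func Scenario() (oldPhone, newPhone, takeover error) {
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	peer := Contact{PinnedIdentity: idPub}
	msg := []byte("meeting moved to 18:00") // constructed sample message

	cert, sig := send(idPriv, "old-phone", msg)
	oldPhone = peer.Accept(cert, msg, sig)
	cert, sig = send(idPriv, "new-phone", msg)
	newPhone = peer.Accept(cert, msg, sig)
	cert, sig = send(otherPriv, "new-phone", msg) // certified by the wrong key
	takeover = peer.Accept(cert, msg, sig)
	return oldPhone, newPhone, takeover
}

func main() {
	o, n, t := Scenario()
	fmt.Println("old phone:", o)
	fmt.Println("replacement phone:", n)
	fmt.Println("registration without the offline key:", t)
}
```

Because the peer pins only the identity key, replacing a device does not force a re-verification, while a key that the offline key never signed is rejected outright instead of producing a notice.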

                                                          1. 1

                                                            Hm. So if I can rephrase this position, basically you’re saying that good practices (i.e. verifying safety numbers) aren’t on a level playing field with unsafe practices, because it’s much easier to do the latter. And basically you want to level the playing field by making both take equal amounts of effort? Did I get that (somewhat) right?

                                                            1. 1

                                                              I think that’s right, yes. I know it’s in some ways a quixotic idea.

                                                  2. 6

                                                    I use Signal constantly, but this is a sound comment and still only covers maybe half the serious concerns I have with Signal.

                                                    1. 2

                                                      We are pseudonymous in Peergos (no phone number or even email required to sign up). At the moment we are focussed on storage and sharing, but we plan to implement a group chat/messaging solution using Messaging Layer Security once it stabilises.

                                                    1. 4

                                                      I got to see Stallman speak the other week in Illinois. His idealism about Free and Open Source is pretty hardcore. The man refuses to buy an Amtrak ticket because you can’t pay in cash and he doesn’t want to be tracked. He pays for his transit cards in cash instead of using a card at the machine.

                                                      During the lecture he said he decided early on, if he couldn’t work and earn a living entirely using free and open source software, he would rather wait tables (emphasizing that waiting tables is a very respectable profession).

                                                      Looking at this background in this article though, he grew up in a different world, got in early on some ground floors and made some early strides that are difficult to achieve today. I recently lost my job and am very reluctant to go back on the market and go through the entire interview process again.

                                                      I would love to work entirely in open source software, and have been working on getting back into a PhD program (I currently hold a masters). I work with a professor I knew from an old startup and he uses some of the software I wrote ( in his classes and we’re currently working on some new tutorials, docker containers and lab manuals. He’s still struggling to get funding though, and even if any of it comes in, I’d be lucky if I got a stipend that would cover my rent.

                                                      The big question is, now, today, in 2018, how does one live entirely off FOSS development? I feel like the big developers for things like the Linux kernel; over 50%~60% of them probably work in the OSS divisions of Redhat, Microsoft, AMD or Intel (I have several friends I graduated with in Intel’s division out in Hillsboro/Portland).

                                                      What types of grants and fellowships should I be applying for if I want to be able to work on FOSS full-time?

                                                      1. 5

                                                        If you want to apply for a job writing entirely FOSS (or doing other work for a fully-FOSS organization), there are a number of job boards for that:

                                                        You and @zxtx are right about some of the other options: if you start working on a big FOSS project that lots of companies use, if you’re good enough one of those companies will eventually offer you a job out of the blue.

                                                        Personally, I would recommend starting your own company that sells FOSS in some way. There are a number of great business models for this (and some not great ones, which are unfortunately used a lot) - I gave a talk about these at LibrePlanet this year:

                                                        My own example is (and to a lesser extent ). I was fortunate enough to have a few months of runway to try it out, and it ended up working out. In general, you do need some runway for any of the options listed above that are not the job boards.

                                                        1. 2

                                                          I think it depends on the kind of work you do. The popular approach is to have an open-source library important to a company so your work is effectively maintaining this library. Many developers use Patreon, and for some niches like scientific computing there are non-profits like NumFOCUS which fund open source projects. It’s not a straightforward path, but there are openings.

                                                        1. 12

                                                          Denver from here (JMP is a free/libre and open source SMS and MMS gateway for XMPP, and a sub-project). Happy to answer any questions people might have about JMP, WOM, or!

                                                          1. 5

                                                            Prosody + a couple of modules with and Gajim can be a serious alternative to commercial offerings. End to end encrypted chats, history sync and seamless image / file sharing work as well as or even better than Hangouts. I’ve been using this setup with a friend for several months and it works so surprisingly well that I’m seriously considering migrating my entire family to XMPP.

                                                            There is also an option for running connections via Tor (both hidden service for the server and client connections) for the truly paranoid.

                                                            1. 2

                                                              Yeah, I’ve got a big chunk of my family on XMPP and it’s been nice.

                                                              The stragglers I SMS using so that I never need to leave my XMPP client :)

                                                              1. 2

                                                                Wow, looks really useful. Shame it’s US/Canada only (I’m in the UK) :(

                                                                1. 2

                                                                  Feel free to join the low-volume notification list to find out when UK support is added: The UK is likely to be the next country that supports.

                                                                2. 1

                                                                  looks very cool. Unfortunately I already have an unlimited everything plan and a number but the idea is really clever.

                                                                  1. 3

                                                                    I had an unlimited everything plan, but I really love the extra freedom I get now to move across devices/plans sims/wifi when I travel or when I’m at my laptop. Ported my number to JMP and got a “tablet” data-only plan for my mobile. Not for everyone, but my wife and I love it.

                                                                    1. 1

                                                                      Data-only plan… that sounds nice. I didn’t think about porting the number to JMP - that’d be convenient.

                                                                      Do you also use SIP for regular calls in JMP?

                                                                      1. 2

                                                                        I do. Works ok over LTE and fine on wifi. If you need more reliability on lower-bandwidth connections supports opus codec for outbound calls and you can set callerid to whatever you want.

                                                              1. 2

                                                                This sounds like it would be a great fit for , particularly the long-range communication part of the project: . If they were suitable for use in most countries, the 433 MHz bands could be a great way to deliver text and even picture messages in the absence of a cellular network.

                                                                Does anyone know off-hand if these bands are generally license-exempt in Canada or the US? It seems that’s probably not the case in the US, per , but I had difficulty finding info for Canada.

                                                                1. 2

                                                                  I think you could use 900 MHz for the same purpose?

                                                                  1. 1

                                                                    Yes, after some more research it sounds like we could probably get similar range with 900 MHz. I had assumed that range decreased significantly with higher frequencies (using 150 MHz (MURS) as the benchmark, where I’ve seen 35+ km range in my testing), but I’m not a radio engineer, and my brief search suggested you could indeed get 40km line-of-sight with 900 MHz, too. 900 MHz also tends to have fewer regulatory restrictions than 150 MHz, which would be good for the project, where we may wish to do mesh and similar things not allowed on 150 MHz.

                                                                1. 13

                                                                  For sites that still require you use a phone number as part of 2FA, it’s probably best to not use one of the big carriers (which are quite susceptible to social engineering, per the article). Instead, get a number from or similar, and give the sites that number rather than your cell. This also lets you hide your real number from them.

                                                                  I mention in part because it lets you “login” to your phone number using whatever authentication method you like (since it uses Jabber on the back-end). So you’re free to make your phone number as secure as you want.

                                                                  1. 1

                                                                    Wow, I have been looking for something like this for ages for authentication.

                                                                    1. 1

                                                                      Glad I could help!

                                                                      Also, I’ve noticed a few people use for their primary phone number - they just get a cheap data-only (or “tablet”) cell plan, and then use JMP for SMS/MMS/calls on cellular data (or wifi). A nice way to make your phone number more flexible, and secure.

                                                                  1. 5

                                                                    I’m the speaker in this talk; happy to answer any questions anyone might have!

                                                                    The main project that I discuss (and demo) in the talk is . Since the talk I’ve also made an outline of the overall plan (a more concise and complete version of the slides): . Comments and/or suggestions on that are also welcome.

                                                                    1. 2

                                                                      I find it’s a bit strange you started at the end you did….

                                                                      To me the main problem to freeing the cell phone is the baseband… ie. This step…

                                                                      Once we have the above done, there is still the problem of how to communicate with people when outside of wifi coverage, which is something that a cell carrier normally provides.

                                                                      So I have been doing a fair bit of digesting the standards in this area and poking at cellular modems and the like.

                                                                      And I would say most of the complexity and code in the whole cellular stack is around revenue collection. ie. The carriers will fight you tooth and nail to preserve their revenue stream. ie. The problem isn’t the simcard.

                                                                      ie. They will never let you on their infrastructure if they can’t extract the full amount of revenue.

                                                                      One alternative in this space are these guys….

                                                                      Even then, wifi itself is a vast bundle of incredibly complex proprietary magic..

                                                                      The only guys even starting to step outside of that are and on top of them is

                                                                      I think you’re right in that it should be IP first, voice second… (BTW, it looks like LTE is doing that) but I’m sure range beyond wifi is the main problem.

                                                                      1. 2

                                                                        It sounds like we mostly agree on the solution here (but correct me if I’m wrong). In particular, the long-term goal is to not need a cellular baseband at all, or any connection to the cellular carriers.

                                                                        The reason I mention some cellular-dependent options in the talk is because we need some interim solutions (ie. ways for people unwilling to switch devices to use non-cellular more easily). But in the long run we can hopefully migrate people to devices that don’t need such workarounds, especially when we have better and longer-range community-run radio networks.

                                                                        1. 1

                                                                          especially when we have better and longer-range community-run radio networks.

                                                                          I guess that’s the bit I’m interested in….. Partly at a professional level since I work with LMR radio. (Hey, I get my paycheck from the number of handsets and base stations we make… not per call made.)

                                                                          1. 1

                                                                            It would be great if we could chat more about this - we’re always interested to hear from people who work on radio. Feel free to join our XMPP group chat at (you can join via the web if you like) or send me an email using my contact form.