Threads for thang

  1. 9

    Any service that claims to be secure / private and requires a phone number to sign up is a lie. The account creation page tells you everything you need to know about their stance on decentralization.

    My personal flow is to use XMPP hosted on my own server (NethServer) with people I really care about, and a burner phone number through for people I need to fall back to SMS to communicate with.

    1. 1

      No offence, but I can't understand why you have to go through so much trouble just to communicate with other people. And do those people use XMPP mainly, or just to contact you?

      1. 4

        Is XMPP a lot of trouble though? I set up a prosody server ages ago, and just type a command every now and then to update/upgrade. It's how I communicate with family and friends. Conversations on the phones. Pretty straightforward. I am not exclusive on that and use most of the commercial ways to communicate as well. XMPP feels pretty convenient and works for everyone. I don't even try to convince people. I just sometimes mention Conversations/XMPP as one of the ways to reach me, and if they are curious about it I mention it.

        I tried Matrix ages ago. At least back then it was a huge hassle and didn’t work properly. And I wasn’t even self-hosting.

        XMPP/prosody you set up once and, as mentioned, just type in your update command every once in a while. Works fine. As do the commercial messengers. At least all but Slack, which frequently does weird stuff regarding notifications: doing them late, not at all, alerting me when I already read it, sometimes multiple times. And other weird things, while being a slow resource hog at times.

        I used to be a fan of Signal, back when it was TextSecure and basically opportunistic encryption of text messages (SMS). Sadly they have now turned off this very feature, and together with some other decisions they made that I don't like, I think I am going to stop using it.

        1. 1

          I was already running NethServer to host my own Nextcloud, e-mails, etc., because privacy is important to me. It was trivial to add on XMPP (with SSO) to let me have a fully-featured chat application and be able to SMS from any device. It's a lot like what Google Talk was before they killed it.

          The people using XMPP are mostly within my family group. The people who choose to do it are the same people who would create an account on whatever walled garden I chose in order to keep in touch with us and see pictures of our kids. The people who choose not to are the people who don’t remember my birthday unless [social media platform] tells them about it. It’s a win-win.

        1. 2

          Looks like it hasn't been shipped in the official Fedora 34 repo.

          1. 4

            Most, if not all, Linux distros compile their own builds. Depending on the distro, it can sometimes take a full week :(

            1. 3

              Free QA for Mozilla! And it makes sure distributions are actually providing only free software that can compile from source…

          1. 4

            Brave is a very shady company. They were caught adding their own affiliate links, promoting sites that never took part in Brave's donation program (by showing an icon, so people sent money to /dev/null).

            Personally I use Vivaldi. So far they haven't made any fuckups. I also really like the innovative UI: pinned sites, configuration of panels, etc.

            1. 1

              Really? I thought Brave is open source, so anyone can see its source code…

              1. 2

                They also have their own crypto and by default it means they are shady 😄

            1. 3

              Why not just use Chromium, or ungoogled-chromium if you really want to get away from Google?

              1. 2

                Yeah, you're right. I've used ungoogled-chromium. It's good, really. But sometimes it's quite complicated to set up. And it doesn't have those nice features like Vivaldi.

              1. 6

                Awesome initiative; feel free to share your thoughts on the latest iteration of my website.

                1. 2

                  The font choice gives me LaTeX vibes. Very clean.

                  1. 2

                    I like it VERY much. I like how the code is colored, how smooth it is, and the concept of the “News” section.

                    If it were up to me I would maybe just remove, or improve, the “Revisions” expandable; it doesn't seem to contain anything useful for the reader. Also, the bit where you introduce yourself is posted at the end of everything. I would probably move it to a separate section or leave it on the home page only.

                    And maybe, since Projects is currently empty, it should not be displayed.

                    1. 1

                      Reviewed on iPhone X

                      • the items in the nav bar are squished together for me
                      • some of the article summaries on the home page could use more vertical margin.

                      1. 1

                        Woww, your site is really great!!

                      1. 7

                        Using Blowfish is a bit of a concern; I would recommend using something else, like libsodium or something that is a bit less malleable. Looking through the source of blowfish.js it looks ok, even though it only supports ECB or CBC mode. Note however that it defaults to ECB, which is problematic. If you consider keeping this, I'd switch to CBC (based on what your library supports), but it would be easier to swap for another library, like libsodium.js or the like.

                        Additionally, if you use anything in CBC mode, you do need some sort of HMAC against the cipher to avoid padding oracles and the like. You also want to avoid ECB mode, as that can be hugely problematic. Again, something like libsodium or another library that handles some of these “cryptographic right answers” in an opinionated way would be great.

                        Lastly, you probably want to do some sort of key stretching, especially if you're going to keep passwords as keys; even the 10 character limit is pretty short (10 chars == 80 bits); there are various algorithms here, but Argon2id is pretty good in the JS space. There's quite a few others as well; PBKDF2 is terrible in many ways, but 100k iterations of PBKDF2 would be ok.

                        Note: I'm not saying “Blowfish” is a concern per se, although I generally would recommend more standard ciphers to clients; it's more along the lines of “typing the letters ‘A-E-S’ into your program is a code smell:” most developers don't understand the intricacies of cryptography, and it's easier to use something opinionated that does “the right thing” for you.

                        1. 3

                          I just looked at libsodium.js library. It seems to be safer than blowfish.js, but more complicated, too. I’ll try to implement it as soon as I can. Thank you for your recommendation!

                          1. 2

                            Absolutely happy to help!

                            “…, but more complicated, too.”

                            This is true; most of this is because it's doing some of the things that you would have to do to implement some of the cryptography in a safe way, but also because it's a different set of algorithms and libsodium.js is implementing some other moving parts surrounding it. Luckily, getting things right is mostly easier with libsodium.

                            Oh, one other benefit to using libsodium I neglected to mention: it includes an Argon2id implementation if you want to use that for key stretching.