Running your own Matrix server also means running your own host server, database, caches, reverse proxy, firewall, networking stack, etc… Keeping these things running and updated. As well as vetting and updating clients.
How the fuck would you confirm that? Maybe the sysadmin is running a forked version of matrix that just says it’s encrypted but actually logs everything in clear text.
I don’t think that’s how it works? It’s the client application that has the key for the end to end encryption, not the server. I don’t think you need to trust the matrix server you use? I could be wrong, I don’t know matrix particularly well.
How is it a lot harder to track if the FBI can just subpoena the sysadmin for server/room logs?
With respect, this viewpoint is not defensible from an operational security perspective.
It’s like saying they should use GMail because they have hundreds of millions of users. When the problem isn’t being a needle in haystack, but rather the fact that Google will gladly look through your private data and happily hand it over to the authorities.
What would stop them from subpoenaing all information from your personal server?
If you’re a drug dealer and the FBI sends you a subpoena—you could simply….not respond.
There’s no personal information tied to your account.
There is actually a bunch of metadata tied to your account and your room. That’s partly how they caught that kid with the Pentagon leaks.
And again, there may be other services between the clients and the matrix server that collect personal data (e.g. reverse proxies, load balancers).
—
If you are someone who ostensibly cares about privacy and security (like a drug dealer) why would you rely on the benevolence and security hygiene of a stranger you can’t audit? Instead of using a known good actor, like Signal or SimpleX, or no actor, like Briar.
Simpler to manage and smaller attack surface.
Running your own Matrix server also means running your own host server, database, caches, reverse proxy, firewall, networking stack, etc… Keeping these things running and updated. As well as vetting and updating clients.
deleted by creator
At that point if you’re trusting a rando, just use signal
deleted by creator
You’re trusting whoever runs the hardware that they’re not snooping on you
Correct… So put EVERYONE into one basket… Or split everyone up into multiple baskets…
Now I dunno about your mom… But mine told me to not put all my eggs into one basket.
deleted by creator
How the fuck would you confirm that? Maybe the sysadmin is running a forked version of matrix that just says it’s encrypted but actually logs everything in clear text.
I don’t think that’s how it works? It’s the client application that has the key for the end to end encryption, not the server. I don’t think you need to trust the matrix server you use? I could be wrong, I don’t know matrix particularly well.
https://www.wired.com/story/matrix-patches-vulnerabilities-that-completely-subvert-e2ee-guarantees/
deleted by creator
Why do people phish, dumpster dive, or social engineer? So they can snoop and grab anything of value.
What makes a man turn neutral? Lust for gold? Power? Or were you just born with a heart full of neutrality?
Uhh yeah, but is that wise if you’re trafficking drugs?
deleted by creator
How is it a lot harder to track if the FBI can just subpoena the sysadmin for server/room logs?
With respect, this viewpoint is not defensible from an operational security perspective.
It’s like saying they should use GMail because they have hundreds of millions of users. When the problem isn’t being a needle in haystack, but rather the fact that Google will gladly look through your private data and happily hand it over to the authorities.
deleted by creator
If you’re a drug dealer and the FBI sends you a subpoena—you could simply….not respond.
There is actually a bunch of metadata tied to your account and your room. That’s partly how they caught that kid with the Pentagon leaks.
And again, there may be other services between the clients and the matrix server that collect personal data (e.g. reverse proxies, load balancers).
—
If you are someone who ostensibly cares about privacy and security (like a drug dealer) why would you rely on the benevolence and security hygiene of a stranger you can’t audit? Instead of using a known good actor, like Signal or SimpleX, or no actor, like Briar.
deleted by creator