[vox-tech] any OTR preferences?

Bill Broadley bill at broadley.org
Fri Dec 2 23:06:12 PST 2016


On 12/02/2016 03:46 PM, T. Mark wrote:
>   Thanks for your erudite observations, Bill.. I agree with almost all of them. 
>   That is indeed a bit troubling that Keybase unnecessarily grabs your private
> key.. I should've paid better attention & noticed that myself.  Looks like I'll
> continue to not really use it (never connected any mobile devices like most
> people do btw.. that thought creeped me out straight away.)  It's an interesting
> idea though, & lots of cool nerds there, 

Indeed, especially the FUSE based filesystem.

>   I'll definitely take your enthusiasm for Signal into consideration along with
> all the various opinions.

It's a hard line.  Would federation be cool?  Definitely.  Do federated
standards slow down innovation?  Definitely.  See SMTP, XMPP, or HTTP, all of
which have been very slow to change.  None of which bake in e2e, and all of
which have a huge variety of clients that will break if you tried to force e2e.
Not to mention large communities that will split into change nothing and change
everything communities and battle over changes, and ask for committees that will
decide anything at a glacial pace.  Even after the standards committee decides
then software developers will implement suggested changes willy nilly... leaving
a bunch of half functional clients that you can't trust to do encryption right.

Thus the difference between signal and any of the old school federated protocols.

See why Moxie isn't excited about Joe Randoms distributing hacked signal clients
and pointing at whisper systems servers?

>   Where I think you're a bit mistaken is wrt Google Hangouts--  I recall reading

I didn't mention the word hangout.  I mentioned GCM (google cloud
messaging).  It was a major complaint of the blog post, but seems to miss that
it leaks no message, no metadata, can't tell who you are talking to etc.

> a post by a developer on a Goog forum decrying the fact that Google Voice
> traffic goes over unencrypted (even though the gmail connection spawning it is
> https) ..  and sure enough, when I run Firefox from the command line & fire up
> the Voice Plug-in, it's blurting out stuff all over the place, including my
> gmail address as far as I can tell.  Haven't had the desire to do video (and
> actually find the push to use Hangouts instead of the old Voice to be quite
> annoying) so I have no observations about that.

I didn't mention hangouts.  I mentioned GCM which is not hangouts.

> But I've never trusted that
> megacorporation much, for a variety of reasons, and I must admit I find
> questionable your further assertion that "Google does NOT know who you are
> talking to, or what you are saying .." I mean, if the rest of Hangouts is

I was speaking specifically about signal's use of GCM, not some broad ranging
comment about google.  I trust google to be relatively transparent.  They admit
to tracking your habits, showing you ads, reading your gmail, etc. etc.  It's
what you "pay" for free services.  If you don't like it, don't use their services.

Android is pretty secure, and pretty good about being transparent.  But if you
let it, it will track your position, your email, your commuting routes, your
receipts, your contacts, your routes, etc.  However you can totally use android,
say no, use IMAP, XMPP, some google cal equivalent, and even install your own
app store if you want.

> anything like Voice, they absolutely try to know.  Voice automatically tries to
> convert all your speech-recognize all your voicemails, presenting a usually-iffy
> text of them (and there's no way to turn that off that I could find.)  This is
> consistent with their "free" business model--  free doesn't mean Free As In
> Freedom, to quote stallman.org..  our eyeballs (& vocal cords & probably
> camera-gleaned biometrics) are absolutely The Product--  Goog is an advert
> monster, after all.  If I had the patience to read legalese, I'm sure I could
> provide passages from their ToS that'd leave no question about this.

I don't deny that google collects tons of info if you let it.  If you don't like
it use something else.

>   While I'm ragging on them, it might be worth noting that I heard some definite
> discontent on one or more of the Linux podcasts I consume about Android tending
> more & more toward pushing a proprietary silo sort of environment on
> hardware makers & consumers.  They basically bemoan the increasing disappearance
> of AOSP options (
> https://en.wikipedia.org/wiki/Android_(operating_system)#Open-source_community )..

Yeah, the #1 problem is google play services (GPS), which many apps depend on,
but isn't open source.  However the API to GPS is documented, but it would be
challenging to keep up with google.


