<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<br /><br /><br />3. Dec 2016 15:06 by <a href="mailto:bill@broadley.org" target="_blank" rel="noopener noreferrer">bill@broadley.org</a>:<br /><br /><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">On 12/02/2016 03:46 PM, T. Mark wrote:<blockquote> Thanks for your erudite observations, Bill.. I agree with almost all of them. <br /> That is indeed a bit troubling that Keybase unnecessarily grabs your private<br />key.. I should've paid better attention & noticed that myself. Looks like I'll<br />continue to not really use it (never connected any mobile devices like most<br />people do btw.. that thought creeped me out straight away.) It's an interesting<br />idea though, & lots of cool nerds there, </blockquote><br />Indeed, especially the FUSE based filesystem.<br /><blockquote> I'll definitely take your enthusiasm for Signal into consideration along with<br />all the various opinions.</blockquote><br />It's a hard line. Would federation be cool? Definitely. Do federated<br />standards slow down innovation, definitely. See SMTP, XMPP, or HTTP, all of<br />which have been very slow to change. None of which bake in e2e, and all of<br />which have a huge variety of clients that will break if you tried to force e2e.<br />Not to mention large communities that will split into change nothing and change<br />everything communities and battle over changes, and ask for committees that will<br />decide anything at a glacial pace. Even after the standards committe decides<br />then software developers will implement suggested changes willy nilly... leaving<br />a bunch of half functional clients that you can't trust to do encryption right.<br /><br />Thus the difference between signal and any of the old school federated protocols.<br /><br /></blockquote><p><br /></p><p>I continue to procrastinate in finding these posts by "Moxie" et al.. just haven't much spare time. Hopefully that can change. <br /></p><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">See why Moxie isn't excited about Joe Randoms distributing hacked signal clients<br />and pointing at whisper systems servers?<br /><blockquote> Where I think you're a bit mistaken is wrt Google Hangouts-- I recall reading</blockquote><br />I didn't the mention the word hangout. I mentioned GCM (google cloud<br />messaging). It was a major complaint of the blog post, but seems to miss that<br />it leaks no message, no meta data, can't tell who you are walking to etc.<br /><blockquote>a post by a developer on a Goog forum decrying the fact that Google Voice<br />traffic goes over unencrypted (even though the gmail connection spawning it is<br />https) .. and sure enough, when I run Firefox from the command line & fire up<br />the Voice Plug-in, it's blurting out stuff all over the place, including my<br />gmail address as far as I can tell. Haven't had the desire to do video (and<br />actually find the push to use Hangouts instead of the old Voice to be quite<br />annoying) so I have no observations about that.</blockquote><br /></blockquote><p><br /></p><p><br />Sorry for presuming Hangouts. I don't have service hooked up to my Androids-- no desire to enrich rip-off Wireless Companies nor be triangulated by dirtboxes nor really a pressing need to be online or in-contact all the time. I suppose I could run Android on my laptop & goof around with apps when online, but haven't got 'round to it.<br /> </p><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">I didn't mention hangouts. I mentioned GCM which is not hangouts.<br /><blockquote>But I've never trusted that<br />megacorporation much, for a variety of reasons, and I must admit I find<br />questionable your further assertion that "Google does NOT know who you are<br />talking to, or what you are saying .." I mean, if the rest of Hangouts is</blockquote><br />I was speaking specifically about signal's use of GCM, not some broad ranging<br />comment about google. I trust google to be relatively transparent. They admit<br />to tracking your habits, showing you ads, reading your gmail, etc. etc. It's<br />what you "pay" for free services. If you don't like it, don't use their services.<br /><br />Android is pretty secure, and pretty good about being transparent. But if you<br />let it, it will track your position, your email, your commuting routes, your<br />receipts, your contacts, your routes, etc. However you can totally use android,<br />say no, use IMAP, XMPP, some google cal equivalent, and even install your own<br />app store if you want.<br /><blockquote>anything like Voice, they absolutely try to know. Voice automatically tries to<br />convert all your speech-recognize all your voicemails, presenting a usually-iffy<br />text of them (and there's no way to turn that off that I could find.) This is<br />consistent with their "free" business model-- free doesnt mean Free As In<br />Freedom, to quote stallman.org.. our eyeballs (& vocal chords & probably<br />camera-gleaned biometrics) are absolutely The Product-- Goog is an advert<br />monster, after all. If I had the patience to read legalese, I'm sure I could<br />provide passages from their ToS that'd leave no question about this.</blockquote><br />I don't deny that google collects tons of info if you let it. If you don't like<br />it use something else.<br /><blockquote> While I'm ragging on them, it might be worth noting that I heard some definite<br />discontent on one or more of the Linux podcasts I consume about Android tending<br />more & more toward pushing a proprietary silo sort of environment on<br />hardwaremakers & consumers. They basically bemoan the increasing disappearance<br />of AOSP options (<br /><a href="https://en.wikipedia.org/wiki/Android_(operating_system)#Open-source_community" target="_blank" rel="noopener noreferrer">https://en.wikipedia.org/wiki/Android_(operating_system)#Open-source_community</a> )..</blockquote><br />Yeah, the #1 problem is google play services (GPS), which many apps depend on,<br />but isn't open source. However the API to GPS is documented, but it would be<br />challenging to keep up with google.<br /><br /></blockquote><p><br />For sure-- I balk whenever someone directs me to The Play Store to get an app.. never felt comfortable Registering My Device with them which is required to gain access. F-Droid is nice, but not adopted widely enough as yet. I eventually found org.aclu.mobile.justice.ca* on one of the 3rd party sites that hosts .apk's, though, so now I guess I can livestream questionable incidents if I happen to be in a free hotspot. (Maybe someone going to the EFF event can ask if they can ask ACLU to get hip to F-Droid? But I wont get my hopes up-- just saw where ACLU did a live q&a on F*book Video.. (don't get me started!))</p><p> <br /></p><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;"></blockquote><p>Thanks again for your technical analyses though-- definitely helpful. <br /></p><p><br /></p><p>--<br /><a href="https://medium.com/@linuxusergroup" target="_blank" rel="noopener noreferrer">https://medium.com/@linuxusergroup</a><br /></p><p><br /></p> </body>
</html>