  • Iran blocks Signal messaging app after WhatsApp exodus... BUT many wonder why WhatsApp and Instagram are not blocked

    Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · 11:35

This is pretty puzzling as we know Signal is reputed to be secure (apart from having to provide a phone number to register) and although Telegram's default settings allow access to metadata and even message content ultimately, both have been banned because they have been proven before not to release any user data.

But why was WhatsApp not banned in Iran, nor previously in Russia? This is what is really puzzling many people. It would be pure unfounded conjecture to speculate whether WhatsApp provides metadata about who contacts whom, locations, etc. to authorities, as we've not seen evidence of this yet as far as I know. We do not know this but all the same, the question does need to be asked.

If you are in Iran I'd recommend though that you install XMPP, or P2P apps such as ManyVerse or similar anyway as centralised apps are just too easy to monitor or disable.

See https://www.aljazeera.com/news/2021/1/26/iran-blocks-signal-messaging-app-after-whatsapp-exodus

#technology #privacy #rights #instantmessengers #iran

  • (draft) Instant messaging: how to combine communication and freedom sustainably / Part 2: How to switch?

    Baragan · 01:29 · 4 minutes

Work in progress; feel free to send me your comments and point out any omissions or errors.

XMPP clients for phones

"Quicksy" for a user who wants the simplest possible experience on Android

Use #quicksy and move your social circle over little by little. If you manage it, this will be the last time you have to do it :)

  • simple to install and use, like WhatsApp, without being locked into a proprietary centralised network:

You are completely powerless over #facebook's choices about how its service evolves. And if that does not suit you, you will have to leave all your contacts on that platform: it is the network effect that holds you captive, for fear of losing your social circle.

  • automatic discovery of contacts who already use it
  • international audio and video calls
  • fast sending of audio, image and video files, with automatic resizing and re-encoding when a file is too large. There is no built-in video trimming tool; that has to be done beforehand
  • private and public group chats can be created easily
  • quoting of earlier messages, emoticons, receipts, typing status, etc.
  • available free of charge on the Play Store and F-Droid

Warning: when reinstalling the application, do not forget to back up your old messages (settings -> backup); this also backs up the associated encryption key, which lets you read your history again.

"Conversations" for an Android user who wants to manage several identities

  • The "Quicksy" application is an official spin-off of the "Conversations" application, with automatic contact discovery. Both applications were created by the same developer, Daniel Gultsch, and both have the same basic features. However, for consistency and ease of use, Quicksy does not allow managing several identities.
  • free source code (GPLv3 for client and server)
  • secured with OMEMO end-to-end encryption: your provider will not be able to access your data
  • on installation, you get a new identifier valid across the whole XMPP network, and you are registered in the Quicksy directory once your phone number has been validated

About its author Daniel Gultsch and his business model

  • He has a privacy-respecting policy regarding the use of the phone number discovery service. Quicksy does not send your address book to the Quicksy servers: the application on your phone queries the Quicksy directory with the numbers from your address book to find a contact who already uses the application.

  • It is funded by people who already have an XMPP address and want to be found automatically by their contacts who use Quicksy. Daniel Gultsch also receives funding from sales of the free-software application Conversations on the Play Store and as a provider of xxx@conversations.im addresses

  • He actively contributes to the evolution of the XMPP ecosystem and to defending the concept of federation (a network open to all).

Step-by-step procedure

  1. To keep automatic discovery with friends and family who use Quicksy, install it, note your identifier (+33xxxxxxxxx@quicksy.im) and the password, then uninstall the application.

  2. Install the #conversations application; it is free on F-Droid and paid (5€) on the Play Store.

#fdroid is a "store", an installable catalogue of free and open-source applications. The client makes it easy to discover, install and keep track of updates on your Android device. To install it, select the "Download" button on the F-Droid home page and run the file on your smartphone.

  3. When installing the Conversations application, choose one or more "public" XMPP addresses. Here is the list of providers I recommend:
  • at Chapril (Association de
  • at conversations.im (5€, 6-month free trial)
  4. Enter all your addresses in your profile in the Conversations application

"Siskin" for an iPhone or iOS tablet user

For a user with a basic phone without internet access

  1. If you do not already have an XMPP address, here is the list of providers I recommend:
  • at Chapril (free) Association de
  • at Movim (free)
  • at conversations.im (paid, 5€, 6-month free trial)
  2. To be found automatically by your contacts who use Quicksy and have your phone number, register in the Quicksy directory (5€ via PayPal)

  3. To chat with your contacts (text, images, audio and video calls), log in at http://mov.im with your XMPP address from any computer. You will no longer be left out because you do not have a smartphone!

XMPP clients for the computer

"Movim", a cross-platform solution in a web browser

To view and interact with all your conversations on your computer, I recommend using Movim. It is a web client (like an external webmail) that has all the capabilities of "Conversations" (audio/video calls among others), with additional blogging features.

You can log in with any XMPP address.

Author: Yann, proofreading: Ludivine / Hugo, diagrams: Mathieu, published on the XMPP network from the #movim web client.

  • You can comment on this article via the XMPP network by first logging in to Movim (with your XMPP account or by creating a new one) and going to this address.

  • Mixed Signals Part 2: The Lessons and Redundancy

    pubsub.dcentralisedmedia.com / Decentralized Today · Yesterday - 11:00 · 3 minutes

Last week, I wrote a blog about encrypted messaging app Signal’s 24-hour outage. I rightly pointed out that this outage impressed the need for services of all sizes and purposes to embrace decentralization for the sake of stability to avoid future outages like this one – outages that are undoubtedly devastating to many.

I mentioned how even I had eventually had to switch over to Matrix. Despite mentioning it in the article, there was one more lesson that I failed to address, though in retrospect that may have been a good thing, as it deserves its own special attention: redundancy.

Redundancy could also be called your “Plan B.” In the case of Signal, what’s Plan B for messaging when it goes out? What about email? This week, I don’t have answers, suggestions, or analysis. Rather I hope to get you thinking about this subject if you haven’t before.

First, let’s talk about actual data. We all have data that would be devastating if we lost it: passwords probably being the most universal among this readership. But it could also include photos, that book you were working on, or pretty much anything else you value in a digital format. So step one: keep digital backups. Lately I’ve heard people mention the “3-2-1 rule.” Three copies of your data (two backups plus your live daily driver), two different media (USB and Cloud, for example), with one of those copies being off-site (again, the cloud). If your primary device crashes, do you have a backup? Is that backup in your home? What happens if your home burns down?

Next, let’s talk about communications. Think of your preferred messaging app, whether that be Signal, Telegram, XMPP, or whatever. What’s your plan if it goes down? Even with a decentralized messenger like XMPP, what if your server gets seized by authorities? If you self-host, what if it dies? I’ve killed more electronic devices than Neo from The Matrix.

More importantly, what if someone conclusively proves that Signal is compromised tomorrow? Or [insert your messenger here]? What’s your Plan B when that messenger is no longer an option for any number of reasons? Does everyone know your Plan B? When Signal goes down is not the time to be attempting to walk loved ones through downloading Element or setting up XMPP. A popular speaker says “dig your well before you’re thirsty,” and I couldn’t agree more. Now is the time to let people know your preferred ways to be reached if your primary method isn’t viable.

Finally, I want to point out control of your data. A popular idea in the privacy community is that you should use your own email domain. The idea is that if your email provider goes away for any reason whatsoever, you can simply point the domain at another provider and keep going. This has been known to happen. Recently, a Redditor had their ProtonMail account suddenly disabled because they were accused of violating terms of service by being involved in a hacking forum. Fortunately the Redditor was able to clear their name and get their account back, but that’s a risky situation to ever put yourself into in the first place. I don’t think you should use a custom domain everywhere. It creates a unique trail for you. But for things that are vitally important and you can’t afford to lose – like banking, hosting, or work accounts (if you’re self employed) – you should definitely be pushing those toward a custom domain. And of course, keep backups of the emails themselves.

This is a short article this week. Redundancy is a very simple concept, but one that is easy to overlook. Even Google was hit by an outage in late 2020. Nobody is immune to the possibility of losing data or access. So once again, dig your well before you’re thirsty. Now is the time to put solid plans and redundancies in place. I hope this article has given you a starting point to consider.

  • Insider Attack on Home Surveillance Systems

    news.movim.eu / Schneier · 3 days ago - 15:33

No one who reads this blog regularly will be surprised:

A former employee of prominent home security company ADT has admitted that he hacked into the surveillance feeds of dozens of customer homes, doing so primarily to spy on naked women or to leer at unsuspecting couples while they had sex.

[…]

Authorities say that the IT technician “took note of which homes had attractive women, then repeatedly logged into these customers’ accounts in order to view their footage for sexual gratification.” He did this by adding his personal email address to customer accounts, which ultimately hooked him into “real-time access to the video feeds from their homes.”

Slashdot thread.

  • OpenBoard is a privacy respecting open source alternative keyboard to Google's Gboard and Microsoft's SwiftKey for Android

    Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · 5 days ago - 08:19

I've only been using this keyboard for a day but so far it's been fully usable for me. It does not have swipe yet but that was not something I'm using.

Yes at the end of the day a lot of what you do on your phone is via the keyboard, so it is good to know this is all pure open source. Strictly speaking you anyway do not want to be typing passwords in and should be using an open source password manager like Bitwarden.

Good to see also the app is available directly from F-Droid or the Google Play Store and there is no dependency on any Google binaries.

See https://github.com/dslul/openboard

#technology #opensource #alternativeto #privacy #keyboard

  • Military intelligence buys location data instead of getting warrants, memo shows

    news.movim.eu / ArsTechnica · 6 days ago - 21:04

If your phone knows where you are, the feds can too. (credit: Luis Alvarez | Getty Images)

The Defense Intelligence Agency, which provides military intelligence to the Department of Defense, confirmed in a memo that it purchases "commercially available" smartphone location data to gather information that would otherwise require use of a search warrant.

The DIA "currently provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones," the agency wrote in a memo (PDF) to Sen. Ron Wyden (D-Ore.), first obtained by the New York Times.

The Supreme Court held in its 2018 Carpenter v. United States ruling that the government needs an actual search warrant to collect an individual's cell-site location data. "When the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user," Chief Justice John Roberts wrote for the majority in his opinion. "The retrospective quality of the data here gives police access to a category of information otherwise unknowable."

  • Home alarm tech backdoored security cameras to spy on customers having sex

    news.movim.eu / ArsTechnica · 6 days ago - 20:54

A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee for home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the District of Northern Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.
