undefined | Better HN

0 pointsmaxidorius6y ago0 comments

I would appreciate if we could stick to the points brought up in the notes instead of trying to discredit the work of several people (writers, reviewers, sanity checkers) who equally contributed to it.

The document is clear that it puts the default behaviour and explanation next to what users understand out of it and expect, just like what the privacy policy of Matrix.org is based of in section 2.1.1. We have asked several technical and non-technical people alike, from our family members to our friends to people in our communities. And the feedback is unanimous: They did not understand nor expect what we described.

In terms of actually of handling the issues, the scalar issue is one we brought up with Ben months ago in private as per your disclosure policy, and yet nothing was done. This is just an example of a long list of issues brought up over the years.

The point of the document is not to find justification for what is happening, but to inform users that it is happening. An attacker got access to your systems which contained logs from which such data can be gathered. It is important that users who self-host and do not expect such data to get out realize that it does so they can take appropriate action.

The document might feel alarmist, certainly. It does not feel alarmist because we wrote it. It feels alarmist because the behaviour described is happening and nothing is done about it. It is not discussed anywhere. Attempts to do so are shut down. But it does not change anything: leaks are happening right now on thousands of servers and for millions of users (up to 9M, as per Matrix.org figure) and every person who we showed this to before publishing had the same reaction: "I never expected such data to go out like this. I am worried".

As for Grid, we made a specific effort out of respect for the Matrix.org people not to mention it or steer towards it. Yes we have forked Matrix. No it is not hostile, despite your continuous claims to label it as such.

We think it is time to stop talking about all the good reasons why, in the 5 years it took to get Matrix out of beta, there was just no time to deal with such leaks. We think it is time to start talking about how we can make sure it stops from happening and which decisions lead to it happening for so long unnoticed.

You wrote the software. Start respecting your users privacy.

0 comments

fock6y ago

And while your comments are valid, a large part of your comments are actual FUD, because every other chat application out there behaves the same (and for a large portion of the user base, matrix probably is just yet another chat app...)?!?

Especially your ongoing notion of metadata as private information which should be hidden is funny: how do you intend to do that? Short of wrapping your application into Tor (which seriously impacts performance letting your average family member happily pass it), I can't think of any method not including any BS-Bingo (how about a blockchain...).

I agree that the vector.im-identity service seems really unnecessary and it reminds of Mozillas approach to sync (yeaah, the ones with your cited manifesto cough); still, I was well aware that this means regularly contacting this server and probably also checking my contacts DB against it (as well as having metadata on my browser, like every other website + it's 23 ad-networks, uuh)? Also for anyone interested in actually hosting a server it's really spelled out plainly, that this is a measure for convenience and you can still host your own server – btw: did you ever try to integrate federation into syndent (you might show the world your archived Issue/PR...).

The part about the integration server is indeed worrying (but not you, putting at the end?!?) because without it, I don't really see the value proposition of matrix compared to plain old XMPP (and I wonder how you intend to monetize on kamax...). And I wasn't really aware of it...

The other parts

- I didn't give an eMail, wasn't a problem for me and I'm seriously not imaging any way to resolve this w/o aforementioned BS-bingo or yet another personal information (private/public key, which is beyond scope for most people + creates its own set of problems (people with unencrypted keys on their machines...)

- so the only way for matrix to read messages is by adding a bot? can the scalar.vector.im server initiate that too? otherwise your claim that vector.im can read all your messages is just BS

- you never mention that encryption by default would be cool. How will kamax.io handle this?

maxidoriusOP6y ago

The document does not try to compare other chat applications with Riot. It does not try to say what is good or bad. We simply take how Riot is presented and understood by non-technical people, and see if its behaviour matches what they understood it does in terms of privacy. There was a mismatch, and people asked to know what was shared without their consent or understanding: we wrote it down.

We did the next best thing after improving sydent: we wrote our own implementation of an Identity server: mxisd. We linked it several times in the doc. You should give it a look. That's one example of how you can be better at privacy.

If the content of the document does not surprise you, and you were fully aware of all that was going on, it is also a win! Sadly, this is not our experience with the many users we came in contact with. They did not know, but wanted to know in details.

We do not mention End-to-End encryption would be cool indeed because it would not change what is happening here. In Matrix, the encryption would only cover the content of the event, but not its metadata (sender, source, timestamp, etc.). The document is clear that the vast majority of the leaks are around metadata (who sent what, who did what, when, from where) and not data itself (the message itself).

This document only scratches the surface of privacy in Matrix, by being specific to Matrix.org and its choice of recommended software. It gets worse as we start investigating the protocol itself. It is your choice to see this as FUD. It does not make it less true, and while you might not care, some do. We published the document for those who care and do not have the means, time or capacity to do such a research themselves.

fock6y ago

Oh yeah I get that you are not comparing with anything else, because then your criticism wouldn't be on matrix but on how about 99% of the internet today work _by design_. With any protocol, where you are expecting any reliable, low-latency 2-way communication, each partner will know about the other, you won't work around that anytime soon. What you can work around is the number/mass of the partner which is acting as your always-on messaging relay, eventually trading convenience for privacy - I agree that vector/riot is not looking too good on this, but I don't see how they're not clear on it/working towards eventual resolution of this problems. One can argue whether this should be the first priority or an afterthought but I've grudgingly accepted the latter being standard today (just look at all those leaky SaaS-apps on hn...).

For the perception/expectations of average Joe on privacy/obscurity on the internet I recommend you read the recurring threads on any platform whenever there is a new "scandal" centered on whatsapp (europe): half of your commenters will just tell you that they are gonna use Telegram (yeah, the ones, where you don't know exactly whose behind and which think that encrypted group chat is too much of a hassle).

Regarding your comments that the protocol is broken, I'm really surprised how you are intending to tackle this? Why the hell are you using the very same protocol which is driven by a body which you claim intransparent and non-cooperative? If all your allegiations are true you would have been better of rolling your own/your software won't be compatible for long if you take your own writing seriously...

P.S.: care to elaborate who's "we"? Your projects have a surprisingly low number of contributors (which hopefully changes now), so I can't really figure out, why you are not just saying "I". Also don't know what's so bad on taking a stand in a civilized public discussion (if "we" decided to be anonymous)?

1 more reply

olliej6y ago

iMessage does not upload your contacts. Don’t claim that uploading/traversing someone’s contact dB is necessary. You only ever need to do a directory lookup when someone messages another person.

rasengan6y ago

BitMessage absolutely obfuscates the metadata FYI.

fock6y ago

from wikipedia

> Bitmessage was conceived by software developer Jonathan Warren, who based its design on the decentralized digital currency, bitcoin.

So, looks like "blockchain"? Anyone else?

From the FAQ: https://bitmessage.org/wiki/FAQ

> On average it should take 8 minutes from the time you click the send button to the time you receive a response.

Whew. Privacy really costs.

j / k navigate · click thread line to collapse

0 pointsmaxidorius6y ago0 comments

You wrote the software. Start respecting your users privacy.

0 comments

fock6y ago

The other parts

- so the only way for matrix to read messages is by adding a bot? can the scalar.vector.im server initiate that too? otherwise your claim that vector.im can read all your messages is just BS

- you never mention that encryption by default would be cool. How will kamax.io handle this?

maxidoriusOP6y ago

fock6y ago

1 more reply

olliej6y ago

iMessage does not upload your contacts. Don’t claim that uploading/traversing someone’s contact dB is necessary. You only ever need to do a directory lookup when someone messages another person.

rasengan6y ago

BitMessage absolutely obfuscates the metadata FYI.

fock6y ago

from wikipedia

> Bitmessage was conceived by software developer Jonathan Warren, who based its design on the decentralized digital currency, bitcoin.

So, looks like "blockchain"? Anyone else?

From the FAQ: https://bitmessage.org/wiki/FAQ

> On average it should take 8 minutes from the time you click the send button to the time you receive a response.

Whew. Privacy really costs.

j / k navigate · click thread line to collapse