Changes to Lemmy/PieFed to adjust to living under fascism

southendsunset@lemm.ee

But do users get fed?

iopq@lemmy.world

Reddit blocks VPNs unless you're already logged on

rglullis@communick.news

No. Nostr is even worse because it ties your identity to your encryption keys.

artificialfish@programming.dev

Secure Scuttlebutt is the way

artificialfish@programming.dev

So something I want to point out: plain text encryption exists. Cyphers and the like. You could have your instance use all the standard stuff but with a really hard cypher, and it would work everywhere. Then you just need a front end to read it… but then the cops could read it… oh public encryption makes no sense.

openstars@piefed.social

OUR NEW AUTHORITARIAN OVERLORDS ARE PERFECT IN EVERY WAY

kichae@lemmy.ca

Yup. Really don't get the constant drumming of "I want to use someone else's website or server while pretending it's a secure platform". Peer-to-peer coms have been around for literal generations now. If you actually care about privacy, e2ee p2p is what you do.

Security runs opposite to convenience.

emmie@lemm.ee

Wait I thought we all use disposable emails. Is there some rule against it oops

povoq@slrpnk.net

I think this is a fallacy, and anyone that is old enough to remember the popular days of Bittorrent will have stories to tell.

Yes, in theory p2p models can be more secure if you really know what you are doing.

But in reality the users' end devices are often the weakest link and most people have bad opsec. A server operator has often a much better idea what they are doing and systems like Tor or xmpp that allow servers to protect their users by not sharing all the metadata with every participant are safer for the majority of users.

docus@lemmy.world

Glossing over the fact that DOJ can’t subpoena instances like world as they are outside the US (but, like world, may be subject to EU GDPR) having an account without PII if your IP address is all over the servers isn’t going to save you.

povoq@slrpnk.net

Ugh, the comments here...

I think these are some good ideas, but e2ee in a browser that depends on server supplied javascript will never be really safe.

I think you would be better off making a nice XMPP integration so that people can use existing native apps with good e2ee for their private messages.

Otherwise the ideas are sensible and worth a shot, looking forward to what you come up with in Piefed

iopq@lemmy.world

How is that worse? You can always prove that you are the same person by encrypting a message with the same key. There is no way for me to prove whether my Instagram account is really me

recklessengagement@lemmy.world

Yep. And besides, the only people actually taking significant risk here are the instance hosters storing the content.

rglullis@communick.news

You don't need to go full p2p. You can still have servers and you can still have operators who work to prevent issues at the edges, but the servers need to be only blind communication relays and routers.

rglullis@communick.news

The problem is the inverse. There are times where you don't want to be connected to any message.

Nostr is being developed by stupid bitcoiners, and it suffers from the same stupid mistakes as BTC. Pseudonymous transactions is not enough for a payment network. Just like pseudonymous messaging is not enough for secure communication.

rglullis@communick.news

This is also why I get so pissed about the Fediverse "don't scrape me bro" crybabies and their whole talk about "consent-based following".

Malicious actors do not ask for consent. Malicious actors know how to bypass authorized fetch. Malicious actors will have absolute no qualms creating accounts on the same server as you just to be able to follow you. You can even argue that malicious actors will even build an instance that you find super appealing in order to be able to collect your communication.

It doesn't matter how you feel you are entitled to a "safe space", if you are talking in public. People might ignore you, but they are never go around with their ears covered just because you are asking them to.

cris_color@lemmy.world

That's very true.

Like I said, I don't think it's really what a platform like lemmy is for

povoq@slrpnk.net

There is no such thing as a blind relay. There will always be meta-data accumulation at such points in the network.

It is possible to try to minimize the meta-data accumulation and obfuscate it further and there are certainly some interesting theorectical concepts for that in systems like SimpleX, Nostr etc. but in the end most of these are just giving a false sense of security.

In addition many of these systems engage in what I call "trust-washing", i.e. them proudly proclaming: "there is no need to trust us, bro!" When in reality there are multiple points of failure in their pretend to be trustless system that they just chose to ignore or try to distract you from.

And when it comes to the real-world, tried and battle tested system like Tor are where I would put my safety, not some brand new crypto-bro dondogle that is funded by venture capital investors (like SimpleX).

rglullis@communick.news

Even with Tor you also have to trust the exit nodes. So, yes, I agree you will still need to trust someone, but we can control/design to have less things depending on this trust.

Specifically with ActivityPub, everything is designed around the idea that the server owns it all. It doesn't have to be all-or-nothing.

rimu@piefed.social

too destructive for compatibility with other ActivityPub software

Yes, but that's Ok, not every community needs to federate outside PieFed. There can be a mix of insecure (widely-compatible) and secure (PieFed only) communities. PieFed does not be need to be held back by the limitations of ActivityPub as we know it today.