#OperationIronside

Replied in thread

@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many jurisdictions...

  • Which is why there is no substitute to teaching proper #TechLiteracy ffs!

If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.

If you do think so then you should really get some professional help, cuz you seem rather lost...

  • #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...

Its #centralization is an absolute nightmare and must be deemed as criminally neglectful!

Mastodon
Pixelcode 🇺🇦 (@pixelcode@social.tchncs.de)
@kkarhan@infosec.space @taylan@feministwiki.org For every messenger there's the risk of someone finding out that you use that messenger (for example when you download the app without a proxy or when you rent a server for self-hosting). So what? Nothing and no one stops you from voluntarily using Tor to connect to Signal (Orbot, InviZible, Advanced Privacy etc.). For those oppressed by authoritarian regimes, Signal offers easy-to-use censorship-circumvention proxy support built into the app. https://support.signal.org/hc/en-us/articles/360056052052-Proxy-Support

Replied in thread

@dalias @lauren
@pixelschubsi

Also the blatant dismissal of absolutely basic #OpSec & #ComSec is just flabbergasting.

Only #decentralized, #OpenSource & #OpenStandards can actually survive long-term and remain #secure.

It's the same reasons we use #PGP/MIME & #SSH and not #X400 & #X25!

IOW: Think "How can you weaponize Signal?" and see what you can do just holding key people in contempt...

The less #info a provider has, the less they can be forced to snitch upon customers.

"#JustUseSignal!" is a form of dangerous "#TechPopulism" aimed at bamboozling #TechIlliterates who don't know better, abusing information asymmetry to pull rank instead of investing the time and effort to *explain* "how" and "why" this is indeed a good or bad idea.

The only ones that have a chance to beat that are @delta / #deltaChat but that's just #PGP/MIME #eMail in a nice UI...

  • You may now laugh at me and think my "#TinfoilHat sits too tight" but I'm sure sooner or later I'll be evidenced as correct...

Hachyderm.io
Cassandrich (@dalias@hachyderm.io)
@kkarhan@infosec.space @signalapp@mastodon.world @monocles@monocles.social @lauren@mastodon.laurenweinstein.org Very few systems promoted as Signal alternatives match the cryptographic privacy properties (see: ratcheting, etc.) of Signal. The claims about "located in the USA" and "Cloud Act" are all nonsense because the only threat to Signal users from this is availability (seizure and shutdown of the server infrastructure), not undetected breakage of privacy properties. There are presently no systems with superior privacy properties to Signal *and* level of functionality on par with what general public expects. There are a lot (like the XMPP stuff, *sigh*, and Matrix) that are worse in both regards. If you're happy with reduced functionality, Cwtch (and possibly some other similar Tor-based systems) or VeilidChat are stronger, but it's gonna be a while before you convince normies to use them, and in the mean time they're still going to be on insecure shit like WhatsApp, FB Messenger, Telegram, etc...

Replied in thread

@Zoll do you know what would be far more effective?

If the stuff were handed out in a #legal, controlled way (e.g. #Apotheke / pharmacy), because then people wouldn't be knocking back junk but would have clean product, and #OrganisierteKriminalität (organized crime) would come away empty-handed.

Cc: @Bundesregierung @bmg@social.bund.de

Speaking of "tips from abroad", it'll be interesting to see how that looks in terms of #rechtstaatlich (rule of law)...

Replied in thread

@mortn @kyleirl @Andres@mastodon.hardcoredevs.com @spycrab @shipwreckt @Mer__edith

#FACT:

#ToldYaSo guys!

#ProTip: Use #XMPP+#OMEMO!
infosec.space/@kkarhan/1139323

Replied in thread

@sylv_a personally, I'd recommend #XMPP+#OMEMO (and #PGP/MIME - encrypted #eMail) for real #E2EE with #SelfCustody of Keys as well as actual #decentralization.

Cuz no one's gonna risk jailtime for (non-paying!) users - if at all…

In fact I'd call U.S. MIL/INTEL as "criminally incompetent" if they didn't manage to plant multiple people inside @signalapp / #Signal or any other single-vendor / single-provider messenger.

Personally, solutions like Signal & #Threema have a stench like #CryptoAG / #MINERVA / #Rubikon and #ANØM / #OperationIronside / #OperationTrøjanShield.

By contrast: #OpenStandards like XMPP+OMEMO & PGP/MIME are independently verifiable and not dependent on a single individual/organization for maintenance/survival/implementation/development.

Personally I'd still recommend @monocles / #monocles with #monoclesChat & #gajim...

Twitter
thaddeus e. grugq on Twitter
“I’m gonna tell you a secret about “logless VPNs” — they don’t exist. Noone is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g”

Replied in thread

@zeank @MastoDenunzianten and if the server is an #OnionService on @torproject, there aren't even any IP addresses!

Just like #ANØM aka #OperationIronside aka #OperationTrøjanShield...

Infosec.Space
Kevin Karhan :verified: (@kkarhan@infosec.space)
@MastoDenunzianten@vivaldi.net *EXACTLY THAT* is the *WRONG IDEA!*
- A #zentralisiertes (centralized), #SingleVendor & #SingleProvider system will *ALWAYS* have #Govware-#Backdoors because it can be compelled to.
- Without #CloudAct-*"compliance"*, @signalapp@mastodon.world would have been shut down long ago (like #EncroChat) and @Mer__edith@mastodon.world would be in jail!
#XMPP+#OMEMO & #PGP/MIME, by contrast, are open #Standards which, unlike #Threema, #Signal, #WhatsApp, #Telegram & co., are completely auditable and demand *NO* #PII (personally identifiable information).
- Don't trust @monocles@monocles.social / [monocles chat](https://monocles.chat) as the operator? No problem: there are [umpteen others](https://github.com/greyhat-academy/lists.d/blob/main/xmpp.servers.list.tsv) and you can do #SelfHosting!
- Don't trust #monoclesChat or @gajim@fosstodon.org / #Gajim as clients? Here too there are [various alternatives](https://alternativeto.net/feature/xmpp/), and if the #Aluhut (tinfoil hat) is too tight, you just build everything yourself.
Whereas the #BND & #CIA are famous for de facto ownership and infiltration of individual manufacturers that sell #proprietär|e (proprietary) #SingleVendor & #SingleProvider solutions.
- Concrete examples: #CryptoAG aka #MINERVA / #Rubikon and #TextLite, which were crushed via #Philips…

@zdl @evacide that and the fact that @signalapp is incorporated in the #USA, making them susceptible to #GDPR & #BDSG-incompatible #cyberfascist bs like #CloudAct.

Remember: #KYC IS THE ILLICIT ACTIVITY when it comes to #Communication!

Compare that to @monocles / #monoclesChat which don't demand any PII or KYC and allow people to pay for their services with #Monero and #CashByMail besides #SEPA #WireTransfer, #Stripe & #PayPal whilst supporting both decentralization (#XMPP is not a #SingleVendor / #SingleProvider solution!), implementing real #SelfCustody (#OMEMO, #OTR & #PGP is supported out of the box) for all the keys, and proper #Anonymity (using @torproject / #Tor & @guardianproject #Orbot for #privacy), so in case they ever get a duly submitted warrant by a court they'd have to comply with, they'll most likely have no data whatsoever on clients that could allow identification.

  • And that is a good thing, because whilst very unlikely, one cannot exclude the non-zero chance of i.e. #MLAT|s being filed with knowingly false information by 3rd countries.

Also having no PII is a matter of reducing #liability in the sense of #DataProtection: All data requested and by #monocles is the bare minimum mandated for #accounting (i.e. only linking a payment like a #TxID / Transaction-ID to an account and then adding up validity/activation period).

Of course #OrganisierteKriminalität (organized crime) isn't stupid...

Accordingly, neither the #EncroChat bust nor #ANØM aka #OperationIronside aka #OperationTrøjanShield solves the problem, because that is a matter of modalities and incentives.

  • So what happens is what was to be foreseen: arming up and paranoia...

For that, one needs to be neither organized crime nor an organized-crime investigator, but simply be able to read the room...

youtube.com/watch?v=fZO0qz3e8K

Replied in thread

@HonkHase @GrapheneOS +1

Indeed I've to dive deeper into #GrapheneOS's security features.

  • Pretty sure you also have a "decoy mode" password implemented that wipes all the keys if not go as far as to show a fake unlocked android.

Kinda like "#ArcaneOS" (a botched @LineageOS fork) but without #Govware #Backdoors...

Continued thread

You use XMPP+OMEMO because you think it's neat.

I use XMPP+OMEMO because all centralized, single-vendor and/or single-provider messengers are inherently garbage, collect PII like phone numbers for no "legitimate reason" and don't offer proper End-to-End - Encryption with self-custody of all the keys, making them either honeypots or prime targets for warrants.

  • We are not the same!

Infosec.Space
Kevin Karhan :verified: (@kkarhan@infosec.space)
@evacide@hachyderm.io NO, YOU CANNOT USE @signalapp@mastodon.world WITHOUT A PHONE NUMBER!!! *
They still require a phone number as they still do restrict the functionality of their App based off the phone number given!
Also we've all seen that #centralized, #SingleVendor & #SingleProvider solutions are inherently bad - so why should anyone use #Signal over #XMPP+#OMEMO or XMPP+#PGP/MIME ???
#Signal, like every provider in the #USA, is subject to #CloudAct ** and will obviously hand over the #metadata they collected without legitimate interest if told to do so. ***
After all, clients like @monocles@monocles.social ' #monoclesChat **** make XMPP w/ OMEMO and PGP/MIME extremely user-friendly...
In many jurisdictions, you cannot legally obtain an anonymous prepaid SIM legally! *****
- - -
Sources:
* https://social.tchncs.de/@kuketzblog/111968247576555678
** https://en.wikipedia.org/wiki/CLOUD_Act
*** https://web.archive.org/web/20220112020000/https://twitter.com/thegrugq/status/1085614812581715968
**** https://f-droid.org/en/packages/de.monocles.chat/
***** https://infosec.space/@kkarhan/111968383793566135

Replied in thread

@ditol @samueljohn @linuzifer

THIS is where I disagree...

You may think it's elitist, but if people are too lazy to learn even fundamentals like how to use #Tails then maybe they should just not do #tech at all?

  • Like: We expect people to show at the very least theoretical proficiency in terms of #TrafficCode and #VehicleSafety in *every jurisdiction I'm aware of* and literally mandated #DrivingLicense|s for that reason.

I'll gladly teach #TechIlliterates but I won't waste my time on people that spread disinfo...

It's 2024: @tails_live / @tails has been out for over a decade and there are a shitload of guides ranging from written documentation to Zoomer-friendly TikTok-Style shorts on how to get started.

FOR THE LAST TIME:

*STOP MAKING EXCUSES TO JUSTIFY ESCALATING COMMITMENT TO EVIDENTLY BAD SOLUTIONS!*

Whereas with #SelfCustody of all the keys as well as #ReproducibleBuilds and real #decentralization, this would be evidently impossible even if all the devs wanted to comply honestly and not just because they could be held at gunpoint.

  • #Signal is not your friend. It's merely a tax-exempt "non-profit" corporation, and corporations are explicitly nobody's friend - especially when they demand #PII like phone numbers for usage.

Compare that to #monocles where you do pay like €2 p.m. but in return get #standard #protocols like #IMAP, #SMTP & #XMPP and can pay anonymously and not have to provide any PII whatsoever!

  • And unlike #Signal they ain't dependent on #VC funding and #grant money to keep the lights on.

Make of that what you will, but just like allowing flatearthers to roam freely without caretaker supervision doesn't make the world less round, so won't the facts change about #ITsec, #InfoSec, #OpSec & #ComSec.

Because all #centralized, #SingleVendor & #SingleProvider solutions are bad, and if they don't even allow for #SelfCustody then they are just a #grift to #scam tech-illiterates that don't know and/or don't care!

Catweazle @Catweazle@vivaldi.net

@baeuchle @kkarhan @Linux @torproject @Vivaldi, no, don't misunderstand me, I only said that TOR is for what it is and that you have way more options on the OpenWeb with browsers like Mullvad, which is as private as TOR, but way better and compatible for the OpenWeb.
Well, Vivaldi is a good private browser, but its main feature is its functionality, which makes the use of most extensions or plug-ins unnecessary.

Infosec.Space
Kevin Karhan :verified: (@kkarhan@infosec.space)
@Catweazle@vivaldi.net @baeuchle@chaos.social @Linux@kitty.social @torproject@mastodon.social @Vivaldi@vivaldi.net Claiming that ["[...] Mullvad is as private as Tor [...]"](https://social.vivaldi.net/@Catweazle/113344664983833218) disqualified you for any future discussion. - If you can't distinguish between a #VPN and #Tor then you are either *criminally incompetent* or *acting as a #UsefulIdiot* by *spreading #FUD and known #disinfo*, which *can get people killed* who believe this bs! I'll set you some timeout, so you can think about it and apologize in due time! #thxbye #EOD #next

Replied in thread

@frodo @evacide @monocles

I don't compromise on #ITsec, #InfoSec, #OpSec and #ComSec.

If I were to use #Signal or #Threema or #Telegram or #SimpleX or whatever shit messenger is trendy, I'd indirectly vouch for it and endorse it.

Trust must be earned, and @signalapp didn't even bother to do basic design considerations:

  • All their "but #Metadata" #FUD is horseshite when they demand #PII like a #PhoneNumber and are openly able and willing to discriminate and/or restrict service solely based off said info they have NO "#legitimateInterest" in demanding at all!

@shaknais Yeah, but that's a general issue that won't go away that way.

If your #NatSec can be compromised by #SS7 and your military personnel doesn't employ basic #ITsec, #InfoSec, #OpSec & #ComSec, then I'd call that criminal neglect and at that level one may just give up on the entire illusion of NatSec instead.

OFC #GSM itself is full of Govware-#Backdoors ranging from the A5/x - series of ciphers to its core structure, but sadly we now got that shitshow and have to workaround it.

Replied in thread

@GrapheneOS I think both apps are shit as *both* #Telegram and @signalapp demand #PII in the form of #PhoneNumbers.

OFC Telegram is (by my personal observation) almost exclusively being used by #Scammers and other #TechIlliterate criminals.