RE: fosstodon.org/@arcanechat/1157…

There’s a vulnerability in Signal. You are developing an alternative. Do you:

  • A: skim read the report, see it contains the phrase ‘phone number’, and shitpost about Signal, or
  • B: Analyse the attack and see if it could be adapted to your protocol, then post about how you either were already protected or have deployed a mitigation?

If you chose option A, please don’t expect to be able to convince me that you are serious about security.


"Tool allows stealthy tracking of #Signal and #WhatsApp users through delivery receipts"

cyberinsider.com/tool-allows-s…

Another privacy vulnerability caused by the dependency on phone numbers.

In #ArcaneChat (and other #chatmail clients like #DeltaChat) you don't need a phone number (or any private data at all!) to register, so such attacks are simply impossible. Keep your family safe: join arcanechat.me


in reply to David Chisnall (*Now with 50% more sarcasm!*)

replied here fosstodon.org/@arcanechat/1157…


@david_chisnall By saying "requires phone numbers" I was implying that you can discover people by phone numbers, since that is the case in 99% if not 100% of all apps that offer phone number registration. That you can disable this feature is meaningless if it is opt-out and most people will leave it like that. By saying ArcaneChat is immune to this I meant that you can't discover people like that; people must get in contact directly via QR or invite link.


Zahox

Firstly, the logo design of the Tuta Fanshop, when you search on Google, does not look like Tuta. I wish instead the current Tuta logo could be used for that, and that the site name got changed to something like tutanotashop.com, because tuta is the mail and tutanota is the shop. Good to remember and better separation. And only tutanotashop.com should stay, so it's not irritating to have both .com and .de.

And tuta.com is also the mail. So both would match better. See my next post.

in reply to Zahox

I found out about the Shop from your reddit post from 6 years ago about "Tutanota Fan Shop"; for me the Fan Shop here was irritating. I thought it was someone else doing it. So it would be better to take the "Fan" out of it. And I would find it helpful if we could find the Shop on tuta.com in the section below "Blog"; more people would be interested and word of Tuta would be spread without the need for recommending.

I will give some feedback on the website and products in the next post.

in reply to ArcaneChat

When you post something about a vulnerability in another messenger and completely misrepresent it, in a way that implies that you don’t understand the cause of it at all, it gives me no confidence in your system.

The root cause is nothing to do with phone numbers. It depends on two things:

  • Being able to send messages to someone from some public identifier. Any messenger that doesn’t require an interactive flow for pairing devices (as some military systems do) has this feature.
  • Receiving read receipts from messages. Signal allows you to turn off read receipts if you are concerned about information leaks from them.

If you actually wanted to convince people your system was better you would:

  • Show that you don’t issue read receipts (which will put some people off because they are useful).
  • Show how you mitigate this kind of attack, by rate limiting this kind of message, adding jitter to responses, and so on.

Email-based flows tend to not be vulnerable to this kind of attack because they do most of the processing on the server, so you’d only be able to probe the server. But you wouldn’t bother because email has so little metadata protection that you don’t need to bother with an attack like this. From what I know of DeltaChat’s group chat protocol, I suspect there is a way of triggering a similar attack by sending broadcast invalid messages and timing the error response. If you really wanted to convince people that your system is better, you’d show a security analysis that explains why I’m wrong, rather than just say ‘I don’t understand this attack but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.

Oh and before anyone jumps in with anything about XMPP: this attack is completely trivial on XMPP. Send an invalid iq stanza to the client’s bare JID and time the response. And this is impossible to fix without redesigning the protocol because unknown iq stanzas must be forwarded to the client to enable future extension and clients must respond with errors.
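
The post above describes the oracle (an automatic acknowledgement to a message anyone can send) and names two mitigations, rate limiting and jitter. The simulation below is an added example, not code from Signal, DeltaChat/chatmail, XMPP or the cited research. It assumes a constructed latency model (a receipt comes back faster when the app is in the foreground than when the phone has to be woken), constructed jitter and cap values, and an attacker who knows that model and picks the best fixed threshold. It shows that jitter on its own only raises the number of probes the attacker needs, because averaging removes it, while jitter combined with a per-sender cap on receipts actually pushes the attacker's accuracy down.

```python
"""Delivery-receipt timing oracle and mitigations, simulated.

Added example only; not code from any real messenger or from the research
cited in the thread. Latencies, jitter range and receipt cap are constructed
values chosen to make the effect visible, not measurements."""
import random
import statistics

# Constructed device model (assumption): mean and standard deviation, in ms,
# of the time until the client's automatic receipt reaches the sender.
LATENCY_MS = {"awake": (120.0, 15.0), "asleep": (900.0, 120.0)}


class Receiver:
    """A client that acknowledges every delivered message without user action."""

    def __init__(self, state, rng, jitter_ms=0.0, max_receipts=None):
        self.state = state                # "awake" or "asleep"
        self.rng = rng
        self.jitter_ms = jitter_ms        # uniform extra delay before replying
        self.max_receipts = max_receipts  # per-sender cap within the probing window
        self.sent = 0

    def deliver(self):
        """Return the receipt latency in ms, or None if the cap suppresses it."""
        if self.max_receipts is not None and self.sent >= self.max_receipts:
            return None
        self.sent += 1
        mean, sd = LATENCY_MS[self.state]
        latency = self.rng.gauss(mean, sd) + self.rng.uniform(0.0, self.jitter_ms)
        return max(latency, 0.0)


def probe(receiver, n):
    """Attacker sends n messages and keeps every receipt that came back."""
    return [s for s in (receiver.deliver() for _ in range(n)) if s is not None]


def classify(samples, jitter_ms):
    """Attacker's guess of the victim's state from the observed latencies.

    Kerckhoffs assumption: the attacker knows the latency model and the jitter
    range, so the threshold sits halfway between the two expected means after
    adding the mean jitter (jitter_ms / 2)."""
    if not samples:
        return "unknown"
    threshold = (LATENCY_MS["awake"][0] + LATENCY_MS["asleep"][0]) / 2 + jitter_ms / 2
    return "awake" if statistics.fmean(samples) < threshold else "asleep"


def attack_accuracy(probes, jitter_ms=0.0, max_receipts=None, trials=200, seed=7):
    """Fraction of trials in which the attacker names the true state.

    Trials alternate between an awake and an asleep victim so that a guess
    that ignores the samples scores 0.5."""
    rng = random.Random(seed)
    hits = 0
    for i in range(trials):
        truth = "awake" if i % 2 == 0 else "asleep"
        victim = Receiver(truth, rng, jitter_ms, max_receipts)
        if classify(probe(victim, probes), jitter_ms) == truth:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("no mitigation, 5 probes:        ", attack_accuracy(5))
    print("jitter 0-4000 ms, 40 probes:    ", attack_accuracy(40, jitter_ms=4000))
    print("jitter + cap of 2, 40 probes:   ", attack_accuracy(40, jitter_ms=4000, max_receipts=2))
```

The cap matters because it is per sender: an attacker who hits it simply stops getting receipts, which tells them nothing about the victim's state, whereas jitter alone is defeated by sending more probes and averaging.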

in reply to David Chisnall (*Now with 50% more sarcasm!*)

#DeltaChat is for private chatting, so you normally don't put your link anywhere publicly. You could create a dedicated profile for public interactions though, which, unlike in Signal, is super easy to do, and you can have as many as you want,

and notice the use case I am talking about here is family chat, not business and public interactions; that is why I said "keep your family safe". I am talking about a family chat solution here.

in reply to ArcaneChat

> #DeltaChat is for private chatting, so you normally don't put your link anywhere publicly, you could create a dedicated profile for public interactions tho, which, unlike in signal, it is super easy to do and you can have as many as you want,


Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?

I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.

> and notice the use case I am talking here is family chat, not business and public interactions, that is why I said "keep your family safe" I am talking about family chat solution here


Then you need to learn about the concept of an anonymity set. If you have one mechanism for talking to your family and another different one for talking to your union rep, it's really easy for a passive adversary to track when you suddenly start using a different mechanism for high-value conversations.

in reply to David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall
what kind of passive adversary are you talking about here? server, provider, global?

Identifying whether you are using this or that chat profile is not necessarily trivial, especially since the 2.33 releases which introduced multi-relay profiles. A single chat profile can jump between using different relays/hosts.

FWIW we share the recommendation of @arcanechat to split between a public profile (invite link published etc.) and private ones (no publishing).

in reply to David Chisnall (*Now with 50% more sarcasm!*)

> Okay, so your use case for 'private chatting' excludes journalists publishing contact information for whistleblowers? It excludes union organisation? It excludes protest organisation?

> I guess that's fine, but maybe don't claim to be operating in the same space as Signal then.

the ArcaneChat slogan is "private chats for the family". I don't get why you jump angrily into my thread to attack; I never said anything about "whistleblowers" whatsoever. Please, calm down 😅

in reply to David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall
Sorry for jumping in as a random person here, but I think I have some relevant points.
First of all, you admittedly both missed the mark about the cause of the security issue Arcane posted. Delivery receipts are separate from read receipts, and turning off read receipts in signal does not mitigate this issue.

Now as per Delta Chat's FAQ: delta.chat/en/help#what-do-the…
It should have the same issue. Delta Chat claims to send "delivery" receipts, but as far as I can tell, there is no UI indication for the sender when a client receives the message (I tested both mobile and desktop). So unless there is an email sent that doesn't result in any UI indicator for the sender, I think Delta Chat is safe from this particular privacy issue. If it is the case that Delta Chat identified this bad decision and fixed it, please also update your FAQ to match!

The rest of y'all's argument seems to hinge on aspects of how delta chat and arcane chat are marketed/presented, rather than the technical details, so I'm not interested. But what I *do* find really interesting is the idea that "private" and "secure" chat programs would ever send automatic responses without user action. To me, it seems painfully obvious that "features" like this just create an attack surface for probing. Look... I use Signal (as well as Delta Chat), and I like it, and I'm not going to stop using either anytime soon. But it was disappointing to learn about this anti-feature. It *is* a legitimate criticism of Signal that needs to be addressed.

Also, while this issue had nothing to do with phone numbers, I think the fact that Delta Chat does not require phone numbers, and allows the creation of more identities than one might even *have* phone numbers, is an enormous advantage compared to Signal for people who want to protect the privacy of their identity and not just the contents of their messages.

in reply to lizzie

@capitalthree ArcaneChat/DeltaChat doesn't have delivery receipts, only read receipts. The only automatic responses the app does on your behalf are to handle invite links; for that you first have to share the invite link with the malicious contact. As a side effect they also expose when they are online, so if you go to your contact list and see them at the top with a green dot while not chatting with them often you can detect this. In the future this might change.

@david_chisnall

in reply to David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall there is a clever scheme that I know one person does, which is that your public point of contact is an address that starts a conversation with a bot and the bot hands the user a private identity of yours to contact. Then you can have one public facing point of contact but you still gain private 1:1 identities. It's not very feasible for non-technical users but it could be improved
in reply to David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall

> rather than just say ‘I don’t understand this attacks but the researchers who published it didn’t bother trying to attack the protocol I use and so I’m sure it is secure!’ That is exactly the attitude to security that makes me distrust DeltaChat.

I don't understand why you seem so upset; #DeltaChat has received several REAL PROFESSIONAL INDEPENDENT security audits, all listed here: delta.chat/en/help#security-au…
Can you provide a similar list of REAL security audits for Signal?

in reply to ArcaneChat

> I don't understand why you seem so upset,


Because you're spreading misinformation to score marketing points and spreading misinformation about secure messengers gets people killed.

> I don't understand why you seem so upset, #DeltaChat has received several REAL PROFESSIONAL INDEPENDENT security audits, all listed here: delta.chat/en/help#security-au


So, none after this particular class of attack was discovered and therefore none that include this in the threat model?

in reply to David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall Being careful about claiming that something is "secure" is good advice/critique. Users are easily misled in other ways. As to delivery receipts, it's unlikely there is a big problem with #chatmail clients (of which Delta Chat and ArcaneChat are two) because you can not cause a delivery receipt from a peer. But there are likely online-leakage issues with the invite protocols securejoin.readthedocs.io like github.com/chatmail/core/issue… that require work and independent audits.
in reply to Delta Chat (39c3)

@delta @david_chisnall
Delta(s). Your design, the separation of chatting logic from transport, is what will allow overcoming these observation and correlation constructions.
You can swap to a different transport, like ASMail from the 3NWeb set; it is web-style federation, reducing metadata on servers and correlations between servers.
And then clients and servers may sit on a mixnet, like Nym (say hi to them at 39c3).

RE: hear-me.social/@Onj/1156902183…

I've done what I set out to do by the end of the year. I made it to 180 tracks in the collection. I stopped at 171 in May of 2023, then I just couldn't focus on much music for the last couple of years which, as a composer, really depressed me, but this December I decided to really try and sit down to make a go of it, so I did.
It may not seem like much, but not being able to write, when it's what I've done for 30 years felt very stifling and depressing in ways I cannot express.

My next goal is to hit 200, so I'll start work on that, hopefully soonest.

I just want to thank every person that favourited, reposted or interacted with me on my self-assigned journey recently. You're all wonderful humans, even those that said they had no use for such a project, which is totally fine. They still shared it most of the time, and I respect that.


Here's a collection of free-to-use short music for any kind of project imaginable. I've been working on this project for over 10 years on and off, and it's a labour of love.

Whether you're doing work for TV, Radio, Film, your next podcast, show reel, powerpoint presentation, youtube video or university assignment that requires something to intro or outro it, there should be something for you, and if not you directly, maybe someone you know.

This is not the final form. I add to it whenever I find inspiration to do so. Check back every so often as you may find more content was added when you weren't looking 🔇

Currently:
1210 items
766 MB download in mp3
over 9 hours of music.

Absolutely no AI was used (or harmed) in the making of this collection.

If you feel so inclined, please do boost for reach. Many thanks.
onj.me/shorts



The last working week is ahead of me (? maybe; I'll still pop into work on the 22nd and 23rd to prepare new starters' onboarding).
As usual, a ton of stuff has to get done.
Monday, IT party. Tuesday, reinstalling the owner's laptop. Wednesday, laptop replacement. Thursday, another party. And on Friday, as if that weren't enough, iiiin Vsetín, where there's a meadow that a lad is mowing.... From morning till evening. That will be demanding.

And of course I expect users who file a request on 19 December and ask on 5 January why it isn't done yet.


Really impressed with my Bazzite VR experience today. Was able to play a few hours of Half Life: Alyx and Boneworks today :D The main issue I ran into (with both) is that Steam Link will cut out when you first launch the game when trying to pre-compile shaders. Sometimes this leads to Steam VR bugging out and requiring a reboot in order to reconnect. After the first launch the experience was completely seamless.

On a more positive note, it's absolutely heartwarming seeing the number of patches and contributions from community members increasing in Thunderbird.

The massive undertaking of replacing old weird undocumented code with modern coding standards and languages, as well as increasing our documentation is slowly paying off.

Yes, we know, we accidentally broke a bunch of things in the process, sorry. This stuff is hard 🫠

If I wrote an app that projected out your pay and bill schedules, and told you when to expect to come up short and by how much, is that something people would pay for or watch ads to use?

I've done that sort of thing before, for a personal project to help me manage my money better.

I really need an income, so if you have other ideas, please let me know.

Usual reminder that if you have an issue with a software and you open a bug report you can simply write down your problem and ask for help, without needing to sprinkle the usual abuse and telling the folks that caused that problem that they're stupid and should get fired.

Let's see how many "no, I'm entitled to be abusive" messages I'll get

The guy who lost 20 years of data and 30,000 bucks' worth of gear by getting banned by Apple. Well, for him my empathy is out of order. It's ugly, I know, but frankly you really have to be an idiot to have delegated everything to that extent with your eyes closed.

And then the cherry on top of the pile of WTF: whining that his expertise should earn him a re-examination by a human. Has he really understood nothing at all about what is happening to him?

Yeah, I know, I'm mean.

in reply to André Polykanine

So here is exactly what I mean. The problem is not "how" it was blocked but the blocking itself.
I mean, it's the very existence of blocking by the operator that is the problem. And I invite you to go look at what has been happening to that ICC prosecutor for a few months now to gauge the extent of the providers' omnipotence.
Either the law is the same for everyone, or it's arbitrary. We are living under the rule of the arbitrary.
dalloz-actualite.fr/flash/l-en…

Unusual for me, but apparently needed right now:

The son of an acquaintance has cancer. Leukaemia. The chemo isn't working; he needs a blood cell donation, otherwise he will die. I would like to help myself but am not allowed to donate for health reasons. If a donation is possible, it means sitting around for a few hours with a tube in your arm. Lost wages are apparently reimbursed.

Christmas miracle in the Fediverse? Please help and share!

dkms.de/registrieren

@hnygd hi hi hi I have news

I have a working implementation of Chatmail on FreeBSD now.

github.com/feld/chatmail-cookb…

I wonder if @stefano would be interested in hosting one on the BSD.cafe infra?

Note: it adds a custom package repo to fetch a couple things not in the ports tree right now (incl a Dovecot patch I need to see if we can get into the port or as a flavor). It's hosted on my home fiber internet, but it might be slow. I'm going to get it moved somewhere with better bandwidth soon.

edit: also the FreeBSD 14 package set is still building... 15 is ready though

in reply to feld

I tried to install the chef client you suggested (cinc) in a BastilleBSD thin jail, but:
ln: /usr/bin/cinc-solo: Read-only file system
postinst: Cannot link cinc-solo to /usr/bin
Installation failed

It tries to write into /usr/bin - so it seems the cinc installation script, despite downloading binaries for FreeBSD (14, even if I'm using 15) doesn't respect the FreeBSD way of installing external stuff.

I tried to install rubygem-chef-bin from ports - but:

chef-client -z -o chatmail -j attributes.json
Not applying net/http monkey patch needed for ruby 3.1
[2025-12-14T09:07:58+01:00] WARN: No config file found or specified on command line. Using command line options instead.
/usr/local/lib/ruby/gems/3.3/gems/mixlib-log-3.0.9/lib/mixlib/log.rb:119: warning: Logger not initialized properly
/usr/local/lib/ruby/gems/3.3/gems/mixlib-log-3.0.9/lib/mixlib/log/logger.rb:35: info: Mixlib::Log::Logger#initialize: does not call super probably
Chef Infra Client, version 18.8.11
Patents: chef.io/patents
Infra Phase starting
/usr/local/lib/ruby/gems/3.3/gems/ffi-yajl-2.3.4/lib/ffi_yajl/encoder.rb:42: warning: undefining the allocator of T_DATA class FFI_Yajl::Ext::Encoder::YajlGen
[2025-12-14T09:08:00+01:00] WARN: Run List override has been provided.
[2025-12-14T09:08:00+01:00] WARN: Original Run List:
[][2025-12-14T09:08:00+01:00] WARN: Overridden Run List: [recipe[chatmail]]
Resolving cookbooks for run list: ["chatmail"]
Synchronizing cookbooks:
- chatmail (0.2.0)
Installing cookbook gem dependencies:
Compiling cookbooks...

Running handlers:
[2025-12-14T09:08:01+01:00] ERROR: Running exception handlers
Running handlers complete
[2025-12-14T09:08:01+01:00] ERROR: Exception handlers complete
Infra Phase failed. 0 resources updated in 02 seconds
[2025-12-14T09:08:01+01:00] FATAL: LoadError: cannot load such file -- ast

Any suggestions? Thank you!