..on Sun, Dec 30, 2018 at 06:03:28AM -0800, Kurtis Heimerl wrote:
> This is interesting. I had a discussion with an activist in the past who
> mentioned that telegram offers state actors access to telegram groups if
> threatened with in-country blocks of some kind. While this should be taken
> with a grain of salt, being hearsay and all, it makes sense to me as
> (afaik) the group functions are only client/server encrypted and would be
> pretty easy to share if they wanted. As far as the URLs, my guess is that
> is some sort of local DNS blocking?
> 
> Though this isn't my current area of focus, I understood that Signal was
> the best of the messaging apps, providing complete end-to-end encryption of
> all communications. If other people on the list agree, that might be the
> direction to go.

Signal is great. It's e2e encryption implementation is excellent. It uses a
Double Ratchet Algorithm combined with a 3x Diffie-Hellman handshake/dance which
is, pretty much, incumbent in the scene.

Bear in mind, however, Signal is still very much a centralised service. Open
Whisper Systems (the developers) have a vast database of phone-numbers at their
disposal, a company that resides on US soil under a Trump admin. Signal uses
phone numbers as their primary end-point discovery ID, also for registration.
Phone numbers are increasingly like license plates, in that it's harder and
harder to get a ID-less burner-SIM, which means there's always a meta-data hook
to actual users at device end-points that can then be located and uncloaked
using the cellular network (or a big look up by the vendor/SP). For this reason
it's important to look at the threat model for your community and determine if
it's the right way to go.

Briar looks good, but burns through battery, apparently. It is truly
decentralised. Using Tor however, it does have a central point of failure, as
many routes block Tor nodes, easily loaded into a firewall/iptables from the
public directory. 

Cheers,

Julian

> On Sat, Dec 29, 2018 at 11:30 PM Yosem Companys <ycompa...@gmail.com> wrote:
> 
> > Here's a follow-up email with additional details/questions:
> >
> > Nowadays, Telegram is the main channel for us to coordinate and hold
> >> pro-democracy rallies and protests. We like Telegram because it provides
> >> private messaging. We don't know how, but the regime appears to be hacking
> >> into, censoring, and filtering Telegram. To circumvent the censors, we use
> >> a variety of proxies and VPNs. The regime even created a fake "approved,
> >> fast, sanitized, and safe version" of Telegram that tricked some of our
> >> supporters to moved to it. Beyond that, when our supporters click on the
> >> URLs of our sites on Telegram, they're unable to access them. Is there
> >> anything else we can do beyond telling our supporters not to use fake
> >> versions of Telegram? Are there more secure social media apps than Telegram
> >> that the regime won't be able to hack, filter, and censor? For example,
> >> would Wickr be any better?
> >
> >
> > On Sat, Dec 29, 2018 at 10:43 PM Yosem Companys <ycompa...@gmail.com>
> > wrote:
> >
> >> A pro-democracy activist would like me to inform you of the following:
> >>
> >> Telegram is supposed to be encrypted. Yet the regime appears capable of
> >>> attacking the privacy of our group members, disrupting the ability of our
> >>> members to access news or communicate with each other. For example, one of
> >>> our largest Telegram news groups recently experienced a dramatic decrease
> >>> in membership. It was almost as though members had “left” the group en
> >>> masse overnight. When we contacted some of the members outside Telegram, 
> >>> we
> >>> were told that they could no longer find our news group when they searched
> >>> for it. Such disruptions are undermining our ability to engage in 
> >>> effective
> >>> collective action.
> >>
> >>
> >> Thoughts?
> >>
> >> Thanks,
> >> Yosem
> >>
> > --
> > Liberationtech is public & archives are searchable from any major
> > commercial search engine. Violations of list guidelines will get you
> > moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> > Unsubscribe, change to digest mode, or change password by emailing
> > liberationtech-ow...@lists.stanford.edu.
> 
> 
> 
> -- 
> Public Key: https://flowcrypt.com/pub/kheim...@cs.washington.edu

> -- 
> Liberationtech is public & archives are searchable from any major commercial 
> search engine. Violations of list guidelines will get you moderated: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
> change to digest mode, or change password by emailing 
> liberationtech-ow...@lists.stanford.edu.


-- 
Julian Oliver
https://julianoliver.com
https://criticalengineering.org
PGP https://julianoliver.com/key.asc
Beware the auto-complete life

-- 
Liberationtech is public & archives are searchable from any major commercial 
search engine. Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest mode, or change password by emailing 
liberationtech-ow...@lists.stanford.edu.

Reply via email to