Running your own Matrix server also means running your own host server, database, caches, reverse proxy, firewall, networking stack, etc… Keeping these things running and updated. As well as vetting and updating clients.
How the fuck would you confirm that? Maybe the sysadmin is running a forked version of matrix that just says it’s encrypted but actually logs everything in clear text.
I don’t think that’s how it works? It’s the client application that has the key for the end to end encryption, not the server. I don’t think you need to trust the matrix server you use? I could be wrong, I don’t know matrix particularly well.
Yeah, actually. Will be a lot harder to track it back to you if you’re one of thousands of random users on a public server rather than one you’re hosting using your personal information.
How is it a lot harder to track if the FBI can just subpoena the sysadmin for server/room logs?
With respect, this viewpoint is not defensible from an operational security perspective.
It’s like saying they should use GMail because they have hundreds of millions of users. When the problem isn’t being a needle in haystack, but rather the fact that Google will gladly look through your private data and happily hand it over to the authorities.
How is it a lot harder to track if the FBI can just subpoena the sysadmin for server/room logs?
What would stop them from subpoenaing all information from your personal server?
There’s no personal information tied to your account. The server does not have your IP, your email, your CC, etc.
With respect, this viewpoint is not defensible from an operational security perspective.
“With respect”, ya don’t know what you’re talking about.
It’s like saying they should use GMail because they have hundreds of millions of users.
Except it’s not like that at all because Gmail is going to collect all the information about you they possibly can and Matrix is going to do the opposite.
What would stop them from subpoenaing all information from your personal server?
If you’re a drug dealer and the FBI sends you a subpoena—you could simply….not respond.
There’s no personal information tied to your account.
There is actually a bunch of metadata tied to your account and your room. That’s partly how they caught that kid with the Pentagon leaks.
And again, there may be other services between the clients and the matrix server that collect personal data (e.g. reverse proxies, load balancers).
—
If you are someone who ostensibly cares about privacy and security (like a drug dealer) why would you rely on the benevolence and security hygiene of a stranger you can’t audit? Instead of using a known good actor, like Signal or SimpleX, or no actor, like Briar.
If you’re a drug dealer and the FBI sends you a subpoena—you could simply….not respond.
I mean sure, but then you’d have bigger problems.
There is actually a bunch of metadata tied to your account and your room.
I understand Metadata is a big problem with Matrix (even for me, personally). Metadata is not personal information if it remains detached from your identity.
If you are someone who ostensibly cares about privacy and security (like a drug dealer)
LOL
why would you rely on the benevolence and security hygiene of a stranger you can’t audit?
I’ve already explained why.
Instead of using a known good actor, like Signal or SimpleX, or no actor, like Briar.
Like I said, there are pros and cons of each. I’m not telling you you should use anything specific. You just have to use whatever works for your situation.
Simpler to manage and smaller attack surface.
Running your own Matrix server also means running your own host server, database, caches, reverse proxy, firewall, networking stack, etc… Keeping these things running and updated. As well as vetting and updating clients.
Don’t have to run your own server, you can choose from any of hundreds of public ones.
At that point if you’re trusting a rando, just use signal
Who are you trusting with what?
You’re trusting whoever runs the hardware that they’re not snooping on you
Correct… So put EVERYONE into one basket… Or split everyone up into multiple baskets…
Now I dunno about your mom… But mine told me to not put all my eggs into one basket.
You’re not. Everything is encrypted.
How the fuck would you confirm that? Maybe the sysadmin is running a forked version of matrix that just says it’s encrypted but actually logs everything in clear text.
I don’t think that’s how it works? It’s the client application that has the key for the end to end encryption, not the server. I don’t think you need to trust the matrix server you use? I could be wrong, I don’t know matrix particularly well.
https://www.wired.com/story/matrix-patches-vulnerabilities-that-completely-subvert-e2ee-guarantees/
…why would they do that?
Why do people phish, dumpster dive, or social engineer? So they can snoop and grab anything of value.
What makes a man turn neutral? Lust for gold? Power? Or were you just born with a heart full of neutrality?
Uhh yeah, but is that wise if you’re trafficking drugs?
Yeah, actually. Will be a lot harder to track it back to you if you’re one of thousands of random users on a public server rather than one you’re hosting using your personal information.
How is it a lot harder to track if the FBI can just subpoena the sysadmin for server/room logs?
With respect, this viewpoint is not defensible from an operational security perspective.
It’s like saying they should use GMail because they have hundreds of millions of users. When the problem isn’t being a needle in haystack, but rather the fact that Google will gladly look through your private data and happily hand it over to the authorities.
“With respect”, ya don’t know what you’re talking about.
Except it’s not like that at all because Gmail is going to collect all the information about you they possibly can and Matrix is going to do the opposite.
If you’re a drug dealer and the FBI sends you a subpoena—you could simply….not respond.
There is actually a bunch of metadata tied to your account and your room. That’s partly how they caught that kid with the Pentagon leaks.
And again, there may be other services between the clients and the matrix server that collect personal data (e.g. reverse proxies, load balancers).
—
If you are someone who ostensibly cares about privacy and security (like a drug dealer) why would you rely on the benevolence and security hygiene of a stranger you can’t audit? Instead of using a known good actor, like Signal or SimpleX, or no actor, like Briar.
I mean sure, but then you’d have bigger problems.
I understand Metadata is a big problem with Matrix (even for me, personally). Metadata is not personal information if it remains detached from your identity.
LOL
I’ve already explained why.
Like I said, there are pros and cons of each. I’m not telling you you should use anything specific. You just have to use whatever works for your situation.