Mattermost isn’t e2ee, but if the server is run by someone competent and they’re allowed to see everything anyway (eg it’s all group chat, and they’re in all the groups) then e2ee isn’t as important as it would be otherwise as it is only protecting against the server being compromised (a scenario which, if you’re using web-based solutions which do have e2ee, also leads to circumvention of it).

If you’re OK with not having e2ee, I would recommend Zulip over Mattermost. Mattermost is nice too though.

edit: oops, i see you also want DMs… Mattermost and Zulip both have them, but without e2ee. 😢

I could write a book about problems with Matrix, but if you want something relatively easy and full featured with (optional, and non-forward-secret) e2ee then it is probably your best bet today.

Yes he could be extradited and found not guilty No member of the press deserves to go to jail For doing that’s job

So, I guess you’re either being disingenuous or you haven’t followed the case much. If it’s the latter, I highly encourage you to read the two links in my earlier comment, and/or any of these: 1, 2, 3

Are you aware of anyone besides yourself seriously arguing that he has any chance of being found not guilty in a US espionage trial, while also saying that he doesn’t deserve to go to jail?

As far as I’ve seen, any remotely informed commentator who argues that he could get a “fair trial” in the US is also arguing that it would be “fair” for him to be convicted and spend the rest of his life in prison.

getting a fair trial

🤨 did you read any of the links in my last comment?

(are you suggesting you think that he could actually be extradited and found not guilty, or are you saying you think he deserves to go to prison and that is what you mean by saying he would be “better off” not fighting extradition?)

First amendment is given to us by our creators it says so in the us constution everyone gets it period

Neither the US Constitution, the Bill of Rights, or any of its other amendments use the word “creator”. You’re probably thinking of the Declaration of Independence (the famous second sentence of which is “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”). The DoI predates the Constitution and its amendments by over a decade and has no force of law.

There is a strong legal argument to be made, including some historical court rulings, that at least some of the rights in the Bill of Rights do apply to non-citizens - although some of those arguments are limited to when non-citizens are on US soil (which Assange was not when he engaged in the acts of journalism which he is being prosecuted for).

However, one of the US prosecutors (Gordon Kromberg) specifically told the court in his declaration in support of the Assange extradition:

Concerning any First Amendment challenge, the United States could argue that foreign nationals are not entitled to protections under the First Amendment […]

Former Secretary of State and CIA Director Mike Pompeo also wrote in his memoir Never Give An Inch:

Julian Assange has no First Amendment privileges. He is not a U.S. citizen.

Other US officials have made similar statements.

You can read more here:

• https://thedissenter.org/countdown-to-day-x-us-assange-no-first-amendment-rights/
• https://www.jurist.org/features/2023/08/21/law-professor-marjorie-cohn-extradition-of-julian-assange-threatens-first-amendment-and-freedom-of-press/

Last month, the British High Court gave the US prosecutors until April 16 to submit a declaration including assurances that “the applicant is permitted to rely on the first amendment” and that he “is afforded the same first amendment protections as a United States citizen” (those are the British court’s words).

The assurance the US has now submitted did not actually repudiate the prosecutors earlier explicit statement that the “the United States could argue that foreign nationals are not entitled to protections under the First Amendment” but instead said merely that he can “seek to raise” the first amendment in his defense. But, he has already been seeking to raise the first amendment to stop his extradition, and these “assurances” that he can seek to raise it again in the US come from the same prosecutors who explicitly argued (and again, have not repudiated their argument) to the British court that he is not entitled to first amendment protection because he is a foreign national.

You didn’t answer my question: Better off than what?

He is better off in the USA he can clam first amendment rights freedom of the press

The US position is that the first amendment doesn’t apply to non-citizens, and also that it isn’t possible to make a public interest defense to espionage charges.

also he won’t get death the worst is 20 to life

The current set of charges carry up to 175 years and the US has thus far refused to guarantee to the British court that they won’t add more charges after they extradite him.

And even if he was “only” facing 20 to life, what would that be better than? He isn’t charged with anything anywhere else.

Ente doesn’t seem to require a CLA.

It turns out, they do have a CLA (with full copyright assignment 😢).

They’d need to implement something like SRP.

Update: I contacted the developers to bring my comment to their attention and it turns out they have already implemented SRP to address this problem (but they haven’t updated their architecture document about it yet).

It is, but in this case I think it isn’t actually a weakness for the reasons I explained.

That’s complicated to do correctly. Normally, for the server to verify the user has the correct password, it needs to know or receive the password, at which point it could decrypt all the user’s files. They’d need to implement something like SRP.

What I proposed is that the server does not know the password (of course), but that it knows a thing derived from it (lets call it the loginSecret) which the client can send to obtain the encryptedMasterKey. This can be derived in a similar fashion to the keyEncryptionKey (eg, they could be different outputs of an HKDF). The downside to the server knowing something derived from the passphrase is that it enables the server to do an offline brute force of it, but in any system like this where the server is storing something encrypted using [something derived from] the passphrase the server already has that ability.

Is there any downside to what I suggested, vs the current design?

And is there some reason I’m missing which would justify adding the complexity of SRP, vs what I proposed above?

The only reason I can think of would be to protect against a scenario where an attacker has somehow obtained the user’s loginSecret from the server but has not obtained their encryptedMasterKey: in that case they could use it to request the encryptedMasterKey, and then could make offline guesses at the passphrase using that. But, they could also just use the loginSecret for their offline brute-force. And, using SRP, the server still must also store something the user has derived from the password (which is equivalent to the loginSecret in my simpler scheme) and obtaining that thing still gives the adversary an offline brute-force opportunity. So, I don’t think SRP provides any benefit here.

edit: the two issues i raised in this comment had both already been addressed.

this was the developer’s reply on matrix:

1. We do have a CLA: https://cla-assistant.io/ente-io/ente
2. We will update the iOS app to offer you an option to point to your self hosted instance (so that you can save yourself the trouble of building it): https://github.com/ente-io/ente/discussions/504
3. The portion of the document that deals with authentication has been outdated, my bad. We’ve adopted SRP to fix the concerns that were pointed out: https://ente.io/blog/ente-adopts-secure-remote-passwords/

just one? they’re cheaper by the dozen

There is a version of VLC for the Nvidia Shield, but it has a somewhat irritating UI and I don’t know if it can actually read the menus like the desktop version can.

So much for Article 9 of the Japanese Constitution:

Aspiring sincerely to an international peace based on justice and order, the Japanese people forever renounce war as a sovereign right of the nation and the threat or use of force as means of settling international disputes. In order to accomplish the aim of the preceding paragraph, land, sea, and air forces, as well as other war potential, will never be maintained. The right of belligerency of the state will not be recognized.

Did they ever actually have that referendum to change it, or did they just decide to say yolo fuck it? (The last update on Wikipedia is that the PM “renewed calls” for it in May last year.)

Fuck both of these companies, but, how can it make sense to sue Citrix for this? The article says they released an advisory and patch for the problem six days prior to when Xfinity says the breach happened, so, it sounds like Xfinity neglected to install their software updates.

“The ‘good chap’ theory of checks and balances has now been tested to destruction.”

🤡

cloudflare’s service puts them in the middle - so, HTTPS doesn’t encrypt traffic between the browser and your server anymore, but instead between the browser and CF, and then (separately) between CF and your server. CF is an antidote to intelligence agencies’ problem of losing visibility when most of the web switched to HTTPS a decade ago.

cloudflare is an intelligence company who’s flagship product involves them mitming your TLS.

why bother self-hosting, if you do it from behind cloudflare?

Someone was working on porting pmOS to it just a few months ago, so maybe one day that will be an option but it isn’t currently. I’d keep an eye on that repo and the pmOS devices page and hopefully it will run pmOS eventually.

Meanwhile I see Lineage also doesn’t have official support for the Redmi 9A yet (though they do for the Redmi 9) but it sounds like there are unofficial builds which supposedly work on it.

Personally I wouldn’t run an operating system built and distributed by some random forum user, but if you’re feeling adventurous you could try. This page purports to have instructions for installing Lineage on it, as well as several other Android builds, and it ultimately instructs you to download the image from this lengthy forum thread in Russian about the Redmi 9A which also has lots of other images supposedly built for that device. Good luck 😀