Re: Privacy Respecting Replacement for facebook groups

[Jean Louis]

* quiliro@riseup.net <quiliro@riseup.net> [2020-10-06 18:06]:
> Dankon! Thank you very much for this information. It is very useful for
> me. The Internet is flooded with information to be used by a web browser,
> which is now a universal application installer. I am totally freaked by
> that. I like the take you propose: Simple way to exchange files with
> versioning on a safe protocol such as ssh or vpn.

It can be simpler, there are visual, graphical programs for FTP, and
one would use SFTP or secure FTP, and once server have been provided,
each user could submit files into directories ordered by username and
date and time. This allows for easy revision of various versions
without using version control system. Each person is assigned access
as the administrators decide.

We have file permissions in file system, that can be used for access
control and the file system itself with dates and times to be used for
human revision control.

And it can all be done by using some file manager that supports SFTP,
including using similar on various operating systems.

> It looks good. But there is always the problem of privacy and
> anonymity.

XMPP clients offer end to end encryption, normally OMEMO or OpenPGP,
that is already solved and depends of the client.

Connection to server should work over SSL anyway, so that is already
encrypted on the way.

The only problem remains with server, if anybody has access to server,
such person could eventually get access to messages, and if they are
encrypted by using OpenPGP or OMEMO, OTR or other system, even the
person on server cannot read messages.

> guess there are ways to encrypt XMPP and there is Tor for anonymity.

Network provider could see that there is SSL connection to certain
server, but would not see what it is. With Tor, the network provider
spies would not be able to see where the connection goes. I hope that
gnunet https://www.gnu.org/s/gnunet will solve that problem better in
future, so that we get really private Internet with private DNS and
without fascist spies.

Yesterday I have read that US spy agency was asking Google to give
them a list of users who have search for certain keyword, this may not
be, or may be constitutional in the US, but is good advise to stop
using Google for anything: use ad blocks to not use Google, install
Replicant or LineageOS on Android devices to avoid Google spying on you.

> But I am not sure if Tor is very secure. I have heard i2p is more
> secure. Also, I have heard of tox.chat

I have used Tox but client software was never stable as I
wish. Security depends of the plan.

For example, I am European in Uganda, and I often go to Tanzania or
Kenya. We send money here by using mobile phones. East Africans have
their "accounts" in the phone directly, which is well developed system
of banking without a bank. So the money can be sent and received. But
whoever can read SMS messages at network provider, can then find out
to which persons money was sent, for which reasons, and from which
persons money was received. So I have experienced personally that
people can spy on mobile network by paying small bribe to one of
operators that works there. I know it well, as the person blackmailing
me, have told me about list of my friends, mobile money transactions
and similar.

So in that case, I wish to secure my local communication, so I am
using Silence application to encrypt local transmission of
messages. And I advise just any person to use XMPP, now if they use
XMPP, I am protected from local spying, not necessarily from foreign
spying. Yet Internet service provider in Norway may not have any
interest to look into my XMPP messages, so it is enough to protect the
connection with SSL, it need not be end to end encryption.

Even GMail can be good enough, to protect me from local spies, so I
can send email in plain text to Gmail address, but what is important
is that such information did not go over insecure connection and over
local SMS, as that way local spies could read what I was sending.

Security will always depend of many small details, and is never
perfect. One has to consider every single detail, is the local device
secure? Maybe not, maybe there is no PIN, or password, and if there is
such, maybe it can be circumvented, mobile phone can be stolen, that
is easier to do then spying on digital networks. Innocent borrowing of
a mobile phone can be enough to install key logger or other spying
applications that could obtain data in background. Nice girl on the
corner asking man to borrow the phone to call their mother in
hospital, it could be enough to spy on a person for years. If there is
SSL connection to server, the server provider still could have access
to the VPS or dedicated server, maybe even VPS could be broken by
other VPS users, we never know. There are hundreds if not thousands of
attempts to break into the server per every hour, I know it, as I have
the logs. In general, there are too many details that one need to put
attention on for full security, and it is never perfect.

> I think the terminal client can be used even from inside Emacs.

Yes, sure it can.

By the way I am using EXWM or Emacs X Window Manager, so anything I
launch, like movie or graphical software, it is launched within Emacs,
and I am comfortable with any graphical environment, I switch to
others.

> It would be nice to have a manual to mount everything needed in a server
> with what you describe and the required setup on the workstations. The
> best would be serverless, p2p infrastructure on the style wahay.org
> has.

Well, I can say yes and no. It depends of what a group or people want
to do. In East Africa, we do not have fixed line Internet, and
Internet in general is not fast enough, especially if one is outside
of the city, or in the bushes.

My experience with Tox tells me that it will simply not work in such
bad network areas, but Murmur/Mumble server works well.

Wahay is using Mumble in background over Tor. So that is familiar to
me.

Wahay offers integration with Tor, but I need not download Wahay to
use Mumble over Tor.

I do not think that I wish my group to depend on Tor as we have VPN,
thus it is not necessary, and understanding security and planning of
it is more important than blindly believing the websites.

Instead of Tor, I can establish VPN, it works on mobile devices and
without problems.

If the country where I am located would prevent me using VPN to
certain servers, in that case I could use Tor, or I could simply open
up other VPS on other part of the world for VPN.

> No one would need to depend on the internet lords (domain name and
> public IP address) or learn how to set up a server.

In general, the motion not to know is bad direction in
society. Raising technological levels did not raise interest or
knowledge level of society, so that cannot be good.

With arrival of Spectrum, Commodore, Atari, Amiga computers, and then
PC computers, general society became very interested. With arrival of
public Internet access from somewhere 1990-1993 people became more and
more interested in computing and computers, and then somewhere up to
2005, and there were many private websites. Facebook, Google and
other large companies that "make the user not know nothing", disturbed
the natural demand for education and disabled users, effectively
making them dumb to computing. Only smart phones remain smart.

People should learn:

- how to setup their own domains
- their own email system
- how to encrypt emails
- their own XMPP server
- how to encrypt XMPP connections
- their own websites

and other services, that is not hard to learn.

> Failing that, the infrastructure you describe would be nice to set
> up with a complete guide (not pieces with links) in order to have an
> integral and simple configuration. (Please do not feel obliged to
> construct it. It is just an extremely useful thing to have in order
> to build a simple, yet efficient and modern technological
> infrastructure, without the bloat.)

Rather re-ignite again the spark and interest in computing, than
making people not know anything.