
Your Messaging Apps Are Not Private - The Sovereign Computing Show (SOV003)
Tuesday, February 4, 2025
You might think that nobody can read your private messages, but chances are, the apps you are using are not as private as you think. In this episode of the Sovereign Computing Show, Jordan Bravo and Stephen DeLorme discuss how to enhance digital privacy by replacing everyday messaging apps with more secure and sovereign options. They review various messaging applications like Signal, Matrix, and SimpleX, and delve into their benefits and drawbacks.
Chapters
- 00:00 Introduction to the Sovereign Computing Show
- 00:16 Sponsorship and Community at ATL BitLab
- 01:28 Deep Dive into Instant Messengers
- 02:23 The Importance of End-to-End Encryption
- 04:02 Privacy vs. Security: A Complex Relationship
- 06:47 Shifting Perceptions of Encrypted Messaging
- 10:50 Exploring Popular Messaging Apps
- 21:33 Signal: The Gold Standard for Privacy
- 29:07 Managing Sensitive Credentials with Disappearing Messages
- 30:45 The Fun and Practicality of Ephemeral Messaging
- 31:18 Signal in Pop Culture and Username Features
- 32:25 Introduction to Matrix and Element
- 33:47 Self-Hosting and Federation in Matrix
- 35:25 Matrix vs. Other Messaging Protocols
- 37:57 Exploring SimpleX: A Unique Messaging App
- 39:19 Understanding SimpleX's Server Model
- 45:33 Boostergrams and Listener Feedback
- 56:01 Wrapping Up and Final Thoughts
Links
- Jordan Bravo
- Stephen DeLorme
- Boost in on Fountain.FM
- NBC News - U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack
- WhatsApp (questionable privacy)
- Telegram (not private)
- ELEMENT. by Kendrick Lamar
- Signal
- Government Requests to Signal for User Data
- Matrix Protocol
- Element
- SimpleX
Transcript
[00:00:00]
Jordan Bravo: Welcome to the Sovereign Computing Show, presented by ATL BitLab. I'm Jordan Bravo, and this is a podcast where we teach you how to take back control of your devices. Sovereign Computing means you own your technology, not the other way around.
Stephen DeLorme: This episode is sponsored by ATL BitLab. ATL BitLab is Atlanta's freedom tech hacker space. We have coworking desks, conference rooms, event space, maker tools, and tons of coffee. There is a very active community here in the lab. Every Wednesday night is Bitcoin night here in Atlanta. We also have meetups for cybersecurity, artificial intelligence, decentralized identity, product design, and more.
We offer day passes and nomad passes for people who need to use the lab only occasionally, as well as memberships for people who plan to use the lab more regularly, such as myself. One of the best things about having a BitLab membership isn't the amenities, it's the people. Surrounding yourself with a community helps you learn faster and helps you build better.
[00:01:00] Your creativity becomes amplified when you work in this space, that's what I think at least. If you're interested in becoming a member or supporting this space, please visit us at atlbitlab.com. That's A T L B I T L A B dot com. Alright, on to our show.
Jordan Bravo: I'm Jordan Bravo. Welcome to the Sovereign Computing Show.
I'm here today with Stephen DeLorme.
Stephen DeLorme: Hey, how's it going, everybody?
Jordan Bravo: Today we're going to be taking a deep look at messengers, instant messengers. This is a great topic because it is something that's really powerful. We all use messengers in our lives all the time, constantly. And so if we can shift towards using technology that is more sovereign in this particular instance, we're really going to get a lot of mileage out of that decision.
In other words, we're going to make a huge difference in how sovereign our computing is, how sovereign our data is, just [00:02:00] by replacing our everyday messaging apps with some more secure and sovereign options. We're going to start today by talking about a news article. This was in the news in the past several weeks.
And we have here, for those of you watching, this is an NBC News article. But for those of you that are just listening, you can check the show notes for the link. Basically, the U.S. infrastructure, telecom infrastructure, was hacked by Chinese hackers, and the FBI and other U.S. government officials, they went on record as saying that they now are urging Americans to use end-to-end encrypted messaging. And what's really interesting about this article, or about this whole event, is that for years, if you are in the sovereign computing space, maybe you are a privacy advocate or in that general realm, you might have noticed something, and that is that [00:03:00] these U.S. officials, these same ones that we're now reading about urging Americans to use end-to-end encryption, they've been very anti end-to-end encryption because it inhibits surveillance, and they want to be able to surveil people's communications. But now they're upset because the Chinese are doing this, an adversarial U.S., or rather, an adversarial government. And suddenly, it's the cool thing to do, to use end-to-end encryption. Which, if you are a person who cares about your digital sovereignty, then you've been using end-to-end encryption for quite a while. What we'll do is we'll talk about some of the apps that we can use.
Which ones are better than others, what makes apps better than others. And we'll get into all those details.
Stephen DeLorme: Wild times we're living in.
Jordan Bravo: Yeah. Do you have anything to comment on this article?
Stephen DeLorme: Yeah, it's good advice, I think. It's good advice. They're right. You [00:04:00] should be using end-to-end encrypted apps.
It's also one of those kind of tricky things that overlap between privacy and security, I think, because they're, depending on your point of view, they might be the same topic or they might be different topics. Like you can imagine that a system could be, in theory, you could imagine a system could be secure without being private, right?
Take like a corporate computer network. And it's a company managed email and, company managed everything. And there's not really an expectation of privacy. It's like the company owns the network. The employees are there to do their work. And so there's not really this, grounds for privacy there.
And then whereas privacy I think of as okay you have this expectation that your you know, communications, your messages, your data are protected in a way to where, you have, only you have access to it or you get to control who has access to it. And there, there's a lot of times I feel like this.
They kind of people tend to talk about them like they're two different things. Like when you're talking about [00:05:00] security or cyber security, a lot of times you're just talking about that idea of just being able to keep the bad guys out, the bad guys out, but there's not an expectation of privacy.
And then when you talk about privacy it's this whole separate other thing. But really the thing about it is like with these kinds of articles, these kinds of situations tell us is that they're not always separate things. If you have a system that's not private, it, that could be a security hole, right?
Like it could be that the, when there's not expectations of privacy is in a system they tend to lead to these security vulnerabilities.
Jordan Bravo: Yeah. And like you said, a lot of times privacy and security are looked at as separate properties of a given system. And we know from, there's the famous line by Nick Szabo in the Bitcoin community: trusted third parties are security holes.
And so when you have a system that might be considered secure, but not private, like you said, a corporate email. That might be it's not [00:06:00] private in that you are not, you're expected that the admin, the sysadmin is able to read all of the messages. So you have a trusted person who is able to have sort of God mode, right?
Almost like a backdoor into it. But the idea is that trusted person is the only one who's allowed to see it. Now, when it comes to messaging for everyday folks like us, outside of some kind of enterprise environment. We don't want any kind of backdoor. We don't want anybody to have God mode into our messages.
The only people that should be able to see the messages are the end users. The people that are sending the message from one end to the other end. And that's why the term end to end encryption indicates that those are the only places where it can be decrypted.
Stephen DeLorme: I think one other thing that might be a good segue from the news article into the actual software we're going to talk about would just be, the the rant that many of my friends have heard me go on about people's shifting [00:07:00] perceptions about encrypted messaging apps over the years.
The story I like to tell people is just how the idea of encrypted communication or just privacy in general tends to shift with who holds the presidency in the United States. That's what I've observed over the course of my life. And it's, 9/11 happened, Patriot Act gets passed, and, suddenly, everyone has, people have individual opinions, right?
But if I can just paint in broad strokes the kind of mainstream narrative. It was that like, okay, Republicans are for breaking privacy because it's in the interest of national security and Democrats are opposed to that and, all the privacy narratives that I heard and like high school were coming from the left.
Then Bush goes out of office, Obama comes into office, we have the Snowden revelations and all of that. Then suddenly it was like, oh, this, this happened under Obama's watch. It's a, left wing conspiracy to, break everybody's privacy. And then it's okay then it starts to shift and all [00:08:00] the, the privacy stuff I started hearing in the 2010s was all coming from the right or the kind of libertarian sphere.
And, I heard more almost more apologizing for, not apologize, but I almost heard more, just trying to justify it on the left. And then it flipped again in 2016 or 2017, Trump enters the White House for the first time. And then, suddenly it's like the left is like, Oh my God, we got to, get a journalist using encrypted messaging apps like Signal so that they can, exfiltrate information from the White House.
Whistleblowers could get information out of the White House with, without being caught. And then it was like four years later and it was like January 2021 and suddenly, practically every Gen X Republican that I know was like suddenly asking me about Signal. I was like, because Oh my God, we're getting censored and pulled off of social media.
We need encrypted stuff so that people can't take us offline. And it wouldn't surprise me if now the narrative is going to shift back the other way. And the thing is that being [00:09:00] censored or having your privacy broken or having people tap into your messages, this is always a concern, on a technical level can happen at any time.
It's just and the privacy always is the better option. It always makes, helps you be more secure, be more safe, keep your data more private your personal information more private. It's always a good thing in my opinion. It's just that the way that we feel about privacy, the emotions that we have about privacy really radically shift depending on how we feel about who's in office.
Jordan Bravo: And so a common sort of what I would argue is a short sighted view might be something like this. You think, Oh, I don't care about privacy. I don't have anything to hide because the people I like are currently in power. And therefore, I don't, it doesn't matter to me whether they know or can stop what I'm doing because they're good.
They're, intentioned and I don't have to worry about being censored or having my privacy violated. But I would argue that the. Longer term [00:10:00] view would be people are going to go in and out of power, different parties, different powers, and you may suddenly find yourself in opposition to the current party that's in power.
You might decide that the current regardless of whether it's party politics or partisan you might just think, hey, I don't want, I don't want any of these people to have access to my data or to be able to censor me. So maybe thinking long term. Whether it's our government or whether it's another government that's hacking our government or our infrastructure.
It might be prudent to think, you know what, let's just remove any back doors. Let's make it so that the only people who can see the messages are those who send it and who are the intended recipients and just leave it at that.
Stephen DeLorme: Yeah.
Jordan Bravo: So let's talk now about the specific apps that we can use. And first, before we talk about the ones that are encrypted, let's talk about what is not [00:11:00] encrypted.
So this article and this story talks about using encrypted messaging. So what is not encrypted messaging? That would be SMS. That would be your regular everyday text messages that we've been sending for decades now. Now a lot of people are gonna be using, by default, iMessage because there's a lot of iPhone users, especially in the United States, and iMessage does use end-to-end encryption when you are messaging other iPhone users who are using iMessage.
The problem is twofold. One is it's only end-to-end encrypted if you're messaging other iPhone users, and about, the last time I checked, roughly 50 percent of U.S. mobile users are not using iPhone. You don't want to only be encrypted when you're messaging other iPhone users. You want to be encrypted all the time with all of your messages.
The second problem with iMessage is that while it is encrypted, [00:12:00] we have to take Apple's word for how it actually works and whether it's a sound implementation or not, because it's completely closed source and proprietary and we haven't had any security researchers getting eyes on the code and confirming that they weren't able to backdoor it or brute force it or anything like that.
And then actually I'm gonna throw in a third problem with iMessage here, and that is that the, your decryption keys actually get backed up to your iCloud. And there is a way to lock down your iCloud backups to actually use end to end encryption and be more secure, but by default, it's not enabled.
And I would wager that 99 percent of people don't even know that's an option, let alone have that enabled.
Stephen DeLorme: Yeah. I didn't know that was an option either. Yeah. I think my personal thoughts on Apple are that, I'm an Apple user, I like their products, but, there's certainly the closed source nature of it as a risk.
I think between if you're just gonna go with [00:13:00] an off the shelf Android phone that's just, I don't know, some random, pick a random Android phone and you're gonna use it stock off the shelf as is, versus an Apple device, I would personally go with the Apple device because I think that they're the phone manufacturer that, they actually have an incentive, they have a business incentive outside of selling our data, which I like, but it doesn't mean that, it doesn't mean that's verifiable proof of the safety of the device, it doesn't mean that at all, it's just more of a personal hunch.
Jordan Bravo: Yes, and we're going to get into a lot more detail on iPhone, iOS, Android, and how you can be secure on mobile and on a whole operating system level. But today we're going to gloss over that and we're going to focus more specifically on cross platform messaging apps that are secure and private.
So with that, let's go down to WhatsApp. Let's talk about that. WhatsApp is, [00:14:00] it is closed source, it is owned by Meta, aka Facebook. And they do use the Signal Protocol, which is an open source encryption protocol, but we don't know how it's implemented in WhatsApp. We know that we don't know what they're doing besides the Signal Protocol.
So in other words, there might be some really good encryption at the protocol level, at the Signal Protocol level, but then the way that they implemented, it's decrypted in such a way that their servers can gain all kinds of metadata. We know that WhatsApp is a huge moneymaker for Meta, so if they weren't able to glean any data from that, then they would be losing a ton of money on it, and that's just not the case.
WhatsApp is, I believe it is, the most widely used messaging app in the world.
Stephen DeLorme: Yep.
Jordan Bravo: And outside of the US, where iPhone usage is not as high, it is just the [00:15:00] default messaging app of the world, basically, internationally. Now one last thing that I would say about WhatsApp's inherent problems, just right off the bat, is that similar to the way that iMessage gets backed up to iCloud, WhatsApp by default, it gets backed up to Google Drive, and that is not great for privacy.
Stephen DeLorme: Yeah. And I think when I've used WhatsApp before, and I want to say there's I think I've got an option. I think I have it pulled up on the screen right here. I just have a little screenshot for anybody just listening, but they have a, it's like you have to opt in to that end to end encryption.
From what I remember. So yeah, it's a little bit misleading. Like, a lot of your data is getting backed up. It's not getting backed up encrypted by default. So yeah, not great. But yeah, for pretty much, not using WhatsApp is a very American thing at this point, it's like it's so widely used. It's wild.
Jordan Bravo: Do you have, [00:16:00] actually, let me ask you this. What messaging apps do you use in your life and with whom? You don't have to get into specific doxing details, but just, does your family use a certain app, and do your coworkers use another app? Do your friends use a different app?
What's, what does that look like?
Stephen DeLorme: In the business world, it's just Slack all the way. Cause it is good for like companies and organizations and stuff. It's a pretty solid piece of software. In the open source world, it's Discord because you get many of the perks of Slack in terms of just having these big multi user chat rooms, but it's much better for more like open public communities.
So a lot of open source projects have moved to discord. So I'm on there for that. And then I try to use Signal wherever I can. Whoever is a willing Signal user, I'll usually opt for that. And then, for, everyone outside of Freedom Tech, it's usually defaulting to iMessage or SMS.
So [00:17:00] for me, that's iMessage. But it's, yeah, Slack for business, Discord for open source, iMessage for normies and Signal for really cool people.
Jordan Bravo: I have a similar setup as to you. I would say Slack, of course, is for business, that's what my company uses.
I'm on Android, not iOS, so I don't have iMessage and I try to minimize SMS. I would say maybe nobody, actually nobody that I message with regularly is insistent on using SMS, and I've managed to convince my family to use Signal. I would say most people that I message with on a regular basis are okay with using Signal and then those that aren't, some of my family, like especially group messages, we use WhatsApp.
Let's talk about Signal a little bit more, but before that I want to make an honorable mention, or a dishonorable mention rather, [00:18:00] of Telegram. Telegram had its heyday. I feel like Telegram usage has peaked. And a couple of things about Telegram. One is that it is not encrypted by default.
So just when you join a chat or direct message with somebody, it is not end-to-end encrypted at all. So you have zero protection from the server right there and anybody that can access the server. You can specifically create a direct message that's end-to-end encrypted. It's called a secret chat, but you have to go out of your way to do that.
It doesn't happen by default.
Stephen DeLorme: Super misleading on their website here. Telegram messages are heavily encrypted and can self destruct. It's like bullshit.
Jordan Bravo: Yeah.
Stephen DeLorme: Bullshit.
Jordan Bravo: Yeah. Telegram has always, I feel like it somehow got the air of privacy about it, but I don't think it ever deserved that. It got really big in the [00:19:00] crypto community, especially but I just, I feel like they were more marketing and less substance.
Stephen DeLorme: There's a Kendrick Lamar song, I think, where he mentions Telegram in one of the songs.
Kendrick Lamar: Thirty millions later, know the feds watchin Auntie on my telegram, like, be cautious. I be hangin' out at Tam's, I be on Stockton.
I don't do it for the 'Gram, I do it for Compton.
Stephen DeLorme: Frustrating to me because especially in the Bitcoin world, people just love Telegram. And it's like, I don't get it. Like, why? And I could say it does have a, it has a delightful UX. It's fun. It's easy to make big rooms and add lots of people.
It feels fast. It feels responsive. The stickers and all that kind of stuff are super fun to work with. But just because it's dark mode by default, when you download it, doesn't mean that it's encrypted, people.
Jordan Bravo: Good point. They do have a nice UX. One, one thing that happened in the past correct me if I'm wrong, maybe in the past 12 months, but [00:20:00] Pavel Durov, who was the creator of Telegram, he was arrested and this was pretty big news.
Because up until then, Telegram had made some statements on its website about how it was private and how Telegram would never cave to the authorities or, and turn over data of users. And then when Pavel Durov got arrested, they, he, as part of his plea deal or whatever deal he made with the authorities.
They had to change that policy and now they no longer say that on the Telegram website. The wording has changed and they do comply with requests from authorities for user data. So if there was any semblance before of privacy from Telegram, I think that's completely gone now. And as a result we've seen a large number of Telegram users move away from Telegram, especially those who are actually concerned about privacy, [00:21:00] and move to more private and secure options.
Stephen DeLorme: Yeah, and to be fair to them, it's obviously, when you have a huge, like, legal action against you, then you have to do that kind of stuff. That's just the way the grown up world works, but the better scenario is, I think, when you're using a service that will comply with authorities and give them all the information they have on you, but the information they have is so little that even when they do comply and hand over all the information, it's sparse.
It's not much at all.
Jordan Bravo: Exactly. That's a great segue to the next app we're going to talk about, which is Signal. Signal is based in the United States, and so they do have to comply with U.S. laws. But something that's great about Signal is it's end-to-end encrypted by default. In fact, you can't turn that off, so it's always end-to-end encrypted.
And they have such little metadata on their users. That they actually [00:22:00] post on their website when they get requests from authorities of turning over user data. They show the letter and their response and the data that they are able to give the authorities. And it's sparse that it's actually worth reading, Stephen.
I don't know if you can
Stephen DeLorme: Yeah, maybe is it on a blog maybe?
Jordan Bravo: Could be. But essentially they show, all they know when they have a Signal user request is that they can look up when the account was created, the last time that the account was used, and that's it. They don't have the ability to have any kind of metadata in terms of IP addresses.
I suppose they have that technically. They don't have the ability to associate it with an identity, in other words, like your first name, last name, address, any of that kind of stuff. And they don't have it correlated with any of your social [00:23:00] media data.
Stephen DeLorme: And I know I'm having difficulty finding the exact thing, but I know I've seen it with my own eyes too.
I remember seeing that report and I'm not sure if it was like Something that they tweeted out or something like that. But I do know it exists. Like I've seen it before.
Jordan Bravo: They might have a section that's dedicated to it. But what we can do is, I'll pull it up after and put it in the show notes so that people can click that if they want to see it.
Stephen DeLorme: God, their latest website design looks sick. I want to go just download all their brand assets right now. Anyway, sorry, it's the designer in me getting out of control. Anyways.
Jordan Bravo: Yeah, on that note, Signal does have a pretty good UX. I would say it's on par with something like WhatsApp or even iMessage, where at this point they have feature parity.
I would say there's not really much you can do in Signal, or rather in WhatsApp or iMessage, that you can't do in Signal. [00:24:00] And the UX is so smooth that my family has zero issues using it. You can audio call, you can video call. You can send stickers, emojis. You can send other files, you can send pictures, videos, et cetera.
So at this point, I think it's pretty easy. I would say, I don't know, let me ask you as a UX guy. Is there anything about Signal that you think is a UX hurdle for people to use?
Stephen DeLorme: Not really. I think there's one caveat to it, which I'll get to, but it's actually a good thing. I think overall, like, Signal's UX is deeper than just the fact that it's a clean, nice looking app, but it's also just the performance and responsiveness of it.
It just, it feels like fast when you're using it. Sometimes when an open source project is new and it might be worked on by a small team, it'll feel a little janky when you're using it, but Signal just, it feels like it's functioning. You don't get the impression that [00:25:00] it's like broken or whatever.
When you're using it, it just, it feels nice. One thing I like is that they have this kind of no power users philosophy. The idea is like you shouldn't need to know how it works under the hood in order to be able to use it effectively. So one thing that's interesting about it is a lot of times when we think about cryptographic applications, we're thinking about like backing up keys and seed phrases and stuff like that.
Signal actually doesn't give you the option to export your private key to my knowledge. It's not even buried under the settings or an advanced menu or something like that. They just, they don't do it. And this might, if you're a real technical developer type of person, it might feel prohibitive, but the upside to this is that there's no way for the user to foot gun themselves. Like, they can't. It's held on the device, presumably it's wherever the most secure area to store secrets on the device is, maybe that's the enclave or whatever, [00:26:00] but it's held on the device securely. Only the Signal app is supposed to be able to access it.
And the user can't just accidentally leak their key material. Another thing that is weird about it is that if you want to transfer between devices, there are some situations I've had where I've lost chat history because you have to get your new device and you have to scan a QR code from your old device to transfer everything, and there's been times when that's worked perfectly and I've gotten all my history.
There's also been times, I think it was in the old days when transferring between Android and iPhone, and I've lost chat history, or sometimes if you like pair your desktop computer with your mobile Signal phone, you won't get the chat history on the new device, but I think that's interesting.
It's a very opinionated design decision. They're saying like, if we can't do this in a way where it's done securely and encrypted, then we're just not going to do it. We're not going to come up with a window to the user saying, Oh, are you sure you want to do this? [00:27:00] There's an X percent chance that your data might get leaked.
They just make a very strong opinionated choice for the user that if there is a risk of something going wrong in this operation, we're just not going to put your data at risk. I think that's a really cool part of the UX is they don't even bother talking to you about keys or surfacing any of that.
There's no power users in Signal.
Jordan Bravo: Yeah, I agree. I think it, like you said, it removes those foot guns. As far as privacy, they do require a phone number, which is something a lot of people who are really into their own privacy are going to balk at. But one thing you can do is, it only requires a signature, or excuse me, a phone number to register the account.
And then going forward, you can actually give any of your contacts a username, then they can get that by scanning the QR code or just manually typing in a [00:28:00] username. And so you actually never have to share your phone number with anybody. It's really only used to register with the server upon account creation.
So that's pretty cool. The other really great privacy feature is disappearing chats, and you can both turn that on manually per chat. You can also have a default chat time. So you can either have no disappearing chat for new chats or you can set it to something like a minute, an hour, a day, a week, a month.
And that's actually a great feature because a lot of reducing our digital footprint, it goes a long way towards making us more private. And so let me ask you. Again, thinking about your typical messaging, when you have like in your Signal setup, what is your go to disappearing message strategy?
Do you have it enabled by [00:29:00] default? Do you manually enable it for certain chats? How does that work?
Stephen DeLorme: Yeah. I usually just enable it when I feel like I need it. Usually that's if something like, I need to like send myself a password or send somebody else a credential for something like that.
It's, I don't want that like sensitive credential just sitting around for forever. And so I tend to turn it on, send it, and then turn it off for me.
Jordan Bravo: I do the same thing, especially with passwords or any kind of credentials like that I would say I also use it on a longer term disappearing timer for certain chats.
Especially with my wife, we message each other constantly, many times per day. And we have an understanding that after four weeks, the chat is going to be gone. Any message that's sent, and this is fine for us. We treat Signal as a quick messaging app [00:30:00] for ephemeral conversations, but if it's something like, Hey, here's a link or something that's important and I want it to be there more than four weeks in the future, I'm going to save it elsewhere.
And this has the advantage of also not bloating our chat history. You've got to think if you're messaging dozens of times per day with somebody and it's not disappearing, it's just piling up forever. And as long as Signal's on your phone, that database size is going to be growing and growing.
And to me I think it's just unnecessary. I don't want to worry about the space. I don't want to worry about possible privacy leaks. So for me, for everyday conversations, I feel like disappearing messages are great.
Stephen DeLorme: Yeah. And I think there's also, I don't know, something fun about the ephemeralness of that too, because you got to think about I don't know, being married 30 years ago or something.
And it was just, the messaging between husband and wife would have been just as ephemeral back [00:31:00] then just because of the limitations of the technology at the time. Unless you want to really get out and pen and paper some messages to each other. But the phone calls, which probably would have been the norm, that would be just as ephemeral.
I don't know our little monkey brains aren't necessarily equipped for this world where our data just goes on and on forever.
Jordan Bravo: Yup.
Stephen DeLorme: Two little tidbits I'll inject real quick. Last season of Mr. Robot, very funny, there's a plot arc where they're using Signal, two of the characters in the show are using Signal, and they have disappearing messages turned on for I don't know, like one minute or something like that?
Like some ridiculously low time, and you'll see them in the show like pulling out Signal, checking their phone real quick, and then you'll see the messages like disappearing in like the same scene.
I wanted to point out about the usernames too before I move on to another one. One feature that I like about their usernames is they automatically append a number to the end of their username.
So it'll be like whatever name you choose dot, whatever number, and I know Discord does this too, even though they're not private, it's a thing with like scamming and impersonation that happens [00:32:00] online. That's an interesting just getting in the norm of there being a randomized number on the end of your name as a potential, like impersonation prevention strategy, which is interesting, I think.
Jordan Bravo: Yeah. Notably, Telegram does not do that. And the scammers are abundant on Telegram.
Stephen DeLorme: Yeah.
Jordan Bravo: Okay, I think we've covered Signal pretty thoroughly. The next app we're going to talk about is Matrix. And Matrix is actually the name of the protocol and there, there are various apps, clients as they're called, that you can use that implement the Matrix protocol and are compatible with each other.
The reference implementation, in other words, the company that is behind the Matrix Protocol is also the one creating the most popular app for it, is called Element. And let's take a look at that. So if you're looking at the video here, [00:33:00] we have element.io is the domain name. And you can log in via the web, or you can download the client.
Both on mobile and desktop and what's really cool about Matrix is by default it uses the third party matrix.org server. So if you just want to try it out, you don't have to worry about hosting your own server. It's just like Signal out of the box where you can either sign up for an account using only email and password or something like that.
And if you start messaging, DMing somebody else who's using Matrix, you're getting end to end encryption right away out of the box, basically for free, you don't have to do any extra configuration. But what's cool about Matrix is that you can take it a step further. You can self host Matrix. This is all completely open source and self hostable.
Such that if you're running a server, you are the only person who is able to control the [00:34:00] server data. And therefore, your client, which is pointed at your server, is only going to be storing your chat history on that server.
Which means, if you and another person, if you are talking to somebody with your self hosted Matrix, and they are, they have their own self hosted Matrix. These two servers are able to communicate with each other because of federation. This is a federated protocol where any server that speaks the Matrix protocol can speak to any other server.
I could have Jordan at Bravo.com as my username for Matrix. And then I might be able to talk to Stephen at DeLorme.com where he's hosting his own Matrix server. And our apps are going to be able to speak to each other interoperably with zero issue. And it's end to end encrypted. If you think about it, the only place that data is [00:35:00] existing, it goes from my client.
Let's say I'm talking, I'm using my phone and he's using his phone. It goes from my phone to my server, and that's encrypted. And then from my server to Stephen's server, and then Stephen's server to his phone. There are no third parties in that chain of communication right there, which I think is really cool.
That's about as decentralized and off grid as you can get.
Stephen DeLorme: And I guess since we say federated, that's like a similar concept to what Mastodon uses, right?
Jordan Bravo: Yes. Yeah, federation. Another really common protocol that's federated is email. If you are on Gmail and I'm on Yahoo Mail, for whatever reason those can speak to each other, even though they're two different companies, two different servers, two different domain names.
But they both speak SMTP and IMAP or POP, so that they're able to communicate.
Stephen DeLorme: Yeah. I've used Element before, and [00:36:00] I've never self hosted a Matrix server, though we're certainly in the process of setting one up here for ATL BitLab. But I so I've never run a server, but I have used Element before on the desktop and the phone, and it's pretty slick.
I mean, it sometimes feels a little slow to me when it feels oh, it's, pulling down a whole chat room full of messages and decrypting it in the background. But, aside from those kind of, very minor performance nits, it feels pretty snappy and it feels, like a competitor to something like Slack.
Jordan Bravo: Yep, and I know what you mean about the loading factor where especially that when the first time you open the app. Let's say it's been a while since you logged in or let's say you add a new chat room. It does seem like it takes a little while to process and decrypt it. Now, I've been following the Matrix blog and they've been, it seems like they've been really hard at work focusing on that UX problem because they want to have a, that snappy feel where you dive [00:37:00] into a room and your chats are immediately available.
And I think they're using a lot of engineering tricks where to maybe decrypt like the ones that are immediately available and then in the background decrypt the rest of them because the odds are you aren't going to be scrolling back really quickly right away. I'm excited to see that UX gap be closed.
And as you mentioned, we are going to be switching over to Matrix for ATL BitLab. Currently, BitLab and its associated communities are on Telegram. And as we talked about earlier, Telegram has its issues, especially now with Pavel Durov's arrest and changing their policies. So it just feels like it's not the most sovereign option when really we could be using something like a self hosted Matrix chat.
Stephen DeLorme: Yeah, I'm definitely excited to dive more into the Matrix universe.
Jordan Bravo: The last application that we're gonna talk about is [00:38:00] called Simple X or Simplex. I don't know which way to pronounce it, so I'm just gonna call it simple X. Now, SimpleX is, it's a chat app for mobile and does it have a desktop as well? I actually don't know. Oh yeah, hey look at that.
GetSimpleX desktop app. You have it for desktop, you have it for iOS, you have it for Android, and what's interesting about SimpleX is they use a different server model. They have a D, even when you're using the default server, which is, you don't have to self host it. Whereas Matrix has a single centralized server and Signal has a single centralized server, SimpleX actually has multiple servers and it, so it's decentralizing it.
And they also have this concept of instead of having a username, that's the way [00:39:00] we always think of these apps is I have my Signal username, I have my Matrix username, whatever. And then other people find me with that username. SimpleX, it actually sets up an ephemeral user, I guess you would call it, account.
I'm not really sure the proper terminology. But it sets up a unique one for each chat. If anybody was listening or performing surveillance on the servers, they wouldn't be able to correlate one chat with another. If I'm talking to Stephen in one chat and I'm talking to my wife in another chat and brother in another chat.
None of those are correlated with each other. None of them have the same user data. I believe there's a diagram of how it works on the SimpleX website.
Stephen DeLorme: Yeah, let's see if we can find that. I think the out of band key exchange is probably a part of the puzzle. Okay, here we go. SimpleX explained. Their logo drives me crazy because for anyone who can't see on the audio version it looks like a hash, like a [00:40:00] pound hash symbol at the end of the logo that's rotated to me.
So I don't know. Anyways, this is a computing show, not a design show. What users experience. You can create contacts and groups and have two way conversations as in any other messenger. How can it work with unidirectional queues and without user profile identity? So we have a little network diagram with people icons.
So how does it work? For each connection, you use two separate messaging queues to send and receive messages via different servers. Servers only pass messages one way without having the full picture of each user's connections. So they took the same network diagram they had before with all these kind of user icons being connected with dotted lines.
But then we can see that one of the users let's call it, user one, they're passing their messages through another user. And then that user is like passing them back through another user, it looks like, so it's yeah, it's each user only passes the messages one way and then what servers [00:41:00] see.
And so then it straightens out the whole diagram for the next picture. And it just shows like message stream one, message stream two, message stream three, has more arrows going through it, but it's still going in one direction. It says the servers have separate anonymous credentials for each queue, and do not know which users they belong to.
Users can further improve metadata privacy by using Tor to access servers, preventing correlation by IP address. So what it's sounding like to me is you think of typically with a messaging, if you had some server that handles the message queue or whatever, they can see that.
Okay. Alice messaged Bob, Bob messaged Alice, Alice messaged Bob. Whereas this SimpleX thing seems like it abstracts it into there's unidirectional messaging queues. So all the server sees is that it's like X is messaging Y. X is messaging Y over and over again. And then there might be another message queue it has where A is messaging B, and C is messaging D, and E is messaging F.
[00:42:00] But it doesn't really know because, maybe maybe A and B. That's, that could be messages going from Alice to Bob, but where are the messages coming from Bob back to Alice? You don't know like which, if any of those messaging streams are going the other way.
Jordan Bravo: So in this most, in the simplest case you would have, so going back to something like, let's say, Signal.
If Signal were somehow the server was compromised and there was surveillance on it, and they could somehow break the decryption or encryption. Then they would see if I'm messaging you, Stephen, with Signal, there's that centralized server, and they would be able to say, Okay, Jordan's sending messages to Stephen, Stephen's sending messages back to Jordan, and we can see that going in both directions.
Now, if it were SimpleX, and I'm sending you messages via SimpleX, there's going to be server A. Jordan sends a message to Stephen, the server, the message goes from Jordan to server A [00:43:00] to Stephen. Now when Stephen sends a message back to Jordan, it's going from Stephen to server B to Jordan. So if let's say server A was compromised and there's somebody surveilling that, they would see only messages going from Jordan to Stephen.
They wouldn't see any of Stephen's messages going back to Jordan. And so you could see how decentralizing it like that reduces single point of failures.
Stephen DeLorme: And do you know what the expectation is with SimpleX in terms of these servers and I'm assuming there's public ones, I'm assuming I could probably also run my own, but is this the kind of thing where it's is the architecture imagined to be that everybody runs their own or that there's just tons of public ones or any insight into that at all?
Jordan Bravo: Yeah. No, that's a great question. I would like to know more about how many servers are running. I do know that it is self hostable and that I think plenty of people do it. For [00:44:00] example, it's available as a service on StartOS. So if you have a Start9 server, you can easily self host it with a couple of clicks.
And actually more broadly speaking, you can also do that with Matrix as well. Both of these things are really easy to self host if you're using one of these kind of easy mode servers like StartOS and then obviously if you are a more advanced user and you actually want to run your Linux server by hand or manually, then they have instructions for that as well.
But as far as how many are self hosting versus how many are using the default public servers, I don't know, but that's, that would be interesting to find out.
Stephen DeLorme: I love their placeholder, their delightful placeholder copy and their sample app up here. I think this one chat coming in is a Dune reference, who controls the past, controls the future, who controls the present, it's from some science fiction.
Okay. There's a Fight Club [00:45:00] reference, there's also a Ghost in the Shell: Stand Alone Complex reference, that's the Laughing Man from Ghost in the Shell. Just think about it, our whole world is sitting there. Anyways, I'll stop picking apart the
Jordan Bravo: And one last thing on that. The GrapheneOS chat is listed as well, which is cool because if you are a person who's into SimpleX then you're going to be a privacy conscious individual and you might also be interested in GrapheneOS, which is a more private version of Android, which we'll be talking about in a future episode.
Stephen DeLorme: Sweet.
Jordan Bravo: Let's let's move on into Boostergrams. We're going to read out the boosts from a previous show. We're going to hear what you, the audience, have boosted in. And before we read those, we'd encourage you to boost in on this show. Let us know what kind of messaging you use. Do you self host?
Do you use private messaging? Have you had success [00:46:00] getting people in your life to use more private messaging and you can do that by going to atlbitlab.com slash podcast or by going to fountain.fm and searching for atlbitlab.com and boosting in on one of the Sovereign Computing episodes.
Stephen DeLorme: Yeah, and we don't have the ability, you can certainly leave us a tip directly on atlbitlab.com slash podcast. It goes to BTC Pay Server. We don't have the ability to accept the text messages and boost directly on the website, but it's a feature I'd like to get added at one point. I think for the Boostergram segment, I almost feel like we need to come up with some like cool sound effects, like booster grams or something like that.
Jordan Bravo: Yeah. Maybe some bumper music or something.
Stephen DeLorme: Some fire and explosions. Okay. So anyways, we're here looking at the boost. This was from episode one of the Sovereign Computing Show.
Jordan Bravo: Cool. We have a boost for 1000 sats from Justin Goldberg. And [00:47:00] Justin says: In addition to a password manager, I strongly recommend that if your browser or password manager or Nostr client generates passwords, it's a good idea to add some random text to the end of the generated password.
Alright, thank you Justin for that boost. He is referring to how in episode one, I recommended using a password manager as a first step for anybody that isn't already doing that to take on their sovereign computing journey. And what he says about adding random text at the end of a generated password, this is known in the security field as salt.
So passwords, they are added with this little random text at the end. It's called salt. And by salting passwords, it makes it harder to brute force them. So a lot of password managers will actually do this automatically for you. But if you are manually typing your password for whatever, or manually generating your password for whatever [00:48:00] reason, then this is certainly a good, some good advice to add some random text at the end.
Stephen DeLorme: Yeah, and I'm wondering I actually, I'm curious what he meant by the random text. So yeah, I'm familiar with salting. And it gets like salting, like definitely, especially when you're dealing with like server applications that has like a kind of special application, but I'm wondering here, if I can read a little into his comment, if he means that it's like a fail safe almost that so anytime you have something that generates a random thing for you, a random key, a random password, you're relying on wherever that thing gets its entropy from.
And there have been cases where for example, there was the Milk Sad vulnerability. There was a Bitcoin library, one made from the early days that was getting its entropy and some not, and this wasn't for Bitcoin Core, for anyone wondering, it was for some other, just coding library that people use and it wasn't getting its entropy in the best of ways, so it wasn't really like [00:49:00] good entropy.
It wasn't random enough. And with the Milk Sad vulnerability, people were able to get this library to produce, the same key twice effectively. And so it might be that what he's proposing is that if you added some if you let it generate a random password for you, if you also take that and add your own extra characters, like a couple of characters, perhaps that might act as a safeguard just in case one day down the line, it's, discovered that this thing, wasn't as random as previously thought.
I'm not sure if that's what he means. That's just my my, my guess there. But you can, there's certainly, it's always a, that's a very deep rabbit hole, like wondering how random, random generators are.
Jordan Bravo: Yeah I tend to trust, so to speak, or I, I tend to rely on the implementation of the random password generation.
For example, I always, I set it to a certain amount of [00:50:00] characters and I set it to use symbols and capitalization, all that. And then I just let the password manager handle it. I don't even try to customize it myself because I figure. However clever I think I am, I'm not going to be beating random entropy that's generated by a sophisticated algorithm.
So for me, I just let the random generator do its work and I save it and I don't ever think about the password after that.
Stephen DeLorme: But yeah, and same here, but always, everyone is going to have their own threat model. So sweet. Thanks for the boost, Justin.
Jordan Bravo: All right. The next boost we have is from Gavin Green.
Gavin sent 500 sats and he says: Great debut guys. On the subject of password keepers, what do you think about using browsers to save passwords? Is the data stored locally or in the cloud? And I think that it actually depends. So you have Firefox. Let's [00:51:00] say you have Brave or Chrome, if you are not signed in to the sync service, then it's saving it locally. And you have the benefit of it's, you don't have to worry about it being in some third party service, but you have the downside of it's not synced.
So if you have different machines, different desktop laptops or mobile you're not going to have it across those devices. So for me, I prefer a tool that's not reliant on a single browser because I like to use different browsers and in different environments. So for me, that's why something like Bitwarden, which is the password manager I use.
That it works really well because you, it's in, it's a Firefox extension, it's a Chrome extension, which also works for Brave, it works on mobile there's even like a desktop app if you want a standalone app. So for me, I like not being reliant on the specific browser implementation, but still having the ability to sync my passwords.
Stephen DeLorme: Yeah, I feel the same way. I remember like once I, I think I don't know 15 years ago [00:52:00] or something like that, my girlfriend at the time was using the Firefox password manager and I ended up like we, we needed to recover a password and we like dug into it and found that it was all just unencrypted on the system.
But I guess, it does, it makes sense if they don't prompt you to make a master password, then it's just stored unencrypted on the system, which again, if it's on your local computer that's fine. I think we're in much more sophisticated territory nowadays where a lot of Windows computers and Mac computers like do end to end encrypt things.
Or at least I think the Windows computers, they enabled it in Windows 10, I think, but I'm not going to say every computer has the hardware for that, but. The point is, could do that. I know there are some services that let you sync to the cloud. I'm pretty sure Chrome will sync your passwords to the cloud.
I haven't vetted this, code of that or anything, but my assumption is that it's probably just going up into the cloud. Like unless there, like your Google account is not. Like when you log [00:53:00] into Chrome, you're just logging in with your like Gmail account, usually, if you use the browser profile thing.
And so that's not an end to end encrypted account. Like you can just reset the Google password. So I don't imagine if you do some kind of cloud sync that it's like fully end to end encrypted. That would be my assumption there. But yeah, I agree with you. I like not having it coupled onto the browser, because you may want to use that in a different context.
You might want to use your passwords in a browser. You might need to use it for desktop applications or. You may want to use it on different devices or whatever. And so like just having it as like a standalone service is good too. And I think there's also just something like we were saying about the psychology of taking over your own passwords.
There's something about the psychology of being like, this is like my super secret, encrypted vault. And it's like separate from the other services I use. It just makes you take it a little bit more seriously and a little bit more empowering, I think.
Jordan Bravo: All right. Our next boost is from M U T U M 8, I'm [00:54:00] going to call him Mutum, or Mutum 8.
Stephen DeLorme: Mutum 8.
Jordan Bravo: Mutum 8, boosted in with 210 sats, and Mutum says: Topic suggestion, how do I decentralize my domain name? That is a great question. I, million dollar question, yeah. Based on previous discussions on this topic, that is, it is a very difficult thing. It's actually, it's tricky because DNS is inherently centralized, the domain name system.
And so while there are some experimental ideas for how we could decentralize it. There's it's really tough and it's going to be a whole episode if we get into it. I was, I say,
Stephen DeLorme: that'd be a fun one to get into one episode. Yeah.
Jordan Bravo: Yeah. So thank you for that topic suggestion. That's a great topic. We are going to cover that in a future episode.
Stephen DeLorme: Yeah. And I think that would probably be a more [00:55:00] experimental forward looking future, future philosophy kind of stuff. Cause as you pointed out, there's not like an actionable way you can just like. Completely decentralize your DNS right now. It's all, it's a very experimental space, at least to my understanding.
But it's worth kind of thinking, it's worth thinking about these things.
Jordan Bravo: Yeah. Yeah that's a great topic. That's it for our boost.
Stephen DeLorme: Oh, I will highlight one other person.
There's no boosts on here, but I saw recently in the backend, the our top supporter is now Weird Robot. So congratulations, Weird Robot. You're our top supporter.
Jordan Bravo: Oh, yes. So we, you can also support the show by streaming sats. You don't have to boost in a message. You can just set your Fountain app or Podverse or any of the other Podcasting 2.0 apps. You can just set it to stream sats while you're listening. And so we want to thank our streamer Weird, and we appreciate you streaming in those sats.
Stephen DeLorme: Yep. [00:56:00] All right.
Jordan Bravo: All right. That's it for our show today. Thanks again. You can visit us at atlbitlab.com slash podcast for videos, show notes, boosts and all of the other good stuff
Stephen DeLorme: Catch you later
Jordan Bravo: Thanks, and we'll see you next time
Stephen DeLorme: Hey, thanks for listening. I hope you enjoyed this episode. If you want to learn more about anything that we discussed, you can look for links in the show notes that should be in your podcast player, or you can go to atlbitlab.com slash podcast. On a final note, if you found this information useful and you want to help support us, you can always send us a tip in Bitcoin.
Your support really helps us so that we can keep bringing you content like this. All right. Catch you [00:57:00] later.