twitter: your mastodon server admin reads every DM you send. they actually read them and assign a score

mastodon admins who roll their own: sorry everyone images aren't going to work for the next sixty-ninety years. what's a DM

99% of mastodon admins who are just normies who pay for shared hosting: we can't read dms. we can't even choose when to update. we can't even turn the lights off in this room

lead mastodon dev: actually they're "mentioned people only posts," hope this helps. Cheers!

@alex the wildest take on the birdsite i’ve seen so far is: ok companies only go into your personal data if they get a warrant but an instance admin is JUST A PERSON? THEY JUST READ ALL OF IT!

and like… wow, i don’t even know where to start when this level of trust is blindly extended to unvetted organisations, in an age where google analysed your ‘DMs’ (emails) for better ads and NSA people used their supersurveillance creepyshit to stalk women.

@cygnathreadbare @alex but their tweets are written all twee! and the UI is cute! and bees!

it’s really disappointing that, in sum, people shy away from something with a learning curve, but the potential to be a real change, for something that’s a bundle of red flags dressed up all shiny.

@gekitsu @alex I would much rather two individuals (my admin and the other person's admin) read my messages than many employees at an organization, or literally any algorithm
what's my admin gonna do with my matrix @ or checking up on moots going through crises? like he could dox me if I put my address but a) he has no reason to and b) I simply don't do that???

@raphaelmorgan right? i mean, it’s a fine thought when people start considering who they trust administrating the infrastructure they use.

but ffs, be realistic and consequent with the application of this newfound notion. just because trust was given without consideration doesn’t mean it was given well.

@gekitsu @alex People think companies are somehow “accountable” which is hilarious because no they fucking are not

@Elizafox @gekitsu @alex yeah theyre accountable... theyre a-counting all the dollarydoos they get from selling your metadata

@Elizafox @gekitsu @alex

"but you have no legal protections" they screamed on a platform that was literally just purchased by a single dude who immediately scrapped all the regulation teams, declared himself the god king, fired everyone on the human rights, accountability and user protection teams, and doubled their working hours

@Elizafox @gekitsu @alex corporations aren’t even people. They’re physical manifestations of Capitalism. Corporations are answerable to no one, can’t go to jail and exist only to extract as much money as possible for stakeholders.

@gekitsu @alex yeah- I just assumed anything I put on any app was accessible by someone (with exceptions for things like signal and telegraph built to avoid that). Just like I assume very keystroke on my work laptop could be monitored if needed.

@alex amusingly gargron also just posted about images not working on

@PennyOaken I am very sorry about your experience. I did not say I am not interested in reading DMs—since I use a hosting service I literally can’t. If you use a shared hosting platform nothing that requires command line access is available to you even if you wanted to. The other two types in the post refer to how mastodon dev often expends energy on renaming features or buttons while the issue page piles up with actual functionality issues. DMs have been renamed instead of fixed

@alex Ngl I very much appreciate not having DMs. Didn’t really need them.

@alex oh and tiwtter DMs aren't encrypted end-to-end either so...

@Kyleric @alex You mean besides politicians asking for money??

@alex I'm busy enough with a $dayjob and other things that I wouldn't have the time to setup and remember how to query Postgres (because most of my experience is with MySQL and MariaDB). I'm pretty sure most people will not have to worry about this...

@alex The most frustrating thing about this utter non-argument ("admins can read your DMs") is that the same really also goes for Twitter or literally every classic internet forum out there.

If you want actually secure messaging, use Signal or idfk WhatsApp (less good cuz Facebook but in some countries that's what you're stuck with...)

@glitch @alex another option is Matrix! it's e2e encrypted *and* it's decentralized *and* you don't need to give your phone number iirc

@raphaelmorgan @alex Matrix is an option, but given the sheer amount of complaining I've heard about signing up for the fedi/discovery, the Matrix experience is that but about 99 times worse.

It also relies on python for it's reference implementation (synapse) which is uhh Not Great due to optimization reasons (there's dendrite but it's not up-to-spec yet).

There's also some deeply related pitfalls in it's design that make me *very* cautious about recommending it, although those mostly pertain to public rooms.

Unfortunately Matrix, as cool as it is, will probably be doomed to obscurity and usage by nerds.

@glitch @alex DOJ has been using ‎WhatsApp and Signal messages as evidence in proud boys and oath keepers trials.

I’m glad the January 6 traitors will be going to prison for their crimes, but how is FBI getting these encrypted messages?

@tolortslubor @alex That is a really good question!

(Un)fortunately the answer is somewhat plain and doesn't really involve encryption or Facebook/Signal working with govt (they infamously oppose it to the point where some lawmakers have considered making encryption backdoor laws in the US) but rather the use of an extremely common flaw with most phone owners (we'll also ignore the fact that most Nazis just have shit phone security, basically if you have good phone security, you're probably just also too smart to be a nazi. You might be an anarchist though, anarchists tend to write a lot of infosec guides for the layman for some reason...): Face ID and fingerprint scanners.

Basically you can negate all the e2ee stuff if you can log in on one the devices sending/receiving messages. While the US courts have generally concluded that you can't compel suspects to hand over passwords as they constitute a "thought" and they can't compel thoughts (there's a better legal argument here, ask your lawyer about it, IANAL, this no legal advice), they have very much *not* extended that courtesy to just... holding a phone next to your face or making you press your finger on the fingerprint scanner.

And well, once they're in, it's just a matter of opening the specific app and taking some screenshots.

If your threat model ever includes entities who have physical access to you and your phone, don't use biometric phone locking. (Basically keep xkcd 538 in mind )

And that's without delving into some notable blunders on basic security like Alex Jones' lawyer accidentally mailing a decrypted dump of AJs phone and messaging history to the opposing lawyer and ignoring the warnings for long enough for it to be publicly entered in case law, which of course granted the government access to a whole bunch of those implicating messages.

@glitch @alex Wow. And of course at least one or more coup plotters didn't set their seditious conspiracy messages to auto-delete.

And that actually doesn't sound as stupid as Stone/others recording their treason like they were gonna be the history-writing victors with a video documentary.

@alex @glitch And Twitter outsources much of that to non-employee temporary contractors. Nobody knows how many people have access to Twitter DMs.

@alex I'm running plerma. I can't read DMs either.

I don't think any fedi admin of any fedi server bothers doing the manual SQL queries it takes to extract and parse anyone's DMs unless they're like, really malevolent. :thonking:

@alex I’m on only user on my instance and I don’t read DMs :)

Sign in to participate in the conversation is a Mastodon instance for dads, running the Hometown fork of Mastodon.