Yog-Sothoth

“work harder for my riches, you MAGA bitches!”

What metadata does XMPP leak?

• Sender’s Full Jabber ID (JID): This is typically in the format user@domain.com/resource. The user@domain.com part identifies the user and their home server, and the /resource identifies the specific client device they are using (e.g., [email protected]/mobile or [email protected]/laptop).
• Recipient’s Full Jabber ID (JID): Similar to the sender’s, this specifies who the message is intended for, including their user, home server, and often the specific resource.
• Sender’s Server: The domain of the sender’s JID reveals which XMPP server the sender is connected to.
• Recipient’s Server: The domain of the recipient’s JID reveals which XMPP server the message is being routed to.
• Timestamp of Message Transmission: Servers record when a message was sent, which can be used to infer activity patterns.
• Approximate Message Size: While the exact content is encrypted, the size of the encrypted stanza can still be observed. This can sometimes give clues about the type of content (e.g., a small text message - versus a larger file transfer).
• Message Type (e.g., chat, group chat, presence, IQ): XMPP uses different stanza types for various purposes. Even with E2EE, the type of stanza (e.g., a “message” stanza vs. a “presence” stanza) is visible.
• Participation in Group Chats: If a user is part of a Multi-User Chat (MUC), the MUC service and the user’s participation in it are known to the MUC server and potentially other participants’ servers.
• Presence Information: XMPP inherently broadcasts presence (online/offline status, “away” messages, etc.) to contacts. This reveals when a user is active.
• Contact List (Roster) Information: While not “leaked” during every message, the XMPP server hosts and manages the user’s contact list, meaning the server knows who a user is communicating with.
• Device Information (Resource): As mentioned, the /resource part of the JID can reveal the type of client or device being used.

I find it strange that Signal somehow doesn’t know when a message was sent

Signal uses Sealed Sender (wired.com). Imagine if letters you sent didn’t require a “from” field - or it was inside the envelope and impossible for anyone to see it. The post office would only know who its going to and only the recipient can decrypt it (open the letter) to see who sent it. Now, you could say, well they have your IP and can correlate it to the account, but the easy way around this is to either use a VPN or Signal proxy (support.signal.org) if you’re that paranoid.

how would they ever make this possible?

Read more about it here: Technology preview: Sealed sender for Signal (signal.org)

How about most e-mail providers? Not Google and Microsoft of course, but most e-mail providers only need a name which can be made up as well

Most email providers suffer similar metadata leaks as XMPP because:

• 1. Email was created in the 70’s and we’ve learned a lot since then about privacy and security.
• 2. XMPP works off a similar concept where you inherently pass data along to another server.

You could host your own email, XMPP, or Matrix server - that’s definitely a win for privacy. But as soon as you interact with someone outside your ecosystem (server), metadata leakage is an issue again. It’s why making end-to-end encrypted email is a hard problem to solve. It’s not that it can’t be secure, its that it has to work with those that aren’t because that’s the expectation.

… host your own email server, then you are in control

Until you interact with others who aren’t using encryption or have it misconfigured.

Removed by mod

Removed by mod

Removed by mod

Removed by mod

Removed by mod

Removed by mod

devil’s avocado: this move has saved many people’s cherished photos from disappearing by having them auto save. before Google photos I’d run into cases (I used to do home IT support) where people had years of family photos disappear because they didn’t back them up properly. Having to communicate what happened was never fun.

is Google photos perfect? No, but it’s a great solution for people who don’t want to manage their data.

fully aware! just don’t care much since its so cheap ($270 for 20 TB!) and my last externals (two 10 TBs) served without issue for ~5 years. Just gotta make sure you have backups and upgrade every few years.

I can see why you’d draw those comparisons to “spontaneous generation” or “God of the Gaps” – it’s a common misconception when people first encounter the idea of emergence. However, that’s not quite what Emergentism, especially in the context of consciousness, is suggesting.

The key difference is that emergent properties aren’t truely “spontaneous” or without a basis in the underlying components. Instead, they arise from complex interactions between those components, often in ways that are not easily predictable from studying the individual parts alone.

Think of it like this:

• Water’s wetness: A single H2O molecule isn’t wet. Wetness emerges from the collective behavior and interactions of many water molecules. We don’t say wetness is “spontaneous generation” of a property, but rather a property of the system.
• A hurricane: A hurricane is a complex, self-organizing system with emergent properties like its destructive power and eye. These properties aren’t found in individual air molecules or even small air currents; they emerge from the large-scale interactions of atmospheric conditions.

In the context of consciousness, an emergentist perspective suggests that consciousness isn’t located in a single neuron or even a small group of neurons, but rather emerges from the intricate network activity and complex interactions of billions of neurons in the brain. It’s not about throwing our hands up and saying ‘it just happens.’ It’s about recognizing that complexity can give rise to novel properties that aren’t reducible to the sum of their parts.

The challenge isn’t a lack of evidence that something is happening (we clearly observe consciousness), but rather the difficulty in fully understanding and mapping the incredibly complex mechanisms that lead to this emergent phenomenon. It’s an active area of research, and while we don’t have all the answers, it’s a far cry from “God of the Gaps” because it proposes a naturalistic, albeit complex, explanation rather than invoking something supernatural.

While theories like Orch-OR offer a different approach, many neuroscientists find the emergentist framework more consistent with how complex systems behave in other areas of science.

I’ve been running my server on an old laptop and a 20TB external hard drive connected via USB. it’s not fast, there’s a multi-second delay when the drive goes to “sleep” if nobody has used jellyfin in a while, which makes it appear to not work, but once it spins up it works like normal. this has let me keep things simple and cheap. I back up to another 20TB hard drive, which I recently bought as I could finally afford it. beefy hardware is great but not necessary, if you’re okay with some limits.

Americans have the right to bear arms just as much as they have the right to shout fire in a crowded theatre — it’s a right that can be regulated and both already are, one needs more regulation, but people don’t seem to understand.

is this not domestic terrorism?

asked this somewhere else, but does anyone know how it compares to Cryptpad which is also developed in France, open source, self hostable, collaborative, and end-to-end encrypted?

XMPP is more comparable to Signal, yes.

XMPP allows unencrypted messages and leaks metadata - Signal does neither.

Signal does need (yes, need) a phone number, and most people only have one so that is identifiable info.

Signal is basically a privacy enhanced text/SMS/phone replacement. I can give my phone to someone in person and they can immediately start “texting” me on Signal - this is a feature (as well as a con to some people).

This puts it at mostly the same level as some competitors, including WhatsApp which is often advised against.

People advise against Whatsapp because while it uses Signal to encrypt message contents, they take no effort to minimize the collection of metadata - Signal’s been compelled by court to present all data it has on its users various times and the only info they have is the day/time you signed up for their services and the last day (not time) one of your clients pinged their servers - Source: https://signal.org/bigbrother/

I have yet to find any other free service that collects this little information and works just as well as a normal non-encrypted messenger. Even Signals sticker packs are end-to-end encrypted - Source: https://signal.org/blog/make-privacy-stick/

While Signal’s home base is the US, they are a non profit org that doesn’t operate in the same way as for-profit corporations. Also, Signal collects basically zero data so there’s no incentive to sell out, and who would want to buy them anyway when they have no data and the server and client are open source.

Matrix is great, but I wouldn’t compare it to Signal. I use both for very different purposes.