That's a logical choice. If you ever get in trouble there, you'll find that unlike in Germany, there won't be any bureaucracy or red tape at all. They'll deal with you very... efficiently.
OnePlus' OTA update soft-bricked my OnePlus 5 on Christmas Eve, so I got a really bad taste in my mouth for their software.
And with the hardware not being budget anymore, I figured I might as well buy an iPhone, since the price is basically at iPhone-levels now anyways. When I bought my OnePlus One, it was basically a flagship device for around 350€. Back then the iPhone 6 was starting at like 699/799€?
Too bad you need external tools anda lot of boilerplate that you must remember to enforce to achieve this, because it's an after thought and not a language feature.
And there's 7-8 different annotations to mark nullability, all slightly different in some detail.
Sure, language-support would be better indeed, but in practice the often encountered annotations are supported by every tool, and the only relevant setting is whether everything is nullable by default or nothing is.
It's still not enforced by the language itself, so nothing stops a third party library (that you have to integrate) from not using the annotations, and then the unknown nullability exerts a domino effect on your own code, "infecting" it with uncertainty.
TBF that is true for the Java-Kotlin boundary as well. You can use values coming from Java (like results from Android platform calls) as non-nullable if you wish, and it will blow up at runtime. The linter will catch those cases, but it's definitely less than ideal.
Bytecode analysis is pretty trivial. I'm not sure if modern tools do it, but figuring out whether that specific bytecode accepts null values or throws NPE with it is not hard (unless bytecode is available in runtime-only and compile-time dependencies contain only interfaces, but that model seems outdated).
It's not worse, aside from chats being unencrypted by default.
I've had suggestions on Instagram of people who I never got in touch with, only because my wife, who has no FB account, is in the same WhatsApp group as these people. They mixed in a bunch of other "you may know" people to make it less obvious, but when comparing her groupchat and my suggestions, it's clear they made links via IPs and phone numbers. At least Telegram isn't big enough (not yet, anyway) to cross correlate data to ID users like that to create such privacy concerns. FB? No, thanks.
Chats are encrypted. The question who can decrypt them by default.
It is a trade-off between security and usability. By default, you get usability (e.g., you can chat across devices easily). But you think it is worth the cost, you can make encryption keys unavailable without corresponding devices (create secret chat).
My guess, most telegram users prefer usability or don't care/ignorant. It would be a mistake to make the experience worse (that people would notice ignorant or not).
It is false that chats are "unencrypted" (I know, it is repeated on every submission about Telegram here but it does not make it true whatever Goebbels said). Here's a quote from the FAQ: "The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data." https://telegram.org/faq#q-do-you-process-data-requests
That is only true for the End 2 End encrypted chats, which are a separate and not very user friendly thing. Regular chats and group chats/channels are by design unencrypted.
Then it is not correct. A security analysis of Telegram has raised doubts about their e2e before. They have (had?) a blogpost up where they pontificate about how it not necessary and would put a burden on their channel feature anyway.
The security analyses I am aware of target MTProto 1 which is not MTProto 2 used for quite a number of years now. MTProto 2 uses standard security primitives.
You cannot say "it is not correct" without proof. We know all messages not just E2EE are wrapped in encryption on their way out a Telegram client and we know they are decrypted on their way in because client source code is available.
Why don't you have a look for yourself then let us know if you've confirmed your suppositions?
> There simply isn't any encryption besides SSL for all the rest, which at one point they were boasting is the cause for their generally excellent performance (no distribution of keys etc). They didn't change that unless they ware uncharacteristically quiet about such a major new feature. It would run counter to their motivation for not doing it in that earlier blogpost. It also doesn't make sense to then have MTproto in parallel especially since they apparently solved key exchange and so on.
At this point you are just willfully throwing around misinformation. A number of commenters have tried to point you directly to the docs to which you've just said, "it's wrong".
> talking about MTproto, which is only used for their e2e chats.
This is also misinformation. [1] Please stop.
I only flag as an absolute last resort here on HN but you are actively harming discourse at this point.
To me a chat app not reading my messages is way more important than a chat app will not use my phone number for advertisement. Ideally I'd have both, but given a choice, the first one is way way more horrific than the other.
Though, for some cases Telegram is definately better, Groups, work related chats don't really need to be private as much and that's where telegram really shines for me. Specially since I can use it without giving my phone number away.
> is way more important than a chat app will not use my phone number for advertisement.
My profile being shown on a different platform to people that I might be close to (co-workers, in-laws, friends of friends) but I'm not interested in having on social media is pretty damn concerning, regardless of ads.
Both are equally bad, for different reasons. As a user, one might be more worried of having their identity tied to their Facebook account (and therefore advertising/tracking), than about their government spying on them.
Having worked with people in totalitarian countries, it's surprising how much protesting people can do in plain sight. Until the regime decides they went too far, and it won't matter what proofs or chats they have on their devices, they'll just randomly arrest a bunch of people and release them after a week of horrible prison conditions. It's usually good enough to scare everyone.
I use Signal 95% of the time, but I understand the appeal of Telegram. The UX is better, it allows pseudonyms, has huge communities in group chats. In a sense, it feels more private than Signal because of the pseudonyms. And for people in non-Western countries, well, Telegram might seem like the only option.
signal and telegram are a no brainer when it comes to totalitarian regimes. i live in Kashmir which has historically and continues to hunt down dissidents with agility. i cannot imagine being tied to my "mobile number" when the government has that data by law, tying a telegram/signal account to it is a gone case by that point.
people who go with signal call it "better whatsapp without facebook tracking" but just like telegram, its Achilles heel is mobile number requirement. matrix has that from the start so its better in that respect. sure, matrix does not have "social graph" out of the box but in a "totalitarian regime", that is precisely what you want.
besides, you can set up your own matrix server, something whatsapp/telegram/signal simply cannot do so its 100% more secure in that sense
Synapse is still one of the worst installation processes[1] I've gone through. I'm extremely comfortable with Ansible and Docker but their install process sucks if you aren't exposing your Matrix instance to the world and don't have a domain pointing at it. On top of that, there are so many moving pieces to it if you want to bridge it to other services.
I got it all installed but ended up dumping it because I felt the complexity wasn't worth it. There are so many moving pieces imo.
Are there alternatives to Synapse for homeserver software? Or is there a less complex deployment method for a homeserver and bridges that I am not aware of?
Oh cool, I had never heard of YunoHost before this.
After my comment, I decided to give Matrix a try again and setup a fresh Arch Linux VPS for it. I didn't run into any snags but it took quite some time to get everything configured. It probably took me a solid 2 hours just to get everything up and running (Synapse + bridges for iMessage, Signal, Discord and IRC).
Not many applications I self host require as much setup as Synapse!
Thanks for giving it another go. Setting up Synapse itself should be super easy though - it’s just an https listener pointed at by an srv record or .well-known uri. We don’t need weird certificates or reverse proxy contortions these days (since Matrix left beta in 2019); it really should be a few minutes max to do it from git or pip, or a few seconds via apt or similar.
Now, setting up a bunch of bridges is indeed harder, but they are deliberately entirely separate apps, each with their own foibles. But just like you wouldn’t blame Apache httpd for some fiddly 3rd party Apache module, I wouldn’t blame Synapse for the complexities of running bridges.
Good perspective -- you are completely right, my perspective was totally off. Part of that reason is probably my only reason for using Matrix is for the bridging as I don't have friends or family who actually use Matrix, unfortunately, so I pretty much just use it for myself to bridge to other messengers.
But again, I appreciate you putting that into perspective. Synapse by itself really isn't too bad. But for it to be actually useful for myself takes a lot of work.
hey... glad you did that... i have been a matrix user for a few years but i have only heard about "bridges" but never really understood it. does a discord bridge mean i give my login/oath to matrix bridge from my discord and i can access those contacts in matrix without having 2 apps? that is my general assumption.
what about whatsapp for example? do i have to have an existing whatsapp account which constantly remains online and interacts on behalf of my matrix?
Bridges allow you to use other external accounts through your Matrix Homeserver. So with the Discord Puppet Bridge[1] I am using I can log into my Discord account from Matrix and handle all my Discord DMs and group chats using a Matrix client. So yes, bridges allow you to use Matrix for all your other chat applications.
The general workflow is after you install bridges that you configure your bridge to your existing account on the other platform. So for Signal, you open a chat with the Signal Bridge bot and issue a command to link to your account and then it walks through that process. Once the bridge is configured with your external account any new DMs and group chats from those external accounts will show up as DMs in Matrix.
Wait for evangelists to come and say that it's simply out of their threat model for Signal, it's actually just no-Facebook Whatsapp with Mobilecoin, you're a 0.0001% privacy geek whose needs are totally irrelevant to 99% of the actual userbase whose requirements are stories and, surprisingly, usernames which are coming the next day, pinky promise! That's what always is being heard in response to unorthodox requests wrt Signal development, chinese users case shining there especially so. But yeah, some people gotta bring some bread to their tables and other to get memed into "use Signal, use TOR".
I think the bigger question is anti-spam in anonymous chatrooms, even with the mobile phone requirements spammers (in particular from Nigeria, why does this country have so many scammers in particular?) are everywhere and spamming all the time, I'm in 5 or so groups and every day 2-3 spam messages have to be deleted. There are millions of fake channels and I wouldn't be surprised if up to or over 10% of telegrams messages sent are spam/scams.
What does matrix do to prevent the tidal wave of spam hitting it?
I would say it's the same question as "what does IRC do?" as the general design is the same - maybe a bit more friction signing up with Matrix than IRC but at the end of the road they operate on the same trust model. The Matrix team blogged about a spambot attack last year on this very question: https://matrix.org/blog/2021/06/30/security-update-synapse-1...
Side comment: because my mobile number was leaked (breached) by T-Mobile which included my name, I get way, way way more spam via it than anything else. Lots of political spam, 95% or greater from the right/repub end of the spectrum.
Edit, side comment #2: I ported my secondary Google Voice number out to Tello (a low cost MVNO in the US) with a SIM in a spare phone, and all the spam I was getting every day to that number simply stopped instantly. I'm a little amazed to be honest, it's very interesting.
Ah sorry that's a spambot attack, the spam on telegram is 99% Indian/Nigerian origin of people literally just signing up to go into group channels and spam whatsapp channels/msg me for how to make riches/join this trading signals channel you'll make millions.
the more public group that i am in, i leave "mentions and keywords only" notifications on so it does not bother me with every buzz. that way, only groups that i know are "relevant" can notify me, these groups i can browse later when i get the time
i am member of a group, public, 876 users as of right now, another openstreetmap india group and that one has 1350.
only the osm-in has some sort of "spam" where i see occasional crap thrown on but that gets flagged and removed quickly.
i don't know about telegram but my matrix account(s) are pretty public but i have basically never gotten a stray spam. as i said, one group has a "couple of spam messages occasionally" but i can "report" the user and check tickbox
"Ignore user
Check if you want to hide all current and future messages from this user." which should be good.
that is what i wrote. matrix does not by design force users to submit a mobile number while everyone else does because they want to use that for social graph, etc etc.
Telegram has a great thing working in its favor: it is mostly free of censorship, particularly of the kind that reacts to Western do-gooder sensibilities. I have learnt more about the Ukraine war from Telegram channels (Gruz 200, Truha, some local ones) than from all of the Western press combined. Analysts like Bellingcat, CIT and ISW keep citing Telegram channels as sources. Both DNR/LNR "separatists" and Ukrainian regular and irregular fighters are putting out a lot of unfiltered info on TG.
The idea that Telegram is in any way safer than the other platforms, I really don't see much to speak for it.
It's similar to ProtonMail: you get it as a backup in case you get locked out of your googlemail; you don't get it to conspire.
Twitter and Youtube are a censorship minefield as it comes to war footage. Russian trolls have been known to mass-report pro-Ukrainian accounts for posting "NSFL" material (and much of the interesting material from the front is NSFL). If you are famous and know the right people in the West, you can get unbanned through your connections, but this is a lot harder for the local sources.
For people looking for privacy: Briar is where it's at. A bit clunky UI (e.g. inviting someone isn't easy) but otherwise really well built client, and top notch network protocol and cryptographic features.
I want to like Briar and Cwtch but neither of them have iOS clients which really breaks the whole friendly to people who use other platforms covenant. If a client doesn't have apps for both of the big mobile platforms I'd say it's very unfriendly because you by omission are creating exclusionary silos.
There's Session, which is iOS and Android friendly and doesn't burn down your battery as messages are privately routed through zero-knowledge nodes: https://getsession.org
I hate to say it, but if the product/service name immediately evokes a "how do I pronounce this" feel, and actually has an entry in the FAQ about it, its facing an uphill battle with mass adoption.
