GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Rich Felker (dalias@hachyderm.io)'s status on Thursday, 05-Jun-2025 21:12:08 JST

    Folks have taken exception in the past with my claim that SimpleX is "run by nazis".

    I base that on the fact that it presents popular/recommended "rooms" as part of the UX, and a bunch of those are nazi shit.

    No, "that's just algorithmic outside their control" is not an excuse. If you're publishing an app and find it in any way promoting nazi shit, especially to someone who didn't actually seek that out, and you're not a nazi, that's a maximum-priority bug to be fixed. By removing the recommendations entirely if nothing else.

    If you're ok with it being there, you're fucking nazis.

    SimpleX is fucking nazis.

    In conversation about 9 months ago from hachyderm.io permalink

    • Haelwenn /элвэн/ :triskell: likes this.
    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 05-Jun-2025 21:18:40 JST
      in reply to

      Hot take: A privacy-conscious messenger does not try to onboard users into "popular rooms". That's how you get popped by state authorities. By getting introduced to people who supposedly share your values, but with no one you know having vetted them and no actual basis for trusting them.

      At best it's engagement farming shit from a wannabe Telegram.

      More likely it's an op by feds.

      In conversation about 9 months ago permalink

    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 05-Jun-2025 22:30:46 JST
      in reply to
      • triskelion

      @triskelion LOL not surprising.

      I just bring this up again and again because I see it (SimpleX) and other similar shit promoted way too often on fedi. Contrarian edgelord brainworms kinda thrive here and we need to be calling that shit out before it takes hold. Nazi bar theory.

      In conversation about 9 months ago permalink
    • triskelion (triskelion@fosstodon.org)'s status on Thursday, 05-Jun-2025 22:30:47 JST
      in reply to

      @dalias I recently came to know that the app is freemium, but I haven't been able to confirm it myself, and I don't care about it. Anyway, there are several red flags suggesting that the platform will eventually enshittify :P

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Friday, 06-Jun-2025 06:58:12 JST
      in reply to
      • Altair

      @Altair You have multiple other legitimate cryptographic marvels you could be using to protect yourselves. VeilidChat and Cwtch are the two strongest. Signal is still far better than SimpleX in all ways that actually matter, but if you're opposed to it, use one of the two that's actually legit.

      SimpleX is a fucking honeypot run by nazis. Eventually the client is going to ship malware. If it isn't already. It's going to have intentional "bugs" that compromise your privacy.

      There is utterly no reason to defend using it as self-preservation.

      In conversation about 9 months ago permalink
    • Altair (altair@raru.re)'s status on Friday, 06-Jun-2025 06:58:14 JST
      in reply to

      @dalias This discussion is taking the focus off of where it belongs: keeping our own safe. 🏳️‍🌈 🏳️‍⚧️ 🏴 ☂️ At the end of the day, what matters is queer survival, and at this stage we essentially have a cold war declared on us. We can't afford to be getting distracted with trivialities like the politics of the being who created what we use to protect ourselves; yes, Evgeny is clearly against us, but the security of our communications is just as important to us as it is to them. SimpleX is a free app, using it for free doesn't support bigots or bigotry to any degree more than increasing its popularity — as long as that minuscule boost is outweighed by queer lives protected, that seems like winning to me. :blobcatThinkingSunglass:

      And as for the argument that we should use something else instead… the E2EE messenger space has precious few viable options. 🗣️ Matrix leaks metadata of exactly the kind governments are using to identify and track queer beings, 💧🪣 Session is essentially just SimpleX with weaker encryption and less reliable message delivery, and except for Signal, others are effectively non-viable for various reasons (though the most egregious in my opinion is that some are _proprietary software_, which I would have _hoped_ that everyone would understand is inherently untrustworthy).

      Signal is possibly the only real solid alternative, but Signal is still not viable for everyone, the worst issue being its dependency on phone numbers and phones. Some users' phones or phone number usage are too closely monitored, some can't afford them, some (quite reasonably) don't trust them, and there are probably other valid reasons too. Regardless, Signal's obstinacy on the phone requirement issue seems unshaken, which means that a decent number of users who need protection of the kind it offers **simply can't use it**.

      If you have a problem with Evgeny's politics or what SimpleX's algorithms are promoting, by all means, address that issue in its appropriate context — call them out, aim to prevent his company from actually making money, etc. 💸 If you're aware of a _concrete_ vulnerability in SimpleX that puts its users in danger, by all means, raise the alarm. 🚨 📣 But if a tool can be used to further our survival and eventual liberation, better than other available tools in our own situations, then it should be used. 🔧 Icky feelings about it are a luxury we can't afford when the global right is ramping up towards genocide. ⚠️ Simple as.

      English isn't my first language, but I hope what I wrote sounds firm but respectful. :blobcatHeartHug:

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Friday, 06-Jun-2025 07:57:29 JST
      in reply to
      • Altair

      @Altair SimpleX is not even an option. It's in the class of "fake secure messengers that give gullible people a false sense of privacy".

      In conversation about 9 months ago permalink
    • Altair (altair@raru.re)'s status on Friday, 06-Jun-2025 07:57:30 JST
      in reply to

      @dalias VeilidChat is a _proof of concept_, categorically _not_ real competition at this point.
      Cwtch is good to a degree, and probably the best option for highly specific use cases, but in addition to the fact that it isn't available for iOS users (and while you can say users who care about privacy shouldn't be using iOS and be correct, we're talking about actually protecting beings as they exist here, not what they _should_ be doing — especially if that then leads to "well, buy a new phone then", which would be an incredibly privileged take), the Android version is buggy to the point of unusability, and it always has the pure P2P messenger issue of requiring both contacts to be online simultaneously to function.

      Add that all up, and you get something that is _not_ going to attain wider adoption, nor be practically usable for a majority of possible users. If you argue that VeilidChat, Cwtch, and Signal are the options, well, that's down to just Signal now, and I already explained why that isn't always usable at all.

      The concern about the trustworthiness of SimpleX's codebase is valid, and their code releases should be watched very closely for compromising updates, but saying that an open-source program _is_ unsafe without citation of any specific issues comes across as scaremongering. In particular, I note that throughout the history of the internet, wholly unsubstantiated accusations that such-and-such is a "honeypot" have been _widely_ used to scare users away from secure software so the government can continue monitoring them without issue. I'm not saying that you, in particular, are a fed, but what I am saying is that _that kind of thinking_ is exactly what they promoted and what they want.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Friday, 06-Jun-2025 20:04:19 JST
      in reply to
      • zeh
      • Altair

      @zeh @Altair If it were actually good you should already have forked it. But it's not. They just have a good propaganda team. The claims would be good if true, but they botched way too much stuff and you can't take them at face value.

      In conversation about 9 months ago permalink
    • zeh (zeh@mstdn.io)'s status on Friday, 06-Jun-2025 20:04:20 JST
      in reply to
      • Altair

      @dalias @Altair
      No it's not. Decentralized, FOSS, security model includes metadata by avoiding getting it and protecting it. It was audited by Trail of Bits, well respected. That is just not true.

      And I'm very worried about the Nazis around it. We should be ready to fork it.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Friday, 06-Jun-2025 21:26:52 JST
      in reply to
      • zeh

      @zeh It's not a matter of whether code does a thing, but whether thing gives the privacy and security properties they claim it does. Experts who've looked seem to say it doesn't. I'm not giving nazis a free (or even paid) audit so I have no further technical details to offer here. If you're committed to a sinking ship led by nazis, I can't fix that.

      In conversation about 9 months ago permalink
    • zeh (zeh@mstdn.io)'s status on Friday, 06-Jun-2025 21:26:53 JST
      in reply to
      • Altair

      @dalias @Altair
      What face value? The code is there, you can and people did verify.
      You're doing hypothetical arguing now.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Saturday, 07-Jun-2025 01:50:54 JST
      in reply to
      • zeh
      • Altair

      @Altair @zeh I am not here to do technical research for a nazi team to convince people who demand technical arguments to dismiss the idea of trusting nazis not to have fucked up (intentionally or by incompetence that comes with being nazis) making a high stakes cryptographic product that will put in danger people targeted by nazis if anything is wrong with it.

      If you are demeaning technical teardown when there are already abundant human reasons not to step anywhere near SimpleX, that's a you problem I can't fix. And it makes me seriously distrust you as someone I'd want to interact with.

      In conversation about 9 months ago permalink
    • Altair (altair@raru.re)'s status on Saturday, 07-Jun-2025 01:50:56 JST
      in reply to
      • zeh

      @dalias @zeh "Experts who've looked seem to say it doesn't."
      You're going to have to be more specific. While I acknowledge that the Trail of Bits audit isn't terribly relevant at this point since it was so long ago, and I am aware of some well-founded criticisms of SimpleX as a technology, such as their use of client-side moderation (is this really worse than the server-side moderation most services use?), or the protection provided by their IP-hiding system being overstated (so use a VPN or Tor like with everything else), I have yet to be aware of any serious issues that aren't trivially mitigated or present in competitors also. Frankly, if you're aware of serious and relevant issues, you should have _led_ with citing them, as it would have made your message much more effective — which makes the fact that you _aren't_ being specific indicative that you don't actually have any specifics to give.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Saturday, 07-Jun-2025 01:55:42 JST
      in reply to
      • zeh
      • Altair

      @Altair @zeh If I'm not mistaken, folks more familiar with the technical details have written about some of that and linked it from various crossed threads (either mine or one of the others I replied into or boosted) over the past few days.

      I'm not going to go trying to dig up and evaluate all of those, because I have something of a personal rule not to spend my efforts reviewing what's wrong with tech products by bad people in ways that could lead to improving them.

      In conversation about 9 months ago permalink
    • Alexandre Oliva (lxo@snac.lx.oliva.nom.br)'s status on Saturday, 07-Jun-2025 01:59:30 JST
      in reply to
      • Altair
      You should really give GNU Jami a chance. https://jami.net/

      It's Free (as in Freedom) Software, E2EE, P2P, no servers, no intermediaries, messages get to the intended recipient accounts only, works on mobile and desktop.

      CC: @dalias@hachyderm.io
      In conversation about 9 months ago permalink

    • Rich Felker (dalias@hachyderm.io)'s status on Saturday, 07-Jun-2025 01:59:42 JST
      in reply to
      • Altair

      @Altair 🤡

      In conversation about 9 months ago permalink
    • Altair (altair@raru.re)'s status on Saturday, 07-Jun-2025 01:59:43 JST
      in reply to
      • zeh

      @dalias @zeh A shame, because if the threat you're trying to give warning of is actually as serious as you say, then it would really help you make an effective case against them and do a lot more damage to their prospects. But, as it is, you're just using the word "Nazi" like a magic spell you think will make you correct. I'm 100% against Nazis, Evgeny included, but the fact remains that _technology_ doesn't have any inherent political affiliation, and if we refuse to use an effective tool solely because of where it came from, we're only ensuring our enemies will be better equipped than us.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Saturday, 07-Jun-2025 02:12:51 JST
      in reply to
      • Altair

      @Altair Sorry for being terse, but I don't really have any other response than that to the premise that the nazi darknet bros have some amazing new technology you're going to be missing out on if you don't use SimpleX.

      That's just not remotely founded in reality.

      Fake secure private messengers from sketchy people are dime-a-dozen.

      I'm sorry you've been bedazzled by their marketing.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 11-Jun-2025 00:08:34 JST
      in reply to
      • Pirate Praveen

      @praveen Why would you want to?

      You use and potentially fork Firefox because it's currently the only non-Chrome option in its domain, and because it's going to take very large amounts of time, money, and effort to build a complete replacement.

      None of this applies to SimpleX. There's no big asset there. It was not some astronomical effort to build. You don't need it for interoperability with the existing web. It's an over-hyped piece of garbage designed to make money and influence for nazis who built it. It does not solve any problem anyone has.

      In conversation about 9 months ago permalink
    • Pirate Praveen (praveen@social.masto.host)'s status on Wednesday, 11-Jun-2025 00:08:37 JST
      in reply to

      @dalias I know that would be an easier response. But the easy option is not necessarily the best option always. It is not really the first time a Free Software has done something shitty. But Free Software does give us more options than a binary take it or leave it. Take the recent example of Mozilla coming up with shitty ToS changes. We have LibreWolf and many other forks that do not have these issues. We still can fork or implement Simplex Chat clients without such shitty features.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 12-Jun-2025 11:16:43 JST
      in reply to
      • Pirate Praveen

      @praveen Even if SimpleX had useful privacy characteristics, folks need to realize that getting people onto the platform is immensely harmful to their safety.

      You're getting them to install a mobile app that a known-bad-actor can publish updates for at any time. Updates that may compromise the privacy of their past or future conversations, add trackers that compromise their identity and location, or try to dupe them into doing things against their interests.

      I don't buy the technical claims to begin with, but if you do, get them verified by someone willing to do that (who's not paid by SimpleX) and fork *now* not later. Or better yet, don't fork but use whatever concepts make sense (I suspect it will turn out to be very few) in a completely new implementation. It's not like they've built something giant and elaborate that's hard to replicate.

      In conversation about 9 months ago permalink
    • Pirate Praveen (praveen@social.masto.host)'s status on Thursday, 12-Jun-2025 11:16:47 JST
      in reply to

      @dalias For example, see this answer: https://fosstodon.org/@cwtch/114660341630424163

      No other app correctly balances server and peer to peer (no metadata on server) yet. More clients could do that in future for sure, but right now Simplex Chat has a unique proposition and I don't want to give up on that value because I disagree with its founder. Being Free Software means we have more options than a simple boycott when a project we care about does things we don't agree with.

      In conversation about 9 months ago permalink

      Attachments

      1. Cwtch (@cwtch@fosstodon.org)
        from Cwtch
        @praveen@social.masto.host @rysiek@mstdn.social For strict peer-to-peer connections both parties need to be online. The legacy group protocol allows offline-delivery using an explicitly untrusted (but cryptographically inefficient) service: https://docs.cwtch.im/security/components/cwtch/groups The newer managed groups are currently in beta, and allow the setup of trusted-groups i.e. allowing a member to run a server-bot which acts as a peer (so only the bot needs to be online for offline delivery to work): https://docs.cwtch.im/security/components/cwtch/hybrid-groups
    • Pirate Praveen (praveen@social.masto.host)'s status on Thursday, 12-Jun-2025 11:16:55 JST
      in reply to

      @dalias I think you are just letting your emotions / hatred cloud your judgement here. I don't disagree with your political opposition to the views of Simplex Chat. I agree with you fully those views should be opposed. But I disagree about the value of Simplex Chat technology. Every other peer to peer option out there loses out on reliability, or the reliable component is hard to set up. They might eventually mature in time, but right now I don't see another one that can reliably send offline messages.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 12-Jun-2025 20:24:50 JST
      in reply to
      • Prav App
      • Pirate Praveen

      @praveen @prav Ugh this is so frustrating.

      YOU might choose to get SimpleX from fdroid, but if you're promoting it, 99.999% of Android users you convince to use it are going to get it from Play store.

      Even on fdroid tho, Android data permission model is tied to signing key that ships the app.

      Without extreme expertise, you can't get your data out of the app and switch to a fork later.

      In conversation about 9 months ago permalink
    • Pirate Praveen (praveen@social.masto.host)'s status on Thursday, 12-Jun-2025 20:24:53 JST
      in reply to
      • Prav App

      @dalias There are general defences against such moves, like using fdroid, which builds from source independently. I don't think they can hide such moves easily and that is a big deterrent in itself for trying something like you suggest. This is part of the advantages Free Software provides - we don't have to blindly trust anyone.

      I hope to take those ideas to @prav so we can avoid collecting metadata. But this will take time. A fork or other implementations will also take time.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Thursday, 12-Jun-2025 20:26:18 JST
      in reply to
      • Pirate Praveen

      @praveen No they have not. That was a paid review whose results were misrepresented by SimpleX.

      In conversation about 9 months ago permalink
    • Pirate Praveen (praveen@social.masto.host)'s status on Thursday, 12-Jun-2025 20:26:22 JST
      in reply to

      @dalias The technical claims can be verified independently. Many of those are built on other commonly understood building blocks - not totally out of the blue. The brilliance is the exact combination they chose.

      https://simplex.chat/blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.html

      The people who do auditing have to maintain their reputation. Are you saying this specific company who audited Simplex Chat is unreliable? Now you are going too far, if we can't even trust independent audits.

      In conversation about 9 months ago permalink
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 17-Jun-2025 05:01:47 JST
      in reply to
      • Divya Ranjan :hilbert:

      @divyaranjan Um, the evidence has piled up extensively since then. If you haven't seen it you're either oblivious, purposefully not paying attention, or just lying to simp for SimpleX.

      The lead dev is on the record spewing vile transphobia (yes this is fundamentally nazi) on birdchan. I'm not going to do your homework for you. Go look.

      In conversation about 9 months ago permalink
    • Divya Ranjan :hilbert: (divyaranjan@mathstodon.xyz)'s status on Tuesday, 17-Jun-2025 05:01:48 JST
      in reply to

      @dalias I think these are baseless claims. I've been using SimpleX for over a year, and I've engaged with the devs every now and then, they are anything but Nazis.

      In conversation about 9 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.