Isn't XMPP the base of all major chat services?
I used my own client (Psi+) for a while with Facebook chat but since I no longer use Facebook I don't know if that still works. Too bad none of them support federation any longer.
Google Talk/Hangouts still uses XMPP and I use that right now.
At least 8 banks in my city use XMPP for internal chats since 2005 at least. Cisco has an xmpp product. Oracle uses xmpp for internal chat communications (i know it because their employees contacted us many times, and we slightly modified our xmpp client so that could connect to it without problems). Fortnite, eve online based their chats on xmpp, WhatsApp runs on a modified XMPP. Quite enough serious organisations, no?
The argument structure of this post comes off as disingenuous. You can't make detailed statements and then hand wave the issues away as FUD. If you make a claim, you need to stand behind it and be prepared to defend your statements.
Rewatching Silicon Valley and the scene where Erlich hijacks Gavin's discussion with some reporters comes to mind.
"Was I brutally assaulted? Yes. Did Gavin Belson have anything to do with it? Unclear. (...) This and all other Gavin Belson rumors are unsubstantiated: the alcoholism, the sexual impropriety at work, the impending crash of Hooli stock."
Calling it FUD while repeating it doesn't nullify the effect it has on the listener.
Information like this is depressing. I feel like privacy and FOSS advocacy is becoming a losing battle. Never before has humanity lived in a time where governments and corporation have such extensive surveillance capabilities.
I had no idea Matrix was created by an Israeli intelligence agency.
It's a spinoff of a company that at the time basically did accounting software for cinemas then went on an acquisition spree because they had more money than they knew how to use.
>XMPP and many other technologies were already there
This is so obviously far from the truth. XMPP is lacking in so many different features that Matrix has.
>Matrix is not a community-based software, it was born [00] in Amdocs [01], a multinational corporation founded in Israel.
>On the Internet we find many pieces information connecting Amdocs with Israel’s Intelligence]
Ah here comes the "its the jews" argument
One thing I never understood. I can run a chat server hosted on the computer next to me. It is e2e encrypted. I can use any number of clients or servers, some developed by New Vector, some not. I can easily send images, text, voice, etc. I can bridge it to dozens of other services. I can federate if I choose to, with other servers. Or, I can not federate if I decide not to.
What the heck is insecure about that? Other than vague promises that the Jews have my data?
Did I simply miss the crux of this entire article?
Who cares about Matrix.org? Seriously. It's a technology. That's one implementation of the technology. It's not mine, though. That's what makes Matrix special. Did people harp on XMPP for Google collecting data over it?
I don't particularly care about that part. It could just as well be any intelligence agency. It doesn't really matter which.
This is the piece I find interesting:
> We do not recommend Matrix because we find unacceptable that a software widely hyped as decentralized is released sending a scandalous collection of private data to their central servers, even if you run your own instance.
If we are bashing "agencies", let's have a look at those tiny little projects like, SeLinux for instance. Or any other from this site https://code.nsa.gov/
> One thing I never understood. I can run a chat server hosted on the computer next to me. It is e2e encrypted.
> What the heck is insecure about that? Other than vague promises that the Jews have my data?
I mean, if it's connected to any intelligence (I'm not saying it is, nor do I know anything about Matrix's history), it being secure may just be a facade.
Funny thing, there are lots of contributors to matrix stack (protocol, sever, etc) and only some part of them are New Vector employees, because it's open source. Again, you can check that yourself in matrix repos
Sure, but open source doesn't mean it's free from bugs, unintended or intended, and if any intelligence is behind it (again, I don't know enough about this, so I'm not saying it is), then you can bet that there are some intended bugs in there that will allow said intelligence to at least listen in.
Government actors are not really interested in what you write (probably because it would be too much information to handle), but they are very interested in where you are located and who you interact with, in order to create a ("terrorist") network graph.
And according to the article that is what Matrix collects (the company behind Matrix - allegedly Israel’s Intelligence according to the article)
TLDR: A combination of false, exaggerated, and out of context. Some of the arguments don't even make sense, like bridges "centralizing" all your data at... a server of your choice? Namely, my server! One of the multiple desktop clients being Electron based, and thus not FOSS, straight up falsehoods about data being sent back to matrix.org, etc, etc
This is a bad and disingenuous article.
Edit: Something really cool about Matrix to consider - not only are there a variety of clients, many written by the community, but there are 3 federating server implementations, one of which (conduit) just recently hit beta and was/is written entirely independently from Element/New Vector, AFAIK.
But how is that connected to bridges? Is the accusation that a self-hosted homeserver reports back information about accounts linked through bridges? I don't think that's true at all.
It's not quite directly connected: only the user on the Matrix side of the bridge has their Matrix home server reporting on their connection.
However, it does see into channels the user joins. When the bridge to Rizon came about, it made people very uneasy that their channels were being broadcast to the Matrix mothership (since Matrix.org runs bridges for everybody to use) just because a user who used the bridge joined.
(Ultimately Matrix turned off that bridge, according to Rizon, and I'm not sure if because of complaints. Other networks discourage bridging entirely, like QuakeNet.)
> Electron was not considered Free Software by the Free Software Foundation.
That is not true. The link shows that a volunteer on the free software directory labeled it as nonfree at one point and later it was changed. However, the FSF did find that matrix in practice leads users to run nonfree software: https://www.fsf.org/news/fsf-and-gnu-move-official-irc-chann... "Doing so would create the unacceptable situation of encouraging a large number of users to run nonfree software in the form of nonfree JavaScript, which is used by the flagship Matrix.org server to authenticate users."
TOR was created by the United States Naval Research Laboratory. Yet none of these criticisms are leveraged towards it. This article definitely feels disingenuous.
Matrix is an open source project where you can inspect, clone and alter the code; write your own clients, write your own servers, and choose to federate or not.
Useful would be "these are deficiencies in the federation system which should be addressed by doing this, that, and the other".
Useful would be "here's a guide to routing your client's connection via Tor or running a homeserver behind Tor".
Useful would be "let's start a project to enable use of Matrix without these things we think are bad ideas".
Useful would even include "here are well-thought out criticisms of Matrix with suggestions on alternatives that don't have those issues, but have these other tradeoffs".
Well, nothing. I mean, nothing will happen, because matrix uses strict versioning of protocol and your server "announces" supported protocol versions, so any client will use supported protocol version with your server.
Btw, there are several server implementations of matrix sever, not related to the New Vector/Element.
> nothing will happen, because matrix uses strict versioning of protocol
Bingo! You've precisely stated the reason, why Matrix is a product and will always be a product, and never a protocol. In real world, third party servers will never be on the same version of protocol.
A few years ago [1] people here explained to Matrix developers that "single monolithic versioned protocol" that is NOT the way to build federation, ant that it is silly to assume that everyone will magically update once the new version comes out, but they were preaching to deaf ears.
OK, let's suppose that the Matrix main organization is irredeemably evil in your eyes.
But not everybody is evil. So, you get together with lots of other people at a conference, and you announce a new code-of-conduct based organization to do mutual interconnection for homeservers that agree to a particular set of rules. The requirement for federation is that they agree, and that they will not federate with anyone who doesn't agree to the same set; the only penalty for non-compliance is not being allowed to federate with the members of the organization anymore.
There you go. Remember to thank the Matrix people for all their hard work, which you have subverted from "evil" to "good".
I didn't understand what you were trying to say. My point is Matrix is not suitable for federation because it has characteristics that prevent creation, deployment and usage of multiple competing implementations.
Not very convincing. Many of the concerns in this post the authors themselves admit are "maybe just FUD", and the few actually concerning issues that were raised appear to have already been fixed two years ago[1] which the post acknowledges but seems to have intentionally ignored, saying only "we do not think it is worth wasting more time".
> What would you think if you discovered that a new messaging software claiming to be decentralized is sending lots of your private data and metadata to their central servers despite you installed your own instance?
It's funny that the article links an early version[1] of the matrix.org website. In the beginnings they didn't even claim Matrix was decentralized, but wanted to be a federated network of servers, similar to how email works now. It's only recently with the new plans for fully p2p clients that they switched to the "decentralized" design. In fact in the pages linked the world "decentralized" never appears.
> Matrix is not a community-based software, it was born [00] in Amdocs [01], a multinational corporation founded in Israel.
> On the Internet we find many pieces information connecting Amdocs with Israel’s Intelligence [02][03][04].
Tor was built by the US navy and the NSA gave us SELinux and Ghidra, so what? If it's an open standard who cares who built it?
> Riot, the Matrix client, was created with Electron
Riot (now Element) is a web client: you don't need electron to use it as much as you need it for any other web application. Moreover there are a dozen[2] of independently developed clients, including native clients built with Qt (Nheko, Quaternion, Neochat), GTK (Fractal), Flutter (FluffyChat), etc.
> Matrix arrived with this plan to interconnect every existing IM and VoIP network through what they call Bridges [10], which could be seen as a centralizing hub where metadata could be analyzed, as well as the right place to try Person In The Middle Attacks.
Agreed, but you can run your own server: it's in fact encouraged, unlike other actually centralized services like Signal. If you're using something like NixOS[3] it's actually relatively easy to configure a homeserver and bridges. Also, if they manage to migrate to decentralized identisies and p2p clients, most of these concerns will be addressed.
> Summary of the Notes on privacy and data collection of Matrix.org
- Matrix IDs are actually intended to be removed from the protocol messages to make identities portable[4];
- email addresses and phone numbers are optional if you don't want to use the identity server (allow people to find you using email, phone etc.)
- IP address: yeah, try to write a networked application that doesn't use them
- Room IDs and other servers are other essential data for the protocol to work
- user devices and system information: I don't know about this, is this collected by some crash reporter?
- Profile name avatars: this is public information, really.
Again, most of this is not a concern if you run your own server now, or with p2p in the future. matrix.org is just a reference homeserver, you are not forced to use it in any way, you don't loose any feature.
I think people didn't understand the article but nothing it says can be considered FUD.
The article is saying a privacy-focused decentralized software is using a central server even when you self-host the software and is collecting data and metadata from users.
If you read the paper it cites as reference and analyze the code yourself, you can found that theses information are accurate.
The author are rambling about a hyped privacy-focused decentralized chat app that are collecting user data and sending to a central server and the app is, in fact, collecting user data and sending to a central server, so what's the point to call the article FUD?
The fact that many users here called the article FUD without even check the references (you can find others on internet) makes the author's point about the peril of well funded, well marketed, super hyped projects.
I hear these criticisms from the suckless crowd, especially on the Luke Smith[0] channel, and to a lesser extent, on the one for Mental Outlaw[1]. These are some of my favorite YouTubers and I really like their perspective on things, but I don't see why it's necessary to go the extra mile and denounce Matrix. Matrix is a great technology that provides a lot of features we can all benefit from. While it may not be perfect, I still believe it deserves support.
Coincidentally, I was dabbling in OpenBSD at the time, so YouTube recommending both videos caught my attention. I noticed that they had been uploaded around the same time, and wondered if there was a connection there.
Matrix proponents like to claim that Matrix is not a product of one company, but a protocol. They say that someday there will be other servers developed by competing commercial companies.
Ok, let's see how it'll resolve a problem of conflicting implementations with other commercial company. Seeing how Arathorn reacts to such questions, I'd say that it is unlikely that such conflict would be resolved successfully. I'd also say that it is unlikely that any other serious company would start building products that are based on the 'protocol' over which they have zero influence and which governance is not mature enough to handle divergence.
Due to this, it would be more appropriate to compare matrix with a product like RocketChat than with true protocols like XMPP or email.
XMPP, on the other hand, is somewhat backwards looking, but it is extremely flexible and extremely durable. Hell, it even survived more than a decade of mismanagement and neglect by FSF! It has a long history and best practices for reconciling conflicting implementations and providing basic compatibility. It is a true widely used protocol, has multiple server implementations, and a few dozen clients.
Disclosure (previously matrix zealots criticized me for not telling it): I am a leader of Xabber project. We are working on making XMPP great for once. (Because it was never great, lol). In the process we broke it to the core and threw away all the inconsistent rubbish that over last 15 years crawled into XSF-approved extensions, and reinvented it the right way so it can work equally well on all platforms.
If Arathorn and co wanted a real distributed protocol, they should have done the same with XMPP when they started, not invent their own protocol. But then, of course, they wouldn't have dictatorial control over it.
52 comments
[ 0.22 ms ] story [ 181 ms ] threadNow I start to see why.
It feels to me that the author would complain about the internet because we already have ordinary mail. Just a tantrum.
Google Talk/Hangouts still uses XMPP and I use that right now.
At least 8 banks in my city use XMPP for internal chats since 2005 at least. Cisco has an xmpp product. Oracle uses xmpp for internal chat communications (i know it because their employees contacted us many times, and we slightly modified our xmpp client so that could connect to it without problems). Fortnite, eve online based their chats on xmpp, WhatsApp runs on a modified XMPP. Quite enough serious organisations, no?
"Was I brutally assaulted? Yes. Did Gavin Belson have anything to do with it? Unclear. (...) This and all other Gavin Belson rumors are unsubstantiated: the alcoholism, the sexual impropriety at work, the impending crash of Hooli stock."
Calling it FUD while repeating it doesn't nullify the effect it has on the listener.
I had no idea Matrix was created by an Israeli intelligence agency.
It's a spinoff of a company that at the time basically did accounting software for cinemas then went on an acquisition spree because they had more money than they knew how to use.
>XMPP and many other technologies were already there
This is so obviously far from the truth. XMPP is lacking in so many different features that Matrix has.
>Matrix is not a community-based software, it was born [00] in Amdocs [01], a multinational corporation founded in Israel.
>On the Internet we find many pieces information connecting Amdocs with Israel’s Intelligence]
Ah here comes the "its the jews" argument
One thing I never understood. I can run a chat server hosted on the computer next to me. It is e2e encrypted. I can use any number of clients or servers, some developed by New Vector, some not. I can easily send images, text, voice, etc. I can bridge it to dozens of other services. I can federate if I choose to, with other servers. Or, I can not federate if I decide not to.
What the heck is insecure about that? Other than vague promises that the Jews have my data?
Did I simply miss the crux of this entire article?
Who cares about Matrix.org? Seriously. It's a technology. That's one implementation of the technology. It's not mine, though. That's what makes Matrix special. Did people harp on XMPP for Google collecting data over it?
This is the piece I find interesting:
> We do not recommend Matrix because we find unacceptable that a software widely hyped as decentralized is released sending a scandalous collection of private data to their central servers, even if you run your own instance.
> What the heck is insecure about that? Other than vague promises that the Jews have my data?
I mean, if it's connected to any intelligence (I'm not saying it is, nor do I know anything about Matrix's history), it being secure may just be a facade.
Funny thing, there are lots of contributors to matrix stack (protocol, sever, etc) and only some part of them are New Vector employees, because it's open source. Again, you can check that yourself in matrix repos
Of course, I'm not employee of any intelligence and can't prove that, but that's just my opinion
If so, I want nothing to do with the Matrix ecosystem and would be searching for alternatives, I hope this isn't the case.
https://github.com/libremonde-org/paper-research-privacy-mat...
https://news.ycombinator.com/item?id=27970298
TLDR: A combination of false, exaggerated, and out of context. Some of the arguments don't even make sense, like bridges "centralizing" all your data at... a server of your choice? Namely, my server! One of the multiple desktop clients being Electron based, and thus not FOSS, straight up falsehoods about data being sent back to matrix.org, etc, etc
This is a bad and disingenuous article.
Edit: Something really cool about Matrix to consider - not only are there a variety of clients, many written by the community, but there are 3 federating server implementations, one of which (conduit) just recently hit beta and was/is written entirely independently from Element/New Vector, AFAIK.
However, it does see into channels the user joins. When the bridge to Rizon came about, it made people very uneasy that their channels were being broadcast to the Matrix mothership (since Matrix.org runs bridges for everybody to use) just because a user who used the bridge joined.
(Ultimately Matrix turned off that bridge, according to Rizon, and I'm not sure if because of complaints. Other networks discourage bridging entirely, like QuakeNet.)
That is not true. The link shows that a volunteer on the free software directory labeled it as nonfree at one point and later it was changed. However, the FSF did find that matrix in practice leads users to run nonfree software: https://www.fsf.org/news/fsf-and-gnu-move-official-irc-chann... "Doing so would create the unacceptable situation of encouraging a large number of users to run nonfree software in the form of nonfree JavaScript, which is used by the flagship Matrix.org server to authenticate users."
Oh, don't dig in details. Article clearly shows the intent to claim matrix as very bad thing, without proof checking. Like "who cares?"
/sarcasm
Useful would be "these are deficiencies in the federation system which should be addressed by doing this, that, and the other".
Useful would be "here's a guide to routing your client's connection via Tor or running a homeserver behind Tor".
Useful would be "let's start a project to enable use of Matrix without these things we think are bad ideas".
Useful would even include "here are well-thought out criticisms of Matrix with suggestions on alternatives that don't have those issues, but have these other tradeoffs".
This post is anti-useful. It's just FUD.
Btw, there are several server implementations of matrix sever, not related to the New Vector/Element.
Bingo! You've precisely stated the reason, why Matrix is a product and will always be a product, and never a protocol. In real world, third party servers will never be on the same version of protocol.
A few years ago [1] people here explained to Matrix developers that "single monolithic versioned protocol" that is NOT the way to build federation, ant that it is silly to assume that everyone will magically update once the new version comes out, but they were preaching to deaf ears.
[1]: https://news.ycombinator.com/item?id=19421634
I understand that's not perfect and such approach has it's own downsides, but for now it's OK.
PS: I'm not matrix developer, so my opinion maybe wrong, but from user and sysadmin perspective I don't see/feel any problems with it
But not everybody is evil. So, you get together with lots of other people at a conference, and you announce a new code-of-conduct based organization to do mutual interconnection for homeservers that agree to a particular set of rules. The requirement for federation is that they agree, and that they will not federate with anyone who doesn't agree to the same set; the only penalty for non-compliance is not being allowed to federate with the members of the organization anymore.
There you go. Remember to thank the Matrix people for all their hard work, which you have subverted from "evil" to "good".
[1]: https://www.matrix.org/blog/2019/09/27/privacy-improvements-...
That being said, I'd welcome Arathorn's thoughts and perspective.
It's funny that the article links an early version[1] of the matrix.org website. In the beginnings they didn't even claim Matrix was decentralized, but wanted to be a federated network of servers, similar to how email works now. It's only recently with the new plans for fully p2p clients that they switched to the "decentralized" design. In fact in the pages linked the world "decentralized" never appears.
> Matrix is not a community-based software, it was born [00] in Amdocs [01], a multinational corporation founded in Israel. > On the Internet we find many pieces information connecting Amdocs with Israel’s Intelligence [02][03][04].
Tor was built by the US navy and the NSA gave us SELinux and Ghidra, so what? If it's an open standard who cares who built it?
> Riot, the Matrix client, was created with Electron
Riot (now Element) is a web client: you don't need electron to use it as much as you need it for any other web application. Moreover there are a dozen[2] of independently developed clients, including native clients built with Qt (Nheko, Quaternion, Neochat), GTK (Fractal), Flutter (FluffyChat), etc.
> Matrix arrived with this plan to interconnect every existing IM and VoIP network through what they call Bridges [10], which could be seen as a centralizing hub where metadata could be analyzed, as well as the right place to try Person In The Middle Attacks.
Agreed, but you can run your own server: it's in fact encouraged, unlike other actually centralized services like Signal. If you're using something like NixOS[3] it's actually relatively easy to configure a homeserver and bridges. Also, if they manage to migrate to decentralized identisies and p2p clients, most of these concerns will be addressed.
> Summary of the Notes on privacy and data collection of Matrix.org
- Matrix IDs are actually intended to be removed from the protocol messages to make identities portable[4]; - email addresses and phone numbers are optional if you don't want to use the identity server (allow people to find you using email, phone etc.) - IP address: yeah, try to write a networked application that doesn't use them - Room IDs and other servers are other essential data for the protocol to work - user devices and system information: I don't know about this, is this collected by some crash reporter? - Profile name avatars: this is public information, really.
Again, most of this is not a concern if you run your own server now, or with p2p in the future. matrix.org is just a reference homeserver, you are not forced to use it in any way, you don't loose any feature.
[1]: https://web.archive.org/web/20141217141653/http://matrix.org...
[2]: https://matrix.org/clients/
[3]: https://nixos.org/manual/nixos/stable/index.html#module-serv...
[4]: https://github.com/matrix-org/matrix-doc/pull/2787
The article is saying a privacy-focused decentralized software is using a central server even when you self-host the software and is collecting data and metadata from users.
If you read the paper it cites as reference and analyze the code yourself, you can found that theses information are accurate.
The author are rambling about a hyped privacy-focused decentralized chat app that are collecting user data and sending to a central server and the app is, in fact, collecting user data and sending to a central server, so what's the point to call the article FUD?
The fact that many users here called the article FUD without even check the references (you can find others on internet) makes the author's point about the peril of well funded, well marketed, super hyped projects.
[0] https://www.youtube.com/watch?v=KkwXtWtVj3w
[1] https://www.youtube.com/watch?v=Ot_EmQ8xdJw
[0] https://www.reddit.com/r/linox/comments/p4z7or/this_is_prett...
[1] https://youtu.be/tW2CFZ9SyMU
[2] https://youtu.be/KkwXtWtVj3w?t=689
Here's a video showing Mental Outlaw's face: https://www.youtube.com/watch?v=6Y2Jmn5Mxxk
I personally don't think Mental Outlaw is a deepfake, and he looks nothing like Luke Smith. That would be a funny meme though.
Ok, let's see how it'll resolve a problem of conflicting implementations with other commercial company. Seeing how Arathorn reacts to such questions, I'd say that it is unlikely that such conflict would be resolved successfully. I'd also say that it is unlikely that any other serious company would start building products that are based on the 'protocol' over which they have zero influence and which governance is not mature enough to handle divergence.
Due to this, it would be more appropriate to compare matrix with a product like RocketChat than with true protocols like XMPP or email.
XMPP, on the other hand, is somewhat backwards looking, but it is extremely flexible and extremely durable. Hell, it even survived more than a decade of mismanagement and neglect by FSF! It has a long history and best practices for reconciling conflicting implementations and providing basic compatibility. It is a true widely used protocol, has multiple server implementations, and a few dozen clients.
Disclosure (previously matrix zealots criticized me for not telling it): I am a leader of Xabber project. We are working on making XMPP great for once. (Because it was never great, lol). In the process we broke it to the core and threw away all the inconsistent rubbish that over last 15 years crawled into XSF-approved extensions, and reinvented it the right way so it can work equally well on all platforms.
If Arathorn and co wanted a real distributed protocol, they should have done the same with XMPP when they started, not invent their own protocol. But then, of course, they wouldn't have dictatorial control over it.