Kevin Karhan
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@lucasmz" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>lucasmz</span></a></span> <span class="h-card" translate="no"><a href="https://ioc.exchange/@Avitus" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Avitus</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@david_chisnall" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>david_chisnall</span></a></span> the benefit of <a href="https://infosec.space/tags/XMPP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XMPP</span></a>+<a href="https://infosec.space/tags/OMEMO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OMEMO</span></a> is that there are <a href="https://github.com/greyhat-academy/lists.d/blob/main/xmpp.servers.list.tsv" rel="nofollow noopener" target="_blank"><em>several providers</em>, including free options</a>...</p><ul><li><span class="h-card" translate="no"><a href="https://monocles.social/@monocles" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>monocles</span></a></span> also supports <a href="https://infosec.space/tags/Monero" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Monero</span></a> and <a href="https://infosec.space/tags/CashByMail" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CashByMail</span></a> for those that can't use <a href="https://infosec.space/tags/PayPal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PayPal</span></a>, <a href="https://infosec.space/tags/Stripe" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Stripe</span></a> or <a href="https://infosec.space/tags/SEPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SEPA</span></a>.</li></ul><p>All <a href="https://infosec.space/tags/PII" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PII</span></a> incl. <a href="https://infosec.space/tags/PhoneNumbers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhoneNumbers</span></a> can and will be abused by existing governments and <em>if users don't pay, then they are the product and their data is the one to be sold</em>.</p><ul><li><a href="https://infosec.space/tags/KYC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KYC</span></a> <em>IS</em> THE <a href="https://infosec.space/tags/IllicitActivity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IllicitActivity</span></a> WHEN IT COMES TO <a href="https://infosec.space/tags/ComSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ComSec</span></a>!</li></ul><p>After all, you have the same <em>cost problem</em> with phone numbers. Even if one doesn't pay per line/number and never pays for calls and texts, they still have to top it up to extend validity.</p><ul><li>And again: It's way easier for a government to demand an ID for a <a href="https://infosec.space/tags/SIM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SIM</span></a> that works in networks around their country (i.e. 
<a href="https://infosec.space/tags/Turkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Turkey</span></a> demands registration on a per-<a href="https://infosec.space/tags/IMEI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IMEI</span></a> basis with <a href="https://infosec.space/tags/ID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ID</span></a>) than to tunnel XMPP+OMEMO through <span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> over <a href="https://infosec.space/tags/EDGEland" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDGEland</span></a>-speed <a href="https://infosec.space/tags/2G" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2G</span></a> networks.</li></ul><p>Plus, relying on <em>unfixably insecure</em> <a href="https://infosec.space/tags/Telephony" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Telephony</span></a> makes a system inherently less safe than it needs to be...</p><ul><li>This is how people get caught!</li></ul><p>Also <a href="https://infosec.space/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Signal</span></a> is <em>able and willing</em> to use said PII to <em>restrict and ban users</em> and if I were some dissident in Cuba or North Korea or even just Eritrea or Yemen I'd not rely on non-enforcement of <a href="https://infosec.space/tags/OFAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OFAC</span></a> / <a href="https://infosec.space/tags/USML" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USML</span></a> / <a href="https://infosec.space/tags/ITAR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ITAR</span></a> since Signal can obviously 
distinguish &amp; identify accounts by virtue of their <a href="https://infosec.space/tags/PhoneNumber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhoneNumber</span></a>! </p><ul><li>Always think <em>"How can this be weaponized against someone?"</em> when it comes to <a href="https://infosec.space/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a>!</li></ul>