“We’re not going to apologise for responding appropriately to racism, hate crimes and antisemitic behaviour,” Acting Assistant Commissioner Hudson said.

Sounds to me like they dont give a shit about presumption of innocence when they put it like that.

Yes of course you CAN make it safe in theory, but unless you run the web interface locally or on your own server, you cant be certain that the javascript delivered to you from the hoster hasnt been modified. Its like having autoupdates on but you have zero control over when or how the updates take place, because every time you open the page it could be different code from the last time.

So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS)

How do you know that the code on elements github repo is actually the same code that you get delivered from your homeserver that is hosting the web client? Your homeserver can just modify the web clients code however it wants and deliver a backdoored or faulty version to you. Which means you dont just have to trust the open source code, but also the admin who is managing the homeserver and also the hosting provider.

Is this really so hard to understand? Literally the entire client is delivered on demand from a remote server, obviously that is insecure if you dont control that server.

Just set it up so that the resulting .kdbx database file is always instantly synced between your devices whenever you make changes. Everything is in that file and all keepass versions can open it. I use syncthing for this because it doesnt require a server, but you can use nextcloud or whatever you have available. With syncthing it always just keeps the most recently modified version.

This is the kind of thing that machine learning is very very good at. Its never going to be perfect but its definitely gonna outperform humans.

KeepassXC is the goat :)

The database file is encrypted so its fine to sync it however you like. I use syncthing for it which is p2p. Obviously set a very good password on it if you sync it through unsecure channels.

Bro i have my bank details, all my private 2FA, work 2FA, health insurance access, my families master passwords, steam access, and more in there. Its literally the most important piece of software that can exist in this day and age. No im not taking chances with that. The only thing you can do with my physical wallet if you rob me is buy something up to 20€ beyond which you need the cards pin. Everything else i can just deactivate by calling the relevant parties.

But on another note, websites have never really been resistant to MITM attacks. So you dont just have to trust the hoster but also everything in between you and them.

There is no way to patch the inherent flaw that comes with delivering client software through a web browser. If the entire client is delivered as a web page from a server you dont control, then that server can modify the software however it pleases. Same applies to e2ee encrypted chat clients that run as a web page like element-web (browser based matrix client).

Yes, if you arent self hosting the web interface or using the desktop client.

OMFG can people please fucking go away with this stupid “password managers are worthless” bullshit today. They are exactly as secure as promised, unless you went to the obviously shady ones that use web interfaces. People have been saying this for years, if you want security, keep your password manager offline.

I mean the fact that they dont have any access controls on their servers should tell you how technically competent those cops are.

In germany its also catastrophic. I remember three stories off the top of my head where security researchers were raided or sued after properly reporting massive security issues in company software.

Yeah i saw that back then, it happened multiple time with different organizations iirc.

How is a fucking URL all you need to access confidential evidence on a police server. Lets bruteforce some URLs i guess?

To understand the “title text” section: https://en.wikipedia.org/wiki/Foe_(unit)

Foe is a unit to describe the amount of energy released by supernovae.

And if the client software itself is compromised then all that is meaningless.

Im really annoyed that they didnt post the link to the original in the post and even slapped a false watermark on it. And even some people in the comments misattributed it.

They already have been doing it. This is just an upgrade to what they were already doing. Ring cameras were already being used by the police for years.

Ok so terminology wise:

• Discord Server = Matrix Space
• Discord DM = Matrix Chat (these usually exist separately from Spaces/Servers)
• Discord chat room = Matrix Room
• Discord video/voice channels = Matrix Video Room (these still have an optional text chat FYI)

If you just want to create something resembling a discord server, you first create a Space.
You can decide if it should be public or private (public = anyone with the address can join / private = invite only)

Then you add rooms to it, normal rooms for text channels and video rooms for voice/video channels. During the creation of each of these rooms (or after) you decide if they should be visible to all space members, or be invite only (think mod channels).

Afterwards just invite people to the Space and they will be able to join the rooms you set up.

There are 3 predefined permission levels: Default, Moderator, Admin but you can also define numeric power levels for more fine grained control over what people can do. You can set permissions for users on the Space level and on the room level separately. So you can give someone mod powers for the entire Space or only for a single room. You can also set the default power level very low (think Guest/Applicant) so that people can only join the space itself and nothing else (or only a guest room) until an admin or mod changes their power level to something higher (think member) that allows them to join other rooms.

To me a major issue (besides the client feature parity) right now is history sharing in encrypted rooms being non functional. At the moment when you invite someone new to an encrypted room, they wont be able to read the historic messages in it, even if you specifically toggled that on, because the toggle currently doesnt do anything after the old insecure implementation was removed. They are working on it and its probably not super far away, but currently you basically have to use unencrypted rooms if you want new people to be able to see old messages.

https://github.com/element-hq/element-meta/issues/2829

Ooh nice to see, thanks for the link. Once all the major matrix clients support livekit, matrix will be much more recommendable imo. Element works okay on a modern computer, but it really is insanely bloated when you look at what other clients achieve with less than 1/10th of the application size.