I am a daily user, family and friends chatting on Matrix.
My take is that there are two layers of friction:
a) people that care about chat encryption and would be willing to change, already did, to Telegram and/or Signal. "I'm not going to install yet another chat app" is a real answer by a friend of mine
b) no one wants to either host their own server, nor pay someone to host it for them. If it wasn't for me and a one of my friends, none of the people I chat with daily would be on Matrix.
And yes, there is the matrix.org server. Out of the ~13 people I chat frequently with, 1 is on matrix.org. "What's the point of changing apps if I'm still going to be using the centralized server" is another answer I've gotten.
I don't know what the solution to this dynamic is other than us, the power users, setting it up and paying for the group of people around us.
> a) people that care about chat encryption and would be willing to change, already did, to Telegram and/or Signal.
It continues to baffle me that the "telegram is encrypted" spin is still widely believed, even on a forum like this. Telegram is for 99.9% of intents and purposes not encrypted.
And even when you do enable encryption of the chat contents, the unencrypted metadata is often enough for security services to make a suspect out of you. Granted, this is mostly a concern for Russian and Belarusian users.
What is encrypted and how is public information. If it doesn't fit your use case don't use it. There is no "spin".
People were spreading this kind of FUD until last week when all of a sudden people started claiming it was self evident that "of course Meta can read your WhatsApp messages". I don't get this kind of weird fixation with a product. I suspect it's two things. Perceived Russian origin and that one guy dared write a crypto library rather than using their own. I agree with the latter. The prior is not even true the way people understand it to be. I for one like the stickers. Shoot me :)
We even give companies like Google which we know for a fact is looking at all of our data a free pass with the super western "privacy policy" cop out while judging other tools with a different set of rules.
Another darling is Signal who refused to stop collecting phone numbers until recently even though they never needed it, does not allow open source or other clients to use their servers (and won't release the actual server code) and frankly does not work half as well as Telegram in terms of UX.
The problem with Telegram is that it is not an E2EE messaging platform, period. It is a non-E2EE platform that has an option to encrypt 1:1 messages with a criticised algorithm. Whoever uses Telegram does it for all the nice features that are not E2EE.
> all of a sudden people started claiming it was self evident that "of course Meta can read your WhatsApp messages".
Because some people say stuff like this doesn't make it right. WhatsApp messages are E2EE encrypted, unlike Telegram. There are other things to criticise with WhatsApp, but not that.
> Signal who refused to stop collecting phone numbers until recently even though they never needed it
As you said, you're confused. Signal needed the phone numbers for convenience, so that you could reach your friends. Exactly the same reason as WhatsApp. Could they have done without it? Yes, but maybe Signal would not be as popular. That's a valid tradeoff, and Signal never lied about it. Also having to share your phone number with Signal is still better than any of the other popular platforms. Anything that is "more private" than Signal hasn't managed to get on the map.
> There are other things to criticise with WhatsApp, but not that.
Nitpick: Facebook can obviously grant themselves the ability to read your WhatsApp messages, by pushing out a new client. What they can't do is covertly read your WhatsApp messages: WhatsApp is well-studied enough that people would notice the malicious client update within a year.
Google or Apple can also grant themselves the ability to read your WhatsApp messages. Someone grabbing your phone while it's unlocked has the same ability.
Absolutely, and this is why one of the only viable options for truly private communication is Signal on a degoogled ROM like Graphene. Matrix also works, but you need your server.
> Because some people say stuff like this doesn't make it right. WhatsApp messages are E2EE encrypted, unlike Telegram. There are other things to criticise with WhatsApp, but not that.
Is this verifiable fact or Meta's claim? As far as I know neither the server nor the client are open source.
> As far as I know neither the server nor the client are open source.
That is correct. I have a few things to add:
- Meta employees (and there are many of them) have access to the sources. So if Meta was downright lying about it, chances are that someone would leak it.
- Thanks to the Digital Markets Act, we see that the encryption protocol exposed by Meta for interoperability is based on Signal. If Meta wanted to lie, they would have to either use a different protocol internally (but again, we know that the Signal authors contributed to integrate the Signal protocol in 2016, and a Meta employee could relatively easily see if WhatsApp had removed Signal and re-added it just for interop recently) or use the Signal protocol but have the app send the content of the messages to the Meta servers after decryption (which would be fairly easy to see by a Meta employee).
- People who don't want to trust WhatsApp should use Signal. Moving to Telegram because of a lack of trust would be weird, as Telegram is most definitely not E2E encrypted.
In other words, the WhatsApp situation is not perfect, but telling people to move to Telegram because "it's safer" is actually dangerous. Telegram is strictly less private, period. Signal is strictly more private.
I am not saying people shouldn't use Telegram. As far as I'm concerned, people can do whatever they want (and I hear that the Telegram UX superior). What I do not tolerate is wrong statements about the privacy situation. Telegram is strictly less private, Signal is strictly more private.
> What is encrypted and how is public information. If it doesn't fit your use case don't use it. There is no "spin".
Correct way of speaking about Telegram is - nothing* is encrypted. (encrypted chats are not more than 0.5% of all chats). That would be a "no spin" take.
> one guy dared write a crypto library rather than using their own
Red herring. This library is NOT used for more than 99.95% of chats on Telegram. It is applied only to "secret chat", which is a torture device with horrible UX. I guess that horrible UX is the result of choice of using custom crypto library instead of going with something capable of working when addressee is not online.
> Another darling is Signal who refused to stop collecting phone numbers until recently even though they never needed it, does not allow open source or other clients to use their servers (and won't release the actual server code) and frankly does not work half as well as Telegram in terms of UX.
Phone numbers are still used as anti-spam measure. You are free to get a burner, register an account and throw away the SIM card.
> does not allow open source
Signal client is open source.
> frankly does not work half as well as Telegram in terms of UX.
It works well where it does matter. Vide Telegram's "secret chats".
> All of this is really confusing for me.
You are clearly misinformed. That explains the confusion.
- Messages by default are encrypted in transit. Client to server. Yes Telegram does have access to those messages. (I don't believe we had any e2e encrypted chat service before the likes of signal, matrix etc. Whatsapp added it after Telegram too if my memory is right.)
- The library IS used for all encryption including the above client to server encryption. As far as I can tell from casual use the other end does not need to be online for secret chats per se. There's a key exchange with picture verification that requires the party on the other end to accept the chat request.
- The phone bits in your and the other commenters response sound a little bit handwavy to me.
- Telegram client(s) are also open source. The comment was about the server and interoperability with other clients.
After all it doesn't seem to me that I am more misinformed than yourself.
> - Messages by default are encrypted in transit. Client to server. Yes Telegram does have access to those messages.
No connection over the internet is not transport encrypted these days, but that is not what this conversation is about. It's about whether messages are encrypted so the server cannot read them. And Telegram is commonly mistaken to have this property, including OP I was responding to.
If you go around telling people that telegram is "encrypted", please stop. You are spreading disinformation.
> Messages by default are encrypted in transit. Client to server.
By this metric Facebook and Google are encrypted, because TLS. Sorry, Telegram's messaging is an attempt to mislead users, plain and simple.
> The library IS used for all encryption.
They could chose to use TLS for for almost all chats, and instead they've "invented" MTProto. Why go with MTProto?
> As far as I can tell from casual use the other end does not need to be online per se.
You are wrong. Phone on other side has to accept "secret chat request" (no user interaction is needed). Until its accepted, initiator's app interface is blocked with a spinning circle. And to add insult to injury, one can't initiate secret chat from desktop client.
> Telegram client(s) are also open source.
Yes, it is very refreshing to be able to verify that they can read all of my messages. /s
> The comment was about the server and interoperability with other clients.
Signal leadership explicitly stated that they care about secure comms and don't care about ecosystem around the chat. You can create your own client, you can't market it as Signal because that might "endanger lives".
> - The phone bits in your and the other commenters response sound a little bit handwavy to me.
I issue you a formal apology on behalf of HN hive mind. /s
On serious note - palata's point is right, but a bit outdated. Functionality is still there, but it became opt-in. New users have phone number automatically hidden and phone number is collected only as an anti-spam feature.
I'll repeat my point again. Telegram is a honey pot of messengers and nobody should use it.
- iMessage & SMS for most US based family, casual friends and co workers.
- WhatsApp for European Family
- Signal for one group of friends
- Telegram for another group of friends
Every time I message someone I have to remember what app to use. It’s annoying. This in addition to random threads that pick up with the same people on instagram, discord, etc., which I try to redirect to our “standard” channel as aggressively as I can.
While I knew that one off the top of my head... one of the neat "Show HN" that I recall from a bit ago: Show HN: Find the relevant Xkcd comic for your post using RAG https://news.ycombinator.com/item?id=44799291
> How it works - Simply paste your entire message or post into the search box to get the most relevant xkcd for it. No need to search by keywords, etc.
> no one wants to either host their own server, nor pay someone to host it for them.
I hear this every time anyone brings up a federated chat/social media/anything service, and I just don't get it. If you don't want to host it, don't. There are plenty of servers out there, and a lot of them are free. Yeah, you have to trust the person hosting it, but why is that only a problem for federated services?
- are willing mostly to harvest data at scale, mostly for ad target or whatever political agenda owner that can pay bills
- will make big breaking changes only if more money is expected in a some quarters
The local/small benevolent geeks:
- aren’t entangled into micro-management policies and might just be logging everything to target individual as seen relevant by someone that could be whatever evil profile one can think of
- are possibly going to do their best for free, but could well end the experiment tomorrow without prior warning as they burn out into a growing discontent user base despite best efforts (and few to no recognition for that), or simply because they found a new hobby to spend attention to
And of course hosting all at home is taking the burden on one self. For people in IT, that might be something affordable, but otherwise this is like baking your own bread, sewing your own garment, producing and storing your own electricity, cultivate your own garden. Yes all of them are doable by an individual, especially those already proficient in the field. But obviously, this is not going to scale easily, and it’s not the general tendency of most contemporary societies. Doing otherwise would require humankind to make a giant leap in civilization tendencies.
No but hosting a small server is much more manageable financially than hosting the whole world. One geek can host hundreds of people for pocket change.
There are two things: trusting the person's intentions and trusting the person's competence. Federation makes both problems worse, because you need to trust an unbounded number of organizations rather than a single organization. Even if you take it for granted that I trust all of those orgs intentions, there's no way they are as competent as the multimillion and multibillion dollar organizations running the big names.
I use matrix. Every chat room I use is unencrypted and all have at least one matrix.org user. I assume it can be encrypted but the usability is such that in practice it's cleartext.
As a counterexample: I use Matrix along with ~30-50 people, on a federated server, and every room is encrypted. After sufficiently stressing to people that they need to save their secure backup key, we've had few problems with encryption usability.
(3) With sufficient thrust, pigs fly just fine. However, this is
not necessarily a good idea. It is hard to be sure where they
are going to land, and it could be dangerous sitting under them
as they fly overhead.
They come from science. Engineering applies laws, concepts and knowledge discovered through science. Engineering and science are not the same, they are different disciplines with different outcome expectations.
My take on this is that, from a SW development POV, user stories are not the right unit of work. Instead, I treat user stories as "Epics". Stake holders can track that Epic for progress, as the unit of work from their POV.
Internally, the team splits Epics into "Spikes" (figure out what to do) and "Tasks" (executing on the things we need to do).
- Spikes are scoped to up to 3 days and their outcome is usually a doc and either a follow-up Spike or Tasks to execute.
- Tasks must be as small and unambiguous as possible (within reason).
Well OK, but that's just the same thing with extra steps.
The point I'm making is that there are large cross-cutting concerns that shouldn't be sliced up by feature, but rather that the features should arise out of the composition of the cross-cutting concerns.
A single user story commonly requires the holy trinity of UI, 'business logic' and data storage, and my contention is that it's more efficient and robust to build those three layers out holistically rather than try to assemble them from the fragments required for all the user stories.
Our job as SWEs is to convert the vertical slice of functionality into something that fits well and robustly in the various technical layers that need to be touched.
The process that I outlined above explicitly creates the space for SWEs to consider the wider implications of the required changes in the architecture and make robust.
Part of that is understanding what the roadmap is and what is the product vision in the mid term, so that the tech layer can be built, step by step, towards what fits that vision.
Hasn't balancing quality (in this context due diligence) and speed (AI code gen.) been the name of the game in the industry for ever? Management should have enough experience by now to understand the trade-off.
Sure, but for the most part people don't use them, because you don't have to; Python method calls are always potentially polymorphic, unlike Golang method calls.
I have said many times to teammates: the only code that is perfect is the one that hasn't left our minds. The moment it's written down it becomes flawed and imperfect.
This doesn't mean we shouldn't try to make it as good as we can, but rather that we must accept that the outcome will be flawed and that, despite our best intentions, it will show its sharp edges the next time we come to work on it.
Math can be greasy and messy. Definitions can be clumsy in a way that makes stating theorems cumbersome, the axioms may be unintuitive, proofs can be ugly, they can even contain bugs in published form. There can be annoying inconsistencies like optional constant factors in Fourier, or JPL quaternions.
Yes, prototypical school stuff like Pythagoras are "eternal" but a lot of math is designed, and can be ergonomic or not. Better notation can suggest solutions to unsolved problems. Clumsy axioms can hide elegant structure.
I think applied mathematicians started to encounter this reality of the impure world the first time someone taped a dead moth into the logbook of the Harvard Mark II.
Do you like writing all the if, def, public void, import keywords? That is what I’m talking about. I prefer IDE for java and other verbose languages because of the code generation. And I configure my editors for templates and snippets because I don’t like to waste time on entering every single character (and learned vim because I can act on bigger units; words, lines, whole blocks).
I'm not bothered by if nor def. public void can be annoying but it's also fast to type and it doesn't bother me. For import I always try my best at having some kind of autoimport. I too use vim and use macros for many things.
To be honest I'm more annoyed by having to repeat three times parameters in class constructors (args, member declaration and assignment), and I have a macro for it.
The thing is, most of the time I know what I want to write before I start writing. At that point, writing the code is usually the fastest way to the result I want.
Using LLMs usually requires more writing and iterations; plus waiting for whatever it generates, reading it, understanding it and deciding if that's what I wanted; and then it suddenly goes crazy half way through a session and I have to start over...
This is how I feel. I mentioned this to a couple of friends over a beer and their answer was that there are many not "decently competent programmer"s in the industry currently and they benefit immensely from this technology, at the expense of the stability and maintainability of the system they are working on.
My take is that there are two layers of friction:
a) people that care about chat encryption and would be willing to change, already did, to Telegram and/or Signal. "I'm not going to install yet another chat app" is a real answer by a friend of mine
b) no one wants to either host their own server, nor pay someone to host it for them. If it wasn't for me and a one of my friends, none of the people I chat with daily would be on Matrix.
And yes, there is the matrix.org server. Out of the ~13 people I chat frequently with, 1 is on matrix.org. "What's the point of changing apps if I'm still going to be using the centralized server" is another answer I've gotten.
I don't know what the solution to this dynamic is other than us, the power users, setting it up and paying for the group of people around us.
reply