HACKER Q&A
📣 sysadm1n

Now that Mallory will be in our comms, how do we prepare?


After reading this[0] I can't help but wonder how Alice talking to Bob will now be compromised by a third actor: Mallory[1]. From the Wikipedia article on Alice & Bob:

> Mallory: A malicious attacker. Associated with Trudy, an intruder. Unlike the passive Eve, Mallory is an active attacker (often used in man-in-the-middle attacks), who can modify messages, substitute messages, or replay old messages. The difficulty of securing a system against Mallory is much greater than against Eve.

I had a look at Matrix[2] and it's developed in the UK, per their site ('a non-profit UK Community Interest Company'), so since the UK is no longer a member of the EU, I presume they're immune from the EU backdooring Matrix, unless I'm mistaken?

Then there's Session[3] & Cwtch[4] which look promising too. I can't imagine how Matrix, Session, or Cwtch could be backdoored since they're designed differently than other apps.

Are these chat systems immune from Mallory? Can we use them going forward when all the mainstream messenger apps are compromised in the near future (WhatsApp, etc.)?

[0] https://tutanota.com/blog/posts/eu-surveillance-csam/

[1] https://en.wikipedia.org/wiki/Alice_and_Bob

[2] https://matrix.org/

[3] https://getsession.org/

[4] https://cwtch.im/


👤 h2odragon Accepted Answer ✓
I don't think we have sufficient control of the base client hardware to the point where locking down higher layers can help. Nothing wrong with the effort even if it's only theoretical; but if I really wanted to communicate something without being overheard I would not use modern networks or things capable of connecting to them.

👤 leakbang
Matrix is the most mature and feature-complete. I personally use it day to day through Element. However, if it comes down to talking about something that could get me into massive trouble, I won't trust any single entity. I'd probably use XMPP, or OnionShare in Tails OS, preferably not even on my own PC. The bottom line is that a computer connected to the internet is not totally secure and anonymous; there can be backdoors in every nook and cranny. For example, if you are using Element + Matrix on Windows 11/Android, to spy on you, they don't need to have backdoors in Matrix itself. A simple automatic screenshot will do! The OS will take care of that :D

But I don't think the Matrix organization can be pressured into adding backdoors into their systems.

Our best bet is to use free and open source software as much as possible.