µPD7220 Enthusiast
npub1rlj…k3mm
2023-03-06 05:58:08

So here's a reminder to anyone on the fedi; DIRECT MESSAGES ARE NOT PRIVATE! Never, ever, use the fedi chat as a private secure chat.

It's been commonly talked about how fedi DMs are insecure because some admin on a power trip can easily get the SQL database (on either instance, mind you) if he has a grudge against you and leak them. So many shitty fedi instance operators are notorious for petty grudges.

However recently something else happened; an entire instance (Chudbuds.lol) just got hacked with the database leaked and DMs and everything posted. Even worse, the site got hacked via the owner being utterly inept with computers, you know the classic "click an .exe file and run some nicephoto.jpg.exe" trick people used back in the 00s that somehow big corporations have issues with. Of course that instance was a high profile target, being next to the "dramasphere" on the fediverse.

Now here's the thing; even if you didn't have an account on said instance, any message you sent via DM to a user of this instance got leaked as well.

It's vastly more secure to do any sort of chats offline with people, maybe just use DMs to share messenger IDs. There's Matrix, XMPP, or even Telegram or Discord (still less leak prone than fedi DMs) that exist and can be used to talk about something off site, away from admins. This is especially true if you're on or talking to a user from a high profile or notorious instance where the owner/some users have attracted the attention of raging shut-ins who will stop at nothing to take said instance down.

Don't get me started on if the datacenter is raided and the server is raided. I'm actually seeing people talk about using the fedi as a decentralized communications platform in Ukraine, which is a bad idea if someone else were to take the servers and dump the DB, let alone hackers.

Tl;dr fedi DMs are not secure and don't use them as such.
Author Public Key
npub1rljjaydd2ghhx4ezu0cd3nku8m7jzu57y6h6hfmsn9z5u07q75mspwk3mm