It's good to see this happening. One of the biggest German healthcare contractors - famous for terrible code - had managed to creep their S/MIME demo implementation derivative code in as a standard for secure communication in the healthcare world. With a MITM at each Kassenaerztliche Vereinigung (i.e. the people who represent the doctors and who charge ~2% per transaction for billing the public insurance companies). So it's unaudited "E2E" with a MITM by design. Given the complexity of this codebase, I do hope that they just use it unmodified.
EDIT: one of the reasons why the KVs rolled their own is the inherent distrust between the physicians, or the institution representing them, and the government's health ministry getting that data. They believe that the government is incentivizing hospitals to take over the physicians' share of the cake. I wouldn't say that the distrust is misplaced, but unfortunately these crappy half-baked own solutions born out of nepotism don't help their case.
None of the managers are willing to risk losing an IT contractor/or product no matter how terrible they/it are/is. There are basically two IT choices that they do:
1. Choose a really big expensive company that is in Gartner (they do have the best dinners though, and you also get to travel business class to visit them for seminars).
2. Choose someone that they know through somebody. It's quite amazing that Matrix has managed to get as much government traction as it has. I've seen a person not willing to kick out a product where I had to walk its creator through, over TeamViewer, how to debug his own app in the web inspector, and it was unable to display PDFs if they were in landscape (for years). And everyone knew they were bad, the managers would joke about it.
As they say, nobody ever got fired for buying IBM. These people are absolutely terrified of making a bad decision that may cost them a promotion in the future.
BTW my favorite Matrix feature from the concept paper: "Integrität dank hohem Out-of-the-box-Sicherheitsniveau" ("integrity thanks to a high out-of-the-box security level") - dank, hohem out-of-the-box Sicherheitsniveau sounds pretty great. (Wonder why they didn't say "aus der Box"?)
"Mein Schedule ist arsch-tight" ("my schedule is ass-tight")
Realistically there weren't a lot of choices other than Matrix though, looking at what the law demands.
(Source: I'm working in that project as a consultant)
Thanks for your work!
(and yay for Ben - he gets everywhere!)
If not, where can this project be publicly inspected?
I'm really glad that at least someone here might have learned from those mistakes.
So use client software that isn't attacker controlled easily, keep your keys private, only encrypt to trustworthy keys and you'll be fine. Matrix ticks all those boxes if you don't use the web client. And the only legal way in for German law enforcement would be to infect your device with some trojan ("Bundestrojaner", like e.g. NSO Pegasus).
In this case law enforcement can simply request the data (as long as such a request is legal) at either end. No need to attack the connection in between.
> Secretary: "IT said we should use matrix".
> Minister: "Whatever. I'm busy with other things. Do I need to sign something?"
> [Bundesdatenschutzbeauftragte Ulrich] Kelber verweist auf die Entwicklungen in Frankreich. Dort wird eine Whatsappalternative auf Basis des Open-Source-Team-Messengers Matrix und dessen Client Riot entwickelt. In Frankreich "geht man aktuell einen hervorragenden Weg, um sich aus der faktisch in weiten Bereichen der Verwaltung bestehenden Abhängigkeit von Produkten großer amerikanischer IT-Firmen zu lösen", sagte Kelber.
or in English:
> Federal Data Protection Officer Ulrich Kelber refers to the developments in France. A WhatsApp alternative based on the open source team messenger Matrix and its client Riot is being developed there. In France, "there is currently an excellent way to free oneself from the fact that many areas of administration are actually dependent on the products of large American IT companies," said Kelber.
I tend to think the political machinery isn’t afraid of proprietary/monopoly dependency in general, the issue is rather with those companies not being domestic.
> Open standards must be used in the implementation and operation of digital offerings. The source code from the realization of digital offerings by the administration (in-house development) is made available as open source, i.e., in reusable form, wherever possible.
They are also starting a project to host public, open source code which is backed by the federal CIO and many state and local governments: https://www.cio.bund.de/SharedDocs/Kurzmeldungen/DE/2021/pm_...
This is not something sneaked in by some techies. Every decision maker is probably aware by now what "open source" means.
If they had just set up XMPP as a messaging system we would never have heard of it. It would have been an entirely routine thing to do.
Synapse feels like a bloated monster that I'm afraid to touch in case it goes bang and I can't recover.
Prosody felt like a simple light weight service that I could easily recover no matter how much I broke it.
The consumer-facing client ecosystem for XMPP has indeed seen less rapid development than Matrix (the latter probably benefits from a more cohesive approach), but the server ecosystem for XMPP is very mature, and servers such as Ejabberd are known to scale to hundreds of thousands of connections on a single, modest host. Obviously, that's only one part of the puzzle, which is why Matrix was chosen here.
Still, it'd be interesting to see how the two evolve and compare down the line.
(It's true that many contributions to Matrix come from Element, though, the VC-funded for-profit founded by the original Matrix team in order to pay for us to keep the lights on and keep working on Matrix. Just as VC-funded Jabber Inc contributed massively to XMPP, back in the day).
Is one of the best ways to support Matrix and grow the influence to hire Element’s team as consultants to build custom implementations and use cases?
One drawback I've been suffering is that I can't figure out how to keep logs. Our server had a failure and was down for a day, so Element on my phone decided it should forget all its keys (and also my password). Now I've lost access to all the past channel logs on our E2E channels, and it seems like nobody on the channel has a version they can usably copy and paste; Element in particular doesn't allow you to copy and paste large chunks of chat history because, when you scroll back a lot, the chunks that are scrolled out of view cease to exist (from the point of view of the copy-paste buffer).
Also gomuks deleted all my session information when my local disk got full. Maybe I should try Bitlbee?
So, there are still a lot of rough edges! But there's a path to getting them fixed, since it's free software and an open protocol spec. Hopefully the German government will be a good collaborator in contributing improvements!
(In that particular case, it resulted in me losing the address where I had to go that afternoon, which was in a Matrix chat message on my phone, before Element peremptorily deleted all my past messages with no confirmation. Fortunately I was able to remember enough of the address to get close enough...)
Of course a DHTML web page is a server agent; it's just a convenient way for the server to get better responsiveness and resilience against network failures. It relies on the server completely for its integrity—the server can inject whatever code it wants. So the server-agent mindset is understandable for a team that started out developing a DHTML web page. But a phone or desktop app doesn't have to work that way; it can protect the user from malicious servers. And, I think, it should.
Generally, though, regardless of how it happened, from my perspective it's a security vulnerability if there's anything the server can send that will wipe data from the client. So the spec doesn't seem reasonable to me. I want to use a client that keeps my data safe from server malfunctions, whether accidental or intentional.
The crazy thing is how happy lots of companies seem to be to give Slack access to all of their communication and API access to all of their other tools. And I'm very excited for when the tool that connects all these tools, which Matrix should be, can be owned by the people using it rather than the company providing the service.
Germany has health insurances, both private and public but there is not one unified system really.
I can go to a doctor and pay the bill on my own without getting in touch with any government organization.
Gematik also is a private company according to their website. So nothing that is associated with the government.
When you go to the doctor you are presumably insured. So your doctor needs to communicate with your insurance. Insurers might need to communicate with government agencies and regulatory bodies, and so on. If you've seen Covid data in Germany, that data comes from every corner of Germany, and all those institutions need to be able to talk to each other.
Why in the world do I get a piece of paper from my doctor that I'm supposed to mail to my insurance provider (or scan and upload if you're lucky) when I'm being diagnosed with something?
Doctor's offices are the least digitized businesses around.
There's first signs of this getting better, but I can't wait for things to change...
>Doctor's offices are the least digitized businesses around.
Oh? Here in the US I can't remember the last time I had to take a prescription on paper from a doctor. Whether CVS, Walgreens, or Amazon PillPack, when my doctor prescribes medication, the pharmacy receives it very quickly, sometimes within minutes. Same with lab work; whether my health system's own labs or a third party like LabCorp or Quest, it's all electronic.
(The process is not all electronic. When a prescription expires, if I request that the pharmacy renews it (as opposed to requesting a renewal from the prescribing doctor), I believe the pharmacy calls the doctor. But either way, I don't otherwise get involved other than, in both cases, requesting it via a website.)
Gematik is completely owned by public institutions (including medical self-governing institutions) except for a very minor stake of the PKV-Verband.
>Germany has health insurances, both private and public but there is not one unified system really.
Correct. Far too often, people in the US and UK think that
1) every developed country other than the US has "national health care" or "universal health care"
2) every such country does it like the UK, a monolithic system in which the government owns both the biller (single payer) and provider (hospitals)
Regarding 2), the UK system is unusual in being so monolithic. Canada has single payer but neither the national nor local government owns and operate all hospitals. Australia's system puts significant emphasis on private insurance as the alternative or preferred option to public insurance. Germany, Switzerland, Austria, and others have a variety of private and public insurance companies and hospitals, typically differentiated by income level or profession. France's system is somewhere in the middle.
Regarding 1), since Obamacare there is essentially no difference between the US's system and Germany's or Switzerland's. The US has always had a mix of public (Medicare/Medicaid, military, VA, IHS), nonprofit (Kaiser), and for-profit (Anthem) insurance providers, as well as public (military, VA, and various state- and local government-owned), nonprofit (Kaiser again, university hospitals), and for-profit (various hospital chains) deliverers. Obamacare merely mandated that the 15% of Americans pre-Obamacare that did not have health insurance get it or pay a penalty. The figure is 8% now.
And before you say "Well, that's not 100%", while the penalty for Obamacare noncompliance is not high enough, 92% of Americans having health insurance is not very far from the 95-97% elsewhere. There are always people who fall between the cracks, whether a German who neglects to sign up for a new sickness fund after changing jobs, or a Canadian who neglects to sign up for a new provincial health care card after moving. The only way to get actual 100% coverage is to use the UK NHS model of having no membership card at all.
Yes, 85% of Americans before Obamacare had health insurance. How many of you non-Americans (heck, many Americans) thought that "0% of Americans have healthcare" before or after Obamacare? It's OK; you're not alone in believing everything you read on Reddit.
Just for the record: There is nothing you have to do when switching jobs in Germany - you just keep your previous health fund. There is a very small number of people without health insurance, but once you are in the system (which I think is fair to call a "national healthcare system") you will find it very hard to leave even if you try.
The "public" is private anyway, as the Krankenkassen are all private companies (although strictly regulated by BMG).
But yes, there's concept of public (statutory) and private (voluntary) insurance plans.
On top of that, as you said, most (all?) Arztpraxen are also private entities. Same goes for hospitals (I guess excluding places like universities and Bundeswehr).
Many hospitals are part of a municipality or a university (again, established by public law), many others are organized as private companies (either publicly or privately owned). Non-hospital doctors are almost completely private entities.
This is not so clear-cut as in other countries.
Translated from Wiki:
> As a public corporation with self-administration, a health insurance fund regulates its budget on its own responsibility. In doing so, it must fulfil legislative performance requirements (compulsory benefits) and may in some cases go beyond this (statutory benefits). According to § 260 para. 2 SGB V, its operating funds should not exceed one monthly expenditure.
Health care might be organized differently than in most other countries but that does not imply that those institution are private.
Is the City of Munich also a private company? It has self-administration, is responsible for its own budget which can't be negative, has to operate within legislative bounds including giving compulsory benefits to its residents (which are exactly the criteria you quote). Of course not, that's a city. What about the Technical University of Munich? They even have "members" instead of residents in addition to the things above. It's all the exact same kind of legal entity. Saying one is public and the other one private doesn't make any sense. What's the difference between those in your eyes?
Anyone can comment on how this is going to be used ? What are people using matrix for in the German healthcare system context ? The full plan document is in German (which I don't speak).
and you can check out my history to see I am not a die-hard Matrix fan, far from it.
The only thing I can think that you're referring to is the question of how you track the keys used by servers to sign the events they send. If the server is offline, and you've never heard of it before, you still need a way to check their key. We don't currently use CAs for this, but instead you grab a cached copy of the key from a trusted server: https://github.com/matrix-org/synapse/blob/a743bf46949e851c9.... This is a bit of an edge case, as in general servers whose events you care about will typically still be online - or you'll know their signing key back from when they were on line.
The longer term solution for this is https://github.com/matrix-org/matrix-doc/blob/rav/proposal/r... which includes the sender's public key in the event (by making it the sender's identity) - and we're working on this as part of P2P Matrix currently.
I think he refers to state reset issues in the currently used room versions.
If you just want to have your own homeserver, and users there to be identified as @whoever:example.com, then this just works, is fully federated, and has been like this since forever.
The only unfederated part is, from what I know, the Identity Server, which is run by Vector.im to allow discovering Matrix identities by phone number or email addresses.
You had best make a separate ID for mapping your users to Matrix. And don't show it to the user nor use it for anything else; also stay unfederated.
Say you're running Matrix for any kind of official or business purpose. You still want privacy, security, and ownership of your data. But you also actively DON'T want anonymity, instead you want publicly-verifiable user identities, linked to public information like company email addresses and company phone numbers.
Same goes for the push service for the iOS app, but that isn't really their fault as Apple makes it impossible for federated systems to do push without each homeserver having their own app. All notifications for a single app need to come from one centralized push certificate holder.
We have a separate bug to defer the server validation check until the user actually tries to talk to the identity (or home) server, but it hasn't got to the top of the todo list yet; patches welcome!
Edit: To clarify: this behaviour only occurs with Element Web (rather than Matrix clients or servers in general)
I don't use Matrix because I have not seen anything that suggests that you or the dev team are interested in building software that maintains end user privacy.
All of it phones home by default.
Everyone I have seen try to set up a selfhosted homeserver ends up with a config that has users phoning home back to Vector. At some point the "you can configure it however you want!" line to dodge this issue doesn't hold up.
Defaults matter. Your ignoring this means that the software is, in my view, insecure out of the box.
Matrix uses SRV records and .well-known for discovering the homeserver for a domain.
More details here: https://matrix-org.github.io/synapse/latest/reverse_proxy.ht...
Either add a DNS SRV record to example.com pointing matrix to matrix.example.com, or serve a single JSON file under .well-known pointing matrix to matrix.example.com.
In my instance, my root domain is served from CloudFront, so in this case I could add an A record for a homeserver VPS and use an SRV record or .well-known to point to it :)
So when you want to compare it to anything else: it's much rather like XMPP than it is like IRC.
XMPP MUC rooms are, IIRC, dependent on the server hosting them and generally coordinating exchange.
Each event is also signed by the homeserver of the originator of the messages, so missing messages (due to partial netsplits) can be routed through third-parties, around the netsplit.
For full split-brain scenerios, after a merge, the two DAGs get joined and the effective room state is reconciled.
The big picture is that Matrix rooms are best seen as eventually-consisted distributed event log . :) https://matrix.org/docs/spec/#event-graphs
Technically, every message you send in Matrix is a mini-netsplit which then resolves as soon as it's received by the other server(s). So you don't tend to notice partitions, unless they go on for minutes on end and disrupt the conversation, but even then the history syncs up afterwards.
Clients don't currently make it clear when messages came from the other side of a long netsplit, but the data is there on the server so in principle they could. I think the client API might need some changes before that'd be possible though.
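The split-and-merge behaviour described in the comments above, as an added example that is not part of the original thread and not Synapse's own code: a toy room DAG that keeps only the Matrix event fields `event_id` and `prev_events` (signatures, auth chains and the actual state-resolution algorithm are left out), built from constructed events. It shows the forward extremities each side sees during a partition, the merge event that references both, which events sat on the other side of the split relative to a given event (the data the last comment says is present on the server but not surfaced by clients), and a linearization that comes out the same whatever order the events arrived in. All function names are this example's own.

```python
import heapq
from collections import deque

# Constructed toy room DAG. Two homeservers, a.example and b.example, lose
# contact after $m1; each extends the room on its own, then $m4 merges them.
EVENTS = {
    "$create": {"sender": "@alice:a.example", "prev_events": [],                "body": "room created"},
    "$m1":     {"sender": "@alice:a.example", "prev_events": ["$create"],       "body": "hello"},
    "$a2":     {"sender": "@alice:a.example", "prev_events": ["$m1"],           "body": "anyone there?"},
    "$a3":     {"sender": "@alice:a.example", "prev_events": ["$a2"],           "body": "guess not"},
    "$b2":     {"sender": "@bob:b.example",   "prev_events": ["$m1"],           "body": "hi alice"},
    # First event after the partition heals: it references every forward extremity it knows of.
    "$m4":     {"sender": "@bob:b.example",   "prev_events": ["$a3", "$b2"],    "body": "oh, netsplit"},
}


def forward_extremities(events, ids=None):
    """Events in `ids` (default: all) that no other event in `ids` lists as a prev_event.
    A homeserver's view of the room during a split is just a subset of event ids."""
    ids = set(events) if ids is None else set(ids)
    referenced = {p for eid in ids for p in events[eid]["prev_events"] if p in ids}
    return sorted(ids - referenced)


def ancestors(events, event_id):
    """All events reachable backwards through prev_events (breadth-first walk)."""
    seen, todo = set(), deque([event_id])
    while todo:
        cur = todo.popleft()
        for p in events[cur]["prev_events"]:
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return seen


def concurrent_with(events, event_id):
    """Events that are neither ancestors nor descendants of event_id, i.e. the ones that
    were sent on the other side of a partition relative to it."""
    anc = ancestors(events, event_id)
    return sorted(
        e for e in events
        if e != event_id and e not in anc and event_id not in ancestors(events, e)
    )


def linearize(events):
    """Deterministic topological order (Kahn's algorithm, ties broken by event_id) for
    display; independent of the order in which the events were received."""
    indeg = {e: 0 for e in events}
    children = {e: [] for e in events}
    for e, ev in events.items():
        for p in ev["prev_events"]:
            children[p].append(e)
            indeg[e] += 1
    ready = [e for e, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        cur = heapq.heappop(ready)
        order.append(cur)
        for c in children[cur]:
            indeg[c] -= 1
            if indeg[c] == 0:
                heapq.heappush(ready, c)
    return order


if __name__ == "__main__":
    a_view = ["$create", "$m1", "$a2", "$a3"]
    b_view = ["$create", "$m1", "$b2"]
    print("a.example extremities during split:", forward_extremities(EVENTS, a_view))
    print("b.example extremities during split:", forward_extremities(EVENTS, b_view))
    print("merged, before $m4:", forward_extremities(EVENTS, a_view + b_view))
    print("after $m4:", forward_extremities(EVENTS))
    print("other side of the split from $b2:", concurrent_with(EVENTS, "$b2"))
    print("display order:", linearize(EVENTS))
```

The point to notice is that nothing is lost or overwritten when the two sides rejoin: the union of the two event sets simply has two forward extremities until the next event references both, and a client that wants to flag "this arrived from across a netsplit" can derive that from `concurrent_with` rather than from wall-clock order.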
So Matrix is like XMPP, except that XMPP is really federated, but Matrix's "federation" is partial and therefore it's mostly marketing.
Matrix is really mostly marketing overall. That's part of why it's so popular here; HNers love shiny bullshit. Honestly XMPP is a better protocol, it's even still being updated and has many more server and client implementations, including modern ones, but Matrix has great PR.
This is completely and utterly false.
The identity server is a completely optional directory service used to resolve email addresses and phone numbers to matrix IDs.
Honestly, I wish we'd never bothered with them - they are rarely used today, and cause more confusion than they add value.
It doesn't. Matrix identities (like @q3k:hackerspace.pl) are resolved to homeserver instances via DNS or HTTPS .well-known requests.
$ curl https://hackerspace.pl/.well-known/matrix/server
$ dig +short SRV _matrix._tcp.asra.gr
10 0 443 synapse.asra.gr.
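The discovery procedure the two comments above describe (SRV record or `.well-known/matrix/server`), as an added example that is not part of the original thread and not Synapse's own code: a resolver that follows the server-name resolution order of the Matrix server-server spec (IP literal, explicit port, `.well-known` delegation, `_matrix-fed._tcp` then the older `_matrix._tcp` SRV record, then port 8448), with the HTTPS fetch and DNS query injected as callables so it runs offline on constructed data. `ServerEndpoint`, `resolve_server`, the fake fetchers and the example domains are this example's own names. The security-relevant part is the third field: the delegated hostname is both the `Host` header the remote sends and the name its TLS certificate is checked against, so whoever can write `/.well-known/matrix/server` on the apex domain (a CDN or web host fronting it, as in the CloudFront setup above) controls where federation traffic for that server name goes.

```python
import ipaddress
import json
from typing import Callable, NamedTuple, Optional, Tuple

# Names chosen for this example; they are not Synapse APIs.
class ServerEndpoint(NamedTuple):
    host: str          # host to open the TLS connection to (caller resolves A/AAAA)
    port: int
    host_header: str   # HTTP Host header value; the TLS certificate must be valid for this name


WellKnownFetcher = Callable[[str], Optional[str]]       # hostname -> body of /.well-known/matrix/server, or None
SrvLookup = Callable[[str], Optional[Tuple[str, int]]]  # "_matrix-fed._tcp.<host>" -> (target, port), or None
DEFAULT_PORT = 8448


def _split_host_port(name: str) -> Tuple[str, Optional[int]]:
    """'host', 'host:8448', '[::1]' or '[::1]:8448' -> (host, port or None)."""
    if name.startswith("["):
        end = name.index("]")
        rest = name[end + 1:]
        return name[1:end], (int(rest[1:]) if rest.startswith(":") else None)
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return name, None


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _srv(hostname: str, lookup_srv: SrvLookup) -> Optional[Tuple[str, int]]:
    # Current spec tries _matrix-fed._tcp first and falls back to the older _matrix._tcp.
    for prefix in ("_matrix-fed._tcp.", "_matrix._tcp."):
        hit = lookup_srv(prefix + hostname)
        if hit:
            return hit
    return None


def _delegated_name(body: str) -> Optional[str]:
    """Extract 'm.server' from a .well-known body; anything malformed counts as no delegation."""
    try:
        value = json.loads(body).get("m.server")
    except (ValueError, AttributeError):
        return None
    return value if isinstance(value, str) and value else None


def resolve_server(server_name: str, fetch_well_known: WellKnownFetcher, lookup_srv: SrvLookup) -> ServerEndpoint:
    host, port = _split_host_port(server_name)
    if _is_ip_literal(host):                       # 1. IP literal: connect directly, Host = literal (with port if given)
        return ServerEndpoint(host, port or DEFAULT_PORT, server_name)
    if port is not None:                           # 2. explicit port: no delegation lookup, Host = name:port
        return ServerEndpoint(host, port, server_name)
    body = fetch_well_known(host)                  # 3. https://<host>/.well-known/matrix/server
    delegated = _delegated_name(body) if body is not None else None
    if delegated:
        d_host, d_port = _split_host_port(delegated)
        if _is_ip_literal(d_host) or d_port is not None:
            return ServerEndpoint(d_host, d_port or DEFAULT_PORT, delegated)
        hit = _srv(d_host, lookup_srv)             # SRV of the delegated hostname; Host = delegated hostname
        if hit:
            return ServerEndpoint(hit[0], hit[1], d_host)
        return ServerEndpoint(d_host, DEFAULT_PORT, d_host)
    hit = _srv(host, lookup_srv)                   # 4. no usable .well-known: SRV of the original hostname
    if hit:
        return ServerEndpoint(hit[0], hit[1], host)
    return ServerEndpoint(host, DEFAULT_PORT, host)  # 5. last resort: the hostname itself on 8448


# Constructed offline stand-ins for the HTTPS fetch and the DNS query.
WELL_KNOWN = {
    "example.com": '{"m.server": "matrix.example.com:443"}',
    "broken.example": "<html>not json</html>",
}
SRV = {"_matrix._tcp.example.org": ("synapse.example.org", 443)}

def fake_fetch(hostname: str) -> Optional[str]:
    return WELL_KNOWN.get(hostname)

def fake_srv(name: str) -> Optional[Tuple[str, int]]:
    return SRV.get(name)


if __name__ == "__main__":
    for name in ("example.com", "example.org", "example.net", "broken.example", "[::1]:8008", "example.net:443"):
        print(f"{name:18} -> {resolve_server(name, fake_fetch, fake_srv)}")
```

Note that a `.well-known` body that is not valid JSON, or has no `m.server`, is treated the same as no `.well-known` at all and falls through to the SRV lookup of the original hostname; a real implementation also has to bound the fetch (redirect count, response size, caching per the returned `Cache-Control`) since the remote controls that response.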
This statement is almost entirely wrong. The identity server is A) only for mapping 3PID (3rd Party Identities, i.e. email addresses or phone numbers) to matrix usernames, B) can be self-hosted, and C) not required at all for federation. Federation does not in anyway require services provided by Matrix.org
Uh, no? Federation certainly does not fail if the identity server goes down. You won't be able to invite someone to a room by email address or phone number if whatever identity server you're using goes down, but it's nowhere near the critical path for federation.
Long answer: there's not even a simple native client that can even try to replace these apps. Often you see recommendations about some cartoonish app called Fluffy. No, it's no good. Every client is half-baked, half-cooked other than the main client, which was an Electron monstrosity last time I checked. So the client space is still a mess (other than the org changing the name of its main client: something -> Riot -> Element -> next name change awaited) compared to other personal messaging cum audio/video call apps. But a promising mess. Or so I hope.
1. Press voice button next to text box on the bottom
2. Say what you have to say
3. Press "Send"
Incidentally and possibly unrelated, the project was abandoned after Microsoft moved their headquarters back into Munich.
Sounds familiar? ;)