I'm actively recruiting volunteer devs for a native Signal / Signal-like client in Gtk, in the hopes that we can bring it to the @Purism Librem 5 phone. Please contact sean.obrien@puri.sm if interested.

PGP/GPG: FA9D 40F1 5FE1 D8AB 8312 4AAA 77E3 1447 CD1F C3F6

@diggity

Anything to do with #Signal do not count with me.

Why not opt for an #open solution, as opposed to an "open" one?

@Purism

@61 @Purism Purism is doing incredible work integrating Matrix as a first-class citizen on the Librem 5 phone and that is our main focus.

Signal serves a "bridging" purpose: users who are currently in the privacy/digital rights space will expect it to run or have to use two phones (making long-term commitment to Purism very unlikely). This is especially true for our early adopters.

We can't tackle network effects overnight and force people into our choice of E2EE client.

@diggity @Purism @61 Are you using Riot.im for Matrix support? Because it needs a LOT of work.

@philippemargery @61 @Purism Signal isn't "bad". In a nutshell:

OpenWhisperSystems / the devs behind Signal made the choice to centralize the service and build identity around the phone number system, instead of doing the federated / decentralized approach.

They did this consciously to encourage widespread adoption without the traditional difficulties associated with a decentralized, multiple-client approach.

That makes it different from approaches by Matrix.org, XMPP, and so on. 1/2

@philippemargery @61 @Purism OWS has had a contentious relationship w/ FOSS devs who want alt. clients/forks of Signal that interop w/ OWS network

From the OWS perspective, it's important to keep the UI/UX consistent; alternative clients degrade the user experience for everyone on the network, and use expensive resources. Security and QC are impossible to verify for apps out of OWS control.

The FOSS-y arguments are familiar, and include the fact that centralization is dangerous for freedom. 2/2

@diggity

As for the OWS perspective, we're going to have to file that under #utterbollocks.

For the record, I have nothing against closed source per se. It's specious arguments, outright lies and #antisocial behaviour that get in my tits. And those are the things that #signal truly are experts on.

@philippemargery @Purism

@diggity @philippemargery @Purism

Just for the record.

* First things first, the #wikipedia advertised “Open Whisper Systems” does not actually exist. Prove me wrong with an official incorporation document.
* The also #wikihyped “Signal Foundation”, AFAICT does not exist either, according to people who should know, namely irs.gov/charities-non-profits/

See next message for what *does* exist…

@diggity @philippemargery @Purism

* Previously, when this guy came up with his previous product iteration, he had set up another #Delaware entity, WHISPER SYSTEMS TECHNOLOGIES, INC. This was in 2011.
* In 2012, a #California #LLC (businesssearch.sos.ca.gov/CBS/) was selling his software on the #apple store (news.ycombinator.com/item?id=8)

@diggity @philippemargery @Purism

The #California entity QUIET RIDDLE VENTURES, LLC is still active (as is the 2011 DE corporation) with a modest income and one employee on file (www.buzzfile.com/business/Open-Whisper-Systems-415-267-1806).

@diggity @philippemargery @Purism
For the Delaware entities, if someone wants to shell out $20 you can get the tax returns which should give an idea to what extent the claims made in #wackypedia and the press are true or not, and where any money has been coming from and going to.

For the “foundations”, please someone publish their articles. And obviously, as for any other private non-profit, their finances.

@diggity @philippemargery @Purism

Not even getting into the technical aspects of it. #Security? Your own phone number as your ID, what could possibly go wrong?

It could be a decent closed source app if it weren't for the #bullshit security #hype.

But given the obvious disparity between the public claims and the hard data that can be found with just a casual search, are no journalists wanting to dig a bit into that? @maxeddy?

@61
Wow. It is indeed intriguing. Thanks for that. What messaging app do you use? My family is fed up with me asking them to change app all the time.... 😂
@diggity @Purism @maxeddy

@philippemargery
#xmpp user since 2001.

I've changed JID (Jabber ID) exactly once, around ten years ago.

@diggity @Purism @maxeddy

@philippemargery @61 @Purism @maxeddy on F-Droid, Conversations.im or Xabber are the popular apps, but there are many: search.f-droid.org/?q=jabber&l

You have to get an XMPP account somewhere first (my preferred method is donating to the FSF!)

@diggity

Conversations will offer to set you up with Daniel's own server (conversations.im) by default, or you can use your own.

This is no different than setting up a new email address though and people manage to do that every time.

Obviously, it's also as good an excuse as any for supporting the great job the #FSF do.

@philippemargery @Purism @maxeddy

@61 @philippemargery @diggity @Purism @maxeddy
What about all the metadata that your XMPP server (and the others you contact) can see and manipulate? I was using Conversations.im but just left it after discovering this.
infosec-handbook.eu/blog/xmpp-

@Gorio

Yes, what about it? That is known as the data at rest problem and is precisely one of the things that makes electronic messaging (and data processing in general) a poor choice from a security standpoint. In practice, your security management policy will determine acceptable risks, implement risk minimisation strategies and put in place appropriate contingencies.

@philippemargery @diggity @Purism @maxeddy

@Gorio @philippemargery @diggity @Purism @maxeddy

That is to say, no serious organisation will knowingly run an inadequately secured server (be it xmpp, email, DB, …) such as what is presented in the link you've shared.

@Gorio @philippemargery @diggity @Purism @maxeddy

From a consumer point of view, the considerations are different: first, what level of security do you need? The best you can expect is to avoid casual disclosure of information, and for that most solutions currently on the market (xmpp, email, and proprietary implementations such as WhatsApp, signal and telegram) are probably ok, if not necessarily at par with their hype.

@Gorio @philippemargery @diggity @Purism @maxeddy
Now, if we start to talk about upping the stakes, you as a consumer will find yourself in a hopeless situation with the huge amount of information a) leaked by modern communication systems and b) captured by anyone who may possibly have an interest.

In this respect, you may find something like a semester course in digital forensics quite enlightening.

@Gorio @philippemargery @diggity @Purism @maxeddy

One last observation, as it occurred to me that some vendors may seek to exploit consumers' very legitimate concerns about mass surveillance: if you are dealing with a loss of trust between people and government, an appropriate response cannot be primarily technological. It must necessarily be social and political.

@Gorio Sorry, I went off on a tangent and didn't see the bit where you say you were actually using Daniel's server.

There is no real technological impediment to admins intentionally or negligently accessing your data. In your case however, you do have the protection of #Germany's strong #privacy laws and efficient enforcement.

While I do host my own #xmpp servers, I wouldn't mind using conversations.im

@philippemargery @diggity @Purism

@61
I really like the concept behind #XMPP, federation is the best way, but I can't recommend it to friends yet because of these things about an admin or an adversary. I can use it but can't recommend it for everyone. I don't believe the capitalist privacy laws too much, I believe more in code. Signal appears to be more efficient at this moment but I would love it if XMPP evolved on these questions.
@philippemargery @diggity @Purism

@Gorio

Err... Do you use #email? Are you registered on any websites whatsoever? Mastodon?

The principle is exactly the same.

@philippemargery @diggity @Purism

@Gorio

There is a fundamental trust problem with #signal, in that there is what they say they do and what they actually do. The difference here is that the main figure behind signal has been dishonest in the past (use Google) and operates in a regulatory environment that does not currently offer an adequate level of protection. Though this may change if California goes through with their new privacy law.

@philippemargery @diggity @Purism

@Gorio @61 @philippemargery @diggity @Purism Most modern #Jabber (#XMPP) clients support OMEMO: end-to-end encryption. I've been using it as my main chat network for 6 months now with e2e, works perfectly!

@stevenroose @Gorio @61 @philippemargery @Purism XMPP is great but we're putting our focus on Matrix as the default and are supporting development of apps for that purpose. We want to see others develop chat clients for XMPP etc for Librem 5.

My interest in Signal is to meet user expectations, as a "bridging" technology... we want the people who buy our phone to use it and not have two phones. Signal may be contentious, but I'd like to see the option (just like a "Conversations.im clone" etc).

@diggity @Gorio @61 @philippemargery @Purism I'm not gonna make the mistake of suggesting a single app with backends for the different protocols... #Pidgin

I understand that you have to prioritize for user demand. Let's hope someone takes up the task of implementing a Jabber client.

@philippemargery @61 @Purism @maxeddy I've actually found Wire to be the lowest friction E2EE messenger, with the friendliest interface, for friends and family in one-to-one conversations (though they have Wire Teams too).

@diggity

So I looked up #wire, a messenger that supports video/voice calls.

Sadly, it has built-in tracking and a number of proprietary dependencies, which is why it's not on #fdroid yet. gitlab.com/fdroid/rfp/issues/1

That said, the developers seem very frank when talking about their software and open to cooperation and constructive criticism. They deserve credit for that.

@philippemargery @Purism @maxeddy

@61 @philippemargery @Purism @maxeddy I'm very much aware of the tracking issues with Wire and have engaged with them directly about it. Basically, if you don't check two boxes about user metrics and stats reports upon first startup, the settings are disabled.

Still, it means you're trusting that the UI is doing what it says it does.

Yes they are very open to working with the community but have a small team... there hasn't been enough support for making a libre version without that code.

@diggity

So the tracking is opt-in? If so, that deserves recognition.

To clarify, I have no issue with tracking per se, provided there is clear and transparent information on what is being sent, a reasonable excuse for doing so, and an easy way to disable it.

Case in point: I do enable #Nextcloud's usage report and, back in the day, #Debian's. Both allow you to review the payload.

@philippemargery @Purism @maxeddy

@diggity

It is an improvement over the usual behaviour but still clearly not adequate.

@philippemargery @Purism @maxeddy

@61 @philippemargery @Purism @maxeddy "Your own phone number as your ID, what could possibly go wrong?"

I agree, but this is also why it's been adopted so widely, so quickly. The app just bootstrapped onto address books already in phones. Sure, Kontalk would be better, but it doesn't have the critical mass of users to keep people in the network, which is something Signal picked up very quickly via hype, as you said.

f-droid.org/packages/org.konta

1/2

@61 @philippemargery @Purism @maxeddy As for the 501(c)(3), it's probably taking time to set up (I've been involved in one org that made the transition and it is not fast). We'll see what happens with that; it sure is premature to announce with a website if there's no foundation yet.

But I don't think it's a scam.

There is this filing from 2016, which may or may not be the same people: frama.link/UhcVjfPR

XMPP is great, Matrix is great, we're investing heavily in the latter at Purism.

@diggity

What I find unbelievable is that some bloke says "I have 50 mill and a foundation!" and everyone goes to print with that. Is it really that difficult to ask a pertinent question or two, do a little research?

I do not think it is an outright scam either, but we've seen in the past that you can only trust this guy as far as you can throw him.

@philippemargery @Purism @maxeddy

@diggity

Just been able to check the link you provide. I saw it the other day, but those are these guys: signalwirelesstrust.com/

@philippemargery @Purism @maxeddy

@diggity

There is no problem with using phone numbers as user IDs or making the onboarding as simple as possible so that you can get more customers.

The problem is doing that while hyping (but carefully avoiding making any explicit claims, let the journos do that) your app as the last word on secure communications.

@philippemargery @Purism @maxeddy

@61

Hi there. I'm not clear on what you're claiming about Signal. Its initial release as RedPhone and TextSecure, as well as it being briefly pulled from the app store in 2011 when Marlinspike took a job at Twitter, may be throwing off your research. The Signal Foundation announcement wasn't made until earlier this year. (signal.org/blog/signal-foundat)

@maxeddy
What I am pointing out is that the public statements do not square with the facts. Why are they being obtuse as to who is behind it? Open Whisper Systems doesn't exist, as we have seen. It's not even declared as a DBA name for the company that they started earlier this year. Back when you could still see owner information in whois, the domain records for signal.org led to a block of flats in the Canary Islands, etc.

Too much trust, too little verification going on.

@61 I've been in contact with the devs over the years, and they've given interviews to other publications as well. The code appears on Github (granted, that's not my expertise) github.com/signalapp. The TOS lists the company as Privacy Signal Messenger, LLC and an address in CA. I've seen a few researchers find issues with Signal, which have been addressed. To me, it's been nothing but on the up and up.

@maxeddy
Do you have an entity number for "privacy signal messenger, llc"?

And what exactly is the legal personality of "Open Whisper Systems", which appears on the github repo as the copyright holder for 2013-2017 and to whom (since January 2016) contributors assign copyright according to signal.org/cla/?

@61 @philippemargery @Purism my guess on this is that it's still incorporated as "Whisper Systems".

@diggity

> encourage widespread adoption without the traditional difficulties associated with a decentralized, multiple-client approach.

Ah yes, that insurmountable problem that stopped #RFC822 adoption dead in its tracks back in the day.

Not a commercial strategy at all, you understand. 🙄

@philippemargery @Purism
