People constantly ask why I refuse to use Signal.

I have been meaning to do a detailed write-up for this; however, in researching for it I discovered this post, which covers several of my biggest issues well.

@lrvick it's hard to reconcile the incremental improvements of easy-to-use applications with the difficulty of migrating groups of people. Not to mention how difficult it is to convince people to care about privacy/security. When Elon says "use Signal" and people follow blindly, it looks more like a marketing issue. FOSS doesn't have a marketing budget.

@Inpharmaticist I literally spent a good chunk of a podcast I did yesterday saying the biggest problem with FOSS is they don't have marketing budgets.

I am starting to understand it is critical to get funding for OSS projects to do exactly that.

Giving that a shot with my own projects now...

@lrvick a big chunk of these seem to be petty issues that wouldn't affect Signal and its security.

1. Signal Foundation owns the only keys that sign the only client binaries allowed on their network, which in turn control the keys that encrypt all messages.

2. Signal Foundation owns the only keys that encrypt all metadata in a centralized and weak SGX enclave.

3. Signal Foundation owns the central network infra that has plaintext access to all TCP/IP metadata.

Those are pretty serious security and privacy issues.

What happens if someone at the foundation is pressured?

@lrvick oh damn, I didn't see those mentioned in the article.

Also, looking at some of the cited stuff, this guy is a dick.

@lrvick @Crylo I had never heard of any of this before; that's interesting and I'll definitely be researching more (not least because it's way too technical for me at this stage, I'll be honest). Do you know of any chat apps that might be better than Signal in your judgement?

@lrvick @Crylo

1. Means it's a good idea if someone(tm) would regularly check the Play Store app against a reproducible build from the open source repo.

2. The SGX enclave indeed is a weak spot. But they are using it for metadata encryption that others are not even trying to do, so I guess it's still best effort ...

3. So does every other service, your provider and any switch in between you and your partner. Is there an alternative, except blind broadcast floods, to layer 2 metadata exposure?

@Chaos_99 @Crylo 2 the damage and risk of abuses in #2 and #3 are spread with a federated server where no one party gets the full picture of the network.

As a user you can even spin up your own server for extra privacy. The smaller the targets, the better.

E.g. if you set up a home server for your family and your family is on that server, then no third party is getting chat metadata revealing when your family is home or remotely talking to you.

@Chaos_99 @Crylo the reality is that the complex SGX security theater is the best attempt Signal has to say centralized services can avoid bulk user tracking, but this is smoke and mirrors.

Small targets outside the control of any one party are much simpler and more effective.

@Chaos_99 @Crylo as for someone checking the play store build... F-Droid offered an entirely alternate build and release channel to remove the SPOF of #1 and add reproducible build accountability.

Moxie refused saying he wants the centralized tracking Google Play offers and doesn't want any clients in the wild not signed by his key. :/
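An added example, not code from this thread or from the Signal project, of the check @Chaos_99 asks for above: comparing a store-distributed APK against a locally reproduced build. The two are signed with different keys, so only the signature files under META-INF are expected to differ; every other entry is compared by hash so a mismatch names the exact file. The APKs below are constructed in-memory zips, and the entry names are assumptions.

```python
"""Compare two APKs entry by entry, ignoring only the signing metadata.

Added example (not the thread's or Signal's own code). A locally
reproduced build and the store APK are signed with different keys, so
their bytes never match outright; what should match is every entry
except the v1 (JAR) signature files under META-INF. The v2/v3 APK
signing block sits outside the zip entries, so ZipFile never sees it.
"""
import hashlib
import io
import zipfile

# JAR-signature artefacts that legitimately differ between two builds.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(store_apk: bytes, rebuilt_apk: bytes) -> list:
    """Return sorted names of entries that differ, are missing, or are extra."""
    a, b = entry_digests(store_apk), entry_digests(rebuilt_apk)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def make_apk(entries: dict) -> bytes:
    """Build a constructed in-memory zip standing in for an APK (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: same code, different signing key -> no differences.
    common = {"classes.dex": b"dex\x00same code", "AndroidManifest.xml": b"<manifest/>"}
    store = make_apk({**common, "META-INF/STORE.RSA": b"sig-a", "META-INF/MANIFEST.MF": b"a"})
    rebuilt = make_apk({**common, "META-INF/LOCAL.RSA": b"sig-b", "META-INF/MANIFEST.MF": b"b"})
    print("differences:", apk_diff(store, rebuilt))  # differences: []
```

On real files, read both APKs with `open(path, "rb").read()` and pass them to `apk_diff`; an empty list means the store binary matches the source you built, signature aside.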

@lrvick @Chaos_99 @Crylo the geekproblem mixed with #NGO thinking, but it is #4opens, so on balance, please criticise this: they need to make their tools work for normal people. I just failed to get 4 people signed up to Jabber chat, for example. Could go on for hours on this issue. Please think about this for a moment :)

@Hamishcampbell @lrvick @Chaos_99 @Crylo

Thinking of "normal" ppl as a class of ppl with inferior knowledge and skills IS elitist thinking. It leads to taking decisions for them.

Thinking of "easy"/"user-friendly"/etc. leads to making compromises, by forcing choices on ppl, often to justify weakening privacy.

Comforts elites, while avoiding asking "what do we do wrong? what can be improved in ways we share knowledge + joy of learning?"

Had 100x examples of noobs learning jabber when stakes were high.

@jz @lrvick @Chaos_99 @Crylo hmm, this goes both ways, you understand. You are arguing that a tiny subculture (less than .0001%) can shape the #openweb experiences for the rest, the 99.999% of the people. Which one of these groups is the elitist? Worth a moment's thought?

@Hamishcampbell @lrvick @Chaos_99 @Crylo I never mentioned shaping anything homogeneously (where does this 99.999% come from?).

Just my personal reasons to NOT use Signal AND my belief that thinking in terms of "dumb/normal users" is an excuse for the unjustifiable.

Also mentioned my personal experience, and things around me: 100s of journalists, activists, etc. who got convinced AND trained + accompanied in using jabber+OTR when it was needed.

"Easy to use" complex things are ALWAYS a trap imho.

@Hamishcampbell @lrvick @Chaos_99 @Crylo

Just imagine this reasoning, but not applied to tech:

"Learning a language is TOO COMPLICATED for 'normal ppl'. So instead of learning a language, learn an 'easy language' designed just for ppl like you." What could go wrong?

Or "Understanding a complex contract is TOO COMPLICATED for 'normal ppl', don't bother, leave everything to me, when I tell you it's OK just *sign here*" :)

This would sound dangerous/suspicious, right?

@Hamishcampbell @lrvick @Chaos_99 @Crylo

Politics: "reading all these programmes/platforms is TOO COMPLICATED. Just see how this person's smile is beautiful and vote!"

Food: "Understanding where all the ingredients in this industrial product come from, how they were processed and what they contain is TOO COMPLICATED. Just eat the shit.."

In all cases, if ppl don't make the actual effort of learning and understanding by themselves, they get screwed over and enable harmful patterns.

@jz @lrvick @Chaos_99 @Crylo

We live in a complex social world.

If we went your direction, at speed where you would notice the change, billions of people would die in the first 6 months.

Please reread the first sentence before replying, then the paragraph after it twice; then, in good judgment, you can be a power-mad technocrat and kill all these billions of people for your desired world view.

Or make a cup of tea.

@Hamishcampbell @lrvick @Chaos_99 @Crylo

OK you got me with the "your opinion will make billion people die" argument!!! ;))))

I make tea anyways...

@jz @lrvick @Chaos_99 @Crylo

Am having tea and cake :)

The billions of people are in the first sentence. I am taking your point of view and expanding it out to the rest of the world, as you do yourself.

Yes, it's a balance between complexity and 'KISS'. I am building a project based on the second but with a strong drag from the first; my comment is about the drag.

Tea solves all issues :)

@jz @lrvick @Chaos_99 @Crylo

On this one, for #indymediaback, which is a #KISS outreach project, we decided to go for Jabber as it was the right fit for a federated network. BUT the project overall would be much easier if we had chosen Signal, as everyone and their dog is moving there now.

All choices are complex, especially the simple ones; keep it #KISS.

@jz @lrvick @Chaos_99 @Crylo

If anyone is interested in helping out with the hand-holding outreach for Jabber and #indymediaback, you can sign up and get involved here. The world only changes if you push as hard as you can for the change you want (and likely compromise for the change you get).

@lrvick @Crylo

I agree that I very much would prefer a federated solution, and I think most of the arguments for centralization are quite arbitrary and aren't really exclusive to centralized solutions.
But comparing currently available messengers with large user bases, sadly none is federated.
Matrix is the best contender there, but it's still quite a bit away from being usable for non-technical folks.

@Chaos_99 @Crylo what is missing to make it usable?

You create a user/pass, type in a box, hit send.

Am I missing something that makes it harder than slack?

@lrvick @Crylo
Matrix? For a start, it used to work with just a name; now it asks for 'signing in' and 'creating an account', which raises the bar for someone who just wants to check it out. (Once a very nice feature of Matrix: IRC-like, you could just join without an account.)
Then, if you don't save a backup of your encryption key somewhere and log out, you've burnt your whole account. Manual key handling and backup is not something I can explain to my 75+ year old parents.

@Chaos_99 @Crylo the reference server, given its large size, does not enable guest access anymore, given the expense and abuse potential IIRC.

Many smaller servers enable guest account access still though. This is a feature each admin can decide on.

Also, how do your 95yo parents keep track of their SSN? Paper, right? The Matrix backup key could be stored on paper too.

@Chaos_99 @lrvick @Crylo

My main reasons for NOT using Signal (summary):

I'd favour anything that allows creation of numerous random/disposable accounts AND stores contact information... over something that (pretends only to) not store contact information (while running on Amazon infrastructure, enabling others to access the RAM...) while forcing you to use a strong selector (phone #) for an account.

Especially when it comes to *recommending* something to others..

@lrvick @lazarski Some genuine questions from a Signal user who also has his own Matrix Server. 1) The article says "In fact, there are no third-party applications which can interact with Signal users in any way." You can bridge to Signal from Matrix, can't you? 2) Re: Centralisation. Yes, matrix federates, but in reality aren't most users on matrix's own servers? 3) For most lay ppl, impacted by the network effect, isn't Signal still the best option?

@lrvick I currently use Signal because, on the plus side, the client is open source. (The Android client also acts as the default SMS client, which is nice.) However, I am planning on moving across to a federated solution (the main drawback) using Matrix. Soon. When I get the time.