Link to article from main Lemmy❤️ developer about Signal privacy. Mostly fair points. I kinda distrust so centralized services but basically we have no other options (Matrix is buggy in many aspects). What can you say about this article?

  • Melpomene@kbin.social
    link
    fedilink
    arrow-up
    76
    arrow-down
    10
    ·
    1 year ago

    This is posted relatively often, and every time it is posted I feel compelled to note that said dev has not articulated any real reason to consider Signal insecure beyond an implicit conspiracy theory with no real meat to it.

    “Signal’s use luckily never caught on by the general public of China (or the Hong Kong Administrative region), whose government prefers autonomy, rather than letting US tech control its communication platforms, as most of the rest of the world naively allows.”

    When you’re holding up China as an example for the world to follow for privacy, I have a hard time taking ANYTHING else you’re claiming seriously.

    • 133arc585@lemmy.ml
      link
      fedilink
      arrow-up
      27
      arrow-down
      1
      ·
      edit-2
      1 year ago

      “Signal’s use luckily never caught on by the general public of China (or the Hong Kong Administrative region), whose government prefers autonomy, rather than letting US tech control its communication platforms, as most of the rest of the world naively allows.”

      When you’re holding up China as an example for the world to follow for privacy

      I interpret that quote to say that China doesn’t trust US tech like the rest of the world does. It’s not saying that China has more privacy and the rest of the world should follow, it’s saying that the rest of the world also shouldn’t be so naively trustworthy of US tech either.

      • Matricaria@feddit.de
        link
        fedilink
        arrow-up
        5
        arrow-down
        2
        ·
        1 year ago

        I don’t think the problem is that China doesn’t trust the US but rather that China wants to spy on their citizens.

        • 133arc585@lemmy.ml
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Ok then you’re wilfully misreading the quote. That quote is not cryptic in the least. I have no clue why the parent comment is framing it as “holding up China as an example for the world to follow for privacy”. It doesn’t follow from the quote in any way.

      • Melpomene@kbin.social
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        1 year ago

        And they offer no reasonable basis for distrusting Signal, the tech that they attempt to vilify. Given said dev’s past comments, it is reasonable to infer that the reference to China presents them as an example to be followed here.

        • 133arc585@lemmy.ml
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Ok, two things are happening here.

          they offer no reasonable basis for distrusting Signal, the tech that they attempt to vilify.

          One, is that they did provide what they considered reasonable basis for distrusting Signal. Given that they thought Signal should not be trusted, the quote you posted is pretty obviously to be interpreted as: thankfully China hasn’t naively adopted a compromised communications platform with a USA intelligence backdoor. Now, if you want to say their basis for distrust is not reasonable, or is false, that’s completely fine. But in doing so it doesn’t change the author’s intent behind the quote which you posted.

          Given said dev’s past comments, it is reasonable to infer that the reference to China presents them as an example to be followed here.

          Two, is that it should be pretty clear they are saying China should be followed here in a very specific and explicit way: they aren’t saying follow China in every way under the sun. It’s very obvious from context and from what is explicitly said that they mean: China’s distrust and refusal to adopt (what they consider) a platform with USA backdoors should be followed. And I think that’s an entirely reasonable statement to make. No one should naively adopt compromised communications platforms.

          There is no honest reading of the quote (especially given the rest of the context of the essay leading up to the quote) that could lead someone to conclude that this particular essay is (1) advocating for and supporting China spying on its citizens and (2) advocating for other countries following China in spying on citizens. It’s pretty obvious the only honest reading of this is: “I believe Signal has USA backdoors. Given that, I’m glad China hasn’t adopted its use heavily. I also think other countries should follow China in not naively accepting such technologies”.

          Again, you can disagree with the foundational reasons for distrust, and that could be very useful. But painting the essay and quote the way you (and others here) are is just intellectually dishonest. Disagree with what is actually said, not with what you imagine (or wish) was said.

          • Melpomene@kbin.social
            link
            fedilink
            arrow-up
            1
            arrow-down
            3
            ·
            1 year ago

            Key of the previous comment is reasonable. One might as well say that Trump provided a reasonable basis for denying the election results, or that climate deniers are being reasonable in denying the wealth of evidence supporting the idea of man-made climate change. If we’re willing to reject abjectly idiotic claims in one case, we should be rejecting them across the board whether we like the politics of the person in question or not.

            TL;DR: The author is engaging in agenda driven conspiracy porn which they know or should know is false. As such, it is reasonable to assume that they’re either willfully ignorant or acting in bad faith.

    • ᗪᗩᗰᑎ@lemmy.ml
      link
      fedilink
      arrow-up
      21
      arrow-down
      1
      ·
      1 year ago

      100% agree. I appreciate the guys work on lemmy and the jerboa (the android app) but he’s got some weird ideas.

    • Tangent5280@lemmy.world
      link
      fedilink
      arrow-up
      18
      arrow-down
      4
      ·
      1 year ago

      Yeah that china comparison majorly derails this argument. When I read it earlier I just glossed over that but now it stands out like a sore thumb.

      I don’t know what to think about signal anymore. I suppose as laymen we are pretty much non-players as far as the interest of government groups go, but still I suppose I need to learn a lot more about privacy best practices and threat assessment because some of the article was just difficult.

      • Melpomene@kbin.social
        link
        fedilink
        arrow-up
        13
        arrow-down
        1
        ·
        1 year ago

        TLDR, the thought is that the USA is spying on users of Signal because some early funding came from the US government. But the evidence suggests not; indeed, governments worldwide are targeting Signal et al because they don’t LIKE that they can’t just demand access from providers.

      • Calzone8585@lemmy.ml
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        I dunno if Moxie Marlinspike is still behind Signal, but I’ve met the dude. He eats, sleeps, and shits privacy.

    • !ozoned@lemmy.world@beehaw.org
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      I don’t agree with the Lemmy dev and won’t read his stuff, but I also stopped using Signal years ago. First they won’t allow third party appa or self hosted servers, then they got into Crypto and were building a wallet and currency, which is their right, then they announced a proprietary closed source part of their application that can’t be auditted in the name of fighting spam. Yes there’s a blog post out there about it that they themselves posted and no I can’t look it up atm. I’m personally tired of sacrificing privacy for the name of security so I left.

      I moved to Matrix and Element. I have my entire family on it, all nontech folks except me, and none of them have any issues. We use it for text and video constantly and have for years. It’s gotten very intuitive.

      To each their own, but Signal isn’t the bastion of free open source privacy anymore imo.

    • FarLine99@lemm.eeOP
      link
      fedilink
      arrow-up
      14
      arrow-down
      8
      ·
      1 year ago

      He said it long time ago, is he still, maybe it is pr for money, we don’t know 🤷

        • 133arc585@lemmy.ml
          link
          fedilink
          arrow-up
          18
          arrow-down
          2
          ·
          1 year ago

          Snowden doesn’t make any public statements any more without express permission from the Russian government.

          Can you provide sources for this?

          It might make sense for him to self-censor to avoid angering one of the few places that are allowing him to stay but even that’s not a given: if he felt something needed to be said badly enough, he’s shown to be the type of person who would rather something be said and take the repercussions on the nose than to leave something unsaid.

          • Shit@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            5
            ·
            1 year ago

            I mean he fled the country to not deal with the repercussions of what he said? Self censoring speaks volumes.

            • 133arc585@lemmy.ml
              link
              fedilink
              arrow-up
              8
              arrow-down
              2
              ·
              1 year ago

              Can you provide sources for this?

              The source is that Russia murders its own oligarchs the second they fall out of Putin’s favor, and ships anyone who holds up a blank sign in protest of the regime gets shipped off to the front lines. No way that man would survive a second if he ever went against the party line. Which means he hasn’t done so.

              A simple no would have been sufficient. I’m not interested in baseless speculation. I had hoped you had actual evidence, which would intrigue me greatly. As it is, I have someone’s imagination put to paper.

              If I were him, I’d get on the next plane to the US and happily spend the rest of my life in Leavenworth rather than allow myself to become a propaganda tool for a bunch of genocidal fascists.

              He’s not saying anything. He’s not being a propaganda tool. You can make a rather weasily attempt to say his not denouncing something is in essence supporting it and thus being a propaganda tool, but that’s a stretch and rather disingenuous.

        • figaro@lemdro.id
          link
          fedilink
          arrow-up
          8
          arrow-down
          1
          ·
          edit-2
          1 year ago

          All of these comments are completely off the rails. He informed us about one of the largest violations of privacy in the history of mankind. For that, he had to go on the run. He ended up in Russia, but not by choice.

          If he wants to retire there and just keep his mouth shut, he should have our fucking blessing. The one thing he did was bigger than anything we could ever hope to accomplish lol.

        • Rose@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          5
          ·
          edit-2
          1 year ago

          I wouldn’t go as far as to say he asks for permission, but it’s very clear that he is effectively a Russian propagandist now that he’s choosing to be left alone in exchange for focusing on bashing the US and being quiet about Putin’s regime even despite the invasion.

    • ErevanDB@lemmy.zip
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Though it is REALLY hard to get the data of what was sent, or who it was sent to, as they’d have to get inside your pc, log in, unlock signal and hope you don’t have disappearing messages.

      • ReakDuck@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Except you installed Signal on your PC, if not encrypted, its pretty easy to get all messages that are synced from the day you setup the sync with your phone.

        Except you use a Luks encrypted device or somethinf similar. Bitlocker failed way too many times in history to be actually secure.

  • Midnight@slrpnk.net
    link
    fedilink
    arrow-up
    20
    ·
    1 year ago

    I think a lot of these points have been made better elsewhere.

    The extended discussion of hypothetical US interference just because of a tenuous chain of connection to the CIA is just typical US-badism. The US frequently funds tools which they think further geopolitical goals and this doesn’t inherently mean its untrustworthy, just that their methodology of control is more resilient to uncensored speech; the best example of this is TOR, decentralized, anonymous, and created by Naval Research and DARPA. The author can’t concede this point as it’d bring up they’re unsubtly simping for a different colonial power, one who does require such censorship.

    Signal’s centralized nature has always been a major criticism (and it’s reasonable), however as a trade off it’s easy to on-board the tech illiterate. It’s nontrivial to set up a Matrix server and I’ve seen the difficulty of migrating activist groups there. It’s good as a long term goal, but one also has to recognize that a person struggling with housing has different concerns and will prefer to use whatever their friends and family do.

  • elouboub@kbin.social
    link
    fedilink
    arrow-up
    17
    arrow-down
    1
    ·
    1 year ago

    I’m just waiting for the EU’s Digital Markets Act (DMA), that requires interoperability between protocols (messenger, whatsapp, that apple thing, signal, matrix, etc., to kick in. Once that happens, I’ll take a closer look at matrix.

    Matrix is also being rewritten in Go and one day, they’ll hopefully support decentralised identities (aka your identity isn’t tied to a server). When both are implemented, I think they’ll be superior to many things out there.

    As to the article: yawn. Proof is lacking everywhere and the “it requires a telephone number” argument just keeps cropping up. Without a telephone number, what is the best way to discover your friends and family on a new network? If someone can respond with a viable alternative that doesn’t involve sending a message to everybody over some insecure medium, I’m all ears.

    • mb_@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      1 year ago

      As much as I love and follow matrix closely, I can’t fully trust developers who aren’t capable of deploying SSO in their product (look at dendrite mess). Unfortunately, following their SSO ticket chain was a mess and disappointment.

    • FarLine99@lemm.eeOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      Matrix evolution is REALLY cool. Can’t wait for new mobile clients because old have problems with notifications on iOS devices (relatives are using them).

  • cjf@feddit.uk
    link
    fedilink
    arrow-up
    15
    arrow-down
    2
    ·
    1 year ago

    In January 2021, after WhatsApp, the most popular messaging app in the world, became acquired by Facebook, and announced its sharing of data with its new parent, Signal became the top downloaded app in > 70 countries.

    Errr…

    WhatsApp was acquired by meta back in 2014.

    2021 was when WhatsApp released updated terms of service that allowed them to connect to Facebook servers and share the data they needed/wanted to.

    This article seems like the average low effort hit piece against signal that keeps on popping up.

    I still think signal is the easiest messaging app out there for the average user to gain a little more privacy in their digital lives.

  • Kekzkrieger@feddit.de
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    I disagree with a lot of things in this message, a server will always know who communicates with whom and when, because it needs to deliver these messages.

    We know that Pegasus can infect any device without anyone really noticing and fully taking over. No message service could ever get around that meaning that as long as you use a phone you could always be the target of surveilance.

    That means there is an inheritated problem with privacy on phones because no matter what a app will never be safe.

    End to end encryption just ensures that there wont be a party constantly monitoring all data and enable mass surveilance.

    In theory they infected everyone with Pegasus send the traffic somewhere whwre they could analyze that traffic.

  • JoeKrogan@lemmy.world
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    https://www.politico.eu/article/eu-commission-to-staff-switch-to-signal-messaging-app/

    The EU commission who are actually targets of nation states recommend to switch to signal. Also it was tested in court and the data wasn’t there to give.

    If you are a target they will go for the weakest link either hack the device or they will go for the other participants device to get the conversation there. They don’t need to break the encryption.

  • TCB13@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    Watch out… last time I liked to this article people started to say that I was spreading misinformation…

  • birdcat@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    Many great answers in here but can someone address this point?

    Signal could very well be another Crypto AG-style honeypot: the Swiss company which provided secure communications services to ~120 governments throughout the 20th century, and was secretly ran by the CIA and West German Intelligence.

    • FarLine99@lemm.eeOP
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      I think if we assume that we run on our devices code that is public we are safe (without additional built in things, backdoors). This code is checked many times so it is good. If you use Android you can use some forks of official Signal client (Molly, Signal-FOSS) and be safe 🙂

    • BitSound@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      i.e. Matrix with the client of your choice, if anyone’s confused, they both speak the same protocol

  • Evoke3626@lemmy.fmhy.ml
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    I personally recommend Session. Which is like signal but better. It is 100% zero user knowledge with no accounts emails or phone numbers. It just goes “here’s your ID have fun” and that’s it. Love it.

    • ᗪᗩᗰᑎ@lemmy.ml
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      Sessions developers dropped Signal’s Perfect Forward Secrecy (PFS) and deniability [0] security features. Personally I would not trust a product that drops an end-user security feature for the sake of making the developer’s life easier [1] .

      Using existing long-term keypairs in place of the Signal protocol massively simplifies 1-1 messaging.

      For those unaware, PFS protects your data/messages from future exploits and breaches. With PFS, each message’s encryption is isolated, preventing compromise of current and past interactions [2].

      A simple example to illustrate why PFS is beneficial. Lets assume any 3 letter agency is collecting all Signal/Session messages - on top of the tons of data they’re already capturing. The great thing is that your messages are encrypted, they can’t see anything - YAY - but they’re storing them basically forever.

      Two ways they may be able to compromise your privacy and view ALL your messages:

      1. A flaw is discovered that allows them to crack/brute force the encryption in weeks instead of years/decades/eternity. If you were using Sessions, because you use the same key for every message, they now have access to everything you’ve ever said. If you were using Signal, they have access to that one message and need to spend considerable resources trying to crack every other message.

      2. Your phone is compromised and they take your encryption keys. If you were using Sessions, this again gives them access to your entire message history. If you were using Signal, because the keys are always rotating (known as ephemeral) they can only use them to unlock the most recent received messages.

      It’s important to state that both cases above only really matter if you delete your messages after a certain time. Otherwise, yes, all they have to do is take your phone and get access to your entire message history - which is why ephemeral messaging (i.e. auto deleting messages after a certain time) is crucial if you suspect you may be targeted.

      [0] https://getsession.org/blog/session-protocol-explained

      [1] https://getsession.org/blog/session-protocol-technical-information

      [2] https://www.signal.org/blog/advanced-ratcheting/

    • FarLine99@lemm.eeOP
      link
      fedilink
      arrow-up
      5
      arrow-down
      2
      ·
      1 year ago

      Calls are in beta and buggy. Lacks features, translations. Good concept but not mature realization.

  • Lengsel@latte.isnot.coffee
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    If someone wants to use Sigbal without Google dependancies, have a look at Molly.

    Does anybody know what’s happening about Signal creating usernames to add people instead of numbers?

          • Lengsel@latte.isnot.coffee
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I’m a big fan of the concept of Obtainum, but to insure anonymity with apps, Obtainum is not an option due to not knowing if apps use GCM or Firebase, that’s why F-Droid is safer because of removing any dependencies or not allowing an app like native Signal, because of it’s dependencies, that’s why I suggested Molly app as a safer modified version of Signal.

        • FarLine99@lemm.eeOP
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          It’s latest release matches with latest release from GPlay so it is not abandoned in any way. Look at version-FOSS branches, not main (it was not updated a year already).

  • Tangent5280@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    What’s the argument against allowing anyone to host their own signal server? I mean, the code is open sourced, why not allow people to set up their own servers too?

    • BarbecueCowboy@kbin.social
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      The argument from Signal seems to be that they don’t want to expend resources supporting it or potentially federating with them. They do seem to have past experience doing this with CyanogenMod, and it sounds like it went poorly.