#Signal turning into a crypto-ponzi currency scheme?
- isn't really free/libre software (as Moxie denied freedom to redistribute modified version)
- would *never* federate (political choice of centralization)
- updated server software wasn't published
- invaded people's phonebooks
- runs on Amazon+NSA's infrastructure
- is virtually impossible to use out of Google's infrastructure -
...didn't seem to be enough to alarm Signal users.
AH also forgot what is probably the most important from a privacy/information-security perspective:
- impossible to use without a *phone-number*!
Now the true objective of all these political choices (strong identifier + centralization + control of the distribution, etc) becomes clear: there is a financial interest to keep the users captive, to get rich with ponzi-crypto....
... well done, Moxie, many of us didn't see it coming! :)
@jz Sadly for regular people, it's the only option beyond whatsapp
It's basically the only one with a clean UI and E2EE that is on google play afaik
I use Element with many friends, both those proficient and non-proficient with technology. It was a bit of a pain at first, but now it works smoothly.
The fact that it pretends to "just work" is horrendous with a "multiple devices" model activated by default.
Think about it: Matrix/Element will accept new keys/devices without even asking, thus encrypting for 2, 3,.. 15 keys, that the user doesn't have to verify! The attack surface is immense!
"multiple device" model is a rich kid's dreams.. not really a feature for strong privacy. sad default :/
(paraphrasing Franklin) “Those who would give up essential privacy to purchase a little temporary comfort, deserve neither privacy nor comfort.”
making tech choices based on comfort, "user-friendliness", "ease", etc. because "the users"/"normal people"/etc. are allegedly "stupid", can't learn and we know what they really *want*, right?... is always wrong imho.
have seen some UI (but only valid for short term keys) that tell the user:
"say 'XBZ', they say 'ZWP'" as short hashes-of-hashes of keys pronounceable at beginning of a session. It can be done with emojis also.
What it requires is not as much UI work as collective knowledge-building (hate to speak of "education" that is usually top-down) about the value (mostly political) of doing key verification.
btw #Signal kept pushing key verification further away in its UI...
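The spoken short-code check described above, as an added example that is not part of the original post: both key fingerprints are hashed together with a session id, and each side reads out one three-letter half. The alphabet, the `sas-demo-v1` label, the function names and all sample values are assumptions made for illustration.

```python
import hashlib

# 24 letters; I and O are left out because they are easy to mishear or misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"

def fingerprint(public_key: bytes) -> bytes:
    """Inner hash: a fixed-size fingerprint of one public key."""
    return hashlib.sha256(public_key).digest()

def _letters(chunk: bytes) -> str:
    """Map 4 bytes to 3 letters (the modulo bias is negligible for a demo)."""
    n = int.from_bytes(chunk, "big")
    out = []
    for _ in range(3):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def short_codes(initiator_key: bytes, responder_key: bytes, session_id: bytes):
    """Outer hash over both fingerprints and the session id.
    Returns (code the initiator says, code the responder says)."""
    digest = hashlib.sha256(
        b"sas-demo-v1" + session_id
        + fingerprint(initiator_key) + fingerprint(responder_key)
    ).digest()
    return _letters(digest[:4]), _letters(digest[4:8])

def verification_passes(initiator_view, responder_view) -> bool:
    """Each side reads out its own code and compares what it hears with the
    code it computed locally for the peer. Both comparisons must succeed."""
    return (initiator_view[0] == responder_view[0]
            and responder_view[1] == initiator_view[1])

# Constructed sample values, not real keys.
SESSION = b"constructed-session-0001"
ALICE_PK = b"constructed-alice-ephemeral-public-key"
BOB_PK = b"constructed-bob-ephemeral-public-key"
SUBSTITUTED_PK = b"constructed-key-inserted-by-a-relay"
# Honest session: both sides hold the same pair of keys.
honest_alice = short_codes(ALICE_PK, BOB_PK, SESSION)
honest_bob = short_codes(ALICE_PK, BOB_PK, SESSION)
# Substituted session: each side was handed a different key for its peer.
tampered_alice = short_codes(ALICE_PK, SUBSTITUTED_PK, SESSION)
tampered_bob = short_codes(SUBSTITUTED_PK, BOB_PK, SESSION)

if __name__ == "__main__":
    print("honest:  ", honest_alice, verification_passes(honest_alice, honest_bob))
    print("tampered:", tampered_alice, tampered_bob,
          verification_passes(tampered_alice, tampered_bob))
```

A three-letter code only holds up when keys are short-term and fixed before the codes are computed; protocols such as ZRTP add a hash commitment for that reason.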
"We store your code encoded so we can't read it. You send it to you 'as is', and you need another secret code (a password) to decode it. In order to protect your privacy from permanent record, it must actually be secret and difficult to guess by computers, which means it will be difficult to remember. However, password managers take care of this: you only need to remember a single password. Alternatively, you may chat without using the internet (by writing a letter, or by scheduling a meeting)."
YES. now apply this to language:
"Oh learning how to read is just *boring* and takes too long. + i am not a _language expert_....
Just hand me this piece of paper you call contract already and i'll sign it!"
would be shocking right? everybody understands the value of spending 100s hours learning how to read and write.
it's a question of social+cultural+political perspective, not that ppl would be inherently more "stupid" than tech-elite (that had privilege to learn..)
I don't believe in the myth of "regular people":
- it's elitist and classist, and used by tech-elite to justify not doing efforts to teach; denying others' agency and ability to learn;
- it's wrong: i have witnessed 100s of journos and activists just LEARN "complicated" technology (tails+OTR+GPG, etc.);
- it justifies to take decision FOR the users, assuming that all face the same risk;
- it negates the political nature of tech choices, reading them only from comfort/easy angle.
@jz I guess it's a poor wording, I didn't intend to sound elitist, what I mean are people such as my parents who would be willing to use something more private, but don't want to have to learn any more technical knowledge
@SigmaOne there can only be poor wordings: "normal users", "noobs", "non-tech ppl", "my parents", "my wife", etc. it's *always* the same pitfalls i described, i think...
Your parents learned complicated things in their lives: to read, to write, maybe to drive and/or a technical job, etc.
Assuming tech things could "just work" without needing to learn anything is wrong, only favours domination.
Imagine someone saying "you don't need to learn how to read, just sign here". would you trust them?
@Fritange @jz @SigmaOne Delta.Chat is 100% free / libre software.
It comes with a user-friendly interface.
It ciphers every communications between two Delta Chat clients.
It relies on emails, a somewhat famous software federation.
hmm. it is based on protocols (SMTP/IMAP) that were never thought for privacy/confidentiality, that inevitably leave traces of metadata on multiple points of the network, and can (as a default!) send unencrypted messages.
+ the question of account creation is left to the user, and in most cases it's rather hard to get free email address without leaving identifying traces, thus pushing the problem of identification under somebody else's carpet.
not my 1st choice :)
@jz @Fritange @SigmaOne Seeking free email addresses looks like a trap for me. The good relation with a service provider is to be the client, paying for the service. If it's free, you're the product, sold to real clients.
So I recommend to get a domain for less than 10€/year and to use the email address packaged with it.
At some point, freedom comes with a cost when others are involved.
Then, Delta.Chat doesn't produce "perfect" forward secrecy. Ok. So What else ? (I'm using it meantime).
yep. meta-data is the *real* data, in most cases!
"We kill people based on metadata" - (then) General M. Hayden https://www.techdirt.com/articles/20140511/06390427191/michael-hayden-gleefully-admits-we-kill-people-based-metadata.shtml
@jz @matiu_bidule @Fritange @SigmaOne
So, what about Briar ? https://f-droid.org/en/packages/org.briarproject.briar.android/
I managed to lose my password at each try (and there is no work around this). Regular backups are very important…
I don't know if desktop clients exist…
But it's not leaking meta-data.
Yep, losing one's key, and that's it. That's what happens when you have high expectations of privacy!
Was the case with Pond (unfortunately discontinued), obscure (yet genius!) protocol and software that provided splendid secure+anonymous messaging with very forward-thinking counter-measures, etc.
Designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate.
If the Internet's down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the Internet's up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.
As i said, Delta is OK if you don't have to trust on your life. I'm not international spy, it's enough for me (and no, this is not another version of "i've got nothing to hide", it's trying to choose a tool on the level of the threat, and level of the friend i'm using it with. If my life was in question i for sure would use something else).
@Siltaer @Fritange @SigmaOne
I think people can ONLY benefit from life-preserving or life-threatening technologies IF they take enough time to learn about them.
It doesn't mean becoming cryptographers. But at least learn what is a key, what it's useful for, how to verify and renew one. Otherwise you assume other people who offer to do it for you are good actors and.... History. :/
It's sad at first but once admitted empowering: solution is through collective teaching/learning read/write, w/o hierarchies! <3
@jz: I don’t believe in it either.
However, I believe in: everyone has 24 hours in a day and most people (i.e. who are not born in an ultra-privileged environment) need to spend time in things to get on with their lives and do what actually interests them. That allocation of their time will depend on many variables. The level of geekiness/nerdiness will impact the choice they make. Turns out, you and I have rather high levels of such. Most don’t. Why?
@hugo fully agreed!
i had quite some privilege, including:
* early access to a computer when it wasn't so common
* access to teachers who would really stimulate the curiosity of kids
I have no universal recipe, but i think that
1/ sharing the privilege and using it to enable others to get same levels of access
2/ stimulating curiosity in collective ways
3/ political framing showing everyone's own interests in learning
=> better than waiting for some saviour/company to do the job for us
@jz True. Problem is: nobody was waiting. There have been countless projects for this.
The truth is, Signal did it first and better than anyone else at the right time... And still now is probably the best solution considering the above.
I have tried alternatives. Even for the nerd that I am they were too much
@jz I feel that, if we had more (not less) consideration for users who are not huge nerds, maybe the community would have brought something like signal.
Do you remember when signal introduced groups and multiple devices? Xmpp and OTR with popular clients like pidgin were barely working at all.
@jz Thanks to /e/ OS really everybody can use it without using Google's infrastructure. I use it everyday - degoogled :)
Are you sure you also got rid of:
* firebase-messaging for push notifications
* play-services-maps for maps and sharing location
* play-services-auth for performing reCaptcha checks during signup
* firebase-ml-vision for face detection for the ‘Scribbles’ feature (?)
As all these proprietary Google libraries seem to be included in #Signal...
@jz No, you are absolutely right! Thanks for the interesting link with the discussion.
In fact I really dislike the fact, that Signal is just available in the PlayStore or on the website as apk and not e.g. on F-Droid.
Nevertheless I used Riot / Elements a lot with a group chat and with encryption there it's unfortunately a mess - people who are not into IT are just lost.
Nice, thanks for the information! Since /e/ is Google Play service free I guess that these services won't load then :)
At least location sharing in Signal is working on /e/ (never used it, just tested it for this post) - but I believe it's because of installed MicroG
@jz I didn't notice any issues with Signal. Push notifications are working and everything works just as it should (or as it worked on my old, "normal" Android device) - but without Google Play Services or Google Apps.
It might just be because of MicroG, I'm not really into the details and didn't want to take care of - that's why I just use /e/.
Mamot.fr is a French-speaking Mastodon server, run by La Quadrature du Net.