Follow

turning into a crypto-ponzi currency scheme?

stephendiehl.com/blog/signal.h

Surprise!

That Signal:
- isn't really free/libre software (as Moxie denied freedom to redistribute modified version)
- would *never* federate (political choice of centralization)
- updated server software wasn't published
- invaded people's phonebooks
- runs on Amazon+NSA's infrastructure
- is virtually impossible to use out of Google's infrastructure -
- etc.

...didn't seem to be enough to alarm Signal users.

AH also forgot what is probably the most important from a privacy/information-security perspective:

- impossible to use without a *phone-number*!

Now the true objective of all these political choices (strong identifier + centralization + control of the distribution, etc) becomes clear: there is a financial interest to keep the users captive, to get rich with ponzi-crypto....

... well done, Moxie, many of us didn't see it coming! :)

@jz
To your credit, you've been calling them out since a long time now. Good on ya.

@jz Sadly for regular people, it's the only option beyond whatsapp

It's basically the only one with a clean UI and E2EE that is on google play afaik

@SigmaOne

I dont believe in the myth of "regular people":

- it's elitist and classist, and used by tech-elite to justify not doing efforts to teach; denying others' agency and ability to learn;

- it's wrong: i have witnessed 100s of journos and activists just LEARN "complicated" technology (tails+OTR+GPG, etc.);

- it justifies to take decision FOR the users, assuming that all face the same risk;

- it negates the political nature of tech choices, reading them only from comfort/easy angle.

@jz I guess it's a poor wording, I didn't intend to sound elitist, what I mean are people such as my parents who would be willing to use something more private, but don't want to have to learn any more technical knowledge

@SigmaOne there can only be poor wordings: "normal users", "noobs", "non-tech ppl", "my parents", "my wife", etc. it's *always* the same pitfalls i described, i think...

Your parents learned complicated things in their lives: to read, to write, maybe to drive and/or a technical job, etc.

Assuming tech things could "just work" without needing to learn anything is wrong, only favours domination.

Imagine someone saying "you dont need to learn how to read, just sign here". would you trust them?

@jz @SigmaOne

Still, UI/UX is really important. People will, most of the time, go the easy way.

@Fritange @jz @SigmaOne Delta.Chat is 100% free / libre software.
It comes with a user-friendly interface.
It ciphers every communications between two Delta Chat clients.
It relies on emails, a somewhat famous software federation.

grimoire-command.es/2019/delta

@Siltaer @Fritange @SigmaOne

hmm. t is based on protocols (SMTP/IMAP) that were never thought for privacy/confidentiality, that inevitably leave traces of metadata on multiple points of the network, and can (as a default!) send unencrypted messages.

+ the question of account creation is left to the user, and in most cases it's rather hard to get free email address without leaving identifying traces, thus pushing the problem of identification under somebody else's carpet.

not my 1st choice :)

@jz @Fritange @SigmaOne Seeking free email addresses looks like a trap for me. The good relation with a service provider is to be the client, paying for the service. If it's free, you're the product, sold to real clients.

So I recommand to get a domain for less than 10€/year and to use the email address packaged with it.

At some point, freedom comes with a cost when other are involved.

***

Then, Delta.Chat don't produce "perfect" forward secrecy. Ok. So What else ? (I'm using it meantime).

@Siltaer @Fritange @SigmaOne

Exactly! So you pay for a reliable email service... and therefore are leaving 100% identifiable meta-data all over the Internet, while Delta-chat makes you wonderful promises of security/privacy/etc... I find it misleading at best.... :/

@SigmaOne

I think people can ONLY benefit from life-preserving or life-threatening technologies IF they take enough time to learn about them.

It doesnt mean becoming cryptographers. But at least learn what is a key, what it's useful for, how to verify and renew one. Otherwise you assume other people who offer to do it for you are good actors and.... History. :/

It's sad at first but once admitted empowering: solution is through collective teaching/learning read/write, w/o hierarchies! <3

@jz: I don’t believe in it either.

However, I believe in: everyone has 24 hours in a day and most people (i.e. who are not born in an ultra-privileged environment) need to spend time in things to get on with their lives and do what actually interests them. That allocation of their time will depend on many variables. The level of geekiness/nerdiness will impact the choice they make. Turns out, you and I have rather high levels of such. Most don’t. Why?

@hugo fully agreed!

i had quite some privilege, including:
* early access to a computer when it wasn't so common
* access to teachers who would really stimulate the curiosity of kids

I have no universal recipe, but i think that
1/ sharing the privilege and using it to enable others to get same levels of access
2/ stimulating curiosity in collective ways
3/ political framing showing everyone's own interests in learning

=> better than waiting for some saviour/company to do the job for us

@jz True. Problem is: nobody was waiting. There has been countless projects for this.

The truth is, Signal did it first and better than anyone else at the right time... And still now is probably the best solution considering the above.

I have tried alternatives. Even for the nerd that I am they were too much

@jz I feel that, if we had more (not less) consideration for users who are not huge nerds, maybe the community would have brought something like signal.

Do you remember when signal introduced groups and multiple devices? Xmpp and OTR with popular clients like pidgin were barely working at all.

@jz meanwhile WhatsApp was already going to a billion registered users...

@ping357 @SigmaOne recommended by whom?

i heard its crypto is absolute rubbish...

@autodigestivo @jz Can we really trust Snowden? A former secret service agent ... You know what we said, it's like mafia, you can't quit secret services ... Unless you're dead 😉

@jz Thanks to /e/ OS really everybody can use it without using Google's ifrastructure. I use it everyday - degoogled :)

@matse @masstransitkrow

Are you sure you also got rid of:
"
* firebase-messaging for push notifications
* play-services-maps for maps and sharing location
* play-services-auth for performing reCaptcha checks during signup
* firebase-ml-vision for face detection for the ‘Scribbles’ feature (?)"

As all these proprietary Google libraries seem to be included in ...

forum.f-droid.org/t/signal-wic

@jz No, you are absolutely right! Thanks for the interesting link with the discussion.
In fact I really dislike the fact, that Signal is just available in the PlayStore or on the website as apk and not e.g. on F-Droid.
Nevertheless I used Riot / Elements a lot with a group chat and with encryption there it's unfortunately a mess - people who are not into IT are just lost.

@jz @matse these items won't load without Play Services, and are rendered inert due to my DNS-level blocking of g----- domains.

@masstransitkrow
Nice, thanks for the information! Since /e/ is Goole Play service free I guess that these services won't load then :)

At least location sharing in Signal is working on /e/ (never used it, just tested it for this post) - but I believe it's because of installed MicroG

@jz @matse any app that depends on their APIs will fail to install because they will look for the permission "G----- Play License Check".

If anyone tries to use their apps without GMS, the app won't run.
Signal does not have access to Location under any circumstance as it isn't needed.

I am aware of some Firebase APIs in use by 17 apps, but because I also prevent googleapis.com from resolving, I'm not too worried.

@jz I didn't notice any issues with Signal. Push notifications are working and everything works just as it should (or as it worked on my old, "normal" Android device) - but withoug Google Play Services or Google Apps.
It might just be because of MicroG, I'm not really into the details and didn't want to take care of - that's why I just use /e/.

@masstransitkrow @matse

good for you, you made it, you're great! how about everybody else, including the people you're chatting with in Signal?

also there are *many* more domains than that...

@jz @matse nobody else is using it.

I use Signal for the aesthetic and backup functionality.

As for domains, I used a modified version of the one from someonewhocares to make a zone record. I will eventually harshen it to incorporate more severe blocks.

@jz As I said, Signal is of couse not perfect - but IMHO the best messenger at the moment. Name me any other alternative that my mother can install and use, that is free (as in freedom), end to end encrypted and can make encrypted video calls and I will switch.
But at least I didn't find such a messenger yet. Closest is riot, but as I said, with E2E it's a nightmare to use for an average user.

@jz Remember that TextSecure did at one point federate in practice, when CyanogenMod ran their own infrastructure?

signal.org/blog/cyanogen-integ

...and then there was signal.org/blog/the-ecosystem-

@galaxis yes clearly went backwards on so many levels..

Like giving up on making crypto-over-SMS because... er... reasons? (like if everyone in the world had a plentiful data access...?)

Way before the outrageous bullshit blog post (and CCC talk) there was the f-droid/LibreSignal debacle:

github.com/LibreSignal/LibreSi

Basically saying "i deny YOU the freedom to distribute modified version of my 'free software'" should have been enough to alarm everyone..

@jz @galaxis That discussion there is terrible. That's the point when I started disliking Signal.

I installed Signal recently because of two people who wouldn't use anything else, but I just convinced one of them to set up XMPP over Matrix (iOS user and all XMPP clients we tried are 💩).

Gaaaawd I wish there was something like Conversations on iOS!

@jz I don't use Play Services and Signal works fine.

It requires background access due to this.

If Signal updates stop working on my device I will let you know.

@jz #signal Aren't forkes actually allowed? I remember somehow that he just doesn't want forks to use their ecosystem.

@jz I know about that case, but indeed, the F-Droid build in this pipeline is a fork, the binary misses all the google stuff for sure. I'm also not happy with this situation, believe me.

@jz Comment traduiriez-vous vos propos en français afin de faire suivre à des non initiés ? Merci !

@jz @rysiek (boosted)
That guy goes on multi-tweet Twitter tirades but doesn't let anyone say anything back.
So no, I think I won't read that, actually.

Sign in to participate in the conversation
La Quadrature du Net - Mastodon - Media Fédéré

Mamot.fr est une serveur Mastodon francophone, géré par La Quadrature du Net.