• ᗪᗩᗰᑎ@lemmy.ml
    link
    fedilink
    arrow-up
    6
    arrow-down
    5
    ·
    3 years ago

    A quick rebuttal of some points you made. Not going too in depth as I just want to provide my perspective:

    • CIA Funding:
      • This is a non-issue. The OTF also funds: Briar, Tor, Wireguard, Delta Chat, Bind9, CGIProxy, CertBot, K-9 Mail, Tails, NoScript, QubesOS, The Guardian Project, and a host of other essential privacy tools/software. You’re telling me they’re all compromised just because they’re getting funded? I don’t buy it.
    • A Single, Centralized, US-based service
      • The Code is open source and Android has reproducible builds, iOS would have them too, but it’s impossible based on the way Apple’s build process works. Lastly, Signal’s devs/infra exist in the US, they have to exist somewhere, why not the country of origin? With the code being open/reproducible, you don’t have to trust them.
    • Phone # Identifiers
      • This is to make onboarding easier and minimize spam - I got my grandma to install it and find the rest of the family on Signal VERY easily. Trying to get her onboard with Matrix/Element or even Briar would have been a struggle. I like Briar, but its not ready for mainstream yet. I also like Element, but I don’t believe it’s quite a text/sms replacement like Signal is - in addition to leaking metadata.
    • Social network graphs
      • Here you mention metadata, so I’ll ask which other provider goes to the lengths that Signal does to minimize the collection of metadata? And please read over how Sealed sender works before you claim its easy to circumvent. You deride their implementation and claim how easy this is to collect without understanding what’s going on under the hood.
    • Abandonment of Open source
      • This is a stretch. Signal is a non-profit. They don’t have the same funding or staffing as their competitors and all their code is current. Yeah, they let it get out of sync for a while, they’re human, not robots. Don’t let perfect be the enemy of good.
    • Bundling a Cryptocurrency
      • What does a messaging platform have to do with crypto/payments? I don’t know, you should ask every other big player who is also trying to get in on the game hoping to siphon even more data from everyone’s purchases.

    I do want to close by saying that Signal is definitely not the end-all-be-all of secure messaging platforms, but it is currently the best for mass adoption. I’m keeping my eyes on Matrix, Sessions, and Briar, but can’t say they’re ready to “go mainstream” yet.

    • Helix 🧬@feddit.de
      link
      fedilink
      arrow-up
      6
      ·
      3 years ago

      The Code is open source

      the server code being not federated means you effectively can’t (or won’t) self host.

      Phone # Identifiers – This is to make onboarding easier and minimize spam

      Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

      Yeah, they let it get out of sync for a while

      Why, though?

      What does a messaging platform have to do with crypto/payments?

      Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.

      Signal is definitely not the end-all-be-all of secure messaging platforms, but it is currently the best for mass adoption.

      I’d agree if you’d add “one of” between “currently” and “the”.

      • Dessalines@lemmy.mlOP
        link
        fedilink
        arrow-up
        10
        ·
        3 years ago

        Also, its not that signal just got lazy with letting their code get out of sync. They chose not to publish updates for their server for a whole year, until the open source community got really angry, and then they finally relented. If I or any open source maintainer did that, we’d rightly be abandoned. Some here are giving signal a pass for it tho.

        • ᗪᗩᗰᑎ@lemmy.ml
          link
          fedilink
          arrow-up
          1
          arrow-down
          4
          ·
          3 years ago

          I think the difference is it’s not a federated platform so not many people really care about access to the server-side code. If I was hosting a lemmy instance I would obviously be frustrated if you withheld from all other instance admins as you’d be putting us at a disadvantage. Signal doesn’t allow federation so the consequences aren’t the same.

          and then they finally relented

          You’re embellishing the story for added emotional value. What if instead you wrote, “users were angry, the Signal devs were busy, but eventually got around to publishing the latest code”. You weren’t there so you can’t say that they didn’t want to - or had the time to - publish the server code. You’re implying malice when it doesn’t have to be. Why? Maybe it was on their backlog and it was a task that nobody ever got around to? I dunno, I’ve been in situations like that before and it just sucks to hear people implying the Signal devs are doing shady things when it may simply be that they’re human and not perfect. I’ve had times where our dev team was accused of being “lax” when we’re all running at 110% but just can’t get to that one thing that a small handful of people really want and are very vocal about.

          • Dessalines@lemmy.mlOP
            link
            fedilink
            arrow-up
            7
            ·
            3 years ago

            I can tell you, publishing source code is as easy as typing git push. That they needed to “clean things up” at all in an ostensibly open source codebase is sus.

            • ᗪᗩᗰᑎ@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              3 years ago

              I’m going to disagree again.

              I know how easy it is to type “git push”. I’ve worked where we had 200+ things that were that “simple” but just weren’t prioritized because of our small team. Also had to do thorough code reviews before we synced to our public repo. There’s a hundred non-malicious reasons they delayed - including that they didn’t yet want to make the monero stuff public yet. It’s not uncommon to keep things from the public until they’re ready, in case you decide to scrap the project and remove it last minute before you sync to your public repo and have people question something that is no longer valid/important. I guess I try to look at it from a more human perspective than immediately trying to tarnish people’s intentions.

              • Dessalines@lemmy.mlOP
                link
                fedilink
                arrow-up
                2
                ·
                3 years ago

                That simply means that development isn’t out in the open. Why would you not push branches and do code reviews out in the open for an ostensibly open source project?

                • ᗪᗩᗰᑎ@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  3 years ago

                  That simply means that development isn’t out in the open

                  Correct. FOSS doesn’t mean they have to develop it out in the open, only that they have to release the code for everyone else’s benefit.

                  Why would you not push branches and do code reviews out in the open for an ostensibly open source project

                  Because open source simply means the code is available. You’re not forced to interact with anyone else just because something is open source.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        2
        ·
        3 years ago

        the server code being not federated means you effectively can’t (or won’t) self host.

        This doesn’t matter if the app is designed to not require a trusted server

        Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

        Because they originally worked by encrypting SMS, which required phones numbers. Internet messaging arrived later, and they are working on usernames in a similar way to how Telegram does it if I understand correctly.

      • ᗪᗩᗰᑎ@lemmy.ml
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        3 years ago

        the server code being not federated means you effectively can’t (or won’t) self host.

        Agreed. I hope they change their minds on this, although I’m not holding my breath.

        Yeah but you could do that as verification and an additional means to find users, not the primary user ID. Threema has generated IDs, Matrix has usernames, Telegram has usernames. Why can’t Signal?

        Agree. The devs have stated that this is coming this year. We’ll see if they can roll it out before the year ends.

        Yeah, they let it get out of sync for a while

        Why, though?

        Honestly, don’t know and don’t care. I suspect because they didn’t want to yet make public their crypto stuff, but I’m not going to assume malice here without evidence.

        Good question. Signal obviously didn’t ask about it and wants to become another WeChat/QQ clone where you can pay with your messaging application and circumvent taxes.

        Whatsapp also lets you pay - although I believe its only in India. Telegram also attempted to include crypto. Why wouldn’t we want a private way to pay instead of letting Facebook/Google/etc, take over? I fully support them making sending money easier and more private.

        I’d agree if you’d add “one of” between “currently” and “the”.

        I’ll agree that it’s “one of” the best. Which one would you throw in your top 3?

    • altair222@beehaw.org
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      3 years ago

      "Signals database, which we must assume is compromised due to its centralized and US domiciled nature, has a few important pieces of data;

      Message dates and times
      Message senders and recipients (via phone number identifiers)"
      

      I have a problem with the article’s claims on metadata too, hasn’t there been too many transparency reports and subpeonas that prove that they literally have nothing to offer to the government except the last time someone used signal and the date of joining?

    • Dreeg Ocedam@lemmy.ml
      link
      fedilink
      arrow-up
      3
      arrow-down
      2
      ·
      3 years ago
      • CIA Funding:
        • This is a non-issue. The OTF also funds: Briar, Tor, Wireguard, Delta Chat, Bind9, CGIProxy, CertBot, K-9 Mail, Tails, NoScript, QubesOS, The Guardian Project, and a host of other essential privacy tools/software. You’re telling me they’re all compromised just because they’re getting funded? I don’t buy it.

      Even if it were not the case, Signal was founded 3 years before it started receiving funding from the OTF.