• kbal@fedia.io
    link
    fedilink
    arrow-up
    110
    ·
    4 months ago

    I wish Signal was developed more openly, more like the linux kernel for a “critical infrastructure” example. I wish it had more features, so it could take the place of something like Slack. I wish it supported interoperability like fedi.

    But it’s good for what it is and I sure am glad it’s around. People who disrespect it don’t know what they’re talking about.

      • BassTurd@lemmy.world
        link
        fedilink
        English
        arrow-up
        45
        arrow-down
        2
        ·
        4 months ago

        I think yours is the first comment I’ve read that has Proton hesitancy. I’m curious what your reservations are.

        • ElectroLisa@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          13
          arrow-down
          2
          ·
          4 months ago

          Not OP, I’ve heard criticism of their recent Duo subscription and their bitcoin wallet.

          I use Proton services and my biggest gripe is their mediocre Linux VPN app. No binaries to download/Flatpak, advertised port-forwarding isn’t fully implemented and requires playing around in a terminal, and UI feels less polished than it’s Windows counterpart.

          There’s a community made Flatpak of ProtonVPN though, in case it helps anyone

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            5
            ·
            4 months ago

            Honestly, I just use wg-quick to connect to VPNs, and I tested out ProtonVPN and it worked fine with it. I even set up my router to connect to ProtonVPN, so I could have a wifi network that’s always connected to their VPN.

            But I’d really rather not have the same company host my VPN, email, and other stuff, I’d prefer to separate them a bit so no one company has a lot of my data. And something like a VPN really doesn’t benefit from bundling anyway, unless it’s bundled with a browser or something a la Mozilla VPN.

        • Zetta@mander.xyz
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          2
          ·
          4 months ago

          I actually don’t know what people’s hesitancy is, but I’ve seen numerous people say proton is not good, we’ll see if anybody chimes in with a reason.

          • forgotaboutlaye@lemmy.world
            link
            fedilink
            English
            arrow-up
            12
            ·
            4 months ago

            I’ve seen doubt of it’s push to pack products into it’s offering ala Google - however I don’t see that as enough to call it not good.

            It’s also very easy (and suspicious imo) for anyone to call a service not good without any reason to back it up.

            • ElegantBiscuit@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              ·
              4 months ago

              I see that as offering services that people clearly use and value, and that the bills have to be paid somehow. So as long as proton can deliver the privacy and security features it promises, I personally don’t see anything wrong with providing an alternative when the only other options are built on monetizing your data.

          • Bakersfield@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            4 months ago

            The email service says it was unable to appeal a Swiss court’s demand to log the IP address of a French climate advocate.

            This weekend, news broke that the anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. The move seemed to contradict the company’s own privacy-focused policies, which as recently as last week stated, “By default, we do not keep any IP logs which can be linked to your anonymous email account.”

            Edit: formatting

          • vulgarcynic@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            4 months ago

            I often figure it’s google bias and / or people trying to impose their threat models on other people.

            Been using proton for quite a while with a few custom domains and am impressed with the service to price of their offerings.

            We can one off use cases with any vendor, but at the end of the day, they offer a more secure out of the box experience than just about any other platform out there. If someone is doing illicit shit and gets popped, it’s not on the service provider to provide air cover for them. Improve your opsec or self host.

          • Frozyre@kbin.melroy.org
            link
            fedilink
            arrow-up
            2
            arrow-down
            6
            ·
            4 months ago

            The one and only critique I’ll give to Proton is how they have it where you can have Google e-mails forwarded to you to your Proton address.

            And it’s like…why? The entire reason you’re going to ProtonMail is to escape Google. Why the hell would you want Google to try and pry into your Proton usage when all you want is to distance yourself from them?

            • dubyakay@lemmy.ca
              link
              fedilink
              English
              arrow-up
              11
              ·
              4 months ago

              You set up the forwarding in google, not proton. You mark the forwarded emails in your proton mailbox. You forward the emails to your proton account until you changed all the sources that you care about from your google to your proton mailbox. Then you turn off forwarding.

              Google never gets any more data from you except your protonmail address.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              6
              ·
              edit-2
              4 months ago

              It’s really nice for the transition period. I personally forward my email to Tuta, which lets me slowly convert my services to my new address. I have my most important ones switched over now, but I had to switch dozens over (I would do 3-5 at a time, which was a pain).

              I’ll probably leave my gmail forwarding to my Tuta account, just because there’s no way I’m going to go though every single service I have ever used and switch it over, and inevitably some contact will continue using my old email.

              As far as Google goes, all it knows is that it’s getting less and less emails, and that what remains is being forwarded to <email>@tuta.com. But that’s not my main email address though, it’s just the one I set the account up with. I actually use <name>@<custom domain>, and I have a bunch of aliases configured for each type of account (e.g. <name>-banking@<custom domain> for my bank accounts, <name>-bills@<custom domain> for utilities and whatnot, etc). But that’s still not my actual, personal email, which is <name>@<different custom domain>, and I only give that one to my family and friends.

              So in short:

              • gmail -> tuta.com email - all Google knows about
              • random online accounts -> custom domain 1
              • family/friends -> custom domain 2

              If I can convince my SO to switch, I’ll give them an account at custom domain 2 and tell them to only use it for personal contacts, and to have everything else go through their old gmail or a Tuta alias. If I ever decide to switch to Proton, I’d have to transition all of those custom domain 1 emails to some proton aliases (unless I pay for the higher tier), which would be a pain, especially since the main reason I use these custom domains is to make it easier to switch services (e.g. just point my DNS records to the new host).

            • 𝕸𝖔𝖘𝖘@infosec.pub
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 months ago

              That’s not everyone’s privacy posture. Some people use Proton to hide, some people use it to secure, some for both. If your goal is to secure, google’s antiprivacy isn’t against that.

              I’m with you, though.

        • linearchaos@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          2
          ·
          4 months ago

          Not OP

          There’s not a lot of negative press about them.

          They complied with Swiss government requests to out the IP of a French activist.

          It looks like they’re really doing the best they can.

          • MiltownClowns@lemmy.world
            link
            fedilink
            English
            arrow-up
            20
            arrow-down
            1
            ·
            4 months ago

            Correct. They comply with court orders, its a business. People still need to be secure in how they use it, which that guy wasnt. So if you’re attempting to evade the government, use a vpn. All your data is encrypted, where you access it from and your billing information cannot be.

          • Frozyre@kbin.melroy.org
            link
            fedilink
            arrow-up
            4
            arrow-down
            4
            ·
            4 months ago

            True but the guy was the one at fault and Proton had to comply. The French Activist was using ProtonMail e-mail for bad usages which is what it boiled down to. You left out the part where they complied with Swiss government yes but they didn’t with the French authorities.

            Yet it still comes down to people’s own responsibility. But people love to throw that out the window and expect everything to protect them when they get up in shit.

        • MigratingtoLemmy@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          edit-2
          4 months ago

          Swiss laws aren’t as tight as a lot of people think.

          I’d like for them to lean more heavily into open source

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            6
            ·
            4 months ago

            It’s probably tight enough for your needs. Unless you live in Switzerland or are breaking Swiss law, they’d need a really good reason to send your data anywhere.

            That said, I use Tuta. They have a similar source model (open client, closed server) and are based in Germany, but since they’re an underdog, they have a bit more value and lower costs. I pay €3 and get 3 custom domains and 15 aliases, whereas w/ Proton I pay $4 and get just 1 custom domain and 10 aliases; I can also add people to my plan for €3, instead of upgrading to a Duo for $15 or family for $24. If Proton matched Tuta’s features, I’d probably pay slightly more for the better UX, but I use those features so I’m very hesitant to give that up. I don’t intend to use their VPN or other products, so I’m very much not interested in their higher tiers.

            I do wish their server code was open source and self-hostable. I’d love to use my own storage, but still use their spam filtering and whatnot.

            • Cryophilia@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 months ago

              Unless you live in Switzerland or are breaking Swiss law

              That’s the thing though, governments tend to make everything illegal so they can selectively enforce.

        • Cocodapuf@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          4
          ·
          edit-2
          4 months ago

          Yeah, I don’t trust proton mail.

          First off, email is inherently insecure, trying to secure it is largely a waste of time.

          Secondly, proton has complied with subpoenas in the past, revealing user messages to authorities/governments.

          Finally, it’s just too centralized, with a single point of failure, why would you trust it?

  • sailingbythelee@lemmy.world
    link
    fedilink
    English
    arrow-up
    66
    arrow-down
    2
    ·
    4 months ago

    This is a very rude question, but on this subject of being lean, I looked up your 990 and you pay yourself less than some of your engineers.

    Yes, and our goal is to pay people as close to Silicon Valley’s salaries as possible, so we can recruit very senior people, knowing that we don’t have equity to offer them. We pay engineers very well. [Leans in performatively toward the phone recording the interview.] If anyone’s looking for a job, we pay very, very well.

    So, I googled their tax filing out of curiosity. It’s true that Meredith pays herself much less than her engineers, which is great. What I was rather shocked to see is that they pay their software developers enormous salaries. They’re listing developers making over $400,000 per year, with their VP making over $660,000 per year. Now, I’m all for the value-creators making more money than the CEO. I just had no idea that software developers make that kind of coin. I was thinking of donating to Signal, but I’m kind of weirded out by those astronomical salaries.

    • mosiacmango@lemm.ee
      link
      fedilink
      English
      arrow-up
      41
      arrow-down
      1
      ·
      edit-2
      4 months ago

      That’s inline with Silicon valley salaries. Basic houses cost 2mil there, so it’s not completely outrageous.

      As an example, openai pays all its engineers 300k flat+500k/yr in some stock based asset. Another example is Netflix, who are notoriously a very fickle employer, but salaries start in the 400k range and go up from there.

      • sailingbythelee@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        arrow-down
        1
        ·
        edit-2
        4 months ago

        Yes, the article makes the point that Signal needs to compete for talent with the rest of Silicon Valley. I get that. And we’ve all heard about the nearly unfathomable amounts of money that tech companies throw around. When you break it down to individual salaries, though, and see that even normal people in normal jobs are making a million dollars a year between salary and stock… well, I think it really exposes the spectacular wealth inequality that we have allowed to fester. I mean, sure, shelter costs may be high in Silicon Valley, but the cost of other goods remain about the same. A $50,000 truck that an average person in Nebraska might have to save for years to afford is barely a rounding error for folks making a million a year. I’m no economist, but it does seem like there are consequences for this kind of ever-growing wealth inequality.

        It is also absurd on its face for a multi-millionaire developer to place a “Donate Now” button in an app and talk about being a non-profit to tug at the heart strings of people who make one-tenth of what the developers are making. It’s feels like Scrooge asking Tiny Tim for a donation.

        Anyway, I don’t blame the developers for this absurd situation, and I do appreciate Signal, and Meredith is clearly a cool person who is fighting the good fight against big tech surveillance. But every once in a while an article like this reminds me how deeply fucked up the world is. It seems we are approaching pre-French Revolution levels of economic disparity, and maybe it helps explain why so many working class people are pissed off.

        • Cryophilia@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          8
          ·
          4 months ago

          I cannot WAIT for the inevitable market correction on SWE salaries. Entitled bastards.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      17
      ·
      4 months ago

      Not all SW devs make that kind of money. I don’t live in Silicon Valley, and I make significantly less than that amount. I could probably get a job there making somewhere north of $300k, but my expenses would go through the roof and I’d be stuck in SV traffic all the time, no thank you. I get paid well, but less than half what Signal is paying.

    • Linktank@lemmy.today
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      4 months ago

      I mean, how does a free app with no advertising in it make that kind of money?

      • trailee@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        22
        ·
        edit-2
        4 months ago

        A free app with no advertising doesn’t make that kind of money, it gets progressively deeper into debt to a good Silicon Valley rich guy who got it off the ground, Brian Acton.

        His biography on the Signal Foundation website:

        Brian Acton is an entrepreneur and computer programmer who co-founded the messaging app WhatsApp in 2009. After the app was sold to Facebook in 2014, Acton decided to leave the company due to differences surrounding the use of customer data and targeted advertising to focus his efforts on non-profit ventures. In February of 2018, Acton invested $50 million of his own money to start the Signal Foundation alongside Moxie Marlinspike. Signal Foundation is a nonprofit organization dedicated to doing the foundational work around making private communication accessible, secure and ubiquitous.

        Prior to founding WhatsApp and Signal Foundation, Acton worked as a software builder for more than 25 years at companies like Apple, Yahoo, and Adobe.

        The Wikipedia article on the Foundation says the loan balance was up to $105M later in 2018. Meanwhile, Acton is still worth $2.5B according to Wikipedia, so things are probably fine for now, even 6 years later.

        But you’re right that Signal eventually needs revenue to keep even a small team of high caliber software engineers and devsecops folks around. You very much want excellent engineers to continue to be involved with critical encrypted communications software on an ongoing basis, so it will cost money indefinitely. Presumably Acton does not wish to bankroll it indefinitely.

        Again back to the interview:

        I wouldn’t imagine that most nonprofits pay engineers as much as you do.

        Yeah, but most tech is not a nonprofit. Name another nonprofit tech organization shipping critical infrastructure that provides real-time communications across the globe reliably. There isn’t one.

        This is not a hypothesis project. We’re not in a room dreaming of a perfect future. We have to do it now. It has to work. If the servers go down, I need a guy with a pager to get up in the middle of the fucking night and be on that screen, diagnosing whatever the problem is, until that is fixed.

        So we have to look like a tech company in some ways to be able to do what we do.

        I’m really glad they pay those engineers that much, so that Zuckerberg and his ilk can’t entice them away with oodles of money. One presumes they also believe in the cause, but I think this currently looks like Acton fighting surveillance capitalism with what capitalism got for him earlier in his career.

        Cofounder Moxie Marlinspike is clearly a brilliant hacker and coder who was crucial to Signal’s creation, but I think it makes sense that he hasn’t stuck around to try to solve the long term business problem of keeping it aloft infinitely.

        So what to do about it? The OP interview is with Meredith Whittaker, who’s entire job is figuring that out:

        Since she took on the presidency at the Signal Foundation, she has come to see her central task as working to find a long-term taproot of funding to keep Signal alive for decades to come—with zero compromises or corporate entanglements—so it can serve as a model for an entirely new kind of tech ecosystem.

        I’m a recurring donor because I want Signal to succeed and I want to vote now with my wallet, but fundamentally it’s on Whittaker to figure out how to make the long term work. Here’s what she says:

        I see Signal in 10 years being nearly ubiquitous. I see it being supported by a novel sustainability infrastructure—and I’m being vague about that just because I think we actually need to create the kinds of endowments and support mechanisms that can sustain capital-intensive tech without the surveillance business model. And that’s what I’m actually engaged in thinking through.

    • Higgs boson@dubvee.org
      link
      fedilink
      English
      arrow-up
      8
      ·
      4 months ago

      Yeah, that’s not especially enormous compared to startups in the valley offering huge equity alongside already generous compensation packages.

  • 𝕸𝖔𝖘𝖘@infosec.pub
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    3
    ·
    4 months ago

    My only gripe with signal, is the use of phone numbers as usernames. Not everyone with whom I want to communicate via signal has a phone number. I understand why they went this route, but wish there was an alternative way.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      34
      ·
      4 months ago

      You can use a username only for finding and adding friends, you only need the phone number to create an account. That’s probably because Signal started as an alternative to Messages (or whatever it was called back then), so you could send SMS if you wanted, or secure messages to friends w/ Signal. The whole point was to be a gentle transition from SMS to private messaging. However, they eventually dropped the SMS feature, but it seems they kept the phone number as username thing.

      It kind of sucks, but I think that’s a reasonable limitation since the vast majority of people using this service will have a phone number. You could probably even sign up for a free trial of something (e.g. Google Fi) to sign up for Signal, set up the username, and then drop the phone number service. I don’t know if there are any problems with this, but I don’t think they do anything with your phone number after everything is set up.

      • EpicGamer@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        ·
        4 months ago

        I think another reason they use a phone number is that it can mitigate issues with people or bots creating hundred of accounts maybe

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          ·
          4 months ago

          But there are plenty of other services that don’t require a phone number that also seem to mitigate that issue, so while it may be a convenient option, it’s hardly the only option.

      • 𝕸𝖔𝖘𝖘@infosec.pub
        link
        fedilink
        English
        arrow-up
        8
        ·
        4 months ago

        Yeah. And I don’t fault them for this route. I just with I could sign up without a phone number. Maybe the username thing is a predecessor to allowing usernam-only registration in the future.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 months ago

          Yeah, hopefully. It would also be awesome to have a web login so I could access messages and whatnot when using someone else’s computer w/o having to install something.

          I don’t know what direction they’re going, but I’m honestly okay with the caveats that currently exist.

          • 𝕸𝖔𝖘𝖘@infosec.pub
            link
            fedilink
            English
            arrow-up
            5
            ·
            4 months ago

            Having web logon would mean they would need to hold the decryption key in some form (or have a weak decryption key, your credentials), so, while convenient, I think it would degrade security and possibly privacy. Unless you mean to receive new messages, the way the desktop app works?

                • sugar_in_your_tea@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  4 months ago

                  Why would they be joking? There’s really not a big difference between how their mobile and desktop apps work and what’s possible in the web. It can fetch the keys from my computer or my phone just like their other apps work, and store the keys and whatnot encrypted in temporary local storage, just like on the phone. WebAssembly could allow them to share the code and retain similar performance.

                  I honestly don’t see an issue here. If they need help, I’d be happy to lend a hand.

          • Manalith@midwest.social
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 months ago

            I’d be more interested in allowing more than one Android device at a time like MySudo. They let you link Windows with a phone so I wouldn’t think it would be too hard to implement.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 months ago

          Sure, and I think that would send a message to all of your contacts that a new account is using that number, but I’m honestly not sure. If you have an active account (i.e. on a desktop or something), I think you can just change your number if that happens (i.e. get another temp number).

          It’s certainly more convenient if you use a longer-term number, but I think it’s feasible with a throwaway number. Once your account is set up, Signal doesn’t need your number for anything if you disable publishing that.

          • vulgarcynic@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            It does send a “your safety number has been updated with user” message. But not as an automated message. Only when a new signal thread is started.

            Haven’t tried when only logged in to desktop and changing devices / numbers so I can’t speak to that.

      • EngineerGaming@feddit.nl
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 months ago

        Another issue with phone numbers is that it makes it easier to censor - from what I heard, in Iran the confirmation SMS just would not arrive, making rentals the only option (thus making you risk your account being deleted by the new owner).

        My personal biggest issue with Signal, though, was the inability to register from the official desktop client. They were pushing to register on mobile instead. There are ways around it, like Signal-Cli (what I used) and Android VMs. However, the fact that they push people onto mobile at all is worrying, because phones are much harder to make private (while you can install Linux onto pretty much any given laptop/desktop, only certain phones are compatible with alternative OSes, and mine wasn’t so I could not trust it with my chats).

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Hmm, I guess then you’d need to get a VPN that works in your country (not sure how hard that is in Iran) and find a VOIP service that either doesn’t require any payment, or accepts payments from Iran.

          It’s certainly not ideal, and I wish they’d eliminate the dependency on phone numbers, but until then, there are options for most people to create an account w/o having a permanent number.

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 months ago

            You can use Monero for payment, I started doing this ever since sanctions began. Free services are not really viable because they’re far more likely to have all their numbers already used up.

            But yea, the overall point is that it is a large inconvenience and a possible point of failure (the next number user deleting the account).

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 months ago

              Yeah, it’s certainly problematic, and I’d very much prefer that it not have that dependency. But I think it’s still worth using Signal despite needing a number, because it’s a really low barrier to getting new users on it.

              If you want something truly private w/o the dependency on a number, there are better options, such as SimpleX. However, the barrier to entry there is a bit higher.

              • EngineerGaming@feddit.nl
                link
                fedilink
                English
                arrow-up
                2
                ·
                4 months ago

                I have a few problems with Simplex (I worry about it being effectively centralized for now and that the VC funding may get it to either enshittify or stop development)… But I do use it quite a bit and even have the servers (which were very easy to set up and don’t consume a lot of resources). I like a lot of what it does (including being very easy to use), and hope it succeeds as it matures!

      • EngineerGaming@feddit.nl
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Google is a very bad choice because it requires a phone number on its own. Also heard that there may be additional KYC.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Are you suggesting you need a phone number to get a phone number from Google Fi?

          And yeah, it’ll definitely to KYC, because that’s a federal regulation. My point is that you don’t need the number long-term, so the number will only be associated with you for like a week while the trial period lasts. So sign up for Google Fi trial, create a Signal account, then cancel the trial. That sounds pretty reasonable to me.

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            4 months ago

            Yea. Don’t you need a Google account first to use such a service? Those do need phone numbers to register.

            And also KYC is unacceptable in this case, imo. If the number is needed only for a short time, there are similar, non-KYC options like what you would find on kycnot.me.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 months ago

              Yeah, I think you’ll create a Google account as part of the Google Fi account creation process.

              If that really bothers you, use a different MVNO. Some offer free trials, but even if not, it’s not too bad to buy a month of service. My provider is Tello, and the minimum service that’ll give you SMS is $5/month. If you’re clever, you can probably also find a VOIP provider that does SMS for really cheap.

              My point isn’t that Google Fi specifically is what you should use, just that it’s an example of a service that offers a free trial, so you can sign up for Signal for free.

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      5
      ·
      4 months ago

      It creeps me the fuck out. I do not get why a service that bills itself as secure needs to know something that can be traced back to my credit card and name. I won’t use Telegram or Signal because of this.

      • 𝕸𝖔𝖘𝖘@infosec.pub
        link
        fedilink
        English
        arrow-up
        36
        arrow-down
        1
        ·
        4 months ago

        It’s about your posture. Most people who use signal use it to have privacy from governments. They’re not hiding that they use signal, they’re hiding what they write on signal. In this case, using your phone number isn’t a big deal.

        Some people, have a tighter posture, which could translate to your position. In that case, something like Briar could fit the bill.

        Lastly, security and privacy are not the same thing. Google products are secure, but they are not private. Self hosted sftp, for example, is private, but may not be secure. Signal is definitely secure, at least enough for general and governmental use. So, it seems, is telegram. Signal is more private than telegram in many ways, but it is not the gold standard for privacy (because of its use of phone numbers as usernames), but it is “good enough” for the masses. The balance between good for everyone and zero-knowledge private for everyone is delicate, potentially impossible. Honestly, I don’t know if signal was able to strike that balance perfectly, but they did a much better job than many other services, certainly than those others that are accepted by the masses.

        • ikidd@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          5
          ·
          4 months ago

          But putting a phone number in immediately exposes protesters to association. Sure, Signal can’t give out the contents of messages, but it still has the chain of contact. So if a government gets hold of this record, legally or otherwise, now you have everyone associated to a suspect phone number/person and can start rounding them up.

          It’s the complete antithesis of freedom of association when there’s a record of everyone that you’ve contacted. The contents don’t enter into that problem, and I can’t see why they feel the need to keep this as part of their system. It purposely makes it impossible to use this for something like peaceful protest. So, no, it doesn’t give you privacy from governments, because governments that don’t respect freedom of association will use that information to punish dissidents.

          I can’t imagine any reason to use phone numbers except to purposefully keep this chain of association for governments to use. Even Facebook doesn’t require this sort of personal proof, and it’s suspicious as hell.

          • noodlejetski@lemm.ee
            link
            fedilink
            English
            arrow-up
            20
            arrow-down
            1
            ·
            edit-2
            4 months ago

            Sure, Signal can’t give out the contents of messages, but it still has the chain of contact.

            it doesn’t. they’ve been ordered to hand over data multiple times, and the only thing tied to the phone number they have is 1. time the account has been created and 2. last time the account connected to the server: https://signal.org/bigbrother/

            • sunzu2@thebrainbin.org
              link
              fedilink
              arrow-up
              4
              arrow-down
              3
              ·
              4 months ago

              FISA order could require them to collect the data and turn it over, US courts won’t be able to to do shit about it.

              This is purely I trust signal bro type argument

          • 𝕸𝖔𝖘𝖘@infosec.pub
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            1
            ·
            4 months ago

            You’re mistaken on the basis of your beliefs here. Signal only had two pieces of data around your phone number (joined datestamp, last online datestamp). This means that governments can’t petition signal for any more information, since signal simply doesn’t have it to give (by design).

            Your point on fb is hilarious, because they do require it. They just don’t require you to input it, because (1) they already have it and (2) you freely provide the missing pieces without them even asking. But, like I said earlier, if this goes against your posture, use something like Briar or Matrix or whatever. Choice exists, because everyone is different and has different postures.

            • sunzu2@thebrainbin.org
              link
              fedilink
              arrow-up
              5
              arrow-down
              2
              ·
              4 months ago

              FISA order could be in place and signal disclosed what they were told.

              This argument about them producing only two data points is good but it is not a slam dunk arguement everyone makes it to be.

              Signal has technical capabilities to time stamp every ineteration you have with another person if it goes through their server. This is internet 101.

              So we relying that they don’t do this but if US government said do it. They would and Jack shit anyone can do about it.

              • pressanykeynow@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                arrow-down
                1
                ·
                4 months ago

                That is my concern with any US based company. With all the information we have how their government agencies used both legal and illegal means to access data how can you ever think those companies can protect your privacy even if they sincerely want to?

              • 𝕸𝖔𝖘𝖘@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                ·
                4 months ago

                Them being a us company is a very valid concern, and one I share. If I were a dissident, I likely wouldn’t use signal just because they’re us based.

      • UnderpantsWeevil@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        4 months ago

        The Signal pitch is that you don’t need identity security so long as the encryption is strong enough.

        That is, incidentally, the same pitch Botcoiner make.

    • ???@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      4 months ago

      I’ve been using it for a while and by far the biggest issue is how giant the backup file is and now about 3Gb of data were lost because of a signal version mismatch between an old phone I was using and the new one I switched to.

    • foremanguy@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      4 months ago

      For me, today the best messaging app is SimpleX, it is a bit in early development but it’s already really nice.

  • trailee@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    50
    arrow-down
    6
    ·
    4 months ago

    Signal is the best thing going on in tech these days. I’m very glad it’s being led by Meredith Whittaker.

    Did you know you can get a cool badge on your profile pic if you’re a recurring donor? $5 a month is far less than the value I get from it, but that’s all it takes for a cool badge (and knowing that you’re doing something active against the awful state of big tech today).

    • EK13@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      Just to add to this, I also like to use the “donate for a friend” option to gift friends a donation to Signal on their birthdays. It’s also $5 but a one-off thing, they get a neat badge for 60 days and perhaps it raises awareness of the donation option a little bit!

  • fubarx@lemmy.ml
    link
    fedilink
    English
    arrow-up
    14
    ·
    4 months ago

    As long as they stay away from public ‘channels.’

    There lie dragons.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    3
    ·
    4 months ago

    What is signal anyway? I’ve never paid attention to phone apps much. Why isn’t it on F-droid if it’s FOSS? Is it like irc but with encryption? I guess I should look into it.

    • RecluseRamble@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      22
      ·
      4 months ago

      Why isn’t it on F-droid if it’s FOSS?

      That got me interested and apparently, they fear forks running out of date.

      Concerning F-Droid, we already providing an auto-updating APK directly from our site, and we really don’t want forked versions of the app maintained by other parties connecting to our servers. Not only could the users using the forked version have a subpar experience, but the people they’re talking to (using official clients) could also have a subpar experience (for example, an official client could try to send a new kind of message that the fork, having fallen out of date, doesn’t support). I know you say you’d advocate for a build expiry, but you know how things go. Of course you have our full support if you’d like to fork Signal, name it something else, and use your own servers.

      While that statement got plenty of thumbs down, I hate to admit that F-Droid is indeed out of date quite often. I currently can’t find a source for this but I once read this has something to do with their signing process.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        12
        ·
        edit-2
        4 months ago

        Yes, they manually sign every package.

        But they could easily have their own F-Droid repository, I have repositories for FUTO apps like Grayjay and their keyboard, Bitwarden, and Newpipe, among others. Those are run by the projects themselves, so they’re in charge of how often they update it, as well as how they sign it. So if they have issues with the “official” F-Droid repositories, they can always host their own. I honestly prefer projects that host their own repos precisely because they should, in theory, update faster.

        That said, a self-updating APK is good enough for me. However, I didn’t see an install option easily listed on their website and had to search for “signal android apk” to find the page. It should be listed on the regular install page on their website, next to the link to Google Play. I found three separate pages for getting it for Android, and all three had a link to Google Play and only one had the APK.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        4 months ago

        Hmm, ok, thanks. But I’m kind of tired of version churn: who needs to keep changing a chat program? IRC has been around since the 1980s or so and still works fine.

        • noodlejetski@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          who needs to keep changing a chat program? IRC has been around since the 1980s or so and still works fine.

          some people like texting their family who doesn’t use IRC, and they’d rather not send messages in plain text for one reason or another.

          • solrize@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            4 months ago

            I get that IRC is old school and encryption is important. My question is why the program has to keep changing. If the task is simple enough, there shouldn’t be incompatible changes required if there are new versions at all.

            • RecluseRamble@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              6
              ·
              4 months ago

              With new possibilities due to new tech user demands rise, too. People asked for features like group or video chats or coupled devices (not trivial with E2EE) and since good companies listen, they developed those and still do.

              Also, I don’t think there’s a single IRC client still in use that hasn’t been updated since the 80s. I wouldn’t be surprised if your favorite client got an update in the last couple of months - and that despite it being a trivial protocol.

    • dubyakay@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      ·
      4 months ago

      It’s more like WhatsApp or messenger (pick your poison on which one I am referring). Fairly lightweight. No useless features. And I think there’s an F-Droid version, running as Molly.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        Interesting, it looks like molly.im has its own f-droid repo, but there is nothing about Molly in the regular f-droid repo. Thanks though. I guess I should look into this a bit more. I’m way out of date with phone stuff.

        • vii@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Molly allows you to use alternative push servers (instead of Google’s), amongst other things.

          • EngineerGaming@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 months ago

            And (what is important to me now) allows using any Socks proxy instead of only Signal’s own censorship-bypassing solutions. This is a weird decision on Signal’s part, because in places like this, you might need to switch between various protocols when the old ones stop working. And for Signal, developing censorship evasion is not the primary task so naturally they would not be as advanced and quickly-evolving as the communities dedicated to it.

          • solrize@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 months ago

            Oh interesting, yeah I saw some reference to Signal relying on some kind of Google service. I figure I would want to self-host anything I was serious about. It also looks like these things do video chat, so they’re much more elaborate (perhaps unnecessarily) than IRC, which is text-only. I’ve never used Whatsapp and am not even sure what it is, except that for a while I confused it with Instagram.

            I’ve installed GNU Jami and that seems like enough for video chat? I just haven’t had occasion to actually use it. I’m not a video guy and frankly am usually happy with email. PGP from the 1980s still works fine, if anyone cares.

            • vii@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              4 months ago

              The aim of Signal Foundation is to displace the likes of WhatsApp and Messenger thus it has to support all modern and expected features.
              Interestingly enough WhatsApp uses Signal’s protocol for encryption, it’s part of the planned messaging interop forced on Meta by EU.

  • graphene@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    6
    ·
    4 months ago

    Wasn’t there some controversy about Signal’s creation being supported by the US government to provide private communications for anti-us-enemy organisation or something? I’m sure I remember it correctly…

  • Twinklebreeze @lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    21
    ·
    4 months ago

    I love the idea of signal, and want to use it and invite friends to it. But then I remember I don’t really want to message anyone, and don’t really have friends because I have no interest in messaging people.

  • Summzashi@lemmy.one
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    64
    ·
    4 months ago

    Nobody is going to use Signal when it lacks so many features. Feels like MSN messenger compared to it’s peers.

  • sunzu2@thebrainbin.org
    link
    fedilink
    arrow-up
    7
    arrow-down
    65
    ·
    4 months ago

    How much signal and she spend onnthis shameless self promotion.

    JFC, if anything she is taking signal the wrong way and going the way of mozilla IMHO

    Signal is a good product but there is a lot areas where it can do better… Have gotten any new features over last 5 years? Besides aliases?

    What are they working on?

    Seen interesting discussions about how signal is farming our meta data to the feds, I was clowned a few years back on this hot take. I am very regarded though. Can anyone pitch on this tinfoil?

    Main looking to understand if that is even technically feasible?

    • ABCDE@lemmy.world
      link
      fedilink
      English
      arrow-up
      37
      arrow-down
      1
      ·
      4 months ago

      I was clowned a few years back on this hot take. I am very regarded though. Can anyone pitch on this tinfoil?

      ?

      • underwire212@lemm.ee
        link
        fedilink
        English
        arrow-up
        26
        ·
        4 months ago

        Yeah idk I’ve read it like 4 times and still struggle to find a coherent thought here.

      • deranger@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        20
        arrow-down
        6
        ·
        edit-2
        4 months ago

        Poster was made fun of in the past for saying Signal gave metadata to the feds. He has a learning disability (regarded = deliberately misspelled R slur). They’re looking for someone else to corroborate the metadata claim.

        That’s my interpretation at least.

        • CosmicTurtle0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          16
          ·
          4 months ago

          They did a blog post about how the feds had made a second attempt to get metadata from them and they could only provide two fields of information: the date the account was created and the last time it connected to the service.

          It’s in the public record as well if I’m not mistaken.

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            1
            arrow-down
            9
            ·
            4 months ago

            The issue that if they were under FISA order or some other such shit, legally they would have to say what feds tell them, ie they would not be able to say and we give feds your logs.

            Question is whether they can technically collect the logs which is tinfoil i am following up on.

            Basic opsec thinking, if it is technically feasible, you must assume it is happening. This is game 101.

            So here we are trying to prove a negative but nobody also is able to provide anything beyond, trust signal bro.

        • Lost_My_Mind@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          6
          ·
          4 months ago

          “Retarded” is not a slur. It’s a medical term. “Idiot” is a slur that roughly means the same thing, though not nearly as far.

          • noodlejetski@lemm.ee
            link
            fedilink
            English
            arrow-up
            9
            arrow-down
            2
            ·
            edit-2
            4 months ago

            “Idiot” is a slur that roughly means the same thing

            “idiot”, “moron”, “cretin” and “imbecile” were all medical terms once and described different levels of intellectual disability, but they fell out of use and are now considered offensive. language changes, and context is important.

      • jollyrogue@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        4 months ago

        Signal uses Google Cloud Platform for their servers, for one.

        Then I think it’s something to do with metadata.

      • edric@lemm.ee
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        1
        ·
        4 months ago

        They also added stories which, despite what the internet might have you believe, was one of the most popular feature requests on the Signal message boards for many years

        This was weird for me personally. I consider Signal a messaging tool which in my mind is separate from an actual social media app, so it was a bit of a head scratcher for me to see stories as a very popular feature request. I don’t really care about sharing “stories” in that format to my contacts or seeing theirs, but then again that’s just me.

      • sunzu2@thebrainbin.org
        link
        fedilink
        arrow-up
        2
        arrow-down
        14
        ·
        4 months ago

        Does signal meta data allow for signal to time stamp witu who you communicate using their app and servers?

        Side note, PR like that costs about 15k fyi

    • Im_old@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      20
      ·
      4 months ago

      (almost) anything is possible with a CIA black fund budget. I’ve moved to Simplex chat and not looked back.

      • sunzu2@thebrainbin.org
        link
        fedilink
        arrow-up
        2
        arrow-down
        19
        ·
        4 months ago

        I feel that but people can’t just move since we need somebody to talk on these super duper 69 layer quantum resistant protocols.

        Looks simolex is gunning for the crown nowadays tho but there other viable contenders baking.

        Once new leader arrives, going to need to tell my group we migrating again 🤕

        • Zoot@reddthat.com
          link
          fedilink
          English
          arrow-up
          7
          ·
          4 months ago

          Why? Just stay on Signal. For the time being it is one of the leaders in private communication.

          Though, if you truly need secure private conversations, you would want to move around a lot anyway.

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            2
            arrow-down
            11
            ·
            4 months ago

            For now it is the gold standard but I don’t trust the leadership and their PR approach.

            I won’t move until I can justify moving my friends over and right now there is no alternative