• mipadaitu@lemmy.world
      link
      fedilink
      English
      arrow-up
      76
      arrow-down
      3
      ·
      2 months ago

      Not that the action against Telegram is right, but there’s a big difference between what Signal and Telegram is doing.

      • Otter@lemmy.ca
        link
        fedilink
        English
        arrow-up
        33
        ·
        2 months ago

        Would you have more info on the differences? I was wondering the same thing, but I don’t know enough about Telegram to compare

        • pimeys@lemmy.nauk.io
          link
          fedilink
          arrow-up
          74
          arrow-down
          2
          ·
          edit-2
          2 months ago

          Signal always responds to authorities when they ask for data, and they give them all they have: the day they registered, their phone number and the timestamp they last used the app.

          Telegram has unencrypted channels of drug dealing, and what I heard is a lot of illegal porn too. The authorities want information on certain users there and Telegram doesn’t comply. This is directly against the law Signal is not breaking, because they always send all the data they have to the law enforcement.

          • rottingleaf@lemmy.world
            link
            fedilink
            arrow-up
            18
            arrow-down
            1
            ·
            2 months ago

            Telegram is a propaganda weapon in some sense, between two worldviews - one is “a good service doesn’t require trust, because they physically can’t sell you”, another is “a good service you can trust because they won’t sell you”. And Telegram helps the latter.

            So frankly - kill it with fire. Sadly I’m in Russia and everybody uses it here.

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            21
            arrow-down
            11
            ·
            2 months ago

            while not wrong context matters, US social media companies also enable human, weapons, and drug trafficking. they play a role in a few genocides too.

            but the western regime does not care.

            • pimeys@lemmy.nauk.io
              link
              fedilink
              arrow-up
              30
              arrow-down
              6
              ·
              edit-2
              2 months ago

              But they give their data when the officials ask. That is all that matters. And I seriously hope none of us uses Telegram or WhatsApp to any discussions. Use Signal because that is so far pretty unbreakable.

              Telegram is already in the hands of that tiny Russian old man and WhatsApp is owned by a lizard.

                • pimeys@lemmy.nauk.io
                  link
                  fedilink
                  arrow-up
                  4
                  ·
                  2 months ago

                  Did so years ago. Everybody uses it from my family and friends. I’ve had a very active group chat there for eight years with friends. My mom uses it actively, even calls me using Signal. My partner knows it is the best chat app and actively uses it.

                  I just asked ages ago for everybody to switch to signal, they valuated the features and for a group chat automatically deleted messages and strong encryption were really interesting for everybody. Now we can shoot shit in a group chat without needing to worry that the logs are stored somewhere forever.

            • Pasta Dental@sh.itjust.works
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              2 months ago

              All of the illegal stuff like that that I’ve seen around on social media always linked to telegram channels. Most of the time what you see on regular social media are bots advertising the telegram channels, where the real people are at

        • unconfirmedsourcesDOTgov@lemmy.sdf.org
          link
          fedilink
          arrow-up
          14
          ·
          2 months ago

          I’m no authority on it but from what I’ve read it seems to have more to do with the social features of telegram where lots of content is being shared, both legal and illegal. Signal doesn’t have channels that support hundreds of thousands of people at once, nor media hosting to match.

          • socsa@piefed.social
            link
            fedilink
            English
            arrow-up
            14
            ·
            edit-2
            2 months ago

            Right, the French authorities are going to present evidence that this dude was aware of specific illegal activity and refuse to comply with a legal warrant involving said actively, making him guilty of obstruction at best, and possibly conspiracy. Signal complies with warrants, they just don’t have anyone’s keys. Telegram has everyone’s keys, and theoretically could turn them over but they refuse. That’s a huge difference from a legal perspective.

            • unconfirmedsourcesDOTgov@lemmy.sdf.org
              link
              fedilink
              arrow-up
              13
              ·
              2 months ago

              Thank you. I’m going to restate your explanation to be sure I’ve got it:

              • authorities want platforms to comply with legal requests
              • when Signal gets a subpoena, they open the key locker and show that it’s empty. They provide the metadata they can (sign up date and last seen date, full stop) and tell authorities they can’t do better.
              • when Telegram gets a subpoena, they open the key locker and show all the keys, then slam it shut in the face of the investigator, telling them to get bent.
              • conclusion: it’s easier to never have the keys in the first place than to tease the government with them
              • rottingleaf@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                3
                ·
                2 months ago

                It’s easier, but Telegram’s authors are from Russia. They psychologically can’t accept that “never have the keys” thing. They want to have control and they want to be able to tell “yes” to the investigator, possibly for something in return.

          • rottingleaf@lemmy.world
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            2 months ago

            And it’s sad that it doesn’t. Because that’s why people use Telegram.

            Media hosting - we-ell, I suppose something similar to bittorrent (or just sharing encrypted files over bittorrent) would do to back such a system?

            Telegram’s channels are like blogs, they have reactions and comment links leading to a groupchat associated with a channel.

            It’s basically a social network in an instant messenger format.

            Telegram is socially , in terms of finding a market niche, the smartest thing of what’s happened in the Internet recently. Durov really is a good businessman.

      • istanbullu@lemmy.ml
        link
        fedilink
        arrow-up
        16
        arrow-down
        63
        ·
        2 months ago

        Telegram is available on F-Droid. Signal is not. Whatever is Signal doing, it’s pretty bad.

        • toasteecup@lemmy.world
          link
          fedilink
          English
          arrow-up
          24
          arrow-down
          5
          ·
          2 months ago

          Are you developing your opinions based on vibes or have you actually audited their software yourself (you are free to do so both client and federation server code)?

          If you audited it, have you produced an actual report with metrics and points of reference for your data points?

              • rottingleaf@lemmy.world
                link
                fedilink
                arrow-up
                4
                arrow-down
                3
                ·
                2 months ago

                It’s actually sad, even though I’m a libertarian, tankies and in general marxists could have made a good input into our future. But if they can believe in Telegram being secure because of vibes and not even doing basic research, they’ve already lost.

                • toasteecup@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  2
                  ·
                  2 months ago

                  Heeey I am also a libertarian, I just tend towards left libertarian. Back to the point of discussion, I find it difficult to ha e a meaningful conversation with the tankies or in general anyone from lemmy.ml . The discussions tend to lack any real data and feel entirely vibe based OR it’s apologist bullshit for Russia.

                  Like it’s cool if you like communism and have a philosophy based around why you think it’ll help humanity. I can politely disagree but still listen and discuss. It’s quite another to just be a complete dipshit and say “Ukraine had the invasion coming” (actual quote I’ve seen).

          • misaloun@reddthat.com
            link
            fedilink
            arrow-up
            1
            ·
            2 months ago

            Doesn’t take away the fact that not being on F-droid is a huge issue and says a lot about how much they care about privacy and security.

        • gedaliyah@lemmy.world
          link
          fedilink
          arrow-up
          13
          ·
          2 months ago

          The folks at F-Droid have said that Signal would certainly qualify, but Signal doesn’t want multiple channels out there. F-Droid is just honoring their wishes.

        • MerchantsOfMisery@lemmy.ml
          link
          fedilink
          arrow-up
          13
          arrow-down
          2
          ·
          2 months ago

          Assuming you’ve audited Signal, can you tell us what your findings were and why you think Signal must be up to something pretty bad? I’m very curious and would love to be enlightened by someone as knowledgeable as you.

          • poVoq@slrpnk.net
            link
            fedilink
            arrow-up
            10
            arrow-down
            2
            ·
            edit-2
            2 months ago

            I’ll leave it up to you to decide if that is bad or not, but one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time, which can also be altered by Google at will with any Android update.

            • MerchantsOfMisery@lemmy.ml
              link
              fedilink
              arrow-up
              5
              arrow-down
              2
              ·
              edit-2
              2 months ago

              How significant is it that the server code is open-source or not? It’s possible for Signal to publish their server code while running completely different software on their servers. The point of the client is being open source and audited on a regular basis by the community, which is why it doesn’t make sense to trust the server-side software.

              The entire point is that we don’t have to trust the sever at all. The client is open source and regularly audited by the community. As long as the client stays fully open source, everything’s fine. Also, the closed source dependencies are part of a spam reduction effort which IMO is well worth it. Prior to this, Signal had a spam problem and the client itself remains fully open source.

              Signal could have very well not even told people that they added a closed source dependency on Google to its servers and just lied by publishing fake server code that omits the closed source dependency., but instead they were very transparent about the spam problem. In terms of they “why?” regarding the closed source dependencies, their argument is that making it open source would almost immediately result in all anti-spam measures being thwarted. Frankly I’m inclined to agree and again, as long as the client is fully open source and regularly audited, the server code is irrelevant to user privacy/security.

              https://community.signalusers.org/t/spam-scam-on-signal/26665

              https://signal.org/blog/keeping-spam-off-signal/

              • poVoq@slrpnk.net
                link
                fedilink
                arrow-up
                7
                arrow-down
                1
                ·
                edit-2
                2 months ago

                The external Google dependencies I am talking about are loaded into the client not the server, so that’s an entirely different issue.

                • MerchantsOfMisery@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  6
                  ·
                  2 months ago

                  Every app from the Play store requires GCM though, and Signal functions even if a user disables GCM. It pertains to a phone’s ability to notify a user of a new message. But again, users can disable GCM and the app itself will continue to work just fine.

                  For what it’s work, the APK on Signal’s website (obviously) doesn’t have the external Google dependencies. Personally, I really don’t see this as an issue at all.

              • Possibly linux@lemmy.zip
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                1
                ·
                2 months ago

                It would still be nice to have the server code. I want to run my own server on my own hardware

            • Preston Maness ☭@lemmygrad.ml
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              2 months ago

              one of the reasons the Signal app can’t be put unaltered on F-droid is because it loads in external dependencies from Google at run-time

              IIRC, the APK you get directly from their website doesn’t have the GCM bits in it (edit: I did not recall correctly; the GCM bits are there, but there is a websocket fallback if GCM isn’t available), and will work without them. At least, I didn’t have any issues with notifications back when I was running the website APK with GrapheneOS and no Google bits.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      23
      arrow-down
      1
      ·
      2 months ago

      She has her hand in too many strategic places, unlike Telegram.

      employed at Google for 13 years

      speaker at the 2018 World Summit

      written for the American Civil Liberties Union

      advised the White House, the FCC, the FTC, the City of New York, the European Parliament, and many other governments and civil society organizations

      • rottingleaf@lemmy.world
        link
        fedilink
        arrow-up
        1
        arrow-down
        2
        ·
        2 months ago

        It’s a pleasing thought, of course, that an influential person may have morals and good goals (and nice looks).

        But since there’s no way to know for sure, I think I’ll just stop trying to classify those names into good and evil.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      5
      ·
      edit-2
      2 months ago

      She’s in the US

      Say what you will about US but they are pouring money into the cyber security industry

      • where_am_i@sh.itjust.works
        link
        fedilink
        arrow-up
        3
        ·
        2 months ago

        Dude, it’s a non-profit, and their biggest contribution is money that was made by selling WhatsApp to Facebook. Cuz the guy just couldn’t live with what happened to his creation.

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      35
      ·
      edit-2
      2 months ago

      They won’t there’s no need. Their clients are garbage and they’re most likely backdoored anyways. This action against Telegram is only happening because they can’t get inside it, they can’t backdoor it nor corrupt anyone. If they were able to do that they wouldn’t be doing this.

      • ArchAengelus@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        11
        ·
        2 months ago

        No matter how good the protocol or client encryption, your privacy is only as good as your own physical security for the device in question.

        Given that if you lose your private key, there is no recovery, I would be surprised if there were real back doors in the clients. Maybe unintentional ways to leak data, but you can go look for yourself: https://github.com/signalapp/Signal-Android

        They have one for each client.

        • heavyboots@lemmy.ml
          link
          fedilink
          English
          arrow-up
          8
          ·
          2 months ago

          As an example of this, I believe SexyCyborg got in trouble for reporting on leaks via people’s 3rd party Chinese language keyboards. So her theory is that the keyboard apps people had installed leaked data when Hong Kong protesters were communicating with the press, rather than the actual Signal app. But… as stated above, people have to take responsibility for their device and in this case, they had chosen to install apps with leak issues into the communication process.

          • socsa@piefed.social
            link
            fedilink
            arrow-up
            6
            ·
            2 months ago

            This is precisely why opsec is more than just an app.

            Leaky keyboards are a possibility, but what is actually far more likely is just that someone on the signal group chat was a mole who was archiving the traffic for the party. Signal has since made efforts to bring anonymous accounts to the platform, which will help thwart such attacks. Though against a state actor it is still not enough unless you take additional measures to obfuscate traffic. And then that still doesn’t protect you against some CCP brownshirt from tailing you and then snatching your phone out of your hand when you unlock it.

            • milicent_bystandr@lemm.ee
              link
              fedilink
              arrow-up
              3
              ·
              2 months ago

              Leaky keyboards are more than a possibility. Sogou, the biggest one for Chinese typing, got found out a year or so ago for having terrible client-server encryption. They fixed it in an update, but many people didn’t get the update - not to mention it’s still sending every keystroke to Tencent (are the owners I think?) so they could also be saving and analysing private typing anyway.

        • TCB13@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          Maybe unintentional ways to leak data,

          Yeah, that’s what I think it may be. Just like Apple reporting on all apps you open on un-encrypted HTTP calls and a few other things.

          • sunzu2@thebrainbin.org
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            2 months ago

            are you talking about phone notification bullshit and google got caught reporting to government with no warrants.

            • ArchAengelus@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              2
              ·
              2 months ago

              Signal’s defaults are pretty good about that. Push notifications are both opt-in and the information they send can be selected by the user. You can have it say “new message” and that’s it. Or the senders name. Or the whole message.

              I agree that it’s not intuitive that that’s a leak to most people, but push notifications are kind of wonky how they work.

              • sunzu2@thebrainbin.org
                link
                fedilink
                arrow-up
                1
                ·
                2 months ago

                signal is all around very strong… my main criticism is the “trust signal bro” cult pretending like Signal would not log chats if ordered by the spooks. which is naive AF and feels like they are trying to make normeis comfortable so they don’t demand better.

        • TCB13@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          3
          ·
          edit-2
          2 months ago

          If you don’t turn on the secret chat feature it wont be, yes. However if E2EE was the only deciding factor for a gov to go against an App then they woudln’t be going after Telegram. The fact that govts are going so hard at telegram simply proves that even when the company has access to all our chats they don’t actually provide them to said govts.

          I’m not saying telegram is good from a security perspective, I’m just saying that event without E2EE and all the modern wonders govts can’t still get in because the company doesn’t indulge their requests.

  • ByteOnBikes@slrpnk.net
    link
    fedilink
    arrow-up
    49
    arrow-down
    1
    ·
    2 months ago

    This is a very rude question, but on this subject of being lean, I looked up your 990, and you pay yourself less than … well, you pay yourself half or a third as much as some of your engineers.

    Yes, and our goal is to pay people as close to Silicon Valley’s salaries as possible, so we can recruit very senior people, knowing that we don’t have equity to offer them. We pay engineers very well. [Leans in performatively toward the phone recording the interview.] If anyone’s looking for a job, we pay very, very well.

    But you pay yourself pretty modestly in the scheme of things.

    I make a very good salary that I’m very happy with.

    That’s pretty cool. But knowing the number would matter.

  • perestroika@lemm.ee
    link
    fedilink
    arrow-up
    27
    ·
    edit-2
    2 months ago

    As a happy user of Signal (no bugs or incidents from my viewpoint), I regardless chime in to say a word for decentralization. :)

    Signal is centralized:

    • there is a single Signal implementation, with a single developing entity
    • you have to install its mobile version before you may run the desktop version

    There exist protocols like Tox which go a step beyond Signal and offer more freedom -> have multiple clients from diverse makers (some of them unstable), don’t have centralized registration, and don’t rely on servers to distribute messages - only to distribute contact information.

    In the grand comparison table of protocols (not clients), Tox is among the few lines that’s all green (Signal has one red square).

    • rottingleaf@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      Maybe the US government (or even “deep state” or something) has realized that making everyone use insecure devices for easier surveillance is as smart as forbidding fire exits so that people would be easier to arrest.

      I haven’t heard too many bad things about Signal.

      Various dictatorships want to simply read correspondence because the social graphs producing actual value and keeping stability in our world, and also protecting their embezzled value stored abroad, are all abroad too, and they won’t hurt these. Some politicians in the west want to invade privacy for the same reason - what they embezzle is stored in ways unaffected by insecure communications in their own countries.

      But if you are part of some establishment, even if not well-meaning, you are interested to protect the system from outright erosion, meaning secure communications.

      Other than that, WhatsApp and FB Messenger are owned by Zuck and he’s become too big to tolerate, Telegram is an African brothel with no protection and plenty of diseases, and in general it’s all corporate around.

      Let’s please also remember that there are people of various views and interests in every organization and force.

  • istanbullu@lemmy.ml
    link
    fedilink
    arrow-up
    60
    arrow-down
    49
    ·
    2 months ago

    Signal’s hostility to third party clients is a huge red flag.

    They also refuse to distance themselves from Google’s app store.

    • ᗪᗩᗰᑎ@lemmy.ml
      link
      fedilink
      arrow-up
      51
      arrow-down
      2
      ·
      2 months ago

      That’s outdated information:

      Go forth and contribute, fork, or create your own.

      They also refuse to distance themselves from Google’s app store.

      This link has existed forever at this point if we count in internet years: https://signal.org/android/apk/ - getting an app directly from the developer with no middleman is about as distant as you can get from Google’s app store.

      • istanbullu@lemmy.ml
        link
        fedilink
        arrow-up
        16
        arrow-down
        7
        ·
        2 months ago

        Those clients exist despite Signal Foundation, not because they encourage community development. They are doing everything they can to discourage third party app development.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        2 months ago

        I wish they had Signal on F-droid but at the end of the day at least it is possible to use Molly Foss.

      • misaloun@reddthat.com
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        Signal actually has a rule on not using third party clients on its servers. These clients existing do not prove the point you intend.

    • Vitaly@feddit.uk
      link
      fedilink
      arrow-up
      29
      arrow-down
      1
      ·
      edit-2
      2 months ago

      Yeah, I would like to use it from f-droid instead of google store or apk

    • ramenu@lemmy.ml
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      21
      ·
      2 months ago

      What? How is this a red flag? Having third party clients is not good for security.

      • doctortran@lemm.ee
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        3
        ·
        edit-2
        2 months ago

        Having third party clients is not good for security.

        If the first party provider told you this, you should always second guess them.

        Moreover, providing an option that informed users can choose doesn’t hurt security. This idea the user can’t be trusted to use the appropriate type of messaging if provided options needs to die.

        • ramenu@lemmy.ml
          link
          fedilink
          English
          arrow-up
          23
          arrow-down
          4
          ·
          2 months ago

          When you use a client, you are relying on the client’s crypto implementation to be correct. This is only one part of it and there’s a lot more to it when it comes to hardening the program. Signal focuses on their desktop and mobile clients and they hire actual security professionals and cryptographers (unlike the charlatans in this thread) to implement it correctly.

          Having third party clients would not definitively mean the client is bad, but it most likely would break the security model. Just take a look at Matrix’s clients.

          • ReversalHatchery@beehaw.org
            link
            fedilink
            English
            arrow-up
            11
            arrow-down
            2
            ·
            edit-2
            2 months ago

            When you use a client, you are relying on the client’s crypto implementation to be correct.

            Nothing prevents this other client from using the same as the original app. When the alt client is just a fork, it’s even easier to check if they kept it intact or not.

            This is only one part of it and there’s a lot more to it when it comes to hardening the program.

            Something at which even the original Signal fails. It has received criticism multiple times (1, 2) for not being verifiable whether it’s been tampered with by the app’s distributor, and also for having included properietary google services dependencies which dynamically load further code from the phone which is also a security issue. Worthy forks solve both of these.

            Signal focuses on their desktop and mobile clients and they hire actual security professionals and cryptographers (unlike the charlatans in this thread) to implement it correctly.

            Last I heard (a month or so ago) the desktop client had serious unfixed issues.


            I think it further erodes your point that Signal is not just hostile in terms of not wanting it, but Moxie for instance has been very, very verbal about this.

            • ramenu@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              2 months ago

              Something at which even the original Signal fails. It has received criticism multiple times (1, 2) for not being verifiable whether it’s been tampered with by the app’s distributor, and also for having included properietary google services dependencies which dynamically load further code from the phone which is also a security issue. Worthy forks solve both of these.

              That’s unfortunate. I do hope that these forks don’t go and start making extensive changes though, because that’s where it becomes a problem.

          • poVoq@slrpnk.net
            link
            fedilink
            arrow-up
            10
            arrow-down
            5
            ·
            edit-2
            2 months ago

            No, if your system can’t support 3rd party clients properly, it is inherently insecure, especially in an e2ee context where you supposedly don’t have to trust the server/vendor. If a system claims to be e2ee, but tightly controls both clients and servers (for example WhatsApp), that means they can rug-pull that e2ee at any point in time and even selectively target people with custom updates to break that e2ee for them only. The only way to realistically protect yourself from that is using a 3rd party client (and yes, I know, in case of Signal also theoretically reviewing every code change and using reproducible builds, but that’s not very realistic).

            Now admittedly, Signal has started to be less hostile to 3rd party clients like Molly, so it’s not as bad anymore as it used to be.

          • UltraGiGaGigantic@lemmy.ml
            link
            fedilink
            English
            arrow-up
            5
            ·
            2 months ago

            Appreciate the link. I still believe in Matrix, even if the client ecosystem isn’t there yet. There HAS to be something to replace discord, the enshitification has already begun.

            • Possibly linux@lemmy.zip
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              2 months ago

              I wouldn’t call it a discord alternative. It is closer to fancy IRC/live forms.

              Then again I don’t really use Discord

          • ahal@lemmy.ca
            link
            fedilink
            arrow-up
            8
            arrow-down
            3
            ·
            2 months ago

            Excellent point! If I’m sending someone information that could get me killed if it were intercepted by the state, I’d sure as hell want some guarantees about how the other side is handling my data. Disallowing third party clients gives me at least one such guarantee.

            • doctortran@lemm.ee
              link
              fedilink
              English
              arrow-up
              7
              ·
              edit-2
              2 months ago

              You have absolutely zero guarantees, with or without their policy on third party apps. You can not send sensitive information to someone else’s phone and tell yourself it couldn’t possibly have been intercepted, or that someone couldn’t get ahold of that phone, or that the person you’re sending it to won’t take a screenshot and save it to their cloud.

              A lot of software nowadays is doing a real disservice to their users by continuing to lie to them like this by selling them the notion that they can control their information after it has been sent. It’s really making people forget basic information hygiene. No app can guarantee that message won’t be intercepted or mishandled. They can only give you tools to hopefully prevent that, but there are no guarantees.

              Moreover, this policy does not exclude them from including third-party functionality and warning the user when they are communicating with somebody that isn’t using encryption.

              Too many of these apps and services are getting away with the “security” excuse for what is effectively just creating a walled garden to lock users in. Ask yourself how you can get your own data out of these services when you decide to quit them, and it becomes more apparent what they’re doing.

              • rottingleaf@lemmy.world
                link
                fedilink
                arrow-up
                2
                ·
                2 months ago

                A lot of software nowadays is doing a real disservice to their users by continuing to lie to them like this by selling them the notion that they can control their information after it has been sent. It’s really making people forget basic information hygiene. No app can guarantee that message won’t be intercepted or mishandled. They can only give you tools to hopefully prevent that, but there are no guarantees.

                Oh, yes. These “deleted messages”, or these “hidden likes”, or whatever else.

                I mean, there are fundamental things and algorithms allowing to create such a system, with blinded keys, ghost keys and what not, only these disgusting cheats have a centralized service where any employee can see everything, yet pretend that they have “a security feature”.

              • ahal@lemmy.ca
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                2 months ago

                Of course, I fully agree! My point was just that you can eliminate the risk of poorly implemented cryptography at the endpoints. Obviously there’s a thousand and one other ways things could go wrong. But we do the best we can with security.

                Anyway apparently third party clients are allowed after all? So it’s a moot point.

              • ahal@lemmy.ca
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                2 months ago

                You do if third party clients aren’t possible? You have control over what client the receiving end is using.

                But apparently third party clients are possible, so it’s moot.

          • Possibly linux@lemmy.zip
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            4
            ·
            2 months ago

            Signal third party clients base off the Signal code base. They just add patches and remove certain dependencies. Also they are often more secure. You logic is from the Apple PR department.

            • ramenu@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 months ago

              Again, having third party clients would not definitively mean the client is bad. Obviously, if it’s a simple fork with hopefully small patches that are just UI changes, it’s probably not going to harm the security model.

              I should have phrased this better in my original post. When I was thinking about third party clients, Matrix and XMPP immediately came to my mind. Not very simple forks. So I’ll phrase this better: “Having non-trivial third party clients is not good for security.” What non-trivial means is left to interpretation though, I suppose.

      • PlexSheep@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        Why do you think so? I see it as a strength in diversity and a great driving force for a proper server api

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      10
      ·
      2 months ago

      Do you hate Signal or do you hate the west? There legitimate reasons to not like Signal but calling them hostile toward third party clients is untrue. Last time I checked Signal wasn’t proprietary.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        3
        ·
        2 months ago

        They have demonstrated history of asking third party clients to not use the signal name, and not use the signal network. The client that currently exists that do this do it against the wishes of the signal foundation

        • ᗪᗩᗰᑎ@lemmy.ml
          link
          fedilink
          arrow-up
          13
          arrow-down
          2
          ·
          2 months ago

          They have demonstrated history of asking third party clients to not use the signal name, and not use the signal network.

          The lead developer, nearly 10 years ago now, specifically asked LibreSignal to stop. A single event does not make a demonstrated history.

          The client that currently exists that do this do it against the wishes of the signal foundation

          If you have evidence to back this claim, I would like to see it so I can stop spreading misinformation.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            3
            ·
            edit-2
            2 months ago

            In the Libra signal issue that you linked to, they made it clear they don’t want third-party clients talking to signal servers

            You’re free to use our source code for whatever you would like under the terms of the license, but you’re not entitled to use our name or the service that we run.

            If you think running servers is difficult and expensive (you’re right), ask yourself why you feel entitled for us to run them for your product.

            • ᗪᗩᗰᑎ@lemmy.ml
              link
              fedilink
              arrow-up
              6
              arrow-down
              1
              ·
              2 months ago

              He was specifically talking to that developer. The “You” and “You’re” in that quote was specifically targeted at the LibreSignal developer.

              I recall the gurk-rs developer specifically mentioned that his client reports to Signal’s servers as a non-official app. The Signal admins can see the client name and version - just like websites can tell what browser you’re using - and could easily block third party clients if they wanted to but they don’t.

              If Signal wanted to block third party clients, they would have blocked them already.

              • jet@hackertalks.com
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                2
                ·
                2 months ago

                Moxie made it incredibly clear, he does not want third party is talking to the signal servers.

                Libra signal took him at his word and turn themselves off

                The other developers, like Molly, take a stronger road.

                Is signal currently banning third party clients? No. But they’ve made it clear they don’t like them. They didn’t actually ban Libra signal, they just asked them to stop. Could they ban the clients in the future? Yes

                • ᗪᗩᗰᑎ@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  5
                  arrow-down
                  1
                  ·
                  2 months ago

                  I’ll reiterate my statement as you didn’t address it.

                  If Signal wanted to block third party clients, they would have blocked them already.

                • istanbullu@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  4
                  arrow-down
                  3
                  ·
                  2 months ago

                  If you have a backdoored client, then you would naturally object to third party clients :)

    • where_am_i@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      arrow-down
      5
      ·
      2 months ago

      What part of non-profit and open-source do you not understand?

      Review the source, build it yourself, be happy. It uses well-known assymetric encryption algorithms. Not much your agency could really do here even if they harvest all the traffic from the server.

      • NegativeLookBehind@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        3
        ·
        2 months ago

        Was my fucking question about the integrity of the algorithms they use, or was it about who’s been funding the product? Because a quick web search will show you that they did in fact fund it at one point.

        • where_am_i@sh.itjust.works
          link
          fedilink
          arrow-up
          7
          ·
          2 months ago

          And so what? You could be an oil dictatorship prince and donate a billion to Signal. It’s not going to compromise it in any way that is not directly auditable.

          So, your fuckin question is misguided. You’re “only asking questions” while implying intent.

  • sumguyonline@lemmy.world
    link
    fedilink
    arrow-up
    15
    arrow-down
    8
    ·
    2 months ago

    Signal is compleletly compromised through spell check on 99% of OEM smart devices. Spell check can see what your typing word by word, and signal uses it. Feds are 100% using spell check to view your private messages. And by feds I mean every government on earth with a computer.

    • Dessalines@lemmy.ml
      link
      fedilink
      arrow-up
      23
      ·
      2 months ago

      Spell check? If you mean smartphone keyboards, then yes, the non-foss ones are keyloggers. One of my side-projects is a privacy-oriented keyboard, but there are many out there that don’t require network calls to google or apple.

    • sunstoned@lemmus.org
      link
      fedilink
      English
      arrow-up
      17
      ·
      2 months ago

      Is this some Network Allowed problem that I’m too Network Not Allowed to understand?

      • kureta@lemmy.ml
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        2 months ago

        Are you using a custom rom? I don’t have this option on my oneplus 9 pro. but I have something else.

    • EngineerGaming@feddit.nl
      link
      fedilink
      arrow-up
      2
      ·
      2 months ago

      The problem is actually further - it’s that they push people to use Signal on mobile.

      In the official desktop client, there is no option to register (even though it would likely be not that hard to add a box accepting a verification code), they tell you to use it in the mobile app instead. All while far from all phones can have privacy-respecting OSes installed on them at all.

      Yes, there are ways around (Signal-cli or an Android VM - and even then you have to use Molly since the official client requires you to scan a QR rather than following a link). But arbitrarily directing people to a platform that is harder to make private is nonetheless weird.

  • beSyl@slrpnk.net
    link
    fedilink
    arrow-up
    4
    arrow-down
    9
    ·
    2 months ago

    The thing I hate about signal is the UI. Everything looks way too big on my device. WhatsApp, for example, holds 2 more chats, and the messages themselves are tidier.

    This may seem like it’s not a big deal, but UI is absolutely crucial on order to get people to actually use the app. I moved a few people to signal but they just hated the way it looks. “seems like an app for old people, font too big”. I can see that. They moved back to insta/WhatsApp.

    I think some small and easy UI changes could make the app much better: just give us a “compact” mode.

    • Both WhatsApp and Signal show the same amount of chats to me (9 for both). WhatsApp does show a small sliver of a tenth chat, but it’s not really properly visible. There is a compact mode for the navigation bar in Signal, which helps a bit here.

      From what I can see there’s slightly more whitespace between chats, and Signal uses the full height for the chat (eg same size as the picture), whereas WhatsApp uses whitespace above and below, pushing the name and message preview together.

      In chats the sizes seem about the same to me, but Signal colouring messages might make it appear a bit more bloated perhaps? Not sure.

      • beSyl@slrpnk.net
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        2 months ago

        For me, I can see 7 chats on signal, 9 chats on WhatsApp. There are tons of wasted space on signal for me. It just looks bad to my eyes.

  • coolusername@lemmy.ml
    link
    fedilink
    arrow-up
    15
    arrow-down
    21
    ·
    edit-2
    2 months ago

    0% chance that the feds don’t have Signal backdoors, otherwise Wired wouldn’t be promoting it. fyi everyone Proton is CIA. It’s modern cryptoAG.

    • mipadaitu@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      2 months ago

      https://community.signalusers.org/t/overview-of-third-party-security-audits/13243

      https://freedom.press/newsletter/crossfire-over-messaging-security/

      https://freedom.press/training/locking-down-signal/

      You don’t have to take Signal’s word for it, because it’s been audited. The EFF, who are VERY privacy minded, and do extensive research into this type of thing, recommends Signal because it’s known to be secure.

      • Dessalines@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        2 months ago

        Does the EFF have access to signal’s server? Where they store all the phone numbers and messages for its users?

    • ramenu@lemmy.ml
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      3
      ·
      2 months ago

      Well, I disagree about Signal. Proton however, I agree is extremely shady and should be avoided at all costs.

      • JaggedRobotPubes@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        2 months ago

        That’s pretty strong and I’ve never seen or heard anything like it before. If it’s true I’m betting the rest of Lemmy would like some details, too.

        • ramenu@lemmy.ml
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          7
          ·
          2 months ago

          No support for Monero despite it being requested on uservoice 6 years ago. A Bitcoin wallet (seriously?) which is easily traceable. Important email metadata is also not zero access encrypted (i.e., subject headers, from/to headers) which leaks a substantial amount of information even if the body is encrypted. Not to mention they had clearnet redirects from their onion service a while back, something a lot of honeypots usually do.

          Even if it’s not a honeypot, you’re sure as hell not getting any privacy with Proton. That’s for sure.

          • ScreaminOctopus@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            5
            ·
            2 months ago

            You can’t e2e the to and from headers in an email. that’s a problem with the protocol, not with proton. I’d assume the subject line falls into a similar bucket, because mailservers probably want to use it to filter spam

            • ramenu@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              2 months ago

              I never said anything about E2EE. Please re-read what I wrote carefully.

    • servobobo@feddit.nl
      link
      fedilink
      arrow-up
      11
      arrow-down
      7
      ·
      2 months ago

      Centralized service with servers in the US, requires a phone number to create an account, and tech bros like it. “0% chance” 100% confirmed.