WTF. What could possibly go wrong. Flip phone here I come.

Sounds like it would be nice if Savannah offered Forgejo hosting.

Ok I used to feel sorry for non-libre streaming software users, but this is now in “one born every minute” territory. Thanks.

What the heck is this thing? Should many of us care?

Hmm ok, though if a security program needs frequent updates, that’s a cause for concern in its own right… :/

So do that. You can do that with Signal.

Do you know of anyone doing it? Other people have said there are difficulties.

You wouldn’t register on websites, but you would communicate with them over plaintext. I hope that makes it clearer.

It is ok, in that era (dialup or wired internet) unencrypted http was basically as secure as unencrypted landlne phone calls. People still have unencrypted phone calls all the time. Typicalally sites would show public content (like product pages on an e-commerce site) by http, then switch to https for checkout to protect stuff like credit card numbers. Encrypting everything became important when wifi became widespread. Wifi hotspots would hijack DNS and spoof entire web sites to steal credentials. Also, LetsEncrypt made it possible to bypass the CA scam industry, making https-everywhere more popular. Public awareness also increased due to Snowden’s disclosures.

The RSA encryption patent also expired in 2000. Before that, US website operators were potentially exposed to hassle if they didn’t use a commercial server with an RSA license ($$$). But, it didn’t apply outside the US and FOSS SSL servers existed for those wanting them.

Those are nice generalities but I think they ignore reality. Jami seems like sort of a side project to its developers. Bug reports often are answered with a suggestion to make sure everyone is running the latest version of Jami, which is often useless advice. Like if you try to call your friend with your new phone and the call doesn’t complete, it’s unhelpful for your phone manufacturer to say your friend should get a new phone. You might be interested in helping fix the problem but your friend just wanted to have a phone conversation and doesn’t want to get dragged into a debugging project. It’s even worse if the other person is not your friend but rather is someone you just met and exchanged numbers with. If you try to follow up with a phone call and there is a problem, GAME OVER. You permanently lose contact with that person. You can’t possibly suggest Jami as a Skype replacement after that happens to you once or twice.

Another thing with comms programs in general is you really can’t debug them with just one computer. Their whole function is to let two computers talk to each other, so you need two computers where you control both ends and ideally control the network as well, so you can insert delays, network faults, etc. If the Android version has trouble talking to the Iphone version, you need both kinds of phones. I’m not sure if Jami’s devs really understand that. I’ve worked on telecom stuff in the past and it’s just the reality of that field.

Yet another (I’m not sure of this) is that Jami is a peer to peer program so I suspect some of the problems revolve around firewall traversal gotchas of various types. I don’t know if there is a cure for this while keeping the basic architectecture intact. I do like it in principle and I know that people get BitTorrent working reliably without too much trouble, so maybe Jami is just missing some trick.

Finally, Jami is pretty old and back in those days, people hadn’t really thought about the subtleties of encrypted group chats. Signal does a better job, and these days there is a standard (RFC 9420) for how to do it (I don’t know if Signal follows this standard). It would be good if Jami were revamped for that, but 1) that would break interoperability again, and 2) I don’t know if it’s workable at all with Jami’s architecture (serverless, using a distributed hash table for peer discovery).

For now I’ve sort of given up on Jami and am trying to figure out what to use instead. It’s unfortunate that the main devs don’t seem to have that much interest in making Jami reliable. Randos like me capable of making small contributions can’t really help much with more involvement from the experts.

Oh I see. Yeah DVD drives generally use the same SATA interface as hard drives.

Because your status updates and messages are encrypted and stored (until retrieved, of course) once for every recipient, and that includes your other devices and their other devices.

I’d like to see a numerical estimate of how much data this is. But, it sounds to me like more reason to want to self-host.

I don’t see any point to rehashing the other stuff. Non-TLS websites mostly went away once DNS spoofing at wifi hotspots became widespread.

If you mean a 2.5" drive (laptop sized) then yes you can generally do that. 3.5" drives are usually 1" thick and won’t fit in a slim DVD drive slot.

ToE is generally taken to mean a theory that accounts for all four fundamental forces in physics, 1) strong nuclear force, 2) electromagnetism, 3) weak nuclear force (unified in some way with electromagnetism now), 4) gravity. The “standard model” only handles the first three, with gravity being separate and very mysterious. I’m skeptical of this new paper on various grounds but who knows.

Thanks. The more I think about it, the more this seems like outright evil behaviour on Signal’s part to pursue user growth, similar to Facebook etc. Imagine that you and your boss are in each other’s contacts for obvious work-related reasons. Do you really want Signal notifying your boss that you registered for Signal? For some of us it’s fine, but in general it seems like a terrible idea.

Yeah I’m on their Discourse forum, but the situation isn’t that great, and it’s unclear to me if the problems are fixable. Particularly when there are incompatibilities between version X and version Y, where both versions are already in the wild. You can’t travel backwards in time to fix those versions, and this (like email clients or telephones) is an application area where you can’t tell people to update their clients all the time. You have to keep things interoperable.

It’s also often inconvenient to reproduce bugs like that in order to diagnose them. If you try to talk to someone over Jami and it doesn’t work, you generally can’t borrow their phone to analyze the issue. If you’re one of the core developers, maybe you have access to a room full of different kinds of phones and OS versions to test with, but a typical user/contributor won’t have anything like that.

Thanks. I’m not a sophisticated Android user and so far have just stayed with installing stuff from F-droid. If the official build matches the F-droid build, that’s great. At some point I want to spend some time bringing up Android build tools, but I have too much other stuff going on right now.

Interesting, I wonder why it’s not in the main F-droid repo. Thanks.

Very interesting, thanks. Do you mean they use SGX (Intel’s buggy secure enclave feature)? Any idea what they use it for? If not SGX, do you know what the issue is? AMD Epyc processors have something similar but different, fwiw. If there is such highly secret info on the server though, that makes self-hosting even more important. It also makes the architecture suspect.

Telling the govt that you registered for Signal sounds like a bad failure as far as I’m concerned, e.g. if you are a user in a repressive regime. Do you think Trump would like to get his hands on a list of all the Signal users in the US? Probably yes. What would he do with the list? IDK but it has to be bad. So it should be an objective of Signal to make it impossible for anyone to create such a list.

Anyway, it sounds like Signal has wised up and is getting rid of the phone number requirement. I don’t understand why people here keep defending the misfeature. I’ve heard such things explained as “system justification” but I still don’t understand it. All of us make poor decisions all the time, but we should at least make some effort to recognize them, and fix them when possible.

https://en.wikipedia.org/wiki/System_justification

I think I would stay away from Synology in general these days, after this:

https://news.ycombinator.com/item?id=43734706

There are plenty of DIY NAS solutions available and I’d just use one.

To truly be safe from Signal’s influence you would need to audit the source code and build it yourself.

Usually I only install APK’s from F-Droid, which always builds its apps from source, rather than using the developer’s APK. I’m uncomfortable that Signal doesn’t seem to be on F-droid, and I’m in fact hesitant to install it from anywhere else. I’m not currently set up to build Android apps myself. I’m a fairly unsophisticated Android user.

They are overlapping areas, but they are “two completely different things”. They overlap by sharing common goals, not by being interchangeable.

They aren’t interchangeable but they intersect. Completely different means they are disjoint.

it proudly advertises you as a signal user to other signal users

That sounds terrible, a private message service shouldn’t advertise anything to anyone. If I subscribe to a subversive magazine, it shouldn’t advertise me to other subscribers. It’s a terrible invasion if they do. Signal and PGP are both comparable to subversive magazines in that regard, even if the PGP manual tried to say the opposite.

I think most of us these days recognize that the whole concept of public key directories and signature chains on PGP keys was a conceptual error in how people thought about privacy back then (they only cared about encrypting message content). We like to think we know better now, but maybe we don’t.

Okay? And? In this hypothetical world where Signal offered anonymity but still tied you to your number for other practical reasons, then you’re be correct that it would be a privacy concern.

According to Wikipedia, they do record some of that info and report it to the government when required. In fact there is further disclosure to them (they might not retain or use the info, but they do receive it) every time you connect to the Signal server.

Anyway the Wikipedia article indicates they have introduced usernames as an alternative to phone numbers, so they have finally acknowledged the problem and done something about it.