- cross-posted to:
- privacy@lemmy.ml
- cross-posted to:
- privacy@lemmy.ml
I wish Signal was developed more openly, more like the linux kernel for a “critical infrastructure” example. I wish it had more features, so it could take the place of something like Slack. I wish it supported interoperability like fedi.
But it’s good for what it is and I sure am glad it’s around. People who disrespect it don’t know what they’re talking about.
You know, if you want to replace Slack, look into Mattermost. It’s foss but otherwise pretty much exactly what Slack does so well.
deleted by creator
Isn’t matrix more like slack that you are looking for?
When it comes to security, I don’t think it’s close at all.
Why not? I thought it had very good security. It’s E2E encrypted and the government of France uses it.
Maybe I misunderstood. I thought I heard about terrible security implementations relating to matrix servers.
Edit: I think I was remembering this: https://arstechnica.com/information-technology/2022/09/matrix-patches-vulnerabilities-that-completely-subvert-e2ee-guarantees/
Looks like I’m mostly wrong.
A while back people had a problem with metadata or something. I used to have my own server, so I wasn’t really worried about it.
But it’s been like 3 years since I’ve used it or looked into it.
Kinda curious what’s changed at this point.
Time for Molly
deleted by creator
Signal fork
Terrible name lmao
??
“Molly” is a common nickname of the drug Ecstasy (MDMA)
“time for molly” kind of implies you’re off to get high
MDMA high is great, I’d do it all the time. Good name
Also a nickname for Molybdenum which makes Iron stronger like torrifying Signal makes encrypted communication stronger by protecting metadata from interception.
I wish it wasn’t located in the US where you know even though it’s e2ee they send all the data they get(and that’s a lot) to the government or whoever wants it. But e2ee is cool, right. Nobody from the government cares about it though, but it’s cool.
Bless the era of technology where Signal and ProtonMail exist.
Signal yes, Proton I have my doubts
I think yours is the first comment I’ve read that has Proton hesitancy. I’m curious what your reservations are.
Not OP, I’ve heard criticism of their recent Duo subscription and their bitcoin wallet.
I use Proton services and my biggest gripe is their mediocre Linux VPN app. No binaries to download/Flatpak, advertised port-forwarding isn’t fully implemented and requires playing around in a terminal, and UI feels less polished than it’s Windows counterpart.
There’s a community made Flatpak of ProtonVPN though, in case it helps anyone
Honestly, I just use wg-quick to connect to VPNs, and I tested out ProtonVPN and it worked fine with it. I even set up my router to connect to ProtonVPN, so I could have a wifi network that’s always connected to their VPN.
But I’d really rather not have the same company host my VPN, email, and other stuff, I’d prefer to separate them a bit so no one company has a lot of my data. And something like a VPN really doesn’t benefit from bundling anyway, unless it’s bundled with a browser or something a la Mozilla VPN.
Not OP
There’s not a lot of negative press about them.
They complied with Swiss government requests to out the IP of a French activist.
It looks like they’re really doing the best they can.
Correct. They comply with court orders, its a business. People still need to be secure in how they use it, which that guy wasnt. So if you’re attempting to evade the government, use a vpn. All your data is encrypted, where you access it from and your billing information cannot be.
Do keep in mind proton also runs a VPN he may have been running their VPN and they complied.
If he was using their VPN, they wouldn’t have been able to turn that over according to their own site: https://protonvpn.com/features/no-logs-policy#:~:text=No-logs VPN,lengths%2C or location.
They do have technical capability to do so. I just thing that is stopping then is “our trust”
True but the guy was the one at fault and Proton had to comply. The French Activist was using ProtonMail e-mail for bad usages which is what it boiled down to. You left out the part where they complied with Swiss government yes but they didn’t with the French authorities.
Yet it still comes down to people’s own responsibility. But people love to throw that out the window and expect everything to protect them when they get up in shit.
The French Activist was using ProtonMail e-mail for bad usages
I don’t trust ANYONE to decide on my behalf what a “bad usage” is.
Piss off with your entitlement.
Do you fuck your mother with that mouth?
I actually don’t know what people’s hesitancy is, but I’ve seen numerous people say proton is not good, we’ll see if anybody chimes in with a reason.
I’ve seen doubt of it’s push to pack products into it’s offering ala Google - however I don’t see that as enough to call it not good.
It’s also very easy (and suspicious imo) for anyone to call a service not good without any reason to back it up.
I see that as offering services that people clearly use and value, and that the bills have to be paid somehow. So as long as proton can deliver the privacy and security features it promises, I personally don’t see anything wrong with providing an alternative when the only other options are built on monetizing your data.
The email service says it was unable to appeal a Swiss court’s demand to log the IP address of a French climate advocate.
This weekend, news broke that the anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. The move seemed to contradict the company’s own privacy-focused policies, which as recently as last week stated, “By default, we do not keep any IP logs which can be linked to your anonymous email account.”
Edit: formatting
I often figure it’s google bias and / or people trying to impose their threat models on other people.
Been using proton for quite a while with a few custom domains and am impressed with the service to price of their offerings.
We can one off use cases with any vendor, but at the end of the day, they offer a more secure out of the box experience than just about any other platform out there. If someone is doing illicit shit and gets popped, it’s not on the service provider to provide air cover for them. Improve your opsec or self host.
The one and only critique I’ll give to Proton is how they have it where you can have Google e-mails forwarded to you to your Proton address.
And it’s like…why? The entire reason you’re going to ProtonMail is to escape Google. Why the hell would you want Google to try and pry into your Proton usage when all you want is to distance yourself from them?
You set up the forwarding in google, not proton. You mark the forwarded emails in your proton mailbox. You forward the emails to your proton account until you changed all the sources that you care about from your google to your proton mailbox. Then you turn off forwarding.
Google never gets any more data from you except your protonmail address.
It’s really nice for the transition period. I personally forward my email to Tuta, which lets me slowly convert my services to my new address. I have my most important ones switched over now, but I had to switch dozens over (I would do 3-5 at a time, which was a pain).
I’ll probably leave my gmail forwarding to my Tuta account, just because there’s no way I’m going to go though every single service I have ever used and switch it over, and inevitably some contact will continue using my old email.
As far as Google goes, all it knows is that it’s getting less and less emails, and that what remains is being forwarded to <email>@tuta.com. But that’s not my main email address though, it’s just the one I set the account up with. I actually use <name>@<custom domain>, and I have a bunch of aliases configured for each type of account (e.g. <name>-banking@<custom domain> for my bank accounts, <name>-bills@<custom domain> for utilities and whatnot, etc). But that’s still not my actual, personal email, which is <name>@<different custom domain>, and I only give that one to my family and friends.
So in short:
- gmail -> tuta.com email - all Google knows about
- random online accounts -> custom domain 1
- family/friends -> custom domain 2
If I can convince my SO to switch, I’ll give them an account at custom domain 2 and tell them to only use it for personal contacts, and to have everything else go through their old gmail or a Tuta alias. If I ever decide to switch to Proton, I’d have to transition all of those custom domain 1 emails to some proton aliases (unless I pay for the higher tier), which would be a pain, especially since the main reason I use these custom domains is to make it easier to switch services (e.g. just point my DNS records to the new host).
That’s not everyone’s privacy posture. Some people use Proton to hide, some people use it to secure, some for both. If your goal is to secure, google’s antiprivacy isn’t against that.
I’m with you, though.
Swiss laws aren’t as tight as a lot of people think.
I’d like for them to lean more heavily into open source
It’s probably tight enough for your needs. Unless you live in Switzerland or are breaking Swiss law, they’d need a really good reason to send your data anywhere.
That said, I use Tuta. They have a similar source model (open client, closed server) and are based in Germany, but since they’re an underdog, they have a bit more value and lower costs. I pay €3 and get 3 custom domains and 15 aliases, whereas w/ Proton I pay $4 and get just 1 custom domain and 10 aliases; I can also add people to my plan for €3, instead of upgrading to a Duo for $15 or family for $24. If Proton matched Tuta’s features, I’d probably pay slightly more for the better UX, but I use those features so I’m very hesitant to give that up. I don’t intend to use their VPN or other products, so I’m very much not interested in their higher tiers.
I do wish their server code was open source and self-hostable. I’d love to use my own storage, but still use their spam filtering and whatnot.
It’s probably tight enough for your needs. Unless you live in Switzerland or are breaking Swiss law, they’d need a really good reason to send your data anywhere.
Unless you’re a climate activist in France:
“The email service says it was unable to appeal a Swiss court’s demand to log the IP address of a French climate advocate.”
My understanding is that they broke Swiss law. Don’t do that if you’re hosting your evidence in Switzerland…
Unless you live in Switzerland or are breaking Swiss law
That’s the thing though, governments tend to make everything illegal so they can selectively enforce.
you might want to look at mailcow if you want to self-host your email server
I keep hearing they are CIA lmao.
Yeah, I don’t trust proton mail.
First off, email is inherently insecure, trying to secure it is largely a waste of time.
Secondly, proton has complied with subpoenas in the past, revealing user messages to authorities/governments.
Finally, it’s just too centralized, with a single point of failure, why would you trust it?
Like?
like them embracing Bitcoin and “AI”
Embracing is a strong statement… Their core product are their core products.
Having a Wallet and calling that embracing Bitcoin is like saying they embrace spam because they have an email client
Removed by mod
Removed by mod
Removed by mod
This is a very rude question, but on this subject of being lean, I looked up your 990 and you pay yourself less than some of your engineers.
Yes, and our goal is to pay people as close to Silicon Valley’s salaries as possible, so we can recruit very senior people, knowing that we don’t have equity to offer them. We pay engineers very well. [Leans in performatively toward the phone recording the interview.] If anyone’s looking for a job, we pay very, very well.
So, I googled their tax filing out of curiosity. It’s true that Meredith pays herself much less than her engineers, which is great. What I was rather shocked to see is that they pay their software developers enormous salaries. They’re listing developers making over $400,000 per year, with their VP making over $660,000 per year. Now, I’m all for the value-creators making more money than the CEO. I just had no idea that software developers make that kind of coin. I was thinking of donating to Signal, but I’m kind of weirded out by those astronomical salaries.
That’s inline with Silicon valley salaries. Basic houses cost 2mil there, so it’s not completely outrageous.
As an example, openai pays all its engineers 300k flat+500k/yr in some stock based asset. Another example is Netflix, who are notoriously a very fickle employer, but salaries start in the 400k range and go up from there.
Yes, the article makes the point that Signal needs to compete for talent with the rest of Silicon Valley. I get that. And we’ve all heard about the nearly unfathomable amounts of money that tech companies throw around. When you break it down to individual salaries, though, and see that even normal people in normal jobs are making a million dollars a year between salary and stock… well, I think it really exposes the spectacular wealth inequality that we have allowed to fester. I mean, sure, shelter costs may be high in Silicon Valley, but the cost of other goods remain about the same. A $50,000 truck that an average person in Nebraska might have to save for years to afford is barely a rounding error for folks making a million a year. I’m no economist, but it does seem like there are consequences for this kind of ever-growing wealth inequality.
It is also absurd on its face for a multi-millionaire developer to place a “Donate Now” button in an app and talk about being a non-profit to tug at the heart strings of people who make one-tenth of what the developers are making. It’s feels like Scrooge asking Tiny Tim for a donation.
Anyway, I don’t blame the developers for this absurd situation, and I do appreciate Signal, and Meredith is clearly a cool person who is fighting the good fight against big tech surveillance. But every once in a while an article like this reminds me how deeply fucked up the world is. It seems we are approaching pre-French Revolution levels of economic disparity, and maybe it helps explain why so many working class people are pissed off.
I cannot WAIT for the inevitable market correction on SWE salaries. Entitled bastards.
Not all SW devs make that kind of money. I don’t live in Silicon Valley, and I make significantly less than that amount. I could probably get a job there making somewhere north of $300k, but my expenses would go through the roof and I’d be stuck in SV traffic all the time, no thank you. I get paid well, but less than half what Signal is paying.
I mean, how does a free app with no advertising in it make that kind of money?
A free app with no advertising doesn’t make that kind of money, it gets progressively deeper into debt to a good Silicon Valley rich guy who got it off the ground, Brian Acton.
His biography on the Signal Foundation website:
Brian Acton is an entrepreneur and computer programmer who co-founded the messaging app WhatsApp in 2009. After the app was sold to Facebook in 2014, Acton decided to leave the company due to differences surrounding the use of customer data and targeted advertising to focus his efforts on non-profit ventures. In February of 2018, Acton invested $50 million of his own money to start the Signal Foundation alongside Moxie Marlinspike. Signal Foundation is a nonprofit organization dedicated to doing the foundational work around making private communication accessible, secure and ubiquitous.
Prior to founding WhatsApp and Signal Foundation, Acton worked as a software builder for more than 25 years at companies like Apple, Yahoo, and Adobe.
The Wikipedia article on the Foundation says the loan balance was up to $105M later in 2018. Meanwhile, Acton is still worth $2.5B according to Wikipedia, so things are probably fine for now, even 6 years later.
But you’re right that Signal eventually needs revenue to keep even a small team of high caliber software engineers and devsecops folks around. You very much want excellent engineers to continue to be involved with critical encrypted communications software on an ongoing basis, so it will cost money indefinitely. Presumably Acton does not wish to bankroll it indefinitely.
Again back to the interview:
I wouldn’t imagine that most nonprofits pay engineers as much as you do.
Yeah, but most tech is not a nonprofit. Name another nonprofit tech organization shipping critical infrastructure that provides real-time communications across the globe reliably. There isn’t one.
This is not a hypothesis project. We’re not in a room dreaming of a perfect future. We have to do it now. It has to work. If the servers go down, I need a guy with a pager to get up in the middle of the fucking night and be on that screen, diagnosing whatever the problem is, until that is fixed.
So we have to look like a tech company in some ways to be able to do what we do.
I’m really glad they pay those engineers that much, so that Zuckerberg and his ilk can’t entice them away with oodles of money. One presumes they also believe in the cause, but I think this currently looks like Acton fighting surveillance capitalism with what capitalism got for him earlier in his career.
Cofounder Moxie Marlinspike is clearly a brilliant hacker and coder who was crucial to Signal’s creation, but I think it makes sense that he hasn’t stuck around to try to solve the long term business problem of keeping it aloft infinitely.
So what to do about it? The OP interview is with Meredith Whittaker, who’s entire job is figuring that out:
Since she took on the presidency at the Signal Foundation, she has come to see her central task as working to find a long-term taproot of funding to keep Signal alive for decades to come—with zero compromises or corporate entanglements—so it can serve as a model for an entirely new kind of tech ecosystem.
I’m a recurring donor because I want Signal to succeed and I want to vote now with my wallet, but fundamentally it’s on Whittaker to figure out how to make the long term work. Here’s what she says:
I see Signal in 10 years being nearly ubiquitous. I see it being supported by a novel sustainability infrastructure—and I’m being vague about that just because I think we actually need to create the kinds of endowments and support mechanisms that can sustain capital-intensive tech without the surveillance business model. And that’s what I’m actually engaged in thinking through.
Yeah, that’s not especially enormous compared to startups in the valley offering huge equity alongside already generous compensation packages.
My only gripe with signal, is the use of phone numbers as usernames. Not everyone with whom I want to communicate via signal has a phone number. I understand why they went this route, but wish there was an alternative way.
You can use a username only for finding and adding friends, you only need the phone number to create an account. That’s probably because Signal started as an alternative to Messages (or whatever it was called back then), so you could send SMS if you wanted, or secure messages to friends w/ Signal. The whole point was to be a gentle transition from SMS to private messaging. However, they eventually dropped the SMS feature, but it seems they kept the phone number as username thing.
It kind of sucks, but I think that’s a reasonable limitation since the vast majority of people using this service will have a phone number. You could probably even sign up for a free trial of something (e.g. Google Fi) to sign up for Signal, set up the username, and then drop the phone number service. I don’t know if there are any problems with this, but I don’t think they do anything with your phone number after everything is set up.
I think another reason they use a phone number is that it can mitigate issues with people or bots creating hundred of accounts maybe
But there are plenty of other services that don’t require a phone number that also seem to mitigate that issue, so while it may be a convenient option, it’s hardly the only option.
Yeah. And I don’t fault them for this route. I just with I could sign up without a phone number. Maybe the username thing is a predecessor to allowing usernam-only registration in the future.
Yeah, hopefully. It would also be awesome to have a web login so I could access messages and whatnot when using someone else’s computer w/o having to install something.
I don’t know what direction they’re going, but I’m honestly okay with the caveats that currently exist.
Having web logon would mean they would need to hold the decryption key in some form (or have a weak decryption key, your credentials), so, while convenient, I think it would degrade security and possibly privacy. Unless you mean to receive new messages, the way the desktop app works?
deleted by creator
I can’t tell if you’re joking haha
Why would they be joking? There’s really not a big difference between how their mobile and desktop apps work and what’s possible in the web. It can fetch the keys from my computer or my phone just like their other apps work, and store the keys and whatnot encrypted in temporary local storage, just like on the phone. WebAssembly could allow them to share the code and retain similar performance.
I honestly don’t see an issue here. If they need help, I’d be happy to lend a hand.
deleted by creator
I’d be more interested in allowing more than one Android device at a time like MySudo. They let you link Windows with a phone so I wouldn’t think it would be too hard to implement.
Big concern with your number being recycled and a new user receiving the signal activation key on that number.
You need to enter your Signal Pin, otherwise you will get removed from all groups etc
Sure, and I think that would send a message to all of your contacts that a new account is using that number, but I’m honestly not sure. If you have an active account (i.e. on a desktop or something), I think you can just change your number if that happens (i.e. get another temp number).
It’s certainly more convenient if you use a longer-term number, but I think it’s feasible with a throwaway number. Once your account is set up, Signal doesn’t need your number for anything if you disable publishing that.
It does send a “your safety number has been updated with user” message. But not as an automated message. Only when a new signal thread is started.
Haven’t tried when only logged in to desktop and changing devices / numbers so I can’t speak to that.
Another issue with phone numbers is that it makes it easier to censor - from what I heard, in Iran the confirmation SMS just would not arrive, making rentals the only option (thus making you risk your account being deleted by the new owner).
My personal biggest issue with Signal, though, was the inability to register from the official desktop client. They were pushing to register on mobile instead. There are ways around it, like Signal-Cli (what I used) and Android VMs. However, the fact that they push people onto mobile at all is worrying, because phones are much harder to make private (while you can install Linux onto pretty much any given laptop/desktop, only certain phones are compatible with alternative OSes, and mine wasn’t so I could not trust it with my chats).
Hmm, I guess then you’d need to get a VPN that works in your country (not sure how hard that is in Iran) and find a VOIP service that either doesn’t require any payment, or accepts payments from Iran.
It’s certainly not ideal, and I wish they’d eliminate the dependency on phone numbers, but until then, there are options for most people to create an account w/o having a permanent number.
You can use Monero for payment, I started doing this ever since sanctions began. Free services are not really viable because they’re far more likely to have all their numbers already used up.
But yea, the overall point is that it is a large inconvenience and a possible point of failure (the next number user deleting the account).
Yeah, it’s certainly problematic, and I’d very much prefer that it not have that dependency. But I think it’s still worth using Signal despite needing a number, because it’s a really low barrier to getting new users on it.
If you want something truly private w/o the dependency on a number, there are better options, such as SimpleX. However, the barrier to entry there is a bit higher.
I have a few problems with Simplex (I worry about it being effectively centralized for now and that the VC funding may get it to either enshittify or stop development)… But I do use it quite a bit and even have the servers (which were very easy to set up and don’t consume a lot of resources). I like a lot of what it does (including being very easy to use), and hope it succeeds as it matures!
Google is a very bad choice because it requires a phone number on its own. Also heard that there may be additional KYC.
Are you suggesting you need a phone number to get a phone number from Google Fi?
And yeah, it’ll definitely to KYC, because that’s a federal regulation. My point is that you don’t need the number long-term, so the number will only be associated with you for like a week while the trial period lasts. So sign up for Google Fi trial, create a Signal account, then cancel the trial. That sounds pretty reasonable to me.
Yea. Don’t you need a Google account first to use such a service? Those do need phone numbers to register.
And also KYC is unacceptable in this case, imo. If the number is needed only for a short time, there are similar, non-KYC options like what you would find on kycnot.me.
Yeah, I think you’ll create a Google account as part of the Google Fi account creation process.
If that really bothers you, use a different MVNO. Some offer free trials, but even if not, it’s not too bad to buy a month of service. My provider is Tello, and the minimum service that’ll give you SMS is $5/month. If you’re clever, you can probably also find a VOIP provider that does SMS for really cheap.
My point isn’t that Google Fi specifically is what you should use, just that it’s an example of a service that offers a free trial, so you can sign up for Signal for free.
I get the point, I just said how bad of an example this is, lol
It creeps me the fuck out. I do not get why a service that bills itself as secure needs to know something that can be traced back to my credit card and name. I won’t use Telegram or Signal because of this.
It’s about your posture. Most people who use signal use it to have privacy from governments. They’re not hiding that they use signal, they’re hiding what they write on signal. In this case, using your phone number isn’t a big deal.
Some people, have a tighter posture, which could translate to your position. In that case, something like Briar could fit the bill.
Lastly, security and privacy are not the same thing. Google products are secure, but they are not private. Self hosted sftp, for example, is private, but may not be secure. Signal is definitely secure, at least enough for general and governmental use. So, it seems, is telegram. Signal is more private than telegram in many ways, but it is not the gold standard for privacy (because of its use of phone numbers as usernames), but it is “good enough” for the masses. The balance between good for everyone and zero-knowledge private for everyone is delicate, potentially impossible. Honestly, I don’t know if signal was able to strike that balance perfectly, but they did a much better job than many other services, certainly than those others that are accepted by the masses.
But putting a phone number in immediately exposes protesters to association. Sure, Signal can’t give out the contents of messages, but it still has the chain of contact. So if a government gets hold of this record, legally or otherwise, now you have everyone associated to a suspect phone number/person and can start rounding them up.
It’s the complete antithesis of freedom of association when there’s a record of everyone that you’ve contacted. The contents don’t enter into that problem, and I can’t see why they feel the need to keep this as part of their system. It purposely makes it impossible to use this for something like peaceful protest. So, no, it doesn’t give you privacy from governments, because governments that don’t respect freedom of association will use that information to punish dissidents.
I can’t imagine any reason to use phone numbers except to purposefully keep this chain of association for governments to use. Even Facebook doesn’t require this sort of personal proof, and it’s suspicious as hell.
Sure, Signal can’t give out the contents of messages, but it still has the chain of contact.
it doesn’t. they’ve been ordered to hand over data multiple times, and the only thing tied to the phone number they have is 1. time the account has been created and 2. last time the account connected to the server: https://signal.org/bigbrother/
FISA order could require them to collect the data and turn it over, US courts won’t be able to to do shit about it.
This is purely I trust signal bro type argument
You’re mistaken on the basis of your beliefs here. Signal only had two pieces of data around your phone number (joined datestamp, last online datestamp). This means that governments can’t petition signal for any more information, since signal simply doesn’t have it to give (by design).
Your point on fb is hilarious, because they do require it. They just don’t require you to input it, because (1) they already have it and (2) you freely provide the missing pieces without them even asking. But, like I said earlier, if this goes against your posture, use something like Briar or Matrix or whatever. Choice exists, because everyone is different and has different postures.
FISA order could be in place and signal disclosed what they were told.
This argument about them producing only two data points is good but it is not a slam dunk arguement everyone makes it to be.
Signal has technical capabilities to time stamp every ineteration you have with another person if it goes through their server. This is internet 101.
So we relying that they don’t do this but if US government said do it. They would and Jack shit anyone can do about it.
That is my concern with any US based company. With all the information we have how their government agencies used both legal and illegal means to access data how can you ever think those companies can protect your privacy even if they sincerely want to?
Them being a us company is a very valid concern, and one I share. If I were a dissident, I likely wouldn’t use signal just because they’re us based.
The Signal pitch is that you don’t need identity security so long as the encryption is strong enough.
That is, incidentally, the same pitch Botcoiner make.
Removed by mod
For me, today the best messaging app is SimpleX, it is a bit in early development but it’s already really nice.
Signal is the best thing going on in tech these days. I’m very glad it’s being led by Meredith Whittaker.
Did you know you can get a cool badge on your profile pic if you’re a recurring donor? $5 a month is far less than the value I get from it, but that’s all it takes for a cool badge (and knowing that you’re doing something active against the awful state of big tech today).
Just to add to this, I also like to use the “donate for a friend” option to gift friends a donation to Signal on their birthdays. It’s also $5 but a one-off thing, they get a neat badge for 60 days and perhaps it raises awareness of the donation option a little bit!
As long as they stay away from public ‘channels.’
There lie dragons.
deleted by creator
“hashtag anarchist yacht club”
Lmfao
What is signal anyway? I’ve never paid attention to phone apps much. Why isn’t it on F-droid if it’s FOSS? Is it like irc but with encryption? I guess I should look into it.
Why isn’t it on F-droid if it’s FOSS?
That got me interested and apparently, they fear forks running out of date.
Concerning F-Droid, we already providing an auto-updating APK directly from our site, and we really don’t want forked versions of the app maintained by other parties connecting to our servers. Not only could the users using the forked version have a subpar experience, but the people they’re talking to (using official clients) could also have a subpar experience (for example, an official client could try to send a new kind of message that the fork, having fallen out of date, doesn’t support). I know you say you’d advocate for a build expiry, but you know how things go. Of course you have our full support if you’d like to fork Signal, name it something else, and use your own servers.
While that statement got plenty of thumbs down, I hate to admit that F-Droid is indeed out of date quite often. I currently can’t find a source for this but I once read this has something to do with their signing process.
Yes, they manually sign every package.
But they could easily have their own F-Droid repository, I have repositories for FUTO apps like Grayjay and their keyboard, Bitwarden, and Newpipe, among others. Those are run by the projects themselves, so they’re in charge of how often they update it, as well as how they sign it. So if they have issues with the “official” F-Droid repositories, they can always host their own. I honestly prefer projects that host their own repos precisely because they should, in theory, update faster.
That said, a self-updating APK is good enough for me. However, I didn’t see an install option easily listed on their website and had to search for “signal android apk” to find the page. It should be listed on the regular install page on their website, next to the link to Google Play. I found three separate pages for getting it for Android, and all three had a link to Google Play and only one had the APK.
deleted by creator
Hmm, ok, thanks. But I’m kind of tired of version churn: who needs to keep changing a chat program? IRC has been around since the 1980s or so and still works fine.
who needs to keep changing a chat program? IRC has been around since the 1980s or so and still works fine.
some people like texting their family who doesn’t use IRC, and they’d rather not send messages in plain text for one reason or another.
I get that IRC is old school and encryption is important. My question is why the program has to keep changing. If the task is simple enough, there shouldn’t be incompatible changes required if there are new versions at all.
With new possibilities due to new tech user demands rise, too. People asked for features like group or video chats or coupled devices (not trivial with E2EE) and since good companies listen, they developed those and still do.
Also, I don’t think there’s a single IRC client still in use that hasn’t been updated since the 80s. I wouldn’t be surprised if your favorite client got an update in the last couple of months - and that despite it being a trivial protocol.
https://media.ccc.de/v/3e0a51f5-f60a-4a90-a78a-3a311c6ffe41 here the author explains why and it all sounds like a bucket of bullshit
Thanks, I might try to watch some of that.
It’s more like WhatsApp or messenger (pick your poison on which one I am referring). Fairly lightweight. No useless features. And I think there’s an F-Droid version, running as Molly.
Interesting, it looks like molly.im has its own f-droid repo, but there is nothing about Molly in the regular f-droid repo. Thanks though. I guess I should look into this a bit more. I’m way out of date with phone stuff.
Molly allows you to use alternative push servers (instead of Google’s), amongst other things.
And (what is important to me now) allows using any Socks proxy instead of only Signal’s own censorship-bypassing solutions. This is a weird decision on Signal’s part, because in places like this, you might need to switch between various protocols when the old ones stop working. And for Signal, developing censorship evasion is not the primary task so naturally they would not be as advanced and quickly-evolving as the communities dedicated to it.
Oh interesting, yeah I saw some reference to Signal relying on some kind of Google service. I figure I would want to self-host anything I was serious about. It also looks like these things do video chat, so they’re much more elaborate (perhaps unnecessarily) than IRC, which is text-only. I’ve never used Whatsapp and am not even sure what it is, except that for a while I confused it with Instagram.
I’ve installed GNU Jami and that seems like enough for video chat? I just haven’t had occasion to actually use it. I’m not a video guy and frankly am usually happy with email. PGP from the 1980s still works fine, if anyone cares.
The aim of Signal Foundation is to displace the likes of WhatsApp and Messenger thus it has to support all modern and expected features.
Interestingly enough WhatsApp uses Signal’s protocol for encryption, it’s part of the planned messaging interop forced on Meta by EU.Thanks that is interesting. I wonder if newer versions will use MLS.
Wasn’t there some controversy about Signal’s creation being supported by the US government to provide private communications for anti-us-enemy organisation or something? I’m sure I remember it correctly…
https://www.theregister.com/2024/05/14/telegram_ceo_calls_out_rival/
Alleged and mostly bullshit from the Telegram founder it seems.
Which is ironic considering the source.
I love the idea of signal, and want to use it and invite friends to it. But then I remember I don’t really want to message anyone, and don’t really have friends because I have no interest in messaging people.
Cool story bro
Nobody is going to use Signal when it lacks so many features. Feels like MSN messenger compared to it’s peers.
what do you mean? i use it a lot and it works great, photos, videos, phone calls, optional temporary location sharing with friends, and encryption.
what features do you want it to have that it’s lacking?
Don’t forget, cross-platform!
i totally forgot, another great point
Don’t forget voice calls! It has some rough edges there (my audio doesn’t always connect successfully, etc), but when it works the codec sounds better than a standard phone call and there’s no mass surveillance. I use it in place of phone calls for all the people in my network who have it, including my immediate family.
that’s a great point, i use the voice calls daily.
added above.
And video! Group video too!
I’m guessing they probably want stickers or something
Edit: apparently this is available on signal so I have no fucking idea then
Yeah you can even make your own stickers for free
Yea we heavily use it in the army
very cool, i had no idea.
free, convenient, reliable encryption.
My guess is it heavily private and does not have channels
does not have channels
except that it does. you can make a public group with a shareable link, and change permissions so that only the admins can post.
deleted by creator
very weak bait
Judging from the comments, it seems like you’re wrong.
You suck, man
Lol
That’s not a bad thing. Maybe some of us don’t want to be cluttered with a lot of things we don’t really care for on using. God forbid we go back to simpler days of communication whereas now we’ve got things like Discord trying to charge people to pay actual money to have fancy little animations for your profile picture.
Is that what you think is missing? Stupid pointless things that make you feel special because you paid money for it when the true attraction should be focused on how much communicating can be efficient and caring about your privacy and security?
Is that what you think is missing?
No.
The rest of your incoherent essay is now useless.
Removed by mod
You seem like a very stable and rational person.
Removed by mod
Removed by mod
Did you really just tell somebody to kill themselves over the preference if a messenger app lol
I liked msn messanger when it was around.
It was indeed great.
15 years ago.
How much signal and she spend onnthis shameless self promotion.
JFC, if anything she is taking signal the wrong way and going the way of mozilla IMHO
Signal is a good product but there is a lot areas where it can do better… Have gotten any new features over last 5 years? Besides aliases?
What are they working on?
Seen interesting discussions about how signal is farming our meta data to the feds, I was clowned a few years back on this hot take. I am very regarded though. Can anyone pitch on this tinfoil?
Main looking to understand if that is even technically feasible?
I was clowned a few years back on this hot take. I am very regarded though. Can anyone pitch on this tinfoil?
?
Yeah idk I’ve read it like 4 times and still struggle to find a coherent thought here.
Poster was made fun of in the past for saying Signal gave metadata to the feds. He has a learning disability (regarded = deliberately misspelled R slur). They’re looking for someone else to corroborate the metadata claim.
That’s my interpretation at least.
They did a blog post about how the feds had made a second attempt to get metadata from them and they could only provide two fields of information: the date the account was created and the last time it connected to the service.
It’s in the public record as well if I’m not mistaken.
The issue that if they were under FISA order or some other such shit, legally they would have to say what feds tell them, ie they would not be able to say and we give feds your logs.
Question is whether they can technically collect the logs which is tinfoil i am following up on.
Basic opsec thinking, if it is technically feasible, you must assume it is happening. This is game 101.
So here we are trying to prove a negative but nobody also is able to provide anything beyond, trust signal bro.
They probably have turned over logs because legal persuasion, and it sounds like they anticipated that. Moxie has been around the cypherpunk scene for a while, so they knew what they’re doing.
Plus the paper on the double ratchet algorithm is out there. https://en.m.wikipedia.org/wiki/Double_Ratchet_Algorithm
You sir ain’t only a linguist but a regard whisper too!
Thank you for the service!
“Retarded” is not a slur. It’s a medical term. “Idiot” is a slur that roughly means the same thing, though not nearly as far.
“Idiot” is a slur that roughly means the same thing
“idiot”, “moron”, “cretin” and “imbecile” were all medical terms once and described different levels of intellectual disability, but they fell out of use and are now considered offensive. language changes, and context is important.
Signal uses Google Cloud Platform for their servers, for one.
Then I think it’s something to do with metadata.
deleted by creator
They also added stories which, despite what the internet might have you believe, was one of the most popular feature requests on the Signal message boards for many years
This was weird for me personally. I consider Signal a messaging tool which in my mind is separate from an actual social media app, so it was a bit of a head scratcher for me to see stories as a very popular feature request. I don’t really care about sharing “stories” in that format to my contacts or seeing theirs, but then again that’s just me.
deleted by creator
Lol calm down, no one’s trying to fight you over Signal being the best private messaging platform. I was just sharing that it was weird to me how stories was one of the most sought out features from users.
In the future please be sure to get your opinions approved by the comment thread captain before sharing them publicly.
deleted by creator
It is the internet and we are on a discussion board lol
You made a post in an open, public forum and you’re confused why others would like to discuss the things that you posted?
deleted by creator
Does signal meta data allow for signal to time stamp witu who you communicate using their app and servers?
Side note, PR like that costs about 15k fyi
deleted by creator
-
@yogthos@lemmy.ml what you got to say for this one?
-
Verge doesn’t run flulf for free. This is PR 101. But I trust you bro
deleted by creator
Re-read what you wrote… JFC
This can’t be serious
-
(almost) anything is possible with a CIA black fund budget. I’ve moved to Simplex chat and not looked back.
I feel that but people can’t just move since we need somebody to talk on these super duper 69 layer quantum resistant protocols.
Looks simolex is gunning for the crown nowadays tho but there other viable contenders baking.
Once new leader arrives, going to need to tell my group we migrating again 🤕
Why? Just stay on Signal. For the time being it is one of the leaders in private communication.
Though, if you truly need secure private conversations, you would want to move around a lot anyway.
For now it is the gold standard but I don’t trust the leadership and their PR approach.
I won’t move until I can justify moving my friends over and right now there is no alternative