Under Meredith Whittaker, Signal Is Out to Prove Surveillance Capitalism Wrong
Submitted 2 months ago by neme@lemm.ee to technology@lemmy.world
https://www.wired.com/story/meredith-whittaker-signal/
Comments
01189998819991197253@infosec.pub 2 months ago
My only gripe with signal is the use of phone numbers as usernames. Not everyone with whom I want to communicate via signal has a phone number. I understand why they went this route, but wish there was an alternative way.
sugar_in_your_tea@sh.itjust.works 2 months ago
You can use a username only for finding and adding friends, you only need the phone number to create an account. That’s probably because Signal started as an alternative to Messages (or whatever it was called back then), so you could send SMS if you wanted, or secure messages to friends w/ Signal. The whole point was to be a gentle transition from SMS to private messaging. However, they eventually dropped the SMS feature, but it seems they kept the phone number as username thing.
It kind of sucks, but I think that’s a reasonable limitation since the vast majority of people using this service will have a phone number. You could probably even sign up for a free trial of something (e.g. Google Fi) to sign up for Signal, set up the username, and then drop the phone number service. I don’t know if there are any problems with this, but I don’t think they do anything with your phone number after everything is set up.
EpicGamer@lemmy.world 2 months ago
I think another reason they use a phone number is that it can mitigate issues with people or bots creating hundreds of accounts maybe
01189998819991197253@infosec.pub 2 months ago
Yeah. And I don’t fault them for this route. I just wish I could sign up without a phone number. Maybe the username thing is a predecessor to allowing username-only registration in the future.
vulgarcynic@sh.itjust.works 2 months ago
Big concern with your number being recycled and a new user receiving the signal activation key on that number.
EngineerGaming@feddit.nl 2 months ago
Another issue with phone numbers is that it makes it easier to censor - from what I heard, in Iran the confirmation SMS just would not arrive, making rentals the only option (thus making you risk your account being deleted by the new owner).
My personal biggest issue with Signal, though, was the inability to register from the official desktop client. They were pushing to register on mobile instead. There are ways around it, like Signal-Cli (what I used) and Android VMs. However, the fact that they push people onto mobile at all is worrying, because phones are much harder to make private (while you can install Linux onto pretty much any given laptop/desktop, only certain phones are compatible with alternative OSes, and mine wasn’t so I could not trust it with my chats).
EngineerGaming@feddit.nl 2 months ago
Google is a very bad choice because it requires a phone number on its own. Also heard that there may be additional KYC.
ikidd@lemmy.world 2 months ago
It creeps me the fuck out. I do not get why a service that bills itself as secure needs to know something that can be traced back to my credit card and name. I won’t use Telegram or Signal because of this.
01189998819991197253@infosec.pub 2 months ago
It’s about your posture. Most people who use signal use it to have privacy from governments. They’re not hiding that they use signal, they’re hiding what they write on signal. In this case, using your phone number isn’t a big deal.
Some people have a tighter posture, which could translate to your position. In that case, something like Briar could fit the bill.
Lastly, security and privacy are not the same thing. Google products are secure, but they are not private. Self hosted sftp, for example, is private, but may not be secure. Signal is definitely secure, at least enough for general and governmental use. So, it seems, is telegram. Signal is more private than telegram in many ways, but it is not the gold standard for privacy (because of its use of phone numbers as usernames), but it is “good enough” for the masses. The balance between good for everyone and zero-knowledge private for everyone is delicate, potentially impossible. Honestly, I don’t know if signal was able to strike that balance perfectly, but they did a much better job than many other services, certainly than those others that are accepted by the masses.
UnderpantsWeevil@lemmy.world 2 months ago
The Signal pitch is that you don’t need identity security so long as the encryption is strong enough.
That is, incidentally, the same pitch Bitcoiners make.
foremanguy92_@lemmy.ml 2 months ago
For me, today the best messaging app is SimpleX, it is a bit in early development but it’s already really nice.
snek@lemmy.world 2 months ago
I’ve been using it for a while and by far the biggest issue is how giant the backup file is and how about 3Gb of data were lost because of a signal version mismatch between an old phone I was using and the new one I switched to.
trailee@sh.itjust.works 2 months ago
Signal is the best thing going on in tech these days. I’m very glad it’s being led by Meredith Whittaker.
Did you know you can get a cool badge on your profile pic if you’re a recurring donor? $5 a month is far less than the value I get from it, but that’s all it takes for a cool badge (and knowing that you’re doing something active against the awful state of big tech today).
EK13@lemmy.world 2 months ago
Just to add to this, I also like to use the “donate for a friend” option to gift friends a donation to Signal on their birthdays. It’s also $5 but a one-off thing, they get a neat badge for 60 days and perhaps it raises awareness of the donation option a little bit!
solrize@lemmy.world 2 months ago
What is signal anyway? I’ve never paid attention to phone apps much. Why isn’t it on F-droid if it’s FOSS? Is it like irc but with encryption? I guess I should look into it.
RecluseRamble@lemmy.dbzer0.com 2 months ago
> Why isn’t it on F-droid if it’s FOSS?
That got me interested and apparently, they fear forks running out of date.
> Concerning F-Droid, we already providing an auto-updating APK directly from our site, and we really don’t want forked versions of the app maintained by other parties connecting to our servers. Not only could the users using the forked version have a subpar experience, but the people they’re talking to (using official clients) could also have a subpar experience (for example, an official client could try to send a new kind of message that the fork, having fallen out of date, doesn’t support). I know you say you’d advocate for a build expiry, but you know how things go. Of course you have our full support if you’d like to fork Signal, name it something else, and use your own servers.
While that statement got plenty of thumbs down, I hate to admit that F-Droid is indeed out of date quite often. I currently can’t find a source for this but I once read this has something to do with their signing process.
sugar_in_your_tea@sh.itjust.works 2 months ago
Yes, they manually sign every package.
But they could easily have their own F-Droid repository, I have repositories for FUTO apps like Grayjay and their keyboard, Bitwarden, and Newpipe, among others. Those are run by the projects themselves, so they’re in charge of how often they update it, as well as how they sign it. So if they have issues with the “official” F-Droid repositories, they can always host their own. I honestly prefer projects that host their own repos precisely because they should, in theory, update faster.
solrize@lemmy.world 2 months ago
Hmm, ok, thanks. But I’m kind of tired of version churn: who needs to keep changing a chat program? IRC has been around since the 1980s or so and still works fine.
dubyakay@lemmy.ca 2 months ago
It’s more like WhatsApp or messenger (pick your poison on which one I am referring). Fairly lightweight. No useless features. And I think there’s an F-Droid version, running as Molly.
solrize@lemmy.world 2 months ago
Interesting, it looks like molly.im has its own f-droid repo, but there is nothing about Molly in the regular f-droid repo. Thanks though. I guess I should look into this a bit more. I’m way out of date with phone stuff.
nobleshift@lemmy.world 2 months ago
BTW, Moxie has a home made documentary kinda movie out called Hold Fast. It’s about sailing and uh stuff … It’s pretty keen, you should watch it.
WldFyre@lemm.ee 2 months ago
“hashtag anarchist yacht club”
Lmfao
fubarx@lemmy.ml 2 months ago
As long as they stay away from public ‘channels.’
There lie dragons.
Summzashi@lemmy.one 2 months ago
Nobody is going to use Signal when it lacks so many features. Feels like MSN messenger compared to its peers.
Varyk@sh.itjust.works 2 months ago
what do you mean? i use it a lot and it works great, photos, videos, what features do you want it to have that it’s lacking?
Bob_Robertson_IX@discuss.tchncs.de 2 months ago
Don’t forget, cross-platform!
trailee@sh.itjust.works 2 months ago
Don’t forget voice calls! It has some rough edges there (my audio doesn’t always connect successfully, etc), but when it works the codec sounds better than a standard phone call and there’s no mass surveillance. I use it in place of phone calls for all the people in my network who have it, including my immediate family.
DoucheBagMcSwag@lemmy.dbzer0.com 2 months ago
I’m guessing they probably want stickers or something
Live_Let_Live@lemmy.world 2 months ago
My guess is it’s heavily private and does not have channels
noodlejetski@lemm.ee 2 months ago
very weak bait
Summzashi@lemmy.one 2 months ago
Judging from the comments, it seems like you’re wrong.
big_slap@lemmy.world 2 months ago
Lost_My_Mind@lemmy.world 2 months ago
I liked msn messenger when it was around.
Summzashi@lemmy.one 2 months ago
It was indeed great.
15 years ago.
graphene@lemm.ee 2 months ago
Wasn’t there some controversy about Signal’s creation being supported by the US government to provide private communications for anti-us-enemy organisation or something? I’m sure I remember it correctly…
graphene@lemm.ee 2 months ago
theregister.com/…/telegram_ceo_calls_out_rival/
Alleged and mostly bullshit from the Telegram founder it seems.
Twinklebreeze@lemmy.world 2 months ago
I love the idea of signal, and want to use it and invite friends to it. But then I remember I don’t really want to message anyone, and don’t really have friends because I have no interest in messaging people.
Cryophilia@lemmy.world 2 months ago
Cool story bro
sailingbythelee@lemmy.world 2 months ago
So, I googled their tax filing out of curiosity. It’s true that Meredith pays herself much less than her engineers, which is great. What I was rather shocked to see is that they pay their software developers enormous salaries. They’re listing developers making over $400,000 per year, with their VP making over $660,000 per year. Now, I’m all for the value-creators making more money than the CEO. I just had no idea that software developers make that kind of coin. I was thinking of donating to Signal, but I’m kind of weirded out by those astronomical salaries.
mosiacmango@lemm.ee 2 months ago
That’s in line with Silicon valley salaries. Basic houses cost 2mil there, so it’s not completely outrageous.
As an example, openai pays all its engineers 300k flat+500k/yr in some stock based asset. Netflix notoriously is a very fickle employer, but salaries start in the 400k range and only go up from there.
sailingbythelee@lemmy.world 2 months ago
Yes, the article makes the point that Signal needs to compete for talent with Silicon Valley. I get that. And we’ve all heard about the nearly unfathomable amounts of money that tech companies throw around. When you break it down to individual salaries, though, and see that even normal people in normal jobs are making a million dollars a year between salary and stock… well, I think it really exposes the spectacular wealth inequality that we have allowed to fester. I mean, sure, shelter costs may be high in Silicon Valley, but the cost of other goods remains about the same. A $50,000 truck that an average person in Nebraska might have to save for years to afford is barely a rounding error for folks making a million a year. I’m no economist, but it does seem like there are consequences for this kind of ever-growing wealth inequality.
It is also absurd on its face for a multi-millionaire developer to place a “Donate Now” button in an app and talk about being a non-profit to tug at the heart strings of people who make one-tenth of what the developers are making. It feels like Scrooge asking Tiny Tim for a donation.
Anyway, I don’t blame the developers for this absurd situation, and I do appreciate Signal, and Meredith is clearly a cool person who is fighting the good fight against big tech surveillance. But every once in a while an article like this reminds me how deeply fucked up the world is. It seems we are approaching pre-French Revolution levels of economic disparity, and maybe it helps explain why so many working class people are pissed off.
sugar_in_your_tea@sh.itjust.works 2 months ago
Not all SW devs make that kind of money. I don’t live in Silicon Valley, and I make significantly less than that amount. I could probably get a job there making somewhere north of $300k, but my expenses would go through the roof and I’d be stuck in SV traffic all the time, no thank you. I get paid well, but less than half what Signal is paying.
Linktank@lemmy.today 2 months ago
I mean, how does a free app with no advertising in it make that kind of money?
trailee@sh.itjust.works 2 months ago
A free app with no advertising doesn’t make that kind of money, it gets progressively deeper into debt to a good Silicon Valley rich guy who got it off the ground, Brian Acton.
His biography on the Signal Foundation website:
The Wikipedia article on the Foundation says the loan balance was up to $108M later in 2018. Meanwhile, Acton is still worth $2.5B according to Wikipedia, so things are probably fine for now, even 6 years later.
But you’re right that Signal eventually needs revenue to keep even a small team of high caliber software engineers and devsecops folks around. You very much want excellent engineers to continue to be involved with critical encrypted communications software on an ongoing basis, so it will cost money indefinitely. Presumably Acton does not wish to bankroll it indefinitely.
Again back to the interview:
I’m really glad they pay those engineers that much, so that Zuckerberg and his ilk can’t entice them away with oodles of money. One presumes they also believe in the cause, but I think this currently looks like Acton fighting surveillance capitalism with what capitalism got for him earlier in his career.
Cofounder Moxie Marlinspike is clearly a brilliant hacker and coder who was crucial to Signal’s creation, but I think it makes sense that he hasn’t stuck around to try to solve the long term business problem of keeping it aloft infinitely.
So what to do about it? The OP interview is with Meredith Whittaker, whose entire job is figuring that out:
I’m a recurring donor because I want Signal to succeed and I want to vote now with my wallet, but fundamentally it’s on Whittaker to figure out how to make the long term work. Here’s what she says: