Episode 085 - How dare you disagree with me about Signal?
Added 2022-12-17 12:58:01 +0000 UTCPaper on attacking Signal's sealed sender: https://cs-people.bu.edu/kaptchuk/publications/ndss21.pdf
Hacker News discussion about Signal's private group system: https://news.ycombinator.com/item?id=21744274
Original episode on Signal: https://www.patreon.com/posts/75011022
Derek's full comment:
You painted Signal as a villan(your word) and claim they're not protecting metadata. In addition to sealed sender, Signal also has private groups - https://signal.org/blog/signal-private-group-system/, which protects group name, membership, and admin lists. Signal has been working on username support and has made several announcements this year. In August, they posted a blog about a new contact discovery system which will underlie usernames - https://signal.org/blog/building-faster-oram/. In September, their new president, Meredith Whittaker, said that usernames are coming next year - https://community.signalusers.org/t/usernames-in-signal/9157/624. It appears that you will have to register with a phone number, but can hide your phone number and present a username to others. There has been code written to support this, with a lengthy discussion in the Signal community forum, for example - https://community.signalusers.org/t/usernames-in-signal/9157/562. There are good reasons for requiring a phone number. It is a very easy way to bootstrap the network. It makes contact discovery very easy, which is important for a minority platform. I understand that this harms anonymity, but Signal does not claim to provide anonymity. It's one of the reasons I am very skeptical that Session, Briar, Cwtch, and similar messengers will gain popularity -- it's just too hard to find other people on those platforms (by design). This does not mean that they are bad technologies; just that they serve a different use case (whistleblowers communicating with journalists, for example). The phone number requirement also makes impersonation harder and cuts down on spam. Signal does not collect metadata about their users, contrary to your claims (at the 14 minute mark). Signal has received multiple subpoenas and has not been able to produce contact lists, call durations, etc.
Comments
IMO signal is the easiest to onboard friends and family onto from iMessage or SMS plus you get the added benefits of hi res image and video sharing. For next level “privacy” but easy barrier to hurdle you have Session which is fantastic and isn’t reliant on a phone / SIM, is cross platform and easy to use. It is a little more challenging because people need to now starting storing their private keys securely but is still very easy to setup and use.
Urban Armed
2022-12-21 16:56:58 +0000 UTCI disagree with "if you are an APT target, don't use the internet." If a multi-million-dollar adversary is after you, you have to address all detectability, identifiability and linkability threats. So you have to be completely anonymous, burn identities often, and compartmentalize the shit out of your setup. It is possible to use Signal this way but you'd have to take extra steps that would slow you down and limit your burn rate - you'd have acquire a new IMSI and IMEI for each new Signal account. Which means a new anonymous device and a new anonymous SIM card. This is tedious and costly and can easily lead to mistakes. Depending on the features that you need, even something like Matrix or Wire can be more suitable provided that you create these accounts completely anonymous and are prepared to burn them. Signal is great for everyday use, it's great even against advanced attackers if they don't know your Signal account - which is unlikely considering APTs are likely going to have access to phone records or data sets with phone numbers.
The Hated One
2022-12-19 13:10:14 +0000 UTCHello! Thanks for your points. You can't transfer accounts from iOS to Android. I wasn't able to transfer my old account history to a new account. I need to change both phone number AND device. You can't run Signal on multiple phones. You also can't run it on desktop only. You have to register through the mobile app. The usernames have been promised for 3 years at least by now. Even if it comes eventually, Signal is not gonna drop the phone number requirement. Which is still a bottleneck a major detectability threat. I am not telling you to hate Signal or stop using it. I am just pointing out it has limitations that have been intentionally put in there and the development team refuses to acknowledge them. Signal is doing one thin right - it's an app for your average grandma in US/Europe. But it's not an app for a protest group in Iran or a married woman in Saudi Arabia. Right now, there is no ideal app for the most vulnerable groups in our society and they are being actively ignored and their needs dismissed. A total expert like Snowden or even a pathetic loser like myself can get Signal to be more private and anonymous than for an average person. But Signal's strict design around the phone number requirement makes a lot of groups especially vulnerable (journalists, activists, dissidents in authoritarian countries, targets of APTs).
The Hated One
2022-12-19 13:03:11 +0000 UTCThat was a long post, so it's hard to know where to start. I have some broader thoughts on security vs usability, and secure group membership, but I'll take some time to organize those. In the meantime, here are a few points to correct from your post: You can change your phone number with Signal - https://support.signal.org/hc/en-us/articles/360007062012-New-Number-or-New-Phone You can transfer data from one iOS device to another iOS device - https://signal.org/blog/ios-device-transfer/ You can transfer from Android to Android - https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages#android_restore You can run Signal on multiple devices. I currently have it on an Android phone, iPad, Windows laptop, and Apple desktop. You cannot have it on multiple mobile devices (e.g. two phones). Usernames are being actively worked on. It's a complicated change that will take time to complete. Here's a commit from a few days ago - https://github.com/signalapp/Signal-Server/commit/26f5ffdde34ec2941f6c6c1f07be9ee3380d2569 Here's a comment from one of the Signal dev's about username structure from a few months ago ([link](https://community.signalusers.org/t/usernames-in-signal/9157/642)) There has been work on usernames since 2019. Here's a large initial commit - https://github.com/signalapp/Signal-Android/commit/608815a69b78000345ef39510c71014ccbfd3003. You can see checks for valid usernames https://github.com/signalapp/Signal-Android/blob/main/app/src/test/java/org/thoughtcrime/securesms/util/UsernameUtilTest.java. I really encourage you to checkout the "Usernames in Signal" thread on Signal Community https://community.signalusers.org/t/usernames-in-signal/9157. There is a lot of good detail there.
Derek Morr
2022-12-19 12:24:34 +0000 UTCI'd say Signal. It's the easiest system to use.
Derek Morr
2022-12-18 21:32:16 +0000 UTCTrue. And if I just want to make a little harder for them to spy on me and my people I chat with? cwth?
A. K.
2022-12-18 00:30:26 +0000 UTCIMHO if your threat model includes 3 letters I wouldn't use the internet. There's too many honeypot these days and they can break the law to find you.
brownbaron
2022-12-17 22:36:50 +0000 UTCThanks. May I ask what messenger you would recommended that is "more safe" as I think that all 3 letter agency easily can decrypt the messages and/or have a backdoor to any so called secure chat app?
A. K.
2022-12-17 17:20:46 +0000 UTC
