Protest security - Signal app

Yes, that’s right.

They are not unwilling but want a ‘plug and play’ solution:

what we really want is a library that provides OSM which is API compatible with MapView and PlacePicker.

https://github.com/signalapp/Signal-Android/pull/7943#issuecomment-412382572

1 Like

I guess I’m naive. I just don’t get the issue with the phone numbers. I use the app to have private conversations with folks I know, that all have my phone number already, (not to mention the countless businesses, take out food places, insurance companies, doctors, etc that all have my number) and I have theirs, so notifying folks that I am on Signal, is bad how? And the actual conversations themselves, are all still private, which is why I, and most folks, use it anyway? Even if they go to usernames, won’t we still contact people with our number, to their number, to invite them to use it too? Then give them our username, likely over a non private/secure messaging service or phone call?

It’s as if saying yes, all my messages and conversations are private, but I hate the fact the folks now know I use it is bad? Like having a privacy minded phone/laptop is what we want, but we don’t want anyone to know we use them?

At the end of the day, my number is all over the place and has been for decades. I just want my conversations private and secure. But, then again, I have much to learn about computer/phone security/privacy.

2 Likes

I think there’s a few reasons people would like it to be possible to register without a phone number. 2 that come to mind are:

  1. It forces you to have a phone. Without that requirement you’d be able to use the desktop app as a full messenger and not necessarily need a phone plan for it at all (currently it requires you to link it to a phone to use it).

  2. In some countries it’s not possible to buy SIM cards/phone plans without providing ID, meaning that a phone number, and therefore the fact that you use Signal, can be tied back to an individual by the phone operator (and by extension the government) without physical access to your phone.

1 Like

Interesting. I have a friend that used her landline phone number to initially sign up, and then used it on her laptop after. That was a while ago, not sure if you can still do this now with a new sign up. So maybe you can use any phone number initially?

But again, not sure I care who knows I use Signal as long as they have zero access to my conversations/messages. But that’s just me. I’m sure my iPhone knows what apps I have on my phone, and can easily tell the government, or anyone else they want, but they cannot access my messages, so I’m ok with that.

So if now we have only a temporary independence from Google libraries, for me it is not real independence.
We will see how open the Signal Foundation will be, since now there are Linux phones needing to register a SIM by a desktop app or hopefully to register without using a SIM.

1 Like

I really appreciate the discussion here, there are lots of valuable ideas. As a maintainer of Axolotl, I was always thinking, why do we need Axolotl or a re-implementation of the Signal messenger? Traditionally the nerds go to IRC or more recently Matrix. So who is using Signal? Signal is somehow for security-concerned people that are not that much into programming or everything DIY. It’s super to bring family members to a more secure way, to use free software and talk about these topics. What they need is a good-looking and working messenger without fiddling around too much.
Therefore, without Axolotl, Mobian or Ubuntu Touch would be a no-go, as for others a phone without WhatsApp is a no-go. That’s the reason for the existence of Axolotl; the same is for people with a feature phone. With Axolotl they can still communicate with their activist group.

On the other hand I can understand OWS, because thanks to them we have the Ratchet-Algorithm in many applications and they bring encryption into many places today. For example if you use a modified version of Signal, the self-destroying messages can stay, whereby the communication partner thinks the message has gone. For me, it’s a good idea, if you want to develop a security product, that you want control over the app because the secure features should be really secure.
WhatsApp tries to block everything that spoofs the identity of the original app, and that is working quite well. If OWS really didn’t accept projects like Axolotl they would just block it, because we send our own user agent. They really know how many we are.

For the future, Signal is developing a Rust library and they are already using encryption algorithms for the new groups written in Rust. They are also investigating how to use Rust in JS, so I think they are working on using one base code for all Signal apps, but it’s not yet ready. Also you can see that in the future the registration with email + PIN could be possible.

What I propose against the lock-in to Google Firebase notifications or Apple push notifications is to make a merge request against the Signal server, where it supports any push server with a standard push challenge like Matrix does. For example, then you can choose if you want to use the push server from UBports/Ubuntu Touch or the one from Firefox. The push notification only contains the information “You have a new notification”. Nothing more. The rest is a WebSocket connection directly to OWS.

For me, Axolotl will exist and be maintained until there is a suitable situation, where Signal can be used on non Android/iOS devices.
Regarding the calls, it’s just WebRTC with some special key exchange magic. We at Axolotl welcome all help regarding that feature. Voice notes are already working on some devices/setups.

7 Likes

Just come across this app. I have downloaded it but haven’t used it yet. But no need for contact details/phone number to use.

4 Likes

Nice! Be interesting to hear some folks who know more than I do if this is in the same league as Signal and Threema.

Some discussion on it here: https://news.ycombinator.com/item?id=25882319

No whitepaper or audit yet as far as I can see. On the same topic I’d like to see a more recent audit to take place on Signal.

1 Like

I think the Russian government and Putin have been demonized just like Qaddafi was in Libya because he created a gold backed currency. Putin paid off the debt to the central bankers so now he’s enemy #1 because they can no longer control him.

I think until there is a decentralized blockchain SMS equivalent you’re not going to get a completely trusted system.

2 Likes

❓ BINGO! If you know what I mean 😅

1 Like

It doesn’t seem to be open-source though. So nothing I would use.

To add to my argument why it is important to get user consent for being discoverable by other participants:

"The simple information whether a specific phone number is registered with a certain messaging service can be sensitive in many ways, especially when it can be linked to a person. For example, in areas where some services are strictly forbidden, disobeying citizens can be identified and persecuted.

Comprehensive databases of phone numbers registered with a particular service can also allow attackers to perform exploitation at a larger scale. Since registering a phone number usually implies that the phone is active, such databases can be used as a reliable basis for automated sales or phishing calls. Such “robocalls” are already a massive problem in the US [79] and recent studies show that telephone scams are unexpectedly successful [78]. Two recent WhatsApp vulnerabilities, where spyware could be injected via voice calls [73] or where remote code execution was possible through specially crafted MP4 files [26], could have been used together with such a database to quickly compromise a significant number of mobile devices.

[…]

Our script for Signal uses 100 accounts over 25 days to check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signal’s users, at least for profile pictures."


4 Likes

Damn it! I’ve been recommending Signal for ages now.

Am I missing something? How do you encrypt your username and profile pic on Signal?

1 Like

Wow that’s kind of a horrible article, it basically boils down to “it’s important to blur your face when you riot, so we’re here to help”

I mean I agree with the privacy sentiment but it just seems like a really evil way to say it, and I’m surprised someone can be so forward about supporting riots and not get in trouble with the Apple/Google app stores or anything.

Maybe because big tech seems to be supporting the riots?

3 Likes

I appreciate the link. I haven’t heard of this messenger and will be sure to check it out.

i somehow find the idea of mixing myself and a bunch of people i know inside a LARGER group of unknown/untrustable people to be perplexing. no wonder ‘Big-Tech’ tries to see who is who …

i mean the internet is one thing but the ‘matrix’ is completely different and more immediately dangerous …

don’t take this the wrong way though. i feel that small scale protests are perfectly fine if you don’t mix in potentially armed strangers …