Use #Signal? Despite the fact that there are *many* good reasons for anyone with important secrets to protect
*not* to do that (US-based, no warrant canary etc), and Moxie has defended aspects of his centralized set-up by saying people shouldn't use it for that?
Signal is the best of a bad situation. Android is already a somewhat compromised platform with all the Google stuff and proprietary apps that 99% of people use. I think it does a good job of what it was intended for, which is to provide E2E encrypted mobile messaging with a good UX.
All of these criticisms of Signal are addressed by XMPP and OMEMO?
@noorul secure against what? What kind of app security you need depends on your #ThreatModel. But if you're trying to do security of any serious kind, not allowing people to use your app on GNU/Linux without also using an iOS or Android device just seems amateur. As does tying your chat ID to your phone number, which makes it much easier to tie metadata to real humans.
@noorul what's your use case? Who are you trying to chat with? Text or voice/video? One-to-one or group? How sensitive are the chats likely to be? What kinds of adversaries do you want to be secure against? In my experience it's better to use a non-secure app, and choose what to say on that basis, than to speak freely using an app you think is secure when it really isn't.
FYI I've got various lists of #FreeCode chat apps here:
@noorul TBH your threat level is about what Signal can cope with. Even if it was a honeypot and Moxie worked for the NSA that's not going to affect you much. I would use Wire instead though. It has all the same pros, plus supports more platforms, doesn't require your phone number, and is developed by a team of professionals who take both software freedom and UX seriously. Swiss-based, so bound by GDPR.
@noorul Wire Swiss GmbH is not a corporation (a publicly-listed company owned by shareholders). It's a self-funding private company, that makes its money from a premium service (based on the same software) aimed at enterprise teams.
@noorul yes. So if you're specifically looking for a service offered by a non-profit or a cooperative, Wire isn't that. But if you just want a provider that exists to serve its users, not shareholders, Wire ticks that box (it doesn't have shareholders, just private owners). If you want a non-profit, I suggest you check out #DigitalCafes like #RiseUp, #FramaSoft, #Disroot etc. Disroot might be the best option for your needs, as they have a big focus on improving the #UX of hosted #FreeCode tech.
@noorul OK. So why would you use Signal? Contacts on iPhones who can't find a decent XMPP or Matrix app?
> recommended by Snowden
Yeah, I find that weird. Snowden may, for example, have only endorsed Signal as a good solution for average Jo Users wanting to avoid passive datafarming. I did a web search for Snowden's actual comments, but all I could find was gossip column quality commentary by journalists about what a fan Snowden is of Signal, in which any such nuance is long lost.
@noorul I notice those quotes are not linked to sources. So we don't get to see *when* those things were said, or in what context, without doing a web search on the quote and trying to find the original. How convenient for #OWS. If Snowden recanted this opinion later, they could still leave that shining endorsement quote on the #Signal homepage, and most people would be none the wiser.
@noorul BTW With all due respect to #LauraPoitras, she is a journalist not a programmer, and she relies on people like Snowden (or Drew) to tell her which apps are safe to use. #BruceSchneier is a public figure, and has very little to lose if his encrypted conversations turned out not to be secure. #MattGreen's quote is just about code quality. None of these endorsements have any bearing on whether the Signal service is safe for dissidents with 3-letter adversaries in their #ThreatModel to use.
@noorul like me, and you, and everyone, Bruce a) has more knowledge about some things than others, and b) comments on things from his own POV. A big part of #ThreatModelling is figuring out what kinds of adversaries you're trying to secure things against, and what the worst case scenario is if your security measures fail. Like I said, Bruce is pretty safe if any cryptography he uses happens to fail. Not so a dissident in Turkey, or Russia, or China. This distinction is crucial.
@noorul aww shucks :-P
@noorul good reasoning. I'm looking forward to having a chat with you on Jami and Tox after my one month sabbatical.
@noorul There's no shame in re-evaluating software choices based on new information, in fact it's something to be proud of. We all make strategic decisions about what apps and services to use, based on what options are available, and what information we have about them. For all its flaws, Signal is a better choice than WhatsApp or Telegram (because Signal publishes source code for its client *and* server software). Before #OMEMO, it was arguably a better choice than #XMPP. It's always a toss-up.
@noorul I just wanted to remind you of this:
Unless you have any evidence of a relationship between OWS / Signal and the NSA that I'm not aware of? I mentioned the honeypot possibility as an example of a worst-case-scenario, I was *not* stating it as a known fact (AFAIK it isn't, and let's remember innocent until proven guilty).