Posts
72
Comments
2,733
Joined
2 yr. ago

Android @lemmy.world

Here it is, suckas. IPX68 water resistant, MIL-STD-810G certified, and SWAPPABLE BATTERY

science @lemmy.world

Many voters are willing to accept misinformation from political leaders – even when they know it’s factually inaccurate, if they believe the statements evoke a deeper, more important “truth.”

Privacy @lemmy.ml

Does anyone here use GNU Jami?

savedyouaclick @lemmy.world

This simple technique instantly reduces heat stress in dogs | teach them to dunk their heads in water

Privacy @lemmy.ml

Is Telegram really an encrypted messaging app?

raspberrypi @lemmy.ml

Pi Pico 2 Extreme Teardown

Cryptography @lemmy.ml

Bernstein and Lange -- Safe curves for Elliptic Curve Cryptography

Cryptography @lemmy.ml

The government unveils its quantum counter-weapons

savedyouaclick @lemmy.world

This Bay Area city is the fastest growing in California. Here’s why it’s booming | Dublin, CA (i.e. suburbia). It built a lot of new housing between 2010 and 2020.

Technology @lemmy.world

Raspberry Pi Pico 2, our new $5 microcontroller board, on sale now

savedyouaclick @lemmy.world

The ONE WEIRD THING that c/savedyouaclick really could use | More people posting

savedyouaclick @lemmy.world

Cutting down on this one food can lower your dementia risk, study says | processed red meat. Annoying captcha and popup in article.

savedyouaclick @lemmy.world

The loophole that can get you into LA's famously private Magic Castle | Book a room at the fancy hotel next door

Not The Onion @lemmy.world

Fox News host Jesse Watters thinks men who vote for women ‘transition’ to women

savedyouaclick @lemmy.world

California no longer has the fastest-growing home prices in the US | New York now beats San Diego

savedyouaclick @lemmy.world

Ryan Murphy gets surprise news from wife after winning Olympic medal | gender reveal, their new kid is a girl.

DeGoogle Yourself @lemmy.ml

Google Fiber is the only decent home ISP around here. What do I do?

savedyouaclick @lemmy.world

Why Katie Ledecky never could've been Team USA's Olympics flag bearer | Attending the opening would have interfered with her sleep schedule, with a competitive event coming right up.

Fediverse @lemmy.world

Lemmy (etc.): allow sorting preference for search

Lemmy.world Support @lemmy.world

automatically clean up tracking and other tags in posted urls

  • Very interesting, thanks. Do you mean they use SGX (Intel's buggy secure enclave feature)? Any idea what they use it for? If not SGX, do you know what the issue is? AMD Epyc processors have something similar but different, fwiw. If there is such highly secret info on the server though, that makes self-hosting even more important. It also makes the architecture suspect.

  • Telling the govt that you registered for Signal sounds like a bad failure as far as I'm concerned, e.g. if you are a user in a repressive regime. Do you think Trump would like to get his hands on a list of all the Signal users in the US? Probably yes. What would he do with the list? IDK but it has to be bad. So it should be an objective of Signal to make it impossible for anyone to create such a list.

    Anyway, it sounds like Signal has wised up and is getting rid of the phone number requirement. I don't understand why people here keep defending the misfeature. I've heard such things explained as "system justification" but I still don't understand it. All of us make poor decisions all the time, but we should at least make some effort to recognize them, and fix them when possible.

    https://en.wikipedia.org/wiki/System_justification

  • To truly be safe from Signal’s influence you would need to audit the source code and build it yourself.

    Usually I only install APKs from F-Droid, which always builds its apps from source, rather than using the developer's APK. I'm uncomfortable that Signal doesn't seem to be on F-Droid, and I'm in fact hesitant to install it from anywhere else. I'm not currently set up to build Android apps myself. I'm a fairly unsophisticated Android user.

  • They are overlapping areas, but they are “two completely different things”. They overlap by sharing common goals, not by being interchangeable.

    They aren't interchangeable but they intersect. Completely different means they are disjoint.

    it proudly advertises you as a signal user to other signal users

    That sounds terrible, a private message service shouldn't advertise anything to anyone. If I subscribe to a subversive magazine, it shouldn't advertise me to other subscribers. It's a terrible invasion if they do. Signal and PGP are both comparable to subversive magazines in that regard, even if the PGP manual tried to say the opposite.

    I think most of us these days recognize that the whole concept of public key directories and signature chains on PGP keys was a conceptual error in how people thought about privacy back then (they only cared about encrypting message content). We like to think we know better now, but maybe we don't.

    Okay? And? In this hypothetical world where Signal offered anonymity but still tied you to your number for other practical reasons, then you’d be correct that it would be a privacy concern.

    According to Wikipedia, they do record some of that info and report it to the government when required. In fact there is further disclosure to them (they might not retain or use the info, but they do receive it) every time you connect to the Signal server.

    Anyway the Wikipedia article indicates they have introduced usernames as an alternative to phone numbers, so they have finally acknowledged the problem and done something about it.

    1. I haven't seen a non-TLS website in years.
    2. Your asserting "two completely different things" doesn't make it true. Privacy and anonymity are not synonyms but they are overlapping areas. Also ISTM you are redefining terms to suit your purposes. Anonymity to me means the message recipient can't tell who you are. If a THIRD PARTY (the server operator) can ALSO tell who you are, that's a privacy failure, not just an anonymity one.
    3. Why does it take so much storage per user? Does it have video uploads or anything like that? A user account should basically just be a row in a database.

    From https://en.wikipedia.org/wiki/Signal_(software) :

    In August 2022, Signal notified 1900 users that their data had been affected by the Twilio breach including user phone numbers and SMS verification codes.[105] At least one journalist had his account re-registered to a device he did not control as a result of the attack.[106] ...

    This mandatory connection to a telephone number (a feature Signal shares with WhatsApp, KakaoTalk, and others) has been criticized as a "major issue" for privacy-conscious users who are not comfortable with giving out their private number.[142] A workaround is to use a secondary phone number.[142] The ability to choose a public, changeable username instead of sharing one's phone number was a widely-requested feature.[142][144][145] This feature was added to the beta version of Signal in February 2024.[146]

    Using phone numbers as identifiers may also create security risks that arise from the possibility of an attacker taking over a phone number.[142] A similar vulnerability was used to attack at least one user in August 2022, though the attack was performed via the provider of Signal's SMS services, not any user's provider.[105] The threat of this attack can be mitigated by enabling Signal's Registration Lock feature, a form of two-factor authentication that requires the user to enter a PIN to register the phone number on a new device.[147]

  • That is a pretty weird post that doesn't make much sense, but I remember meeting Moxie and asking him about Android security and being surprised at how defensive he was about it. Is Signal the app he was working on? That helps somewhat. I get them confused with each other.

    The Signal app doesn't appear to be on F-Droid, which is a bit discomforting.

  • The claim is that Signal's phone verification step doesn't cause privacy problems because Signal (purportedly) doesn't retain the phone numbers after verification. That claim is falsified because the phone carrier stores the call record even if Signal doesn't. They store it because of the same law that makes them turn it over to Big Brother on demand. The phone verification step is, therefore, a privacy problem. Obviously there are similar issues with IP routing, but at least I can use a VPN with an endpoint in another country.

  • read the history

    Is there a url for the history? Or for a good answer about the phone numbers? If the topic keeps recurring and the answers don't satisfy people, that suggests that there is no good answer, and that there are possibly misaligned interests between Signal and its users.

  • Are you saying I have to literally rebuild and distribute my own client APK if I want to use my own server? There's no "settings" in the existing client where you say what server you want to use, like every email client has? That sounds obnoxious.

    1. I don't understand what you mean about discoverability: is my presence on the network advertised to strangers and spammers? That doesn't sound good. What does the onboarding process look like?
    2. You still haven't said what Signal's advantages are supposed to be over alternatives, though I can guess some (e.g. better/more crypto than irc has). Jami seems conceptually ok, but buggy in implementation. Nextcloud Talk works but is kind of clunky. Matrix is popular though I've never used it: is it the main alternative to Signal these days? I thought it was what all the hipsters had migrated to while luddites like me were still on irc. Jitsi Meet looks nice though again I haven't explored it much. I've been puzzled for a long time that there is so much work in this area yet everything has deficiencies. Are there difficult problems to solve?
    3. If Signal's code is open then of course I'd want to self-host the server. Can I do that? Does that get in the way of the onboarding process you mention? Where does the phone number come in, in that case? If I have to use Signal's server, that doesn't sound so open, and normally there's no way for me to verify that it's running the same code that they claim.

    I don't see where I'm spreading FUD. Ignoring a question and calling it FUD doesn't invalidate the question.