Notices by Micah Lee 🔑 (micahflee@mastodon.social), page 7

Fuck Facebook, btw

Hacking Team Hacker Phineas Fisher Has Gotten Away With It

Leaked court documents show that Italian authorities have no idea who hacked the government spyware maker Hacking Team, and a judge ruled the investigation should be shut down.
https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it

@tuxicoman @lapingvino @freakazoid

There's nothing closed source in the official build.

Personally I'd like Signal in F-Droid. But I think Moxie's argument is that secure software delivery is hard, releasing to two app stores introduces complexity, and F-Droid doesn't give analytics or crash reports. In the end, I think he just doesn't care much because only a tiny (but loud) fraction of the user base doesn't have the Play Store

@tuxicoman @freakazoid @lapingvino

That's not true though.

You can build Signal from source if you want, or download the apk from https://signal.org/android/apk/ instead of the Play Store, and it runs fine on phones that don't have Google Play Services, or even any proprietary software.

"That’s why we at Twilio banned not just hate speech, but any organization whose primary purpose is spreading hate. It’s in our control to decide who uses our product, and from whom we take money. We choose not to profit from this hatred, or those who spread it."
https://medium.com/@jeffiel/words-matter-and-theyre-destabilizing-the-american-tribe-afaba172e4d1

@2342 it can read the ID of the recipient. But it can't read the ID of the sender. Once the recipient receives it, they decrypt it and then only they can see the ID of the sender.

New Signal privacy feature removes sender ID from metadata
https://arstechnica.com/information-technology/2018/10/new-signal-privacy-feature-removes-sender-id-from-metadata/

@lapingvino @freakazoid @tuxicoman Telegram doesn't use end-to-end encryption by default

@aadilayub
This new feature, "sealed sender", basically encrypts the "from" part of the metadata to the recipient, so the server can instead only see the "to" part.

This makes it so the metadata the server can see is just who is receiving messages, without being able to know who is sending them.

It means users will no longer have to trust that Signal is complying with it's privacy policy. Instead, Signal is making it impossible for them to access it.

@aadilayub well it most likely doesn't.

When you send a message, the connection between your phone and the server is encrypted with TLS, so people spying on the network can't see metadata. Once it hits the server, it can see who the message is from and to. It uses this to route your message to the right user. Signal promises to not log the metadata to disk, and there's strong legal evidence that they're telling the truth.

But still, you have to trust them.

1/x

@bob @tuxicoman @lapingvino

I don't think it's completely solved because of user IPs and timing correlation attacks, but it's the first step to solving it in a scalable way

@lapingvino @tuxicoman

But once it's released and everyone updates their apps, every Signal user will be using that feature.

@lapingvino @tuxicoman

So you think it's better that they don't work on encrypting metadata?

I'm just confused by your arguments. Can you use specific examples of when when Signal has communicated something unclearly?

@lapingvino @tuxicoman what do you mean "client-side calling code"? Are you referring to all this webrtc code for voice calls? https://github.com/signalapp/Signal-Android/tree/master/src/org/thoughtcrime/securesms/webrtc

Signal is very well designed and easy to use, and secure for what it tries to do: end-to-end encrypted replacement for unencrypted SMS and voice calls.

It's not the right tool for every situation, but like, it's pretty awesome.

@lapingvino @tuxicoman

What part of Signal isn't open source? Here is the server code https://github.com/signalapp/Signal-Server

Signal doesn't have a business model. It's not a business, it's a non-profit funded by a billionaire. It doesn't have ads, sell (or collect) data, etc.

One thing I appreciate about the Signal project is they don't make claims about security that aren't true.

Projects like bitmessage are great, but really need to prioritize UX if they want to be accessible outside of a tiny niche.

@tuxicoman @lapingvino

yeah, what are you referring to?

Mastodons have big mouths

Supermicro hack stickers at BSides PDX lol