SoylentNews is people
SoylentNews
from the tried-to-search-on-'Signal'-but-got-lots-of-noise dept.
Approximately two weeks ago, Open Whisper Systems announced the merger of two of its Android apps, Redphone (secure calling) and TextSecure (encrypted messaging) into one: Signal for Android. This is a counterpart to Signal for iOS, created by the same team. A Chrome extension is forthcoming.
Signal has been getting a lot of love from the security community (Snowden, Schneier, etc) specifically for it's user-friendliness --- something that has prevented the adoption of other crypto software.
The encrypted messaging algorithm seems to be a version of OTR modified for asynchronous mobile environments. Some version of this has been implemented in CyanogenMod as WhisperPush and WhatsApp.
Their blog has a lot of nerdy crypto detail for those interested. For example: deniability, forward secrecy, calling network.
All of their code is open source and funded by donations. Donations are also possible using bitcoin. Accepted pull requests get a payout using another of their projects, Bithub (code).
(Score: 4, Interesting) by boltronics on Friday November 20 2015, @02:23PM
Open source code, but not very committed to "open source" or free software in practise. No F-droid repository, and as I understand it, this is not a priority for Open Whisper Systems. Oh well.
It's GNU/Linux dammit!
(Score: 5, Interesting) by kadal on Friday November 20 2015, @02:33PM
That's what I thought. Then I read this: https://github.com/WhisperSystems/Signal-Android/issues/127#issuecomment-13335689 [github.com] . I think his stance is not unreasonable.
(Score: 4, Informative) by radu on Friday November 20 2015, @02:42PM
Actually only the last sentence makes sense (but it's enough sense for me):
(Score: 2) by boltronics on Saturday November 21 2015, @08:28AM
3rd party to who? Google? Google's a 3rd party to my point of view. The Google proprietary components are probably full of spyware for all we know. If I'm using Replicant, having Google's signature hardly matters. If Open Whisper Systems published their own F-Droid repository, they could sign all their own packages.
The problem with Open Whisper System's stance is that they somehow believe people who prefer free software are all "power" users, and that's BS. We want *everyone* to benefit from free software - not just geeks.
Moxie's contributing to a world where security software for the average person is expected to run on top of proprietary software, and we desperately need to put a stop to that. You don't need to be a security expert to see the problem with contributing to that trend.
It's GNU/Linux dammit!
(Score: 5, Insightful) by drgibbon on Friday November 20 2015, @02:46PM
Moxie is definitely not against free software, his concerns are security based. There's a thread on the Github tracker [github.com] where he explains why he prefers that F-Droid don't package Signal (back when it was TextSecure). Of course someone could just package it anyway, but ok, the guy has contributed a massive amount to security so people respect that. From what I remember, Moxie's main reasons are that he's against people checking "install apps from unknown sources" and he is also against the F-Droid centralised signing process. Actually OpenWhisper could just make their own F-Droid repo, but that would still mean that users need to install "unknown apps", which Moxie sees as a return to the "desktop security model". I can see where he's coming from, but I still think OpenWhisper should make their own F-Droid repo and release it quietly for the people who want it. However, what he doesn't want to see is geeks putting F-Droid on normal peoples' phones and checking "allow unknown apps" thus weakening security for those that don't know how to manage it. He would be happy to have APKs outside of the Play Store based on the conditions in this post [github.com], although I don't see how that gets around installing "unknown apps".
It's a bit of a hassle, but for myself I just build a version of Signal from source every now and then. They do at least make that process very easy.
Certified Soylent Fresh!
(Score: 5, Insightful) by melikamp on Friday November 20 2015, @05:53PM
I am getting a similar impression: not a lot of care be it the user freedom or the user security.
Seriously, let's have a discussion, because sometimes I feel like either me or the hole world is going crazy, and either possibility is really bad :) What can we infer about a security solution provider who does not ever ever mention a giant by-design security hole in their application? In this case, it's the fact that all target operating systems are adversarial (because non-free). How does the Signal app cope with the operating system or any of its privileged apps logging keystrokes? It doesn't. The overt assumption is that the OS is secure, which would be reasonable about a free GNU/Linux installation, for example. But the commercial deployments of Android offer neither security nor privacy, they are rooted by parties other than the user, often in an exploitative manner. Same for IOS. These are basic facts of life: non-free systems spy on their users. They do so because it's profitable, it's not illegal, and many users are so out of touch with security issues, they don't quite understand why this is bad, so they consent to it. The so-called security professionals who gloss over these facts really make me wonder. Don't they owe to the user at least a warning??? With big bold red letters: THIS APP ONLY RUNS ON NON-FREE PHONES, WHERE THE OS MAY BE LOGGING ALL KEYSTROKES AND SCREEN INFORMATION, AND THERE IS NO WAY TO KNOW WHEN IT DOES THAT OR TO MITIGATE THE LOSS OF PRIVACY IN ANY WAY. Because this is what's going on, right? Shouldn't the user be aware? What would be the reason to gloss over that?
I personally can hardly believe Snowden suggested the app to people, although his actual words may have been mangled by the interview process. I myself can sign under "IF you use Android, THEN Signal is the most secure option", but I would also add "which doesn't mean anything on an Android-based cell phone, but hey, everything else is even worse". And Schneier I actually spoke to, and he said he uses an Apple phone. OK, I guess he is being consistent with his advice, but now I am loosing my grip on what Schneier means by privacy.
Am I completely out of touch, people? What is the freaking point of making security and/or privacy solutions based on non-free platforms? The whole idea of a non-free platform to to strip the security, the privacy, and the control privileges from the user. None of the security features can be guaranteed there. Why are we wasting resources on this crap? Why is there a Windoze build of TOR, for example? Just so that the attackers can snoop over TOR communications through the backdoors in Windoze? I do not seriously suggest that TOR developers are screwing over their users on purpose, but there is this blindness to the issue, and I find it scary.
(Score: 0) by Anonymous Coward on Friday November 20 2015, @06:34PM
I agree with you to some extent, but there is a fundamental problem here: Most users don't want to give up convenience for privacy and security. Oftentimes non-free proprietary software is more convenient at the moment (not to mention pushed on people by multi-million dollar ad campaigns which of course do not inform users of what they're really getting), so people use that. Still, even under these circumstances, there's a chance that things like TOR could help, even if users would be better off with free platforms. Perfection is the enemy of... slightly better.
(Score: 5, Insightful) by melikamp on Friday November 20 2015, @08:05PM
You know, that's great, and probably true: we can reasonably suppose that using TOR on Windows (or Signal on IOS) does increase privacy and security, although the end result is still really really bad. What stymies me is... Where's the admission? Where's a fair warning? Where's the honest efficiency assessment by the devs or the security experts? If they want to spend their time developing "security" solutions for spy-phones, I can't complain, but what's that with pretending they work? Just tell the user like it is. The sooner users are aware of the basic facts, the sooner they will push legislators to marginalize the whole damn non-free software ecosystem.