I remember a few days ago there was a post on hackernews to stop being mean to the people that worked at signal. The Twitter user linked in that article is railing into signal devs and she calls them assholes that don’t care about what happens outside of western society.
> calls them assholes that don’t care about what happens outside of western society
That's hardly her main point:
> For Chinese who are used to a specific IME- like Sogou, trying to type on something else is a tiny bit like a QWERTY user suddenly faced with Dvorak- we can make it work, but it's slow enough day to day that 50/50 they just install Sogou because what's the big deal right?
> The Signal "fix" is "Incognito Mode" aka for the app to say "Pretty please don't read everything I type" to the virtual keyboard and count on Google/random app makers to listen to the flag, and not be under court order to do otherwise.
> Needless to say, Sogou/Baidu does not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag. So basically all hardware here is self-compromised 5 minutes out of the box.
> so unless journalists tell them otherwise, which they have not been doing- users will install Sogou.
If it's an issue in any app that can lead to privacy leaks, it's a showstopper issue for something like Signal. It being an issue with any app is even more reason to tell people about it, not less.
But if a person has something important to say, calling people that don't know about the issue assholes is not a great way to go about it. I know there is a western, and especially US/English, bias in tech. But it's not like everyone tries to annoy others, it's more an issue of ignorance.
Btw I agree that when Signal says your messages are secure, it should probably do something to warn about ways things still may leak.
She has been ignored for over a year (she tried to get them to discuss the issue in 2019), and all the while people have been getting kidnapped by the Chinese government due to this misunderstanding. I can understand why she would feel upset. I think what set this off was signal responding to questions to some tiny Twitter account after ignoring her for so long.
It is an extreme exaggeration to say that the Chinese state arbitrarily detaining people is due to Signal not working around the IME issue.
Let's be clear: the Chinese state detains people all the time, based on many sources of information, probably the least important being interception of keystrokes to Signal in an input method app. They own all the app makers and the app stores. They can push a specific version of an app to a specific person. Frankly it is meaningless to rely on Signal on a device like that.
The OWS team is small. They don't have a social media team like big corps do, tracking social issue engagement, what big accounts have tweeted etc, and it is ridiculous and counter-productive to be going off about it.
Of course signal is not the only way people get compromised in China but if the claim in TFA that 70% of Chinese users use a third party IME is correct, it seems reasonable that some of them, thinking their chat is secure, would say something that gets them in trouble. Naomi Wu has claimed this has happened and I have no reason to doubt her.
Yes OWS is small, but a major security vulnerability for a country with over a billion people seems worth addressing, no? Naomi Wu is certainly a big account on Twitter and we can see from TFA that Moxie and OWS are aware of this complaint. The question is what to do about it. If you read TFA you will see that the best suggestion seems to be a warning to users using any third party IME. Seems quite reasonable to me.
Since the MSS are unlikely to tell us their decision-making process, it is quite opaque. It could have been CCTV, an informant, an unfounded denunciation, something they said on WeChat, one of the main compromised Chinese apps. It really isn't open to her to claim this level of confidence.
If the keyboard is leaking keystrokes or word searches on a wide basis it would be difficult to hide technically. DFIR techniques for this are pretty straightforward, I'm sure plenty of people in HK could do it. Why no details?
But ultimately this is a much bigger Android problem, and won't be solved by fixing the keyboard (which OWS is obviously unqualified and ill-equipped to do). A broad ranging device lockdown guide, and OPSEC training (like [1] but for protest groups), is necessary to have anything except illusory protection. I don't think OWS should get into the business of issuing security advisories for all the platforms that they port to.
The pro-democracy groups seem to have this stuff figured out as well as you can and still have a visible protest movement. Very much following Chairman Mao: "The revolutionary must swim with the fishes."
This was Naomi Wu’s claim. She herself has been “taken away for questioning” by the Chinese government (and she shared photos of it) so I have no reason to distrust her claims.
I'm not sure I'd know about this if the statement wasn't notable for its coarse language. Moreover it's not just a case of criticizing someone who didn't know about the issue, it's criticizing people who are telling people to do something without understanding the risks.
> But if a person has something important to say, calling people that don't know about the issue assholes is not a great way to go about it.
I don't mind it at all. If someone uses "being called asshole" as a reason to not even inform anyone, they would have found another excuse. Some people simply register it as strong language and otherwise focus on the content. At any rate, it's very easy to judge what someone says in frustration when you yourself don't even suffer from the situation and/or don't care about those who do.
> But it's not like everyone tries to annoy others, it's more an issue of ignorance.
So she shed light on that, and instead of talking about the important bit, people think it's super important to teach a random person to not be rude, ever? That's what we're focusing on?
That's my point. By presenting the issue the way she did, people moved the conversation away from the issue and instead ended up in a meta-discussion about the discourse. If her points were laid out in a nicer manner, she would be closer to actually achieving her goal.
She did that over one year ago and was ignored. Policing her tone instead of addressing the issue that has people getting kidnapped in China is really missing the point.
Open source devs are horribly mistreated for a service they provide for free/very low income. I will gladly focus the conversation on someone being rude to someone that has dedicated their life to making the world a better place. Signal is a nonprofit organization dedicated to the betterment of mankind. They want to do a good job and they're not assholes.
"Making the world a better place" is terribly generic, and not impressive in context of stubbornly refusing to even acknowledge, much less warn users about, an issue that puts actual lives in danger. If they ignored her for so long, what was the excuse before she dared to say "asshole" to adults who dabble with something as serious as this?
The thread there is really interesting. Apparently the "OEM" IMEs aren't the ideal standard for Chinese input, so people tend to use a proprietary one like Sogou's. [1]
Naomi analyzes the technical side very well, but somehow face plants on the conclusion.
Insecure IMEs exist everywhere and affect every app. Not just Signal, not just in China.
This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).
Signal should show a reminder to help people be secure, but framing this as some kind of obligation towards the people of China is weird.
I think Naomi wants at least a clear recognition of the issue from signal. All of us on HN can say “well yeah that’s obvious” but signal keeps telling everyone their app is “secure” without caveats that your keyboard could be leaking everything you type, making the system not secure. Saying “well that’s not my department” isn’t acceptable when people are being put at real risk here.
EDIT: The specific request in TFA is to detect users using a third party IME and give them a security warning. Seems pretty reasonable.
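An added illustration of the two mechanisms this thread keeps coming back to (not Signal's code, and not anything OWS has shipped): the "Incognito Mode" flag quoted earlier, which is only a request the keyboard may ignore, and the warning suggested here, triggered when the selected keyboard is not a preloaded system app. The class name `ImeCheck`, the `showWarning` callback and the heuristic "non-system package means user-installed" are my assumptions; the Android APIs used (`Settings.Secure.DEFAULT_INPUT_METHOD`, `ApplicationInfo.FLAG_SYSTEM`, `EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING`, API 26+) are real.

```java
// Added example, not part of the Signal code base. Detects a user-installed
// default IME and sets the advisory "no personalized learning" flag on a field.
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.view.inputmethod.EditorInfo;
import android.widget.EditText;

public final class ImeCheck {  // hypothetical helper class
    private ImeCheck() {}

    /** Package name of the currently selected IME, or null if none is set. */
    public static String defaultImePackage(Context ctx) {
        // Value looks like "com.example.keyboard/.KeyboardService"
        String flat = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.DEFAULT_INPUT_METHOD);
        if (flat == null) return null;
        ComponentName cn = ComponentName.unflattenFromString(flat);
        return cn == null ? null : cn.getPackageName();
    }

    /**
     * True if the selected IME is neither a preloaded system app nor an updated
     * system app, i.e. the user (or whoever controls the app store) installed it.
     * Caveat: an OEM can preload any keyboard it likes, so "system" does not
     * mean "trustworthy"; this only catches the install-it-yourself case.
     */
    public static boolean isThirdPartyIme(Context ctx) {
        String pkg = defaultImePackage(ctx);
        if (pkg == null) return false;
        try {
            ApplicationInfo ai = ctx.getPackageManager().getApplicationInfo(pkg, 0);
            int systemBits = ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
            return (ai.flags & systemBits) == 0;
        } catch (PackageManager.NameNotFoundException e) {
            return true; // keyboard backed by a package we cannot inspect: treat as untrusted
        }
    }

    /**
     * The "pretty please" from the quoted tweet: asks the IME not to learn from
     * this field. The keyboard process still receives every keystroke and is free
     * to ignore the bit, so this is not a security boundary.
     */
    public static void requestIncognito(EditText field) {
        field.setImeOptions(field.getImeOptions()
                | EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING);
    }

    /** Wire-up: set the advisory flag, then warn before the user types if the IME is third-party. */
    public static void guardComposer(Context ctx, EditText composer, Runnable showWarning) {
        requestIncognito(composer);
        if (isThirdPartyIme(ctx)) {
            showWarning.run();  // e.g. a dialog explaining that the keyboard sees plaintext
        }
    }
}
```

The check is cheap and needs no permissions, which is why a warning is the realistic ask here; actually constraining what the keyboard does with the text (network access, logging) is outside any app's reach and belongs to the OS, as the replies below argue.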
> This is the operating system's job to tackle, not Signal's. And oh wonder: Android displays a scary reminder when you install an IME (of course they could and should disallow network access for IMEs as well).
(iOS makes the third-party keyboard ask the user for "full access" in order to hit the internet.)
It doesn't matter. You can compromise most of the phones (at least non-rooted) if you or your people make the OS and thus also the OS-level libraries that handle text input from the IME, or even touchscreen information would be enough in most cases (unless everyone uses the randomized keyboard layout, and guards against "known plaintext" type attacks).
This is important.