Hacker News
by cutitout 1977 days ago
> calls them assholes that don’t care about what happens outside of western society

That's hardly her main point:

> For Chinese who are used to a specific IME, like Sogou, trying to type on something else is a tiny bit like a QWERTY user suddenly faced with Dvorak: we can make it work, but it's slow enough day to day that 50/50 they just install Sogou because what's the big deal, right?

> The Signal "fix" is "Incognito Mode" aka for the app to say "Pretty please don't read everything I type" to the virtual keyboard and count on Google/random app makers to listen to the flag, and not be under court order to do otherwise.

> Needless to say, Sogou/Baidu does not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag. So basically all hardware here is self-compromised 5 minutes out of the box.

> so unless journalists tell them otherwise, which they have not been doing- users will install Sogou.

This is important.
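To make the quoted mechanism concrete, here is an added Android example (not code from the post, from Naomi Wu, or from Signal) showing both halves of the "pretty please" handshake: the app-side text field sets IME_FLAG_NO_PERSONALIZED_LEARNING on its EditorInfo, and a keyboard-side InputMethodService reads that same bit when a field gains focus. The class names IncognitoEditText and WellBehavedIme are hypothetical. The point the tweet makes is visible in the code: the app can only set a bit; whether personalised learning (and any upload of what was typed) is actually disabled is decided entirely inside the keyboard process, and nothing in the app can verify that decision.

```java
import android.content.Context;
import android.inputmethodservice.InputMethodService;
import android.util.AttributeSet;
import android.util.Log;
import android.view.inputmethod.EditorInfo;
import android.view.inputmethod.InputConnection;
import android.widget.EditText;

// App side. A text field that asks the IME not to learn from (or personalise on)
// what is typed into it. Signal's incognito keyboard setting relies on this flag,
// as the quoted tweet describes. The flag is advisory: setting it changes nothing
// inside the keyboard unless the keyboard chooses to honour it.
public class IncognitoEditText extends EditText {

    public IncognitoEditText(Context context, AttributeSet attrs) {
        super(context, attrs);
    }

    @Override
    public InputConnection onCreateInputConnection(EditorInfo outAttrs) {
        InputConnection ic = super.onCreateInputConnection(outAttrs);
        // Flag exists since API 26 (Android 8.0); older platforms silently ignore the bit.
        outAttrs.imeOptions |= EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING;
        return ic;
    }
}

// Keyboard side. A cooperative IME inspects the bit in onStartInput and switches
// off its learning / cloud features for that field. Whether it does so is purely
// the keyboard vendor's choice: an IME that skips this check (or ignores its result)
// receives the keystrokes exactly as before, and the app cannot tell the difference.
class WellBehavedIme extends InputMethodService {

    private boolean learningAllowed = true;

    // Pure helper so the policy decision is testable without an Android runtime.
    static boolean personalizedLearningAllowed(EditorInfo attribute) {
        if (attribute == null) {
            return true;
        }
        return (attribute.imeOptions & EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING) == 0;
    }

    @Override
    public void onStartInput(EditorInfo attribute, boolean restarting) {
        super.onStartInput(attribute, restarting);
        learningAllowed = personalizedLearningAllowed(attribute);
        Log.d("WellBehavedIme", "personalised learning "
                + (learningAllowed ? "enabled" : "disabled")
                + " for field in " + (attribute == null ? "?" : attribute.packageName));
    }

    // Every place the IME would record or upload typed text consults this gate.
    void onWordCommitted(String word) {
        if (!learningAllowed) {
            return; // honour the app's request: do not store or send the word
        }
        // ... update the user dictionary, sync to the cloud, etc.
    }
}
```

From a defensive standpoint the asymmetry is the whole story: the app has no callback telling it whether the IME honoured the request, so the only controls that actually work are ones outside the app, such as choosing a keyboard whose behaviour has been verified, or telling users plainly that a third-party keyboard sits between them and the encrypted channel.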

3 comments

I understand Naomi's point here, but I'm unclear how it relates to Signal. Isn't this an issue with 3rd party keyboards in any app?

If it's an issue in any app that can lead to privacy leaks, it's a showstopper issue for something like Signal. It being an issue with any app is even more reason to tell people about it, not less.
But if a person has something important to say, calling people that don't know about the issue assholes is not a great way to go about it. I know there is a western, and especially US/English, bias in tech. But it's not like everyone tries to annoy others, it's more an issue of ignorance.

Btw I agree that when Signal says your messages are secure, it should probably do something to warn about ways things still may leak.

She has been ignored for over a year (she tried to get them to discuss the issue in 2019), and all the while people have been getting kidnapped by the Chinese government due to this misunderstanding. I can understand why she would feel upset. I think what set this off was Signal responding to questions to some tiny Twitter account after ignoring her for so long.

It is an extreme exaggeration to say that the Chinese state arbitrarily detaining people is due to Signal not working around the IME issue.

Let's be clear: the Chinese state detains people all the time, based on many sources of information, probably the least important being interception of keystrokes to Signal in an input method app. They own all the app makers and the app stores. They can push a specific version of an app to a specific person. Frankly it is meaningless to rely on Signal on a device like that.

The OWS team is small. They don't have a social media team like big corps do, tracking social issue engagement, what big accounts have tweeted etc, and it is ridiculous and counter-productive to be going off about it.

Of course Signal is not the only way people get compromised in China, but if the claim in TFA that 70% of Chinese users use a third party IME is correct, it seems reasonable that some of them, thinking their chat is secure, would say something that gets them in trouble. Naomi Wu has claimed this has happened and I have no reason to doubt her.

Yes OWS is small, but a major security vulnerability for a country with over a billion people seems worth addressing, no? Naomi Wu is certainly a big account on Twitter and we can see from TFA that Moxie and OWS are aware of this complaint. The question is what to do about it. If you read TFA you will see that the best suggestion seems to be a warning to users using any third party IME. Seems quite reasonable to me.

Since the MSS are unlikely to tell us their decision-making process, it is quite opaque. It could have been CCTV, an informant, an unfounded denunciation, something they said on WeChat, one of the main compromised Chinese apps. It really isn't open to her to claim this level of confidence.

If the keyboard is leaking keystrokes or word searches on a wide basis it would be difficult to hide technically. DFIR techniques for this are pretty straightforward, I'm sure plenty of people in HK could do it. Why no details?

But ultimately this is a much bigger Android problem, and won't be solved by fixing the keyboard (which OWS is obviously unqualified and ill-equipped to do). A broad ranging device lockdown guide, and OPSEC training (like [1] but for protest groups), is necessary to have anything except illusory protection. I don't think OWS should get into the business of issuing security advisories for all the platforms that they port to.

The pro-democracy groups seem to have this stuff figured out as well as you can and still have a visible protest movement. Very much following Chairman Mao: "The revolutionary must swim with the fishes."

[1] https://www.slideshare.net/grugq/opsec-for-hackers

Where we disagree is that I believe OWS should consider security advisories. This comes up multiple times if you read the whole thread linked in the top of this HN post (TFA). OWS wants to assume that users are normal people without much knowledge of opsec. They want the users to trust the engineers to guide them. Well, if everyone is saying “Signal is end to end encrypted and no one can read your chat” OWS might be able to help a lot of people by clarifying that while messages sent over the wire are encrypted, a compromised phone could still mean compromised conversations. This is painfully obvious to you or me, but regular people I speak to have no idea about things like this. Non technical folks I speak to still don’t understand the most basic opsec.

Can you substantiate this claim? Or is this just "I know someone who was arrested, it had to be the keyboard"?

This was Naomi Wu’s claim. She herself has been “taken away for questioning” by the Chinese government (and she shared photos of it) so I have no reason to distrust her claims.

I'm not sure I'd know about this if the statement wasn't notable for its coarse language. Moreover it's not just a case of criticizing someone who didn't know about the issue, it's criticizing people who are telling people to do something without understanding the risks.
> But if a person has something important to say, calling people that don't know about the issue assholes is not a great way to go about it.

I don't mind it at all. If someone uses "being called asshole" as a reason to not even inform anyone, they would have found another excuse. Some people simply register it as strong language and otherwise focus on the content. At any rate, it's very easy to judge what someone says in frustration when you yourself don't even suffer from the situation and/or don't care about those who do.

> But it's not like everyone tries to annoy others, it's more an issue of ignorance.

So she shed light on that, and instead of talking about the important bit, people think it's super important to teach a random person to not be rude, ever? That's what we're focusing on?

> That's what we're focusing on?

That's my point. By presenting the issue the way she did, people moved the conversation away from the issue and instead ended up in a meta-discussion about the discourse. If her points were laid out in a nicer manner, she would be closer to actually achieving her goal.

She did that over one year ago and was ignored. Policing her tone instead of addressing the issue that has people getting kidnapped in China is really missing the point.

> By presenting the issue the way she did, people moved the conversation away from the issue

By HER doing A, OTHERS did B? That doesn't even parse as English, and betrays doublethink.

Open source devs are horribly mistreated for a service they provide for free/very low income. I will gladly focus the conversation on someone being rude to someone that has dedicated their life to making the world a better place. Signal is a nonprofit organization dedicated to the betterment of mankind. They want to do a good job and they’re not assholes.

"Making the world a better place" is terribly generic, and not impressive in context of stubbornly refusing to even acknowledge, much less warn users about, an issue that puts actual lives in danger. If they ignored her for so long, what was the excuse before she dared to say "asshole" to adults who dabble with something as serious as this?

The tweet thread is claiming app store apps are downloaded unencrypted and that they can be modified in flight. Any proof of this?