by TaylorAlexander 1977 days ago
Of course Signal is not the only way people get compromised in China, but if the claim in TFA that 70% of Chinese users use a third-party IME is correct, it seems reasonable that some of them, thinking their chat is secure, would say something that gets them in trouble. Naomi Wu has claimed this has happened and I have no reason to doubt her.

Yes, OWS is small, but a major security vulnerability for a country with over a billion people seems worth addressing, no? Naomi Wu is certainly a big account on Twitter, and we can see from TFA that Moxie and OWS are aware of this complaint. The question is what to do about it. If you read TFA you will see that the best suggestion seems to be a warning to users using any third-party IME. Seems quite reasonable to me.


Since MSS are unlikely to tell us their decision-making process, it is quite opaque. It could have been CCTV, an informant, an unfounded denunciation, or something they said on WeChat, one of the main compromised Chinese apps. It really isn't open to her to claim this level of confidence.

If the keyboard is leaking keystrokes or word searches on a wide basis, it would be difficult to hide technically. DFIR techniques for this are pretty straightforward; I'm sure plenty of people in HK could do it. Why no details?

But ultimately this is a much bigger Android problem, and won't be solved by fixing the keyboard (which OWS is obviously unqualified and ill-equipped to do). A broad-ranging device lockdown guide, and OPSEC training (like [1] but for protest groups), is necessary to have anything except illusory protection. I don't think OWS should get into the business of issuing security advisories for all the platforms that they port to.

The pro-democracy groups seem to have this stuff figured out as well as you can and still have a visible protest movement. Very much following Chairman Mao: "The revolutionary must swim with the fishes."

[1] https://www.slideshare.net/grugq/opsec-for-hackers

Where we disagree is that I believe OWS should consider security advisories. This comes up multiple times if you read the whole thread linked at the top of this HN post (TFA). OWS wants to assume that users are normal people without much knowledge of opsec. They want the users to trust the engineers to guide them. Well, if everyone is saying “Signal is end-to-end encrypted and no one can read your chat”, OWS might be able to help a lot of people by clarifying that while messages sent over the wire are encrypted, a compromised phone could still mean compromised conversations. This is painfully obvious to you or me, but regular people I speak to have no idea about things like this. Non-technical folks I speak to still don’t understand the most basic opsec.

Telegram/WhatsApp/iMessage/FB Messenger all go pretty far down the 'this is secure messaging' path, with far less justification. (And for a Chinese iPhone, iMessage is completely broken.) Far more people use the big platforms. Getting a significant user base for Signal is a big comparative win, even if the handset security is weak.

Should they be less minimalistic on their website? Probably yes. Would anyone read it? Geeks, yes. Maybe people who are worried. But I think it is a small win at a high cost.

Maybe it's possible to write a basic phone opsec guide and just stick it on medium or something. Rely on the magic of Google to help people find it. (Would Baidu index it? I wonder.)