by nimbius 1328 days ago
Moxie's always been fairly dictatorial about Signal. No third party clients, no decentralization. I'm not surprised to see a DMCA at all.

So far Signal is a centralized encrypted messaging app that includes its own cryptocurrency and wallet no one asked for, shills me for donations every other release, and begs me to invite new users despite deprecating regular SMS message support.

If you're a threat-actor the most malevolent thing you could do at this point is just watch Moxie and the team drive this project into the ground.

6 comments

This doesn’t change the fact that signal is the best option for my grandma to use still.

Moxie is no longer active in signal afaik. This is the new leadership.

My grandma uses WhatsApp Web and Facebook hasn't taken down the WhatsApp Web snap yet. Both are end to end encrypted and based on the same transport but one of them used copyright law to take down a redistribution of their application.

Looks to me like Signal is the inferior app here.

If you look at anything through a narrow enough lens you can make it look good.
If "a messenger that works" is a narrow lens, then sure. WhatsApp is still as secure as it ever was and everyone is already on it.

Signal had one feature it did better than its competitors and that's allowing integration of SMS. That feature is now getting killed because of RCS issues. With all my contacts on similar chat apps, I don't see why I should keep Signal installed once they remove the SMS feature, let alone why I should convince my grandma to make the switch.

"But Facebook is evil and wants to control you and wants to suck your blood" yes and so do the companies that made our phones and mobile operating systems. What's the point of Signal's openness (well, "open", they did stop uploading the source code for a while when they were adding in their crypto scheme) if you still use it on a proprietary phone.

And no, Linux on neither mobile devices nor the desktop is grandma-ready.

There is another feature of Signal.

It isn't owned by a data leech.

Ignoring UX for non-technical users is a narrow lens.
Meta wants your data, of course they wouldn't do anything that could stop that.
> This doesn’t change the fact that signal is the best option for my grandma to use still.

Is it? How do you measure that? It seems like WhatsApp is a better default choice for most people probably.

Except it's owned by Meta, who I really wouldn't trust even if they say it's E2EE.
To be honest I don’t see a strong reason to trust signal either except better marketing.

There are so many scandals that come to mind, like not updating the FOSS code for years.

I’m no fan of Meta, and they have incentive to hoover up data.

But I don’t have a good reason to trust signal other than that everyone on hackernews seems to love them.

You mix up concepts. The client app is responsible for e2ee, you don't have to care about the server.

So you can actually audit the client code and make sure it is e2ee, which you cannot do with WhatsApp. In other words, for e2ee you must trust WhatsApp, not Signal.

I presume that for the outdated code, you think about the server code. That's different and would imply metadata, not message content.

Signal is e2ee, and you don't have to trust them for that.

> Signal is e2ee, and you don't have to trust them for that.

Only if both sides are using clients that are self-compiled, independently-compiled (and audited), deterministic/reproducible or third-party.

The problem is that the network and the app are the same people, and worse than that; they send binaries and expect you to trust them.

I know lip service is paid to reproducibility but afaik the instructions for doing that are 404ing.

I just get a greasy feeling from the lock-in, the heavy marketing, the fact that everyone refuses to speak critically of them unless it’s about anonymous usernames.

A truly good secure client would have worked on any network, it wouldn’t rely on transporting your data over their servers, it would be a protocol that was open to third parties to implement, it would also be reproducible or independently compiled by trusted third parties (like OS maintainers, who already audit a lot of the code that gets built and signed).

Look at how signal vs meta make their money. Meta's entire business model is built around directly violating people's privacy, and conspiring with other businesses to violate people's privacy.

Meta is a publicly traded company. Signal is a 501c3, it's a completely different kind of organization.

I already said that meta has an incentive to snarf up your data.

There is credibility to the notion that signal is designed to ensure that people who are paranoid would prefer it.

The fact that it exists and is convenient prevents more secure messengers from existing as the lion's share simply goes to signal, and this is what I mean by marketing. It is conventional wisdom that signal is the bee's knees and looking further or scrutinising it is folly.

A lot of funding comes from the government to signal too; and since it’s an American company it must comply to the best of its ability with US law. They tell us that they can only comply in small ways, but given that there is no independent verification of the server (that it even runs the FOSS code) and the hostility in having unofficial clients on the network I am left pondering.

Beyond that, metadata can be every bit as interesting as the actual conversation. Alice only talks to Bob on the weekend. Charlie sending a message to Dave cascades to Dave talking to Eric, Francis, and Gavin. Herald is only online from this business' IP address during opening hours.

The list goes on (and on), but the point is that Facebook gets to be the good guy and claim E2EE, while gathering all that metadata.

Your grandma cares about E2EE?
I agree but the person I am replying to is talking about using Matrix
Default should be sms, it is on every phone.

As for web/desktop one can use also Telegram.

What about Element?
Why not use sms? No need to install apps.

My parents use that. I use that.

It's extremely expensive outside the US and can't be sent over wifi - so if you're communicating with someone abroad it's not a very convenient option. You're also missing out on E2EE and, lastly, Apple has corrupted the utility of it as a communication method for half of the devices out there.
I'm not in US, and unlimited sms is included in monthly subscription.

And years before that sms was cheaper than data.

Also sms is cheaper when roaming in Europe (in my case it has zero cost besides the monthly subscription price).

Sure, IMs are better if you need group chat or communication abroad. But that is not the case for the majority of the population, where 1 to 1 communication is used inside a single country.

Missing the point. Sure pen and paper works great still.
It is more like comparing pen and pencil.
I'm talking about writing a letter
I thought moxie moved on from Signal? Is he still in the loop?
The anti-signal crowd loves to blame moxie for everything. Just part of their overall commitment to being fact-free
Moxie was fairly controversial in his stance on several issues. That's not "fact-free".
Moxie is no longer involved in Signal. Blaming him for things Signal does now is pretty free of fact
Other than that he set things up to be that way.

He’s not blameless for the fact it’s not federated, for example. Even if he’s not involved anymore.

Federating is hard, and Signal is trying hard to solve the metadata problem in a fundamentally different way (which I happen to believe is better).

I see you want federation, that's fine. I want private metadata. Don't use Signal if it doesn't do what you want, but maybe try to accept that not every project should do what you want. They have their preferences too.

> no third party clients

Isn't their client open source? If I compiled it myself, is that a third party client?

If they don't let me compile it myself, how can I trust their official version is using the source they published?

You can build their client and use it yourself, but they don't want you to distribute it and they don't want you using their infra and API from a third party client.
They don't want people distributing unofficial builds that claim to be Signal due to the risk of supply chain attacks against users.
Honestly not what I expected to hear about Moxie. Any more tales that back this up? If this line of behavior is true then I think it's time to move on.
Reading this thread is what convinced me to switch away from Signal and investigate Matrix:

https://github.com/LibreSignal/LibreSignal/issues/37#issueco...

I was ready to grab my pitchfork after that first comment, but farther down:

>>Some time ago you federated with CyanogenMod. What has changed since then?

>What changed was going through that experience. It seriously degraded the UX for our users and held us back in the development process at many times. I'd estimate that all told, we lost about 6 months to a year of progress. It's something we'll probably never do again, and has fully convinced me that federated protocols are a thing of the past in this world of ours.

That's a pretty reasonable take: we tried it and it hurt velocity too much.

Ah yes, velocity. I want my secure and encrypted messaging app to have development velocity so they can add sketchy cryptocurrencies, stories and giphy integrations instead of making a stable and polished app that can send messages and pictures.
There's a time for high velocity, and a time for stability. Federation, at least officially-supported federation is difficult when it's time for high velocity. Having used Signal in 2016 when that thread was written, it makes sense to me that Moxie felt it was a time for high velocity.

I'm not convinced that's still the case in 2022. There are a couple issues I'd like to see polished in the Android client, but I have not noticed bugs or missing features that seem likely to require breaking changes.

Thanks, this was illuminating.

Ironically, from his website:

> In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we're passionate about building and creating things in a self-motivated and self-directed way.

Curious what all you had to do to switch from Signal to Matrix.
Yeah, I regret ever mentioning the project to people.
Also HQ in US, rofl.
Wait? Really? I've been out of the loop regarding Signal. But "crypto punk/anarchist" Moxie Marlinspike is using DMCA takedowns and doesn't like decentralization and 3rd party clients? I'm flabbergasted.
Moxie is not at Signal anymore.