Hacker News new | ask | show | jobs
by upofadown 508 days ago
Briar messenger is specifically designed for things like protests. I think I would prefer it over Signal. The article says:

>Signal has responded to 6 government requests since 2016, and in each case the only information they were able to provide was at most: ...

That is the all the information they claimed they had. We have no way to know what they actually collect. Briar runs P2P over Tor so they can't collect data, even if they should want to.

Whatever is used, an article like this should remind the potential protester to turn on disappearing messages with an appropriately short interval. The powers that be might use something like a Cellebrite box to get all your old messages by cracking the phone security.
2 comments
mmooss 508 days ago
> Briar runs P2P over Tor so they can't collect data, even if they should want to.

That makes the common, dangerous, naive assumption that the implementation is secure. Correct, complete, secure implementations are very hard.

(It also assumes the design is secure, which is impossible to tell based on that limited information. P2P is not any more secure than over the Internet: In fact, it's easier to identify (there are only a few Briar P2P signals and near-infinite Internet signals - you've outed yourself), and if you mean local mesh P2P networking, that doesn't help at a protest, where the authorities also are present.)

In the more public app world, only Signal has done it well enough that experts trust it, and they have lots of free help from the expert security community.

link
AnarchismIsCool 507 days ago
It...depends.

If you're not technical, signal is hands down the best solution.

If you have a group that's going to something and you are willing to take some extra steps, something like matrix/briar/simplex/whatever setup with a self hosted instance provides you with the knowledge that all the infrastructure is under your control and that the feds just aren't going to have the time to sit down and figure out how this shit works.

The thing this thread is wildly missing the point on is unless you off a ceo or are a prolific organizer, the feds are systematic. They pick a set of techniques and technologies that cast the widest net possible with the money they have, then spend their time trying to nail people within that venn diagram. Yes, security through obscurity is not ideal in-and-of-itself, but combined with encryption and chaos, you can get much farther than using the same stuff everyone else has been using for a decade+. If you stay near the leading edge of tech the feds are a decade behind you, they still have years of threat briefing powerpoints to sit through before they can even think about implementing a countermeasure.

You could find 1000 CVEs in briar but if only a handful of of people at a demonstration are using it, the feds are still going to be sitting there beating their heads against signal because that's what they know how to do. If they ever find a single high severity CVE in signal, it's game over for everyone.

link
mmooss 507 days ago
What are the bases of your claims about what government authorities do and don't do, what their capabilities and resources are, etc.?

> the feds just aren't going to have the time to sit down and figure out how this shit works.

They have resources many orders of magnitude larger than you. The NSA has tens of billions of dollars per year and five or six figures of personnel. It's you who don't have time.

link
AnarchismIsCool 506 days ago
:)
link
fph 508 days ago
Signal is open source and ships with verified builds, so yes, we have a way to know what they actually collect.
link
upofadown 508 days ago
I meant at the server. We have no way to know that is running there.
link
tptacek 507 days ago
The point of end-to-end encrypted messaging is not having to care about what the server is running, which is why the threat models for most academic cryptographic research on these things is "assume a compromised server", and, if that gets you real compromises, the protocol is considered broken.
link
upofadown 507 days ago
End to end encryption protects content. It doesn't protect things like information about who is talking to who. For that you need something like an onion network. As already mentioned, Briar uses Tor for that. Signal claims to not collect such information but my point is that we have no way to know what they collect. Claims don't count for anything for these sorts of things..
link
Almondsetat 508 days ago
How can the server collect data you aren't sending to it?
link
mmooss 508 days ago
The server is open source too. You could download it and run your own server, afaik.
link
TiredOfLife 508 days ago
Signal occasionally drops something that could be the server code.

When they were working on their cryptocurrency they didn't release anything for over a year.

link
chikere232 508 days ago
isn't that what the e2e encryption is for?

I guess they could collect metadata of course

link