• dirtfindr
    link
    fedilink
    arrow-up
    7
    ·
    edit-2
    5 years ago

    OWS has finally realized the huge shitshow that arises from requiring phone numbers. Note that this is merely a positive step toward eliminate ph#s – they ultimately still have not fixed the problem.

    The article was written by someone with marketing in mind, because they omit an important detail: where does the key storage move to if they’re protecting it with a PIN? In their phone to toilet example, they’re assuming the keys are forever lost (nevermind that an advanced user can possibly recover their data). So it’s essentially implied that OWS is moving key storage into the cloud. It’s not likely an accident that OWS omits this from their article. Resist.Berlin points out (in the article below) that OWS is quite happy to transmit sensitive PINs over an insecure phone line. So if they don’t also change that attitude this is a recipe for disaster.

    For the moment, you should still be avoiding Signal. These two articles give extensive rationale:

    And this article covers which privacy advice sites you can and can’t trust in this regard.

    • DessalinesA
      link
      fedilink
      arrow-up
      3
      ·
      5 years ago

      This makes me more suspicious of signal than I already was. If they’re really trying to get rid of phone numbers as identifiers, then why are they announcing pins, which are another private identifier and not publicly addressable? The purpose of them is solely for backup, and has nothing to do with public addressing.

      They could solve this whole thing by adding a username and password, its not difficult, 99% of systems use it for logins.

      I’m sticking with matrix anyway, its already far beyond anything signal does.

    • dirtfindr
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      5 years ago

      The PIN cannot be the identifier directly because the article states the PINs are primarily used for data recovery. If PINs were also your identifier then anyone could trivially do a recovery op on your data.

        • dirtfindr
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          5 years ago

          Is that due to OTF not offering money, or due to OWS not accepting the money? I’m assuming it’s the former.

          When a US politician accepts a bribe from a US lobby like the NRA, how long does it buy loyalty for? Perhaps just as long as the term for the elected office, but with OWS Signal there are no term limits.

            • dirtfindr
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              5 years ago

              Insecurity due to bribery can manifest in many ways. Snowden revealed (and Bruce Schneier elaborated) that the mass surveillance strategies are largely carried out by paying bribes to enlist cooperation from key organizations. E.g.

              1. backdoors – This is completely trivial for non-free s/w. It still happens with free s/w but it requires a bit more effort, like compromising the few developers whose eyes are going to be on the piece of code under attack. Signal is non-free masquerading as free. It’s GPLd, but OWS uses network protectionism to block users from actually benefiting from free s/w. OWS threatened the makers of Libre Signal with a lawsuit. So if there is something you don’t like in the code, you can’t fix it. Your choice is to take-it-or-leave-it. Since you can’t effectively change it and make it your own, are you really going to take the time to read the code? Unlikely. When OWS renders software freedom useless, there are fewer eyes on the code and this can even be more dangerous than closed-source s/w b/c it includes the false sense of security that someone who looks at the code is looking after your interests. The big openssl bug emerged due to this snowdrift dilemma.
              2. bugs – Who needs a backdoor when hackers exploit bugs? Bugs can be planted just as a backdoor, and in fact it’s easier to plant a bug in than it is a backdoor. Existing bugs can be ignored as well. The adversary (opentechfund) could spot a bug and either pressure OWS not to fix it, or they can make requests that guide developers eyes away from the bug. It’s so easy; I plant bugs all the time and get away with it. The only difference is that when I do it, it’s an accident. When an adversary does it, it’s an “accident”.
              3. weak design – The project may have a design idea that makes the app more secure, but they simply opt not to take that direction b/c an important donor wouldn’t like it. Or if you consider the topic of this thread, it’s quite possible that Signal is looking to weaken the design – to get keys into the cloud in order to set users up for compromise. Government bribes are not often to cause outright blatant backdoors, but rather to weaken security in ways that their highly skilled hackers can come up with a clever attack that works in not-so-obvious ways. I don’t mean to push a conspiracy theory but you must consider the timing of this putting the keys in the cloud with the “Earn IT Act”. At the same time, they can keep users interest by claiming this is a precursor to eliminating ph#.