Signal or Threema or how about both?

I have been a fan of Signal and someone encouraging its use over the likes of WhatsApp. It’s been good to me, but like every piece of software there are things I would change about it. For example, the whole PIN code thing is not only concerning but also a real challenge for casual users.

The PIN code thing and the phone number thing are not that much of a concern for most, but I’ve been keeping an eye on others coming into the space. Threema is one such messaging app, which seems to have all the privacy and security needed, backed by its strong European base in Switzerland.

I wrote it off in my mind because it didn’t have an open code base for security experts to view openly. However, that recently changed with them open-sourcing the code base.

Because of this change I’m taking another look at Threema, although I don’t think I’ll be dumping Signal as a result, but rather using both?

Signal’s catch-22 problem?

I have been introducing Signal to friends as a proper alternative to WhatsApp. It’s mainly been OK, but my friend Hannah has hit a catch-22 problem; in her own words…

Signal should be a great app. It’s secure, easy to use and even my most skeptical and tech-suspicious friend uses it. But since I forgot my pin, I’ve not been able to get onto the app, not been able to reset my account or even been able to delete my account to start again!

I did email to get some advice about this problem but what I got back (after nudging to get a response) wasn’t really helpful. Apparently, you can reset your pin once you’re in the app but since I don’t know my pin, I can’t get into the app to reset the pin I don’t know. I also need to be in the app to delete my account. So basically, in order to access the information I need, I need the information I need. And yes, I did query the logic of this advice but it was just repeated to me!

This is really frustrating because even after deleting the app and waiting 7 days as suggested, the problem remains. In fact, I’ve done this a few times, waiting longer periods and it still hasn’t worked. Signal is effectively holding my phone number hostage, not allowing me to use it to create a new account or access the numerous messages I’m informed I’m missing (through other less secure – but at least reliable – platforms).

I get that not revealing my pin to me is a security thing but to be honest, it seems daft that I can’t even reset that pin using other means. For example, Signal already texts me a confirmation number when I try to sign in – surely this is enough to know that I’m the owner of the phone? They also have my email address.

If I really can’t reset my account, I would be more than happy to delete the current account and start over again. But until there’s a way for me to do this without entering the app in the first place, I’m stuck in limbo.

I’ve sent one last email to try and sort it out… fingers crossed!

If anyone has a solid answer for what Hannah can do, that would be massively helpful. Even I’m lost as to what she can do now.

Signal, what are you up to?

I love Signal and never used WhatsApp because of many reasons included in this great opinion piece. It’s gotten better and better, but the recent PIN number is a worry. I’m not the only one.

“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

I do understand why they have done it, but I don’t know where it’s going next. Marlinspike (head dev of Signal) replies.

Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”


The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.

Convenience is the enemy of security and, I would say, privacy. I wouldn’t be surprised if Signal gets forked.

It was always clear to me that Twitter direct messages were never secure in any way, hence why I tried to move private conversations over to another medium. If that’s not email or Signal, what else? Recently I have been looking at a couple of others…

Session, which is decentralised messaging, and Criptext, which is actually secure email. Both need work but have decent security.

Public Service Internet monthly newsletter (Mar 2020)

We live in incredible times with such possibilities, that is clear. Although it’s easily dismissed by looking at the sorry state of the UK during our EU withdrawal or the tech press panic over the coronavirus.

To quote Buckminster Fuller: “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.”

You are seeing aspects of this happening with the rise in unions and labor rights in the gig economy.


Google users in UK dropped into GDPR limbo

Ian thinks: I always thought this was going to happen, once out of the EU our data privacy laws won’t be respected by the GAFFA’s and why would they?

Signaling to the masses, leave whatsapp

Ian thinks: Signal as a behemoth is concerning, but it’s clearly made the best use of open source licenses to keep itself in check. Love the new systems which are being built on the protocol, a real opportunity for something very new.

A future without public service media?

Ian thinks: All public service is under threat, and hearing the words of the CEO of the CBC really sends the message loud and clear.

Governments who lockout their Public service broadcasters

Ian thinks: Following the previous link, a look at the sorry state of America’s public service broadcasting. The uplift in donations is good, but for how long? How sustainable are public donations?

Making the digital economy working for the 99%

Ian thinks: 3 words – Transparency, auditing, diversity.

Spotify’s plans to take over podcasting?

Ian thinks: The comparisons are spot on and it’s clear podcasting is going through a massive change right now. Spotify’s play to commodify and dominate is hard to break unless there are experiences they cannot own.

Centralising podcasting with trapping techniques

Ian thinks: The writer makes a good point about Spotify taking decentralised open media and locking it inside a closed proprietary system. Lessons to be learned for future services we use.

The utopian vision of Airbnb vs the harsh reality

Ian thinks: I like Airbnb, I’m even a host, but it’s clear there isn’t just a problem; it’s fundamentally broken and actively exploited by too many.

Could containers for web browsing benefit you too?

Ian thinks: Been using Firefox containers for the last 6-8 months and find them incredibly useful. The user experience is a mess and provides an opportunity for design disruption.

If you are using WhatsApp… update now and consider swapping to Signal!

WhatsApp: never used it, never will. But I know many, many of my friends do – please do update! Or even better, dump it and use Signal messenger.

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims’ smartphones: all a snoop needs to do is make a booby-trapped voice call to a target’s number, and they’re in. The victim doesn’t need to do a thing other than leave their phone on.

The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on the microphone and camera, accesses photos, contacts, and other information on a handheld, and potentially further compromises the device. Call logs can be altered, too, to hide the method of infection.

The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Arriva trains changes to their onboard wifi service

I noticed Arriva trains (now Transport for Wales) have changed their policy on onboard wifi usage. I had problems with it in the past…

Now, instead of cutting you off when you hit the shocking amount of 20meg (yes, you heard me right – 20meg!), they throttle the internet to your device at 20meg.

It’s still not ideal, but I do feel it’s a better compromise than cutting the internet completely. Especially because, frankly, the signal from tethered phones during the journey through south Wales can be pretty poor for miles and miles.

I joined Wire… slightly under peer pressure

I looked at Wire a while ago but stuck with Signal. Some friends think I’m insane when I say I’m not using WhatsApp, but I have many reasons.

Herb asked me why I use Signal and not Wire, then a few people at Thinking Digital put the final shot in the social cannon. So I looked at it again and installed it alongside Signal.

They are quite different; for example, Signal is very tied to a phone number while Wire is but isn’t (well, you can only register one phone number, which is a shame). I can log in with the email across devices and it doesn’t seem to offer itself as an SMS/MMS client, while Signal does offer to be an SMS/MMS client if you accept it. But you can’t run Signal on multiple phones as it locks to that phone number.

I originally didn’t see the 64bit Ubuntu/Debian package, so ran it through Wavebox which makes websites act like native apps. But today I saw the deb.

Generally I’m thinking of Wire as something more like Ubuntu, while Signal is more raw like Debian. I’m sure some will hate that comparison but I look forward to seeing where they both go next, both are secure, open and run across all platforms.

But as they move forward with features, will they keep the same data ethics (privacy, security, data ownership, identity, permission) in mind? I really hope so…

Updated

Old friend Gabby has been talking to me on Wire and pointed me at this blog post which pretty much sums up the difference I found with Wire & Signal.

One of the biggest differences compared to other secure messengers like WhatsApp or Signal, is that Wire does not require a phone number to sign up. Anyone can register with an email on desktop or tablet and then decide if they want to use the same account on their phone or not.

How to run two Whisper systems Signal clients on Linux side by side

Running two Signal clients on Ubuntu without the stress; made one dark and the other light themed to remind me which one is which

I’m very sure I’m not the only one with 2 mobile phones (heck, I really have 3 actual active SIM cards in 3 phones, but that’s another story).

I have chosen not to use WhatsApp as their EULA doesn’t fit well with me, so instead I always suggest the Whisper Systems Signal client. I have many reasons, including a Linux web client, but I have been wondering why one client couldn’t support multiple accounts? Especially since you can easily and securely verify the phone to the desktop client, using a generated token.

I’ve been wondering if I could run two Signal apps or run them under different system users… then it dawned on me: it’s using Google Chrome’s app framework, so maybe I could use open source Chrome, aka Chromium, to do the same? Surprisingly, without having to set up another user account for the Chrome store, I was able to download Signal again and make Chromium launch it.

Now I have 2 completely separate Signal apps which are linked to different phones but using the same Ubuntu desktop environment.

I know it might seem obvious, but there seem to be a few people asking for multiple users using a single Signal desktop app. I also looked at whether it could be installed in Firefox, but it looks more tricky than just hitting install from an app store. Sure my tip will work for MacOSX and likely Windows too?

Little tip for friends and followers which I thought was worth sharing… Now get yourself on Signal.

Are you happy with the state of the mainstream net?

https://stealthisshow.com/s02e08/

I was listening to the Steal This Show podcast season 2 episode 8 with Balázs Bodó and Jamie King. They were talking about how we have kind of gotten used to the way the net is, and they are wondering where the innovation is coming from or going to.

It piqued my interest as I have always had an interest in technology uses for legal and illegal purposes. It’s that classic cat/cops and mouse/robbers scenario; I’m not saying technology is neutral, but the same technology can be used to liberate and enslave. I thought it might be nice to share some of the stuff I’ve got in my tabs/task list to look at…

Most of the good stuff I’ve recently been looking at is all about privacy and security, which has required me to get a lot more serious about my digital keys.

  • Asemica
    I have always been interested in steganography, especially in clear view where you wouldn’t normally expect it. Securebook always interested me and I’m slightly responsible for inspiring the developer of that. But it’s not been updated in a while and I always thought, why can’t I use something else to generate the text required in a way which is clearly still readable?
    Because of this I’ve been looking for something like Asemica.
  • Zeronet
    I was originally looking at Zeronet for my decentralised dating idea but have always been interested in things like Freenet from a long, long way back. It’s pretty neat and certainly ticks all the buzzwords but has a solid idea built on open tech.
  • Keybase
    I can’t quite work this one out but I signed up to the alpha and have been trying it out for the last few months at least. I haven’t sent any GPG messages yet but I’m getting my head around it all. The Keybase file system is much more like a distributed Dropbox and it doesn’t take a lot of thinking to imagine the possibilities.
  • ZeroTier
    This is what I’m using as a VPN for all my devices and it’s quite simple but effective. It’s quite neat as it works like Hamachi and I have configured my server at home to bridge networks, allowing me to access my 1gig connection in the UK from anywhere. I haven’t played with accessing other networks yet but it’s in my tasklist to bounce around the world if needed.
  • TOR (the onion router)
    Does this one really need any explaining? So many people instantly think of the dark web and buying drugs, porn or worse. Well, there’s a lot more to the dark web than this and I’m seeing some seriously credible technology solutions built on top of TOR. Of course TOR project really lend itself to huge amounts of data bandwidth, but have you recently looked at the TOR Stem or TOR messenger?
    There are other things I’ve seen, which I’d rather not talk about, which do the connection over TOR then switch to IPv6 afterwards for the bulk bandwidth.
  • Signal
    Remember that instant messenger system Snowden used? Well, it’s end-to-end encrypted messaging by Open Whisper Systems and there are apps for most platforms including Linux and Android. It’s pretty neat but if used in a careless way can’t really help you much. Some would say what’s the point now Facebook/WhatsApp are doing the same? Well, actually they are using Open Whisper’s library, so clearly superior.
    Signal is starting to get a lot of people now and although it won’t be as popular as WhatsApp, Facebook Messenger or even Google Allo, it’s pretty neat and bots are coming.
    I’d like to see shared identities, so both my mobile phone numbers (work & personal) combined. I could choose to message from either of them but also see both. A master identity of some kind?
  • Bitmask
    Encrypted VPN and email; looking at it I thought it was a bit too good to be true. So I checked it out and found it’s actually an implementation of the LEAP Encryption Access Project, which had a number of interesting projects including TorBirdy (TOR+Mozilla Thunderbird).

Less about privacy and security but still on my task list

Plex and Emby
Streaming your own media anywhere and everywhere is very attractive especially when you have a fast home connection. I have Plex installed but I’m certainly looking at Emby which seems to be the new kid on the block. Looking at it, Emby might play nicer with things like Kodi & VPNs maybe?

There are many things out there if you’re curious and look around for better; for example, I have on my task list hacking my Chromecast, where I’ve seen someone has put the Plex client on a Chromecast, got screen mirroring without wifi and even a DLNA client. Let’s not forget EZcast and Miracast alternatives.