
>is that a warning is better than lulling people into a false sense of security.

But in the end any such warning is meaningless as it can't possibly be acted upon.

>Again, your phone may not be compromised but your IME could still be malicious.

If you're using a malicious keyboard app I think it's fair to say that your phone is compromised.



It can be acted on: you can realize that you probably shouldn't talk about everything using Signal despite the person urging you to install it swearing that it's secure. (Which was the exact event that was given as a reason to add this: some journalist telling Chinese students(?) to use Signal to talk to them freely.)


If your keyboard sends everything you type to the state, and there are no usable alternative keyboards, what realistic actions can you take?

a) type nothing anywhere on your phone: send only emojis, 'gifs', and voice notes?

b) learn to read and write a language with keyboards that don't phone home; or transcribe your written language to an alphabet with a keyboard that doesn't phone home

c) buy an expensive phone with an OS-supplied keyboard that doesn't phone home (assuming such phones exist?)

d) learn Android development and input method theory and build a new keyboard for yourself

Are any of these actions actually feasible for the general population?


Knowing what you can't do safely is important. How is "don't send 'incriminating' messages to that journalist through a phone, or if you do be aware you might be monitored and there might be consequences" not a realistic action in the scenario?


Should Signal then come with a blanket warning “Do not trust Signal!”?


A brief explanation of the threat model (i.e. what it aims to protect against and what it doesn't) would probably be more useful. "Do not trust people that tell you Signal is perfectly secure" is true but probably doesn't lead to the right user behavior. I'm not claiming communicating these things well is easy.

(And obviously a bunch of the blame lies with people that do uncritically push Signal; if you are a journalist, not misleading your "sources" is important, but again they need to be educated too and it's not surprising that's not happening perfectly - efforts in that would also have been a reasonable response IMHO. And of course this is based on the assumption that the events have been presented somewhat accurately.)


Why is it the responsibility of the Signal developers to do people's threat modeling for them?

If your situation is that you need to communicate things that could get you killed or imprisoned, you should be using a burner phone that has pretty much nothing installed on it but Signal (or whatever app you choose to use for secure comms). You should also be using a third-party OS/ROM that you can be pretty sure hasn't been backdoored by a local telco or government, or a device that you've managed to import from abroad that likely doesn't have local modifications.

I would assume that most people do not do this, and yet somehow expect Signal to magically make the entire stack below it secure, which is a ridiculous expectation.


It shouldn't do their threat modeling, but it is being widely promoted as "secure" (with little to no further restrictions) by and to people without detailed tech knowledge and is in an excellent position to inform their "threat modeling". As a principle, "People should know better" somewhat works for expert tools; tools for non-experts should, where possible, let users know what they are not aware of. (What exactly that means and where the limits are is, as said, a non-trivial question.)



