The article in question is linked here; it is mandatory to read it first to understand what I am talking about.
FUD and speculation to shape public opinion and spread fear based on nothing. This is unprofessional.
Lemmy could also be a honeypot; if you accuse others without anything to back it up, make sure the boomerang does not come back. In fact, the source code is hosted on platforms you have no control over, such as GitHub, which is known to make its own rules as it goes.
In the end you never know which people are behind it and their promises are worth nothing; however, the source code is open and Signal uses Google, AWS and co. as servers because their services are reliable and proven to be secure. The metadata that goes over those servers is so small that this alone is not enough to compromise you directly. Golem.de has an entire series of articles regarding Signal, explaining most things in depth and linking to actual research regarding possible metadata leakage and server infiltration.
His NSA claim is pure FUD because the NSA's interest is national security, and if the dirt hides behind Signal or Session it would not matter; they would all become a target either way, no matter whether it is Signal, Threema, Session or any other IM for that matter. This clearly shows that he does not understand how the NSA operates. Besides, there are other organisations like GCHQ and others who have a similar goal. In fact there are agencies around the world, often working together to fight criminals and cyber-criminals. This is actually a good thing and not a bad thing; not everything is bad. That people abuse the given power is the bottom line here.
There is nothing substantial he brings forward; this is all FUD and based on what-ifs. Adding links to irrelevant topics and discussions does not make it look better, it makes it worse, as those links typically lead to nothing except opinions. Those opinions come from people who are often not experts, use other solutions themselves and have an interest in promoting other solutions because they might be involved in them or make a profit out of them. Revealing this is tricky, difficult and takes actual research, which most people are entirely unwilling to do because journalism on such a level is not done overnight.
China and Signal, a nonsense argument as China is the biggest state to censor.
China is known to censor; it even blocks HTTPS, several stores etc. within the country to make it very hard to obtain a secure messenger and establish communication behind the government's back. This is known and nothing new or surprising, has absolutely nothing to do with Signal, nor is it an argument just because some servers and services are in general compromised or blocked. This is also not what Signal is made for, nor can Signal fix it.
Blah blah self-hostable. This is no argument.
- He is also wrong that you cannot self-host Signal.
- Self-hosting can make you more vulnerable and not more secure. He does not even mention any downsides. All alternatives, all systems, always have downsides, as with self-hosting. Google etc. are known to be, as said, secure and reliable. The average user typically fully trusts and relies on others for the software packages, which can be dangerous.
Nonsense about alternatives being shut down.
He links to two events that he interprets as shutdowns. The point here is that creating alternatives that are incompatible causes damage to the original software because people then have compatibility issues, and this is the real reason here. No one mentions that. The first thing that users would do is create issue tickets and ask why fork X is not compatible or why there are problems with it. He protects his property, which is more than fine. Forks in general tend to add no reasonable benefits and are often outdated, more insecure and usually maintained by only 1 or 2 people, whereas Signal is covered and inspected by more people.
If I created a Lemmy.ml clone that is less secure, or pretends to be xyz, you would also have a legitimate interest in protecting the original, so I do not understand the hypocrisy here. It is to avoid damage, compatibility issues, reputation damage in case something leaks out, trademark-related things etc.
More nonsense about metadata
> The evidence for or against the “privacy” of centralized services is always circumstantial, because ultimately we can never know what code the server is actually running, or if it’s been compromised by a malicious actor. The server is a black box we can’t see into.

This is irrelevant because most people can neither inspect nor understand the code even if it were fully public. The circumstances you mention are about what metadata can be pinpointed back to you, and this is already answered: there is not enough, even if the servers are breached or directly compromised by your beloved NSA. The evidence is given here.
Phone # Identifiers
The fact that you can just buy a burner SIM with cryptocurrency on lots of sites and then register with it links absolutely nothing to you, which, besides the NSA paranoia he spreads, is alone a reason why no one should take this essay seriously. Using a burner SIM also gives you more possibilities, as you can use it for other accounts and purposes too.
The phone number thing, btw, was added to make it easier to share, find and use your contacts and make them aware more easily, not to exploit it. You can also, btw, just block the permission within Android after you are finished. However, your contacts already have your real phone number and real name, or most likely your burner number anyway, and then typically upload your number and data into the cloud either way. Even if you want to protect your number and data, your friends might be careless and you end up in a cloud database anyway. When you call someone and he uses a stock OS and all the G apps, he gets your number and then you never know whether that is not uploaded into G's cloud anyway, so in the real world there is no escape no matter how hard you try. There is nothing you can win.
Abandonment of Open source
This is an outdated story and the source code was updated. Nothing ever implied that something was outdated. This is a rumor spread to create moral panic. dessalines did not update his section.
Bundling a Cryptocurrency
This is a good thing as we saw in Ukraine.
He mentions Threema and others without any evidence; conjecture at best. Centralization has benefits, and self-hosting everything creates a bigger carbon footprint as well as making you more likely a target, as attackers have more interest in extracting and exploiting you to obtain your hosted data. He entirely ignores it and does not mention it with one single word.
Blah blah Matrix this and Matrix that. Given the fact that Matrix is more broken than Signal, I prefer Signal over Matrix every time.
dessalines is not an expert, and just because he runs the show here does not mean he is always right; in this case most of this essay is wrong, based on sentiment as well as FUD and speculation. Most of his essay is absolutely irrelevant to Signal, e.g. the NSA part, because they simply inspect every alternative, including Matrix. He entirely fails to mention that hosting your own services can make you more vulnerable and takes much more time and money than depending on proven systems. If you really think you have more research and more experience than Google, then you must have it coming.
dessalines in his intro makes huge claims about Signal and government funding, and at the bottom, when he advocates for Matrix and links to French government funding for it, he mentions no concerns. So how is that any different from Signal? He claims the NSA or possibly others could influence the project, but when Matrix does the same it is okay, or what? Ridiculous.
At the bottom of his essay he at least admits that federation has a metadata leakage problem. But the ending of his essay is not much about Signal; it is more there to advocate and promote other projects, which is irrelevant to Signal as well as to the metadata problem, as the other solutions he links are also not fully anonymous, e.g. Briar is not designed to be anonymous.
I find it odd that he talks about security when Lemmy does not even support minimum basics such as 2FA or WebAuthn, but dares to shit-talk other people based on conjecture and no actual evidence. I could list 100 other things that are wrong with federation or Lemmy in general here, but I let it go, as he does not handle criticism well and comes with the dear old "make a pull request or provide an actual solution" speech to play things down, not outlining pretty clearly that there are many, many things that are wrong on a nuclear level.
Let me clearly say that I am not a Signal friend; there are many threads in which I expressed my own concerns. However, I always had respect for Moxie and his idea, work and approach to handling real-time communication. I think he did an overall good job. Again, do not get me wrong: I also think Signal is wrong, but more because the old developer and CEO decided, due to spam attacks, to close parts of the source code on the server end, which is the security-by-obscurity principle, which I am not a fan of.
The criticisms dessalines links in his essay are often conjecture and not something that has much meaning in the real world. They are often gathered by other people who are biased against Signal, often to promote their own programs, apps or involvement in other projects to make them look better.