Presented at
May Contain Hackers (MCH2022),
July 23, 2022, 11:40 p.m.
(30 minutes).
This is a rant about how moving ecosystems are not a good reason for centralizing a crucial service, how stickers are no substitute for a desktop client that does not crash, and how effectively shutting out less popular OS platforms is just not cool.
In his seminal work ["The ecosystem is moving"](https://signal.org/blog/the-ecosystem-is-moving/), Moxie Marlinspike laid out clearly the reasons why it's impossible to do what [Matrix](https://en.wikipedia.org/wiki/Matrix_(protocol)), or [the Fediverse](https://fediverse.party/), or for that matter the Web, have done: create a dynamic, quickly-evolving ecosystem without centralizing it.
For years, as a person responsible for information security of at-risk reporters and their sources, I have been advocating Signal as a secure Internet messaging service. And with good reasons.
Criticizing a security-sensitive tool like Signal is tricky, as it might be misconstrued as a call to abandon it, and move to alternatives that might be in fact worse. But here, at a hacker conference and with little risk of causing confusion and diverting users towards less secure platforms, can we please have an honest conversation about Signal's problems? And how 5 years after that blogpost, moxie's centralization has not solved them?..
There are good reasons to exert a level of control over what connects to a communication network. But effectively shutting out a community of developers that would love to implement Signal clients [for](https://gitlab.com/rubdos/whisperfish) [less](https://open-store.io/app/textsecure.nanuc) [popular](https://forum.pine64.org/showthread.php?tid=8505) [OSes](https://forums.puri.sm/t/how-can-you-install-signal-on-the-librem-5/10244) (many of which happen to attract the kind of infosec-aware crowd that used to be the core pushers of Signal) is not a good outcome.
Opening up more on the client side and providing some form of independent client development program (starting with a stable API) would already help a ton. Even if it's just the desktop client that gets re-written in something that is not in essence a packaged browser [trailing it's upstream on security patches](https://news.ycombinator.com/item?id=22239791).
Finally, we need to talk federation. Does it make moving fast and breaking things more difficult? Yes, yes it does, and that can be a good thing. It also makes the resulting federated service more resilient (one [service provider experiencing issues](https://www.indiatoday.in/technology/news/story/signal-users-globally-experiencing-issues-company-working-on-a-fix-1759524-2021-01-15) does not bring the whole network down). And, it lets others innovate without being locked out.
Presenters:
-
rysiek
Information Security [ISNIC](https://isnic.is/), the .is DNS registry. Co-founder of the [Technical Error Correction Collective](https://tecc.media/). Tech, policy, and activism background. Previously Chief Information Security Officer / Head of INfrastructure at [OCCRP](https://occrp.org/).
Co-operated with a number of EU-based organisations working in the digital human rights area and participated in a bunch of Internet governance meetings. Main policy interests: information security, privacy in the digital age, Internet governance (including censorship, surveillance, Net Neutrality), copyright reform, digital media literacy.
Links:
Similar Presentations: