It seems that a couple of security researchers from this community felt that Signal's implementation of a TLS-in-TLS proxy to allow its use in censored Iran didn't live up to their standards (it can be detected by censors and blocked). However, after Signal rejected this issue, they turned toxic and were prevented from posting anymore [1].
The above post is their reaction, which feels more like them lashing out rather than attempting to uphold the greater values of the anti-censorship community. I feel that it doesn't benefit anyone that they behaved this way, choosing to attack the Signal team and the reporter of the article below, rather than resolving the issue productively while allowing the community to continue focusing on their mission.
It's more important how we all feel about each other and our drama than the fact that there isn't currently an easily available, obvious way to have private secure conversations.
Your "they are not being constructive enough" is actually very unconstructive, because it drags the conversation into more drama.
The tone is not more important than the facts. It never is.
I'm not suggesting you have some alternative motive to deflect the facts. Anyone could have written this reaction.
The top comment on a thread like this is always the same. Talking about tone. But I don't mean this offensively, I'm sure I've done it myself as well at times, but it feels like theater. Like a journalist asking a question they know they won't get an answer to. Talking about drama is the same as participating in it.
At one point in my career I had a somewhat public facing role. I made a tough decision that aggravated a user, who decided to send me several death threats. Suddenly that tough decision wasn’t so tough anymore. Any possible resolution was gone.
These situations involve people. We aren’t fact machines.
> Russell Conjugation (or “emotive conjugation”) is a presently obscure construction from linguistics, psychology and rhetoric which demonstrates how our rational minds are shielded from understanding the junior role factual information generally plays relative to empathy in our formation of opinions.
> Years later, the data-driven pollster Frank Luntz stumbled on much the same concept unaware of Russell’s earlier construction. By holding focus-groups with new real time technology that let participants share emotional responses to changes in authoritative language, Luntz was led to make a stunning discovery that pushed Russell’s construction out of the realm of linguistics and into the realm of applied psychology. What he found was extraordinary: many if not most people form their opinions based solely on whatever Russell conjugation is presented to them and not on the underlying facts.
> (Humans) fear (that) authentic emotions will get us into trouble with our social group, and so continue to look to others to tell us what is safe to feel.
By e.g. paying attention to whether the speaker said "whistle blower" or "snitch".
I think the point is that these people just sound like they are barking up the wrong tree. They're bitching at a non-profit org who gives away their services for free for not doing things exactly the way they want. And then getting self-righteously upset when said non-profit bans them for acting in an abusive manner.
> The tone is not more important than the facts. It never is.
This is 100% wrong. Tone does matter. If you want someone to do something for you, acting entitled and insulting them usually isn't going to get you where you want to go. Unfortunately straight facts don't sway hearts and minds. That is just how human psychology works. I wish it were different, but wishing does not make it so (speaking of facts!).
The Signal team does not owe these people a way to conduct private secure conversations. Yet they are working on it anyway, because they believe it's the right thing to do. And I bet it's pretty demotivating for a bunch of people to come and tell them that they're doing it wrong and their current interim efforts are useless. No one is owed an explanation or dialogue from the Signal team, and behaving aggressively in order to demand one is about the most unproductive thing they could do.
> The tone is not more important than the facts. It never is.
This is an error software engineers sometimes make.
When working with human beings, tone matters. Tone always matters. "Nature cannot be fooled," but presenting facts with the wrong tone can lead to them being discarded, harming the project and/or people involved. You get better outcomes recognizing that people make better decisions when they aren't emotionally tilted.
The successful projects operated by people who don't know how to interact with other people are significant outliers (and in some cases, their creators and maintainers have recanted their past approach as counter-productive, ref. https://arstechnica.com/gadgets/2018/09/linus-torvalds-apolo...).
The thing about Mother Nature is her dependability, not only can she not be fooled, she's the firmest conceivable foundation upon which to build. When you're depending upon tone that's never more than a subtle shift of tone from disaster. "Four legs good, Two legs bad" becomes "Four legs good, Two legs better" so easily.
I agree with you that tone matters, but I think that's a bad thing, a weakness or vulnerability. We should take "tone matters" into consideration the same way we'd take "OCSP without stapling results in a query to the CA for each leaf certificate examined, thereby harming privacy" into consideration. Can we prevent it? Can we mitigate the resulting harms? We definitely shouldn't celebrate it.
> not only can she not be fooled, she's the firmest conceivable foundation upon which to build
I agree.
What do we do with that observation when we then observe that human beings care so deeply about how they're being interacted with by other human beings? We are products of nature, after all.
> The tone is not more important than the facts. It never is.
I think this framing is wrong. Tone and facts are both important (often equally so) and must both be addressed in parallel tracks.
If someone rudely raises concerns about the security of your product, it's fine to ban them as long as you also address their claims of insecurity. You can kill a community by not addressing claims of technical flaws and you can kill a community by not enforcing standards of conduct within it.
Of course it can be. If your tone is so bad, that nobody listens to you or implements things that you want, then it doesn't matter how right you are on anything.
Getting stuff done and solving problems relies on way more things than just being right.
> I'm not suggesting you have some alternative motive to deflect the facts.
Ok but by making these comments you are also deflecting from real problems that having a bad tone causes.
I agree, it is a chain of poor responses to abuse, these people probably considered the original response that they got (along with having their pull request deleted) as an abuse which is why they responded in that way.
I don't really have any particular opinion on Moxie or Signal; I've never interacted with either the product, the community, or the person. But I will say in the abstract that many founders drastically underestimate how much extra headache poor community management will cause them in the long run.
> there isn't a currently easily available obvious way to have private secure conversations.
Ricochet[1] works really well. It uses Tor hidden services to communicate. Your Ricochet ID is your onion address. To add a contact, you input their Ricochet ID and a short message, and Ricochet connects to their onion address and sends a contact request. If the contact request is accepted then you'll each show up as a contact on each other's client and can chat whenever you want.
Tor is really perfect for this, you can't get more private or censorship-resistant than Tor.
The UI is currently not great, but that's not a protocol problem.
The biggest problem with Ricochet is that hardly anyone is using it.
Doesn't the security of Tor depend on the proposition "Surely my opponent would never operate a bunch of exit nodes"? That has always been my impression, and it seems like a problem when your opponent is a state actor.
1. To deanonymise a hidden service connection you need to observe the traffic of all of the nodes in the circuit.
2. OK, let's say your adversary controls all of the nodes in the circuit and deanonymises the endpoints. Now what? You're no worse off than you would be if you weren't using Tor in the first place, so it's not an argument against Tor at all. All it's saying is "the absolute worst case of using Tor is no worse than the best case of not using Tor".
> the absolute worst case of using Tor is no worse than the best case of not using Tor
While this is true I just wanted to point out that one does in fact not need *all* the nodes. It is possible to perform traffic analysis and infer which nodes are used by a certain user even if the attacker only controls a part of the nodes. [1]
While this of course doesn't change the fact that using Tor is a good idea, one should not let themselves be lured into a false feeling of security when using Tor.
I think we are both talking about tone. While you are saying that expressing emotions and the drama is important in a discussion over Signal's future, I believe that such conduct only drives a wedge into it. These issues are emotional and affect important freedoms, but while expressing them is important, doing it in such a high-profile, damaging way can only bruise egos and create even more tension. Instead, both parties should sit down and take a long, serious look at their grievances and how they will address them.
They're banning the other party for their abusive language and behaviour, for their unsubstantiated, bad-faith claims of suppression and for misusing project resources. On top of the fact that they're not listening to why their assertions are incorrect.
Any party acting in such a belligerent, infantile manner is going to be banned since they have proven they cannot act like grown-ups in a grown-up setting.
That's a fair point and I agree with you. Something I've been wondering as of lately, what can we (as a society) do to move off the edge of high emotions? I feel as if it's a common theme anywhere I look.
We must start reading the rules of the online places we visit, as a start, and obeying them. If we don't agree with the rules, don't like "codes of conduct"? Fine, we do not participate there at all.
It's their house and we abide by their rules.
If we break a rule and it's pointed out, then we apologise and goto 10: read and follow the rules. We do not throw tantrums, we do not cry "censorship! suppression!".
We act in good faith: if we post a thread, open an issue, submit a PR, and it is closed, then we do not simply repeat our action. Whether we agree with the closure or not, repeating is an attempt at evasion and a smack in the face of those running the place. Either of these two behaviours then invite us to be banned, because we have acted in bad faith.
We do not immediately and vocally assume that an act we don't like is a personal attack against ourselves or our values. If our post is "hidden by the community", this does not mean "the leadership of the project is orchestrating an agenda against us". It means our peers have found our conduct distasteful, and it is a very loud alarm that we must heed: that we have behaved outside of the expected conduct and our peers found it distasteful, unhelpful, insulting. If a web site algorithm has prevented us from posting a link or an image because our account is new or it has triggered anti-spam measures, we do not post elsewhere about how we're being persecuted.
We invite like-minded people to join the discussion when they have innovative ideas, when they can add material to a discussion that has not yet been supplied, an angle that has not been addressed, or a concept that has been misunderstood. We never ping our friends to jump on our bandwagon, shouting the same things over and over again. Perhaps if a concern is dismissed as an outside, then more voices can be constructive, but they must conduct themselves with civility and be particularly aware that they need to add to the discussion, not to add pressure.
If a counterpoint is given to something we passionately believe in, then to discuss is to use logic and data to refute it. In the ideal, we ask ourselves to fight for this counterpoint: perhaps it is entirely valid? What we must refrain from is reading a fair and polite counterpoint and immediately treating it as an attack, a dismissal. This prompts a counter-attack and we are no longer discussing - we are now detracting from the point. When we make our issue or improvement a negative, it reflects back upon us. Who wishes to discuss with a party that cannot cope with rational disagreement? In addition, we must resist the urge to simply exaggerate our cause: to state an incorrect point more loudly does not make it correct, it just antagonises those who disagree. Those whom we are trying to get to see our reasons, our solutions, our problems.
Once we have broken the rules, assumed and publicised bad faith, breached expected conduct, ignored the ire of our peers, evaded bans, repeated actions which were turned down, called on our friends to flame and troll, replied to constructive criticism with louder voices, manipulated the conversation with hyperbole and outright refused to listen to the possibility we may be wrong...then we hold a beacon above our heads, advertising that we are incapable of joining a rational debate and seek not to improve anything but only be told we are right and righteous.
I say this not to you, but to answer your question: if anyone reads what has transpired in this matter, and then asks your question, they need to very deeply analyse their behaviour because it is unacceptable in any civilised society.
I'm sorry, but we don't read replies longer than 140 characters or that use the word "persecuted". Please create a new account and re-submit your argument in the form of a haiku.
Having made rules is not sufficient for those rules to be just. Rules are not themselves authority bearing - nor can one side be upset when they make obnoxious rules and get push back. When you respond to criticism of those rules by deleting the criticisms... well it's clear you are no longer hosting an open forum and instead trying to shut down speech you don't like.
The posters did not use insults, they did not attack the people behind Signal - they pointed out that the statement regarding the proxies was false (which it factually was) and that the circumvention that Signal gave was likely insufficient for most users. Shutting down a potentially serious security bug because it's in the wrong spot or because you don't like the tone is bullshit - it tells me you as a person care more about tone policing than keeping your users safe. When you're doing battle against nation-states who like to jail their dissidents, you don't get to reap half-successes.
This isn't a child's baseball game, this is a situation where lives are at risk. "Sorry, we really tried to put out the fire, but your yard sign made me upset and I had to go write in my journal instead of doing my job."
> Having made rules is not sufficient for those rules to be just
Quite. And if one doesn't think the rules are just, then simply don't play the game. However, rules such as "don't spam an issue", "don't spam a PR", "don't insult others", "please use the forum for this discussion" strike me as being simple, sensible and just rules. Which rules are unjust, in this context?
> Rules are not themselves authority bearing - nor can one side be upset when they make obnoxious rules and get push back.
In a dictatorship - such as a web site forum - the rules are, in fact, authority bearing. Since a user or their content can be removed at the whim of an operator, that authority is proven. This entire dramatic performance has been because the entirety of one "side" is upset when they've been subjected to pushback because they have broken the rules, and the authority of those rules has been effected.
> When you respond to criticism of those rules by deleting the criticisms... well it's clear you are no longer hosting an open forum and instead trying to shut down speech you don't like.
You are conflating what happened here. A user committed malconduct (of the sort that most projects would react badly to) and their offending material was deleted because it was an unhelpful duplicate placed in the wrong forum. Such content can only be deleted because it is...unhelpful, duplicate and in the wrong forum. All that was needed was the discussion moved to where it was expected. GitHub projects are not open forums and the PR was not speech.
> The posters did not use insults, they did not attack the people behind signal
> Shutting down a potentially serious security bug
They were not shut down to begin with - they were simply asked to post in the correct forum. Once they started their abusive behaviour they had to be shut down because they couldn't behave themselves.
> This isn't a child's baseball game, this is a situation where lives are at risk. "Sorry, we really tried to put out the fire, but your yard sign made me upset and I had to go write in my journal instead of doing my job."
I'm not sure what you're trying to achieve here, other than proving one of my latter points.
If any of those so much as raise an eyebrow, you must be the most sheltered darling on the entire internet. "Moxie and Signal is shit"? Really? I get called worse names in online gaming by kids.
> ..their offending material was deleted because it was an unhelpful...
Their offending material was a security issue! A fair amount of people seem to share their concerns. If it's in the wrong place then move it, and if it's a duplicate then close it and add a link to the original where conversation is happening. If you can't handle basic moderation of your forum, then stop using your damned forum and maybe use github issues like every other project.
> In a dictatorship...
Yeah, Signal can throw a tantrum, take their toys and go home. So can we, as their userbase and the people who recommend it. Right now I'm one of those people who can be reached on Signal and who recommends it to others - and if Signal can't find a way to appropriately receive feedback then I'm no longer going to be doing that.
> Once they started their abusive behaviour they had to be shut down..
No. They didn't. Signal staff could have literally just responded: "Hey, thank you for the report, we're examining this now and will update as we can. Please mind the language." That's literally all it would have taken. Instead Signal continues to stick its head in the sand and ruin its relationship with its users.
I recently bought Threema and I can only say that I like it more than Signal. Now it even has local (meaning your images don't leave your phone) object detection in images, global search in chats, etc. The only thing that's missing is usage on multiple devices and a native desktop client - but the app itself is great so far.
Unfortunately it's not possible to productively resolve issues with the Signal team, something you can find documented again and again.
(My own experience: I had to justify the user impact of 30+ sec freezes on every sent message, confirmed by multiple people. Bug was closed wontfix.)
This is a known thing with Moxie and the culture he's created at Signal and it's unfortunate that he's still starting drama with everyone instead of doing any self-reflection.
FWIW, my experience with Signal sadly confirms this. There’s a critical issue for years with the iOS app that there’s no way to backup or otherwise extract your chat logs (contrary to the usual behavior of iOS apps which automatically backup to your computer or iCloud), no warning of this when you first install, and almost no communication from developers on the subject for years despite huge numbers of complaints.
They hide behind the shield of being volunteers to justify not addressing or communicating about any user concerns, but they also want to play in the big leagues and have hundreds of millions of users who would otherwise be using other chat platforms.
> They hide behind the shield of being volunteers to justify not addressing or communicating about any user concerns
I agree this lacking feature is an important matter, but the Signal team have explained why the iOS app doesn't have a backup facility. Saying there's "no communication" is not true.
I'm not sure what the purpose of saying "hiding behind the shield of being volunteers" is. Are you inferring they're lying and that they simply don't care? Perhaps that they're raking in their paycheck whilst leaving the volunteers to martyr themselves against complaining users? Neither are helpful accusations.
Not no communication. Almost no communication. They have occasionally given explanations for why the feature is difficult to implement, and occasionally given explanations for why they think the feature shouldn’t exist at all even if it could be implemented (despite it existing for Android users). They have never clearly communicated what their intent is: Will they implement it? If so, when? And they have never clearly warned users of this sharp edge in advance of installing software which will hurt them if they care about not losing control over their own data.
By “hiding behind the shield of being volunteers”, I’m not implying anything about them lying about anything. I’m saying that they have explicitly, on multiple occasions, indicated that it’s bad form for users to feel entitled to certain dealbreaker issues being fixed, or even to feel entitled to communication about whether those issues will be fixed and on what schedule. And their reason for believing users are not entitled to anything from them is that they are just volunteers.
But where are they supposed to do this additional communication? Surely they can't go reading and responding to every thread online that discusses Signal - there are just so many of them. On GitHub, too, issues often get duplicated or drowned in comments.
(Although I strongly disagree that they should be saying when they are going to implement it, as that's only setting themselves up for failure: unless it's almost ready, there's just too many things that can influence your roadmap.)
> Thanks, we know this is a big deal and think about it a lot. We're working on ways to do it that would be privacy preserving, and in the mean time we've got the p2p device transfer you mention.
> But where are they supposed to do this additional communication? Surely they can't go reading and responding to every thread online that discusses Signal - there are just so many of them.
They could put out an official statement on their web site about the matter that everyone can reference. "We intend to do this and here's the way we intend for it to work, and we expect it to take roughly 1 year ±6 months to implement. Here's the GitHub issue to track our progress."
This isn't rocket science; plenty of other organizations have ways of disseminating information to millions of people so that everyone knows what's up. I don't expect the White House Press Secretary to speak to me personally, but I do expect her to answer questions from reporters and make official statements about matters that huge numbers of people care about.
Either way, there needs to be some acknowledgment that this is not just a nice-to-have feature request, but that things are actively, terribly broken for certain users at the moment. They should not be working on aesthetic features like Stickers when something is so fundamentally broken. They should be acknowledging their users' pain, apologizing for having screwed up, and emphasizing that they appreciate the priority of this matter.
And until the issue is fixed, it would also take approximately 0 effort for them to warn users about this prior to installing or using the app, so that users can opt out in the meantime if they want control over their data.
>> Thanks, we know this is a big deal and think about it a lot. We're working on ways to do it that would be privacy preserving
Thanks, that's a small step in the right direction which I hadn't seen. Still, it comes after years of being almost entirely mum on the subject, and "think[ing] about it a lot" isn't terribly great comfort to users who have been stuck in the lurch for literally years. How long are they going to be thinking about it? When do they start taking action? What does "privacy preserving" mean?
> This isn't rocket science; plenty of other organizations have ways of disseminating information to millions of people so that everyone knows what's up.
Is that so? Do people know when WhatsApp is going to add feature x or address bug y?
> Thanks, that's a small step in the right direction which I hadn't seen. Still, it comes after years of being almost entirely mum on the subject
Does it? Or is it possible that you also hadn't seen all earlier instances where they made statements like that? It's just that that sounds very possible to me, given how many different issues there are that affect many different people.
(In addition, the other questions you mention seem unanswerable, unless it really is their one and only number one priority, which seems unlikely given e.g. events like the outage not too long ago.)
But even then, there's really no point in trolling the PR section of Github besides griefing. Just fork the thing and make a better Signal if you believe so harshly that there's no hope with Moxie at the helm.
Even if one thought that this would help the people that need help on this matter, you can't really fork signal as it is today, I think. Or at least whatever it is that signal is using on its servers because that is very unlikely to be the software in its public repo, which hasn't been updated in almost a year. And even for a while before then, most of the commits were version bumps with no visible changes on the code.
If anything, that's another problem with signal that's not getting enough attention (that I've seen): It claims to be open source, but as of now, it doesn't seem to be. At least not in the servers.
Not only that, but Signal has indicated that third-party clients are not welcome to use their servers. So even if you contented yourself with forking the client, you can't use it.
What could have been the more productive way? If their issues are closed (and Signal does not seem interested in discussing this) and they feel like this is actively putting people's lives in danger, I feel they should call this out.
Following the project guidance on interaction, especially when directed specifically. Remaining cordial when engaged on the technical aspects, rather than throwing one's toys out of the pram the moment one is challenged. Avoiding excessive exaggeration of the issues as a tool to amplify one's point of view. By not immediately stomping around the project's places and throwing insults, factually incorrect accusations and orating about how one must be correct, rather than engaging in reasoned debate. By not drumming up a playground of like-minded people to assail those who disagree with one.
Nowhere in technical communities is this behaviour tolerable, productive or successful. This affair is painfully cringey to watch; it reads like a sugar-induced temper tantrum by a class of kindergarteners screeching at an adult that their juice cartons should be a different shape because corners are dangerous.
It would have been more productive if the group had not embarrassed themselves with every single action they've made.
> this can't possibly put people's lives in more danger than using Signal without a proxy a week ago would've.
I see one reason it could, it filters out people who do "need" to use it. It could even be people who did not use it before, but think it's undetectable now. Signal implies it can't be detected, at least to non-technical readers.
> Unlike a standard HTTP proxy, connections to the Signal TLS Proxy look just like regular encrypted web traffic. There’s no CONNECT method in a plaintext request to reveal to censors that a proxy is being used.
If the mere use of Signal is banned, traffic analysis tools and DPI can be used to identify users and bring them the unwelcome attention of the regime’s well-staffed secret police. I’m sure the Chinese are selling them surveillance tech, and if not, Iranians are quite capable of developing it themselves.
It’s not a simple issue to resolve. WireGuard is better in that it only establishes a flow if authenticated, but UDP traffic is a giveaway.
The bug reporters reacted immaturely to being asked to submit the report on the Signal forum instead of GitHub, but Signal hiding behind a CoC to avoid discussing substantive issues is not a good look.
> I’m sure the Chinese are selling them surveillance tech, and if not Iranians are quite capable of developing it themselves.
Actually it seems more likely that it's US-built censorship tools -- specifically BlueCoat, which was detected in 2013[1]. BlueCoat claimed they didn't sell the hardware to Iran because it would violate sanctions but that's not much consolation for the people who are being surveilled using their tools.
Here is how we responsible security researchers do things. Follow these steps:
1. Is this a security vulnerability, or simply a bug? If just a bug, send it to a GitHub issue, or send it to the user forum, according to the maintainer's instructions (Signal uses the forum instead of issues). If this is a security vulnerability, go to step 2.
2. Is there a secure channel to contact the software provider, or can the provider give you a secure channel? For Signal, the best way is to open an issue saying "hey, we found a vuln, is there any PGP pubkey I can trust?". If they have not provided one after 14 days, go to step 4b. If they provided one, go to step 3.
3. Contact the provider and tell them what this vulnerability is, and how to fix it. Now it's the provider's responsibility to track the bug fix flow. If they fixed it, delivered it, and told you their customers are all safe now, go to step 4a. If anything else happened (e.g. they refused and think this is not a bug), or 90 days passed, whichever comes first, go to step 4b.
4. Finally:
4a. In this case, the vendor fixed everything and patches should have been delivered, so whatever the vendor thinks, you can just write a blog post that says "I found a vulnerability in some software, here is the PoC". If you have a CVE number, congrats, now you can write an article about it. Now things are all done, and you can hunt the next bug if you want.
4b. In this case, either the vendor does not want to fix this bug, they failed to fix this bug in time, they failed to manage their software in time, or they just don't care about you. This is the vendor's failure, not yours. So now you can write a blog post that says 'here is a 0-day, try it if you want, have fun'.
So this is a general ruleset of how we do things. The word "productive", especially when it is used to describe doing a job very quickly, is sometimes in contradiction with our primary objective. We are fuzzing and digging for vulnerabilities to *make users safer*, instead of *being productive*. To protect users, protect ourselves, and protect everyone from being attacked by evil maids, we (responsible security researchers) all agree to follow this rule, to ensure everyone can profit from finding vulnerabilities. If I failed to explain what responsible disclosure is, search for it on Wikipedia. Most teams follow this rule, including Project Zero from Google, MSRC, Amazon's bug bounty, BugCrowd, and thousands of other platforms/teams.
Let's go back to the topic: why do I think those people are gangsters?
1. They directly send the full exploit, not even a simple PoC. This is far beyond the basic consensus. Once they made that, all rules above is no longer suitable, because they are just responsible security researchers. I don't think they deserve any CVE numbers, or any other vulnerability program's credit, except for an warrant from FBI, or China's MPS, since this is simply a criminal behavior.
2. Closing an issue does not mean ending an talk. Signal's team clearly said they should go to the forum, but they are simply not following the rule. Signal also have a bounty e-mail (https://support.signal.org/hc/en-us/articles/360007320791-Ho...), but clearly those gangsters just ignored it, or they will fill their mailbox with PGP signatures.
3. They claims this is a vulnerability, but they are just not treating it as a vulnerability, since they simply did not think releasing PoC is a risk for users - fun fact, security for users is their weapon for all articles they have published, including to the bleeping computers (https://www.bleepingcomputer.com/news/security/removal-notic...).
4. In a private Chinese group, one of the author's followers commented on this event: "They should just use V2Ray for that", and the author replied with agreement: "Why build your own software instead of using good old ones?". I believe this is enough for me to believe they are not having a good faith to Signal, or users of Signal.
Let's leave there and find more vulnerabilities of GFW, instead of Signal. This is just a amusing joke, presented to you by some V2Ray authors, to propaganda their own software.
This isn't putting anybody's life in danger - to my rough understanding the only thing detection of a proxy allows for is its takedown. I doubt the Iranian government has the resources or will to trawl their entire net for these proxies and trace their physical locations. What I meant by resolving the situation in a more productive way entails taking a step back and considering the situation outside this Twitter and GitHub row.
Both the Signal team and this anti-censorship BBS strive towards the same values, and the only thing drama and indignation does is to crack and weaken the effect of the community as a whole. The public sparring should stop and longer-term dialogues should be held to consider everyone's points and come to a conclusion that reasonably satisfies all sides. Depending on emotional investment this may be tough to do at the moment, but down the line it will do wonders for increasing cohesion and productivity.
People have been arrested for merely using an anti-censorship proxy on my side of the world. There is a real danger, even if you have never witnessed it.
> I doubt the Iranian government has the resources or will to trawl their entire net for these proxies and trace their physical locations.
The proxies are necessarily run outside of Iran, as Signal is blocked inside of Iran. I think the (tenuous) argument is that the government could see that user X is connecting to proxy host Y (outside of Iran), and then themselves connect to proxy host Y to verify it's a Signal proxy, and then take action (including potential violence) against user X for connecting to it (and presumably block further connections from within Iran to proxy host Y).
It's overblown, I think.
> Both the Signal team and this anti-censorship BBS strive towards the same values, and the only thing drama and indignation does is to crack and weaken the effect of the community as a whole.
This is precisely why I'm so curious about why this happened. It's easy to dismiss it as simple douchebaggery, but at least one of the accounts harassing Moxie on Twitter about it has the classic hallmarks of a sockpuppet, and the whole over-the-top PGP signing thing (and opening of multiple issues, and seeking press) makes me think this is a bit more of a coordinated smear campaign.
>Several harsh prison sentences were handed down during the reporting period in retaliation for online activities. Mostafa Abdi, an editor of the news site Majzooban Noor, was sentenced to 26 years in prison and 74 lashes in August 2018. Five other journalists at the outlet received sentences ranging from 7 to 12 years (see C3).
Did they draw the government's attention because they were connecting to banned websites or because they were running a high-profile news outlet?
It seems unlikely to me that the Iranian government would be able to prosecute even a small fraction of instances of the former, whereas there's only a small number of high-profile news outlets at any given time.
Due process is not really a thing in Iran. If the Government wants you in prison, they will throw you in on flimsy pretexts. Which is why journalists need to be extra careful: they don't just need to hide their activities but need to hide any trace or hints of participating in those activities. Outspoken people will be monitored closely, and even an attempt to access Signal (say) could be used by the Government to imprison the user.
Signal is end-to-end encrypted. The only thing the network surveillance would be able to determine is that you were connecting to Signal via an open Signal proxy, not the people you were talking to, or the content of your messages.
When proxying, who you're talking to can be determined from large-scale network surveillance. You look for patterns of messages sent from your device and messages of the same size received by another device immediately after.
Yes? To some people, just the fact of needing to use Signal would be revealing; it could be used in a prosecution. Especially in the case where most people would not be using it at the moment.
Revealing the fact that one uses Signal can be an issue in itself.
I doubt it, the two main researchers behind it both have an extensive history of contributions on GitHub. The correct explanation is most likely the simplest: egos mixed with typical programmer idealism proved to be a Molotov cocktail that flared into drama.
I'm in the process of re-reading the book, How To Win Friends and Influence People. It's an older book but the discussion on human behavior and utilizing that to influence people is still useful.
I found the behavior and statements around this to be the kind that make the situation worse rather than make it better. They appear to be working against their own goal and may not realize it.
I recommend quoting their "anti-censorship community". I'm anti-censorship, but I'm not a member of them. Their behavior insults me. I'm not represented by them.
They even talk about their own inappropriate behaviour in this statement:
>2021-02-06 12:00 @DuckSoft sent a pull request that adds the PoC to Signal TLS proxy's repository. It has since been deleted and both @DuckSoft and @studentmain were banned by the Signal organization on GitHub in the afternoon. A repost by @U-v-U was later closed and locked.
These people decided to abuse the pull request system after being asked to use https://community.signalusers.org/ instead of GH issues to discuss their concerns.
I think that it was you who replied to the wrong comment. I did not see any evidence of them talking about any inappropriate behavior of their own nor did I see them saying anything inappropriate in the quote that you posted.
>2021-02-06 12:00 @DuckSoft sent a pull request that adds the PoC to Signal TLS proxy's repository.
This is inappropriate. Pulling in a random PoC to the repo is not how you’re supposed to use PRs. Issues exist for this purpose, but theirs had already been removed.
>It has since been deleted [...] A repost by @U-v-U was later closed and locked.
Reposting the inappropriate PR is also inappropriate.
They are, along with all of the misbehaviour this group is perpetrating. Acting in this way will result in nothing but derision and bans from any organisation (and prospective employer, for that matter) because it is childish and unproductive.
How is reposting content that was previously removed by maintainers not inappropriate? Signal made it very clear that this stuff should be posted on their community forums, not GitHub.
"We are the underdogs, doing the real work, and yet unappreciated by many people."
This is the number one reason why people's tone gets sharper and sharper in online "communities", and often they are 100% right.
Most online "communities" devolve into cliques, where the powerful gang up on dissenters. Often the dissenters indeed do a lot of real work behind the scenes, while 80% of the powerful are well spoken parasites.
The powerful then resort to censorship, which escalates the situation.
In this case, who cares about resolving issues "productively" if people's lives are at stake?
[1] https://www.bleepingcomputer.com/news/security/removal-notic...