Comment by Dunedan

> they very early on established direct-connection infrastructure for sending SMS, meaning that they have a marginal cost of literally $0.00/message in most markets.

I am very, very interested to understand how that works, because without more detail or sources I'm calling bullshit. I definitely understand how Twitter could have greatly reduced their per-message fee with telecom providers, but at the end of the day Twitter is not a telecom and is still at the mercy of whoever is that "last mile" for actually delivering the SMS to your phone, so I don't understand how they have no marginal cost here. Happy to be proven wrong.

To clarify - iMessage does not use SMS if you're going from Apple to Apple device and both devices have data/wifi available. iMessage refuses to support messaging to Android clients and defaults to SMS for these messages.

I've got an Android phone so all iMessage transmissions come across as SMS (or MMS).

> For P2P communication. SMS is alive and well for B2C messaging, most importantly for 2FA OTP delivery, but also as a first line of defense against spam/bot account creation.

In Brazil, businesses use Whatsapp to communicate with consumers. You order pizza and book doctor appointments over whatsapp

If only someone would release a universal protocol that the app's native messaging apps could utilize to eliminate the need for these 3rd party messaging apps. Oh, right, it's called RCS and Apple refuses to support it.

If SMS actually worked for this purpose, it would be acceptable. However, SMS provides no guarantees about: 1) If it actually gets delivered 2) If it is delivered to the intended recipient 3) 1 and 2 without anyone reading or tampering the message while in transit

Now, even if stars align, your SMS ends up on a route where nobody is mitm-ing or hijacking it, the telco systems work and it gets delivered, it is STILL not a guarantee of identity. It simply verifies that you have somehow got access to a particular phone number.

"Sign in with $Clearinghouse" could bring you to a page that prompts whether you want to share a user ID or the phone number, as required, with that service.

The clearing house verifies you only once, or once a year, instead of every time. If the clearing house were to be a nonprofit, perhaps even set up by Signal themselves to spread costs with similar services, that has to be cheaper.

It also gives users confidence that only a randomized user ID was shared, so it won't be used for cross-service correlation and tracking, if the service didn't actually need your phone number but only some identifier.

A Flow:

> Service A => User: Please Enter Your Phone Number and Email

> Service A => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (SMS): Please respond with the Email you used at signup to confirm you want an account with Service A

Later...

> Service B => User: Please Enter Your phone number and Email

> Service B => Clearinghouse: Please verify phone number XXX wants to sign up for an account with us

> Clearinghouse => User (Email): Please verify you want an account with Service B

Not saying it's great (providing email twice is annoying), but it's something.

Oh I forgot that signal is not just about forwarding messages. I’m wondering how much the VOIP costs.

Java in theory and in synthetic benchmarks: damn near as lean and mean as C.

Every actual Java project: “oh, did you want that memory and those cycles for something else? Yeah, sorry, I need them all. Why no, I’m not actually doing anything right now, why do you ask?”

> Many SaaS SMS providers are just frontends for legacy telco services.

I worked on an automated SMS marketing system back in the day so I have seen this in action, at scale. This would be stuff like "text LAKERS to 12345 for Lakers updates"- we didn't handle the Lakers but we did handle many sports teams. Though I wasn't privvy to the financial side, I got the sense that the per-text cost ended up being manageable at scale, but this is because we were one organization who would apply the rules onto our own customers, and if we failed to do so properly we risked losing the interconnects to the various carriers. We typically used a single contracted "aggregator" service which provided a unified API for the carriers. When I left, we were using OpenMarket.

When you have a self-service SaaS offering such as Twilio, the per-text costs are going to go up because the barriers for sending unwanted texts (or fail to follow the rest of the rules mandated by the TCPA) is so much lower, and Twilio has to address that organizationally which adds cost.

Additionally, Twilio does not purchase short codes (ie 12345) which means its harder for the carriers to track bad behavior across their network. There is an initial cost (fairly high) to acquiring a short code, though you can also share short codes across customers in some cases. Acquiring a single short code and sending all messages from that short code would likely reduce costs.

I would love to see more detail from Signal about what sort of SMS interconnection they are using, because directly connecting with an aggregator instead of a SaaS offering (if they haven't already) could save a lot of money, and they are definitely at the scale that would allow for it. And given that they only use it for account verification and are a non-profit, it seems likely they could get a good deal since the risk of TCPA violations is effectively zero.

Maybe they should flip it on its head - get a thousand? Ten thousand? numbers that can accept SMS and tell people to "text 473843 to this number" to verify.

Java is entirely performant if you treat it right, and many of the problems with GC in J8 are fixed in later versions.

You can push Java very far.

Of course you can also write horribly ugly code in it.

I don't consider Session to "bundle" the Loki blockchain or the Oxen network in any sense.

Here is more information about what I meant when I used the term "bundled".

https://www.techopedia.com/definition/4240/bundled-software

In business, you get what you pay for. Cheaper hosting might raise more issues that need to by handled by your employees, who also are expensive, and also the organization's focus gets disrupted. The hosting company / cloud vendor has an enormous economic advantage, with access to the entire hardware and software stack, the engineers who built it, people whose full-time job is operating it. Often it's cheaper to pay more for better.

As I have to explain about open source, 'Free is only free if your time is worth nothing.' (And I use a lot of FOSS, it just not always the solution.)

As I understand it, you have to often use multiple gateways based on which one is cheaper and can deliver your message to the recipient, and also take care of handling retries in case one gateway fails. This is not something you typically want to handle if you're not aware of it, and the process of having to talk to each vendor and figure out their limitations is tedious.

There's a lower bound on what these services can charge in the form of interconenction fees charged by the mobile service providers delivering the messages.

In the US, that's effectively zero due to the US phone infrastructure largely using a shared-cost model, but in most other countries which use "sender pays", these fees can be significant.

DO, at least, has bad peering agreements that will cause you noticeable, unfixable (if you stay on DO…) persistent problems at large enough scale.

I use Hetzner, but they have a bad rep for killing services that attract too much attention, e.g. DMCA requests

Might not be cheaper at scale and truly globally.

The loaded costs should have the numbers run.

It would be a fascination under the covers look with signal.

They probably already have that staff for GCP, Azure, AWS?

> Signal actually jumps through quite a few hoops in order to let you and your contacts are on Signal without Signal actually having access to a copy of your whole address book. It's even mentioned in TFA.

It doesn't say how it works. If Alice's phone can tell whether her contact Bob uses Signal without Alice and Bob doing any sort of a priori cryptographic exchange, why couldn't Signal itself do whatever Alice's phone is doing?

> They want the address book because if you don't have engagement promotion features like that, there is no way to ever become remotely popular in the chat app space.

Intentionally ignoring the fact that Signal splatters your phone number to everyone else is a humongous problem. And you can even put your phone number block in your address book, and it'll tell you everyone who has Signal. This happens all the time, with Signal servers leaking all of this metadata.

And doing "engagement promotion" is what companies do to sell more shit. So, exactly what are they "selling"?

>Why is the security a joke?

Metadata, pertaining to communication patters and to whom matters just as much as what's being said.

And that metadata, like "your phone number" and "contact's phone number", and "when data is being sent to/from" is that metadata.

> The data is e2e encrypted,

> and isn't related to a phone number in any way after registration.

Bullshit. I see new people hopping on signal fairly regularly. If that was true, it'd be a simple verify-once-and-delete. It aint.

> Do you know of a better way of combining privacy and anti-abuse measures?

I reject your claim of "privacy", with regards to metadata.

Secondly, Tox has an alternate way to handle this, by allowing any number of accounts not tied to anything. Sure, it's a SHA256 id, but who cares. There, its secure AND anonymous.

Basically, I look at Signal as "better than SMS, but not much". It's basically a way to keep the phone company from scanning messages.

It would be great if that was what was in their announcement.

Most of that cost is literally coming from sms outside the us though. The rates for us sms are much lower than almost anywhere else.

That's a neat workaround for the people that can figure that out, but doesn't change the underlying problem for the majority of users at all.

Aren't these VoIP? Almost every service blocks VoIP numbers for sign ups these days, but perhaps Signal is an exception.

Huh, I knew those existed for voice calls, didn't realize they applied to SMS too. Makes sense, though.

This will probably never happen. One of the reasons WhatsApp blew up is because using a phone number as your source of identification means there's much less friction in the signup flow. No username/password to create and your social graph is already there in your contact list.

My mom was able to get our entire extended family on Signal without my involvement, which is a testament to how easy that is.

Phone numbers are the easiest login for people, especially in a world where not everyone has an email address.

I know this will invite comments about usernames. I would like usernames a lot too.

Which might be said to increase privacy. I suppose there's something to the point about combating spam. But surely there are other ways to do this, right?

As far as I understand, this is even more expensive than SMS in many cases due to WhatsApp's B2C messaging fee structure.

It's also not a great idea to make sign-ups for an instant messaging service contingent on having an account with another, competing service.