Comment by jillesvangurp
2 years ago
Aside from the salaries, which I agree are a problem, I think there are a lot of architectural issues that are both costly and not so secure.
> We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account. Simple solution, go distributed.
6M $ for that. Stop doing that. What do dictators control? Mobile phone networks and other infrastructure. And, yes, they really do go after people any way they can.
This "cost" puts people into danger. Coupling identity and operator infrastructure is a critical privacy flaw. And a costly one too apparently. If your #1 goal is to be the most private solution, this cannot be tolerated to continue to be the case. Get rid of it. Your identity should be your cryptographic key.
> which I agree are a problem
Are they? These salaries are much lower than most tech competitors. I know we like to call out "high" salaries when a useful service is struggling - but they'll struggle even more if they can't retain good talent because their pay is too low. There's a reason tech skill in government is generally lower than that in industry, for instance.
> Are they? These salaries are much lower than most tech competitors.
That really depends on the location these people are working from. In most of the world, those are insanely high salaries.
A company like this doesn't need to be based in SV.
I tended to agree with your sentiment. But the reality is that for some unknown reason to me, it's companies from SV the ones that get famous and used globally.
Why didn't this start from say Mexico? Or Singapore or Vietnam? Or at least Germany which has a good record of freedom conscious tech scene .
My bet is in something related to the "maslow pyramid": people in SV have so much money that have everything solved in their lives, so they have the luxury of spending their time in this sort of problems.
2 replies →
Salaries for executives in most tech competitors are inflated and should go down, starting with Signal.
Is 700k for a CEO really that inflated? You can probably find a few people here in HN as an IC making even more money at some top tech company.
I agree, if you lower the salaries now they will probably leave.
Nonsense. Asking for donations as a millionaire (which is what these people are) is a bit awkward.
This only makes sense if you ignore the world outside the Bay area and assume it's a talentless wasteland. Bay area salaries are vastly inflated in terms of value for money.
There is lots of talent elsewhere of course. I live in Europe. Lots of smart people here. I think I personally know quite a few people that could do at least as good a job as Signal has at building a messenger app + platform. No offense, but this isn't exactly rocket science.
And of course the elephant in the room here is that money is running out because this organization has a cost problem. Inflated salaries, insane cost for things that they should arguably get rid off (like the SMS bills), etc. That's a leadership problem. They aren't even getting value for money despite those salaries.
>I think I personally know quite a few people that could do at least as good a job as Signal has at building a messenger app + platform. No offense, but this isn't exactly rocket science.
They are building a secure communicator that a normal person can reasonably use - and succeeding. Something nobody else before them managed to pull off. If this isn't rocket science I don't know what is. Not to mention that they pioneer cryptographic protocols in this area, which other messengers later use.
>This only makes sense if you ignore the world outside the Bay area and assume it's a talentless wasteland.
I'm also from Europe (and love it, despite its flaws) but this comes off like whining. If it's really so easy, maybe the smart people here should create their own Signal and reap that overinflated salaries, what do you think?
Or maybe smart people are not enough and you also need VCs, reasonable taxes, laws... Oh btw, did you hear about those plans of EU to get rid of E2E encryption?
Maybe EU is underpaid instead of Bay area overpaid?
But it's hard to compare EU and US salaries directly. You got taxed way more and your health care isn't bound to your job.
Their #1 goal is not to be the most private solution. Their goal is to make day-to-day communications of most people difficult to surveil.
Day-to-day/People is why they keep the registration process familiar to other platforms like WhatsApp/Telegram. "Most" is why they try to compete with Telegram/WhatsApp on features to drive adoption (see Stories and Announcement Groups).
Have you tried verifying your contacts? It's clunky, but I believe this is how signal handles the problem:
https://support.signal.org/hc/en-us/articles/360007060632-Wh...
Using signal without verifying contacts is like bit like using HTTPS without verifying certificates. It prevents passive monitoring.
Outsourcing identity to operators just moves the problem. And it adds a lot of privacy and security concerns. Besides, other platforms manage just fine without phone number based authentication (which is what this is).
> This "cost" puts people into danger.
They know this, but it's likely a precondition of not getting Joe Nacchio'ed. It's a feature, not a bug. Signal's partners* in FVEY IC/LE have given them a lot of latitude in developing a very solid e2e cryptographic protocol and application as long as the users themselves are identifiable.
The pigs don't need to backdoor the protocol or the keys as long as there is more than one party to a conversation and each party is identifiable. The prisoner's dilemma, in real life, almost always gives the pigs a defection.
My pet conspiracy theory is not that Signal is evil, but that Signal is being allowed to operate by the pigs as long as account identifiers are very difficult to anonymize. They are likely very good people with good intentions, but when the FBI or NSA makes you an offer you can't refuse, you do the best you can.
*: I'm not suggesting Signal is in bed with IC. Just that if you operate a communications service of any scale, IC/LE will be your partners whether you want them or not.
The reason I don’t use signal much is this link to a phone number.
Both because sometimes I don’t have a phone number. And I don’t want participants to know my phone number.
I don’t get why they have this requirement as it’s not like having a phone number means anything significant. For me, I think privacy includes my ability to not reveal my identity to the network.
> And I don’t want participants to know my phone number.
They're currently in the testing phase of allowing phone numbers not be known by your conversation partners: https://community.signalusers.org/t/public-username-testing-...
You still need to register with a phone number though. Until that's no longer a requirement, I'm personally not using Signal.
1 reply →