Signal introduces usernames and phone number privacy.
Signal introduces usernames and phone number privacy.
Signal’s mission and sole focus is private communication. For years, Signal has kept your messages private, your profile information (like your name and profile photo) private, your contacts private, and your groups private – among much else. Now we’re taking that one step further, by making your...
You're viewing a single thread.
Finally, been ages.
A number is still needed to register I believe.
Requiring a number is a good way to limit bots.
A PoW could limit bots too. Require say 30 seconds of work before your registration submits. For regular users that isnt to bad. For bots its a PITA to get tons of accounts
Edit: tor uses PoW as DDOS protection and its helped massively
PoW...Prisoner of war?
That will also keep away bots.
You can only sign up if you've taken at least one Prisoner of War. Bots can't take prisoners of war for obvious reasons.
Kinda like how Aztec boys came into age in their society.
Proof of work. Example, bitcoin
How does this prove anything if using an emulator to bulk register bot accounts? Also, Signal Desktop is a thing.
It was the original purpose of the bitcoin algorithm to limit spam.
If you have to do a lot of maths that takes your computer (for example) 30 seconds, that means it costs 30 seconds of compute to create an account. Nothing to an average user, for a spammer that wants thousands of accounts it gets expensive.
Several captcha[0] libraries already use this and it's great for accessibility (normal captchas are terrible for it)
[0] I know, it's not technically a captcha.
Accessibility is very important to me as a blind user, and this helps tremendously.
Anything you use to autotranscribe images or are image uploads without alt text a nightmare?
Images w/o alt text suck
Ah bummer… I’ll do better!
Oh, neat. I was unfamiliar with PoW. Thanks!
Pow does not limit spam in bitcoin. Fees do. Pow is used as a decentralized election mecanism to distribute the block production.
I know what it is. It is not a barrier to entry though.
He explained why it is, so can you elaborate on why it's not?
Because it's not. I can spin any number of emulators or VMs that do any amount of work with a simple script, but that's all it does. How does it prove I'm anything but a scripted, virtual instance of a person with a device?
There's a reason why Telegram is flooded with bots, Signal as of now has not been.
Bots can buy phone numbers, hell, they can solve most captchas better than humans.
There’s a reason why Telegram is flooded with bots, Signal as of now has not been.
Telegram requires a phone number, so it clearly isn't working.
For each account you register, you have to do 30 seconds worth of work. So to register one account, you do 30 seconds worth of work. To register 100 accounts, you do 100*30 or 3000 seconds (50 minutes) worth of work. Registering tens of thousands of accounts then becomes unfeasible.
And how can a VM or emulator NOT do this?
Anything that can compute can do it. The important part is that it has an associated non-insignificant cost.
Exactly! ANYTHING THAT CAN COMPUTE CAN DO IT. Few things have a uniquely identifying piece of information with other levels that are barriers to entry...like a phone number. The idea is to STOP bots from signing up to Signal.
Are you missing the point maybe?
It stops bot FARMS from being feasible.
If preventing Jimmy Bumfuck from spinning up a couple sock puppets is your fear, yeah, PoW systems don't help. But those are rarely the problem.
For a phishing scam or astroturf operation to be worth it, you need tens of thousands of accounts all running the same script. Those get filtered hard by PoW systems.
Phone validation works just as well, and stops Jimmy Bumfuck from making sock accounts. But now every user must be stapled to a phone number. Maybe that's a worthwhile trade to you, but it sure doesn't seem to be to everyone replying to you.
Nah bro, you are.
It's ALSO possible to generate virtual phone numbers for a small cost.
Using a cryptographic PoW is a different small cost.
Either way, it only takes a small cost to prevent mass bot registration.
You're treating processing power and time as if it is 100% free just because it can be done in a VM. But it doesn't matter if it is a VM. It is still going to require at least some certain threshold of processor time, and that processor time has a real cost. For the kind of place that can just spin up thousands of VMs and use it to do massive bot registration... they could just be mining bitcoins instead.
It's not just whether you can do this. It's how much value it has vs what ELSE you could be doing with the time and energy. A Signal account is already worth vanishingly little as a spam tool, they just need to give it enough of a cost to make it not worthwhile.
A number is still needed to register I believe.
Indeed, which makes their headline a bit misleading. Giving Signal your phone number is not keeping it private.
I thought peoples big problem with it was not wanting to give others their number to use signal? Like I meet Joe Blog online and don't want to give him my real number to chat.
Less people worried that signal had their number?
Seems the second group is a vocal minority. This feature helps the first group, but doesn't help the second group.
According to Signal, the first group is the larger group and this helps the most users of Signal.
Could it be better? Sure. This is still a good step in terms of privacy, even though it doesn't really improve anonymity.
Its important to not let perfect be the enemy of good.
Personally, I care about the phone number requirement not because I don't want to reveal it to Signal servers, but because it limits access to Signal for people in countries that block their SMS service - registration messages just don't arrive
It's specific to signal? Like they want to block people registering or what's up with that SMS block?
Not specific to Signal. I believe he was referring to places where Twilio doesn't serve, for example because of sanctions.
Putting a SIM card in a phone exposes it to enormous surface area of attack. People have been asking to register with anonymous emails instead of a phone number, like Wire has had for years
Do you need the SIM card inside the phone after registration?
Does it matter? At that point your phone is owned by Pegasus et all with zero click vulns
I thought peoples big problem with it was not wanting to give others their number to use signal?
The issue is that giving your phone number to Signal Messenger LLC is giving it to others, and therefore not keeping it private in the usual sense of the word.
Some people may be unconcerned about a corporation knowing their number vs. their contacts knowing their number, but that doesn't diminish the misleading aspect of this headline.
Wrong, it still keeps it private but not anonymous. It's not the same concept and for most thread models knowing that you use Signal is not really an issue, especially since with this feature no one can check if you have one if you don't give them your username unless they have access to Signal servers in which case they still have nothing except the knowledge that you have an account.
They do a lot of work to keep your phone number private, or at least any data that is tied to it. This username upgrade is solely for someone to communicate over Signal without needing to hand over your phone number.
For example, you can now be in group chats with internet strangers by just giving them your username.
On top of that, once MLS is adopted, you can communicate with other messengers as well.
What is MLS?
Kinda stupid for privacy to hand over your phone number... Very counter intuitive