bantering with punk was Re: What advantage does Signal protocol have over basic public key encryption?

Karl gmkarl at gmail.com
Wed Jan 27 03:43:24 PST 2021


>>
>> I want my messages preserved, so I don't worry about forward secrecy =S
>
> 	In that case it seems that signal has little to offer to you apart from
> their surveillance services tied to your phone number.

=(  obviously i like it because it cryptographically preserves the
integrity of threads

this conversation ended up being unpleasant to me.  i am changing my replies.

I LOVE YOU PUNK!  I HATE ARGUING!

I LOVE FASCISTS AND FAKE LIBERTARIANS AND GOVERNMENT AGENTS AND
SOCIALISTS AND TERRORISTS!

> 	
>
>
>> > 	So what the hell are you saying about 'time travel' now? YOU first
>> > alluded
>> > to the fact that IN THE FUTURE p-gpg could be broken. I just added,
>> > broken
>> > JUST LIKE SIGNAL. And so you are FALSELY ADVERTISING signal.
>>
>> Second half of above paragraph.
>>
>> I'll try to read your caps: you're saying that signal is similar to
>> pgp,
>
>
> 	In some ways signal is worse than pgp. For example, you don't need to
> register with morlonpoke using a phone number to use pgp. You just compile
> it and run it.

WHO CARES.  However: You don't need to register with morlonpoke to use
signal _either_.  You can _also_ just compile and run it, and numerous
forks have _done_ that.

I LOVE YOU PUNK!  I HATE ARGUING!

I LOVE FASCISTS AND FAKE LIBERTARIANS AND GOVERNMENT AGENTS AND
SOCIALISTS AND TERRORISTS!  I LOVE ANYBODY WHO HATES ME!

>
> 	on the other hand signal makes it easy for lazy or 'non-technical' people
> to use encryption. Instead of getting people to be more educated...
>
>
>
>> and dangerous, and we need to cut the bullshit and get to stuff
>> that's real, being honest about the problems of all the solutions we
>> have?
>
>
> 	Pretty much. I don't see signal solving any fundamental problem, contrary
> to what advertisers seem to believe.

Nah it's incremental steps.  Here's some relevant bullshit calling:

Signal is run by a nonprofit.  Talking about their behaviors in terms
of marketing and advertising is poisonous to the global community, in
comparison to some of the marketing atrocities still going on in front
of our faces.

You talk this way about people all the time.  You are turning people
who could help the things you say you are supporting, against each
other.

>> >> I don't remember what we were talking about,
>> >
>> > 	so go read what you wrote 2 hours ago. You don't even need to do that.
>> > I
>> > quoted what you said above. And I'll quote you once more
>> >
>> > 	"4. perfect forward secrecy.  addresses the issue with pgp where
>> > future
>> > advancements decrypt all your messages"
>>
>> So what are you saying the "basic problem" is, now.
>
>
> 	My point was/is that your claim about 'PFS' and pgp is wrong, that's all.

I'm not a cryptographer.  I summarised theft of private key,
compromise of devices, discovery of attacks via side channels, and
cryptanalytic advances, all together into one inaccurate phrase that
still produces the same behaviors in end-users if believed ;P

>> you often send insulting things, I'll treat the reply as my form of
>> sending insulting things.
>
> 	yeah, people say insulting things all the time, while pretending to be
> 'polite'. I insult people after they try to take me for an idiot.

This "pretension of politeness" is a struggle to engage in actual
rational discourse.

>> [personal experience description inhibited.  meanwhile, maybe you've
>> been mind controlled to argue on this list.]
>
> 	see, that sounds pretty insulting. But Ok.

The things you say don't seem to logically line up all the time.  This
could be because I come from a really different place from you,
because you are really upset, or because you have been manipulated to
influence us.  I'm inferring it's the first 2, but could use your
confirmation.

>> > 	If thanks to 'future advancements' keys are broken then there's no
>> > 'forward
>> > secrecy'.
>>
>> well, maybe i'll go look up forward secrecy so as to try to be more
>> rational here, but i'm also remembering you asked me not to reply
>> unless i was able to give you the respect of reviewing message content
>> you snipped away, to reply.
>
>
> 	I 'snip away' stuff that I don't think needs to be quoted repeatedly. Or
> stuff I won't reply to because I don't think it's important. If there's
> something you think it's important and I should reply to, then let me know.

Snipping's important.  When bantering on this list, I'm usually in a
flashback or something and it can be helpful to see reminders of what
we're referring to.  This is me being stupid, not really your fault,
but I get frustrated around it.

>> I know I'm wrong there about something.  Do you know what it is,
>> specifically and clearly in language somebody experienced on this list
>> would agree to?  What does forward secrecy address, if not this?
>
> 	'forward secrecy' separates long-term identity keys from session keys so
> that 'compromise' of identity keys doesn't affect session keys. Also
> compromise of one session key doesn't affect other session keys. Why it is
> called 'forward secrecy', I don't know. Seems like a stupid name to me.

=) In communities of digital activism, we like it when people learn
cryptography and security on a community level.  It makes friends with
us no matter who you are.

I haven't read the math or anything, but it sounds like it is
exponentially more difficult to compromise an old message with forward
secrecy, compared to without, similar to how bitcoin produces breaks
of the sha256 hash, while also producing incredible security of data
held by that same hash.

>> > 	Also, we're using plain text here because this is a public forum.
>>
>> that's not how I feel, the comparison seems like gossiping instead of
>> sending a letter to a mailing list.  in signal, messages are signed by
>> the sender and misbehavior of the isp and server are defended against
>> a little more.
>
> 	well yeah. And yet, misbehavior of isps or list server is not a problem
> here. You keep talking about it, but there isn't evidence of any tampering.
> I'm not saying it can't happen, just that it isn't happening here as far as
> I can tell.

to speak that language where you pretend everyone has the same
experiences, "bullshit"!  the list admin posted about messages
bouncing due to misbehaving network infrastructure just recently.
https://lists.cpunks.org/pipermail/cypherpunks/2020-December/085620.html
many other issues have been posted, many with cryptographic signatures on them.

>> it's notable that speaking in a forum transparent to those who dislike
>> the topic gets you hurt.  anarchists everywhere learn to organise in
>> small private groups.
>
> 	Yes, I'm certainly not against that tactic, but now we're on the public
> arpanet, which is a very big public forum, not a 'small private group'.

i'm talking about the relevance of technologies supporting safe
communication, not whether we happen to be using them now.  people on
this list have gotten repeatedly targeted, and it's been repeatedly
discussed on this very list.

>> pgp is broken by factorization.  teleportation would not be an
>> efficient way to research this.
>>
>> not sure if https://primecoin.io/ is that relevant but we can make an
>> economy focused around compromising any cryptographic primitive, now.
>
> 	heh

;p

i got this smiley from somebody from another country from mine.  it
means a silly half-smile.

anyway, cryptographers support researching compromising their stuff.
it helps people understand what is going on better.  i don't know if
people understand the dangers of pressuring that this be done
_privately_, i haven't been keeping up on the talk.

>> > 	at least decentralization doesn't allow the NSA to get all the data at
>> > once, directly from morlonpoke.
>>
>> where are you from?  it's so funny to see the 'z'.  it's the united
>> states spelling.
>
> 	i'm not a native speaker of english. My english is mostly US-influenced I'd
> guess, but you shouldn't expect any consistent spelling from me =)

don't usually see non-native speakers taught the united states
spellings; usually british.

>> i guess we'd better find this mr morlonpoke and defend them =/  dunno
>> how to do that.  we can call it freeing them from the shackles of
>> technology and forcing them to work on what actually makes sense to
>> work on.
>>
>> the nsa already has agreements with isps, whereas a
>> morlonpoke-agreement would be a new negotiation.
>
>
> 	like I said signal.org website is 'hosted' by amazon-NSA. That's trivial to
> check. And a quick search seems to suggest that the servers for signal the
> 'app' are also amazon-NSA

yeah i summarise all that stuff as kinda 'signal sold out to
mainstream so that they could have users' but in reality it probably
came from academia where there's more trust for business because
they're financing and hiring from the organisations, so play nicer.

the nice thing is that because it's open source, everyone is taking
their work and ripping the govcorp parts out, and reusing it.  and
because they're trusting, they would accept pull requests that resolve
the things you describe.

here, punk will again ignore these points? saying that because people
related to signal have unpleasant attributes, we should dislike signal
itself?

>> we could invest time and energy in making a contribution to signal to
>> make it decentralised.  this is physically possible.
> 	
>
> 	doesn't look like something they are interested in.

they're interested; they're just brainwashed by usa culture, so they
prioritise other concerns first.  meet those concerns and they'll love
an improvement.

>> >> It is weird that signal uses centralised servers.   [if you could quote
>> >> this line it would help me remember this topic.  i can forget things
>> >> when what i see, changes.]
>> >
>> > 	I don't think 'weird' is the right word.
>>
>> how about "painful as if you were getting beaten up by a fake holding
>> a surveillance camera so many times that you can't feel anymore"
>>
>> what word would you use?
>
>
> 	painful is a lot better than 'weird'.

it's indescribably painful, the lack of forthright demonstration of
trust in the systems we share ... am i coming from the same place as
you here?

>
> 	And if their server is run on the amazon-M$-NSA 'cloud' then I'd call it
> 'outrageous'.
>> > 	I don't see why we need a blockchain based messenger. A blockchain may
>> > solve part of the 'key distribution problem' but in turn key
>> > distribution is
>> > just one part of the whole communication problem. So a blockchain is not
>> > a
>> > silver bullet.
>>
>> blockchains break filters and firewalls like a tsunami, if they are
>> cryptographically sound and functioning.  if there is some protocol
>> quirk that makes for a censorship worry, that code can be designed to
>> not have that quirk.
>>
>> it's getting late for making a blockchain messenger as people slowly
>> start noticing that money is just a fake thing to move them around,
>> but that hasn't actually happened yet.  the strength of a
>> cryptocurrency blockchain comes from the belief in money (because it
>> gives it to people as its steps of functioning).
>
> 	the claim that money is a fake thing is pretty bold. And I still don't see

well, there'd be less money in general if people weren't _using_ it
that way, with government-managed banking, and political marketing
campaigns, and such.

if you have $10 and somebody has $1 trillion, and you use money as
your only way to survive, you are that person's effective slave.

> what a 'blockchain' based messenger would look like. You seem to believe
> that 'blockchains' can solve many problems? They rather look like nasty
> surveillance tools to me, except if carefully used.

a blockchain basically pretends that it is paying people to spend
incredible degrees of electricity to make certain that messages called
"transactions" are spread to everybody on the network with precision,
accuracy, and certainty.  it pays the people making sure of this in
these messages, so it is pretty easy for it to do.

you could cast it claiming other good or bad things, too, systems have
many properties, not just one.  surveillance is not easy on a
blockchain, it is just possible.  when you say blockchains are about
surveillance you sound really weird, and people wonder how you got the
idea, and why you are so passionate about it.

>> I didn't like how the people running it engaged in a chest-beating
>> competition with another cryptographic organisation, but they were
>> probably doing the best they could, just like you are.  I also don't
>> like that they have a centralised server, require a phone number to
>> register, and mostly support web-enabled technologies run by
>> corporations that have huge opportunity to put backdoors in.  But it's
>> pretty clear they gave a _lot_ of avenues for people to help address
>> those situations.
>
> 	I'm not sure how people who are not part of the company can fix those
> problems? Apart from using the software to run a different service I guess.

Signal isn't run by a company, but rather a nonprofit.  It's an open
source project where a huge portion of the development effort is from
community work.  2,149 accepted changes from random online
contributors: https://github.com/signalapp/Signal-Android/pulls?q=is%3Apr+is%3Aclosed
(that number may be a little high because unaccepted contributions
are included in that page too, but i keep clicking different pages and
i only see acceptance (PR merging) of every suggested change, over and
over again.)
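The forward-secrecy definition given in this thread (long-term identity keys separated from per-session keys, so that compromise of an identity key does not expose session keys, and one session key does not expose another) can be made concrete with a small model. The following is an added example and not code from the post or from Signal; it is a simplified finite-field Diffie-Hellman sketch, not Signal's X3DH or Double Ratchet. The group parameters (the Mersenne prime 2^127 - 1 with base 3), the toy keystream cipher, the sample message and the attacker model (a passive recorder who later obtains one party's long-term private key) are all constructed for the demonstration and are not secure choices.

```python
import hashlib
import hmac
import secrets

# Toy group: the Mersenne prime 2^127 - 1 with base 3. Constructed for this
# demonstration only, NOT secure; real protocols use X25519 or a 2048-bit+ group.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return (private, public) for finite-field Diffie-Hellman in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared_secret: int) -> bytes:
    """Session key = hash of the DH shared secret (stand-in for a real KDF)."""
    return hashlib.sha256(b"toy-session-key" + shared_secret.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes):
    """Toy encrypt-then-MAC: SHA-256 keystream XOR, then an HMAC tag over nonce||ct."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce, ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def static_dh_session(alice, bob, message: bytes):
    """No forward secrecy: the session key comes from the two long-term keys only,
    so every session between the same two parties shares one key.
    Returns (what a passive observer records on the wire, the endpoints' key)."""
    a_priv, a_pub = alice
    b_priv, b_pub = bob
    key = derive_key(pow(b_pub, a_priv, P))
    assert key == derive_key(pow(a_pub, b_priv, P))  # both sides agree
    nonce, ct, tag = encrypt(key, message)
    return {"publics": [a_pub, b_pub], "nonce": nonce, "ct": ct, "tag": tag}, key


def ephemeral_dh_session(alice, bob, message: bytes):
    """Forward secrecy: fresh ephemeral keys per session, discarded afterwards.
    The identity keys would only authenticate the ephemeral values (signature
    step omitted in this toy) and never enter the secret derivation."""
    _, a_id_pub = alice
    _, b_id_pub = bob
    ax_priv, ax_pub = keygen()
    bx_priv, bx_pub = keygen()
    key = derive_key(pow(bx_pub, ax_priv, P))
    assert key == derive_key(pow(ax_pub, bx_priv, P))
    nonce, ct, tag = encrypt(key, message)
    del ax_priv, bx_priv  # ephemeral secrets are erased once the session key exists
    wire = {"publics": [a_id_pub, b_id_pub, ax_pub, bx_pub],
            "nonce": nonce, "ct": ct, "tag": tag}
    return wire, key


def attacker_recover(transcript: dict, leaked_private: int):
    """Passive attacker who recorded the transcript and later obtains one party's
    long-term private key. The only computation available is DH between the
    leaked secret and each public value seen on the wire; a candidate key is
    accepted when the authentication tag verifies under it."""
    for pub in transcript["publics"]:
        candidate = derive_key(pow(pub, leaked_private, P))
        plaintext = decrypt(candidate, transcript["nonce"], transcript["ct"], transcript["tag"])
        if plaintext is not None:
            return plaintext
    return None


def demo() -> dict:
    alice, bob = keygen(), keygen()
    message = b"meet at the usual place"  # constructed sample message
    no_fs1, k1 = static_dh_session(alice, bob, message)
    _, k2 = static_dh_session(alice, bob, message)
    fs1, e1 = ephemeral_dh_session(alice, bob, message)
    _, e2 = ephemeral_dh_session(alice, bob, message)
    return {
        "static_dh_recovered": attacker_recover(no_fs1, alice[0]) == message,
        "ephemeral_dh_recovered": (attacker_recover(fs1, alice[0]) is not None
                                   or attacker_recover(fs1, bob[0]) is not None),
        "static_sessions_share_key": k1 == k2,
        "ephemeral_sessions_share_key": e1 == e2,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the static design reports that the leaked identity key recovers the recorded message and that every session shares one key, while the ephemeral design reports neither: once the ephemeral secrets are gone, nothing the attacker holds relates to g^xy, which is the whole point of separating identity keys from session keys.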

