Hacker News | moxie's comments

A lot has changed since 2014, and this might actually be possible now. It could be tough to do this right and figure out what to do with the edge cases like importing a WA conversation that overlaps with an existing Signal conversation, or handling things like quoted replies, but this could be a fun project if anyone here wants to take a shot at coding it up.


Yeah, bummer. There were some iOS 14 changes that made this stop working as reliably, which was unfortunately right around the time people were getting new devices. It should be better now, and we're working on more stuff in this area.


With respect, as I otherwise feel you’ve made an amazing app on Android and iOS, why do you allow local backups to internal storage on Android but not iOS?

Enabling a backup on iOS, even if buried in advanced settings, that lets me export an encrypted .zip (for example, similar to Android) to my internal storage via the Files app would be tremendous. As it stands, I lost a very large amount of message history when an old iPhone broke.

I totally understand your reasons for not enabling iCloud backup, but why not a local encrypted backup via the Files app, just like Android?

Even if you feel this goes against your ethos, though I do not understand why that would only apply to iOS, it would be far better to go through a few warning messages and back up my messages than to lose years of conversations with a friend or partner who passed away. There’s hundreds upon hundreds of anecdotal stories where people value this or were burned by Signal on iOS, so clearly it is important to a large part of your existing and also potential userbase.


They store your social graph in plaintext on their servers.


The point I was trying to make was more on how Wire made the whole password situation optional, I am aware of the conversation name and creation date being stored but that's an issue depending on the threat model for each user.

The main issue I see is with the intrusiveness of how Signal PINs are handled by the UI, this will only work to alienate users or encourage writing simple PINs that make them weak to use! It would've been much better had it been treated as a fully opt in feature and PINs treated more as passwords, without the constant bombardment of reminders to input it.

This can be placed behind a "sync" option for example and enabling it opens a dialogue explaining the need for password, from there it's up to the user to enable sync and in doing so they have to set a password like normal services.

That's just my 2 cents ¯\_(ツ)_/¯


> Still stupid, shouldn't they ask if I want that functionality?

It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects.

Every other consumer messaging app in the world solves this by storing all of that information in plaintext on their servers. We're trying to do something privacy preserving instead, and have done a fair amount of engineering work to try to make it as frictionless as we possibly can.

If you have ideas for how we can achieve the same ends with less friction, we're definitely interested in the feedback.

> Not like it's going to be hard to brute force a user's PIN.

Check out this blog post for more information about the technology:

https://signal.org/blog/secure-value-recovery/


> "It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects."

You could say:

"Hi there! Do you want to keep a backup of your conversation metadata locally, or via the cloud? The latter requires you to be badgered for a pin every day and lose all your data, even the information that the pin doesn't protect, if you lose it. The former allows you to backup to a file you can save on your computer, and store a password in your password manager!"


I think calling it a PIN and asking for it so frequently is part of the problem. It certainly induces me to use a shorter one than I would otherwise like (since I keep having to enter it so often _right_ at the time I am trying to use the app).

Asking for it once at the time of a new registration, install, or a restore/reinstall would be far more preferable to me. Treating it more like a "filevault" key or an "encryption phrase/password", would certainly encourage me to use a much longer key and just put it into a password manager (and/or write it down and put it somewhere physically safe).


>It's kind of a difficult thing to ask. "Do you want this app to work like every other app in the world in the ways you've come to expect?" If people were to simply reinstall Signal and find that all of their contacts were gone, all of their groups were gone, all of their block lists were gone, etc... they'd almost certainly be surprised. It's not a behavior anyone expects.

I see a lame excuse.

Let's be real: Groups have never worked very well in Signal, so people use alternatives. It's been my experience that at some point it screws up and everyone has to delete the group and we start over again.

Contacts are stored by Apple, Google, Microsoft, and/or their work email provider for a large majority of the population. Only the minority using burners might care and they are likely already used to setting up lists every time they burn a device.

Put a checkbox in the app for: 'Store my blocklist and profile info in Apple/Google's backup system. This will share info with them'. Some users will want that, others won't. Quite a few people would like to have Signal's message backups included in an offline iOS backup, their complaints have fallen on deaf ears. Stop pontificating and give the option. It was a bigger compromise on your end creating a Signal Desktop app than it was to provide an option to include message exports in an encrypted backup.

Say what you will about Telegram, they made a much more reasonable compromise with their 'secure messaging'. This feature is not in their desktop apps as the attack surface of a desktop/laptop is too large. Secure chats instead focus on ephemerality and are torn down after completion. It's a more realistic threat model.

>Check out this blog post for more information about the technology:

Ah yes, the complex technology that relies on the insecure broken thing from Intel: https://arstechnica.com/information-technology/2020/03/hacke...


Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.

Right now that's not a problem because your social graph is in the address book on your phone, and isn't managed by Signal. This is one of the primary reasons that Signal uses phone numbers for addressing: it leverages an existing user-owned and user-managed social graph. However, what we've repeatedly heard from users is that they don't want addressing to be based exclusively on phone numbers for a variety of reasons.

If we're not using that social graph, then where does the Signal-specific social graph live? For every other app in the world, the answer is that it lives in a server-side plaintext database. Snapchat, WhatsApp, Telegram, Matrix, Wire, FB Messenger, Skype, etc etc... they're all just storing your entire social graph in a plaintext database (along with a bunch of other stuff, like your groups, profiles, etc).

Given the way that technology has developed (devices are fundamentally designed for a world of clients and servers), it's probably not possible for us to build something that makes no use of servers. Instead, we've focused on building something that doesn't store or transmit any server-side plaintext.

For instance, when you set your Signal profile name and avatar, that lives "in the cloud" so that other Signal users can retrieve and display it. But it's encrypted (https://signal.org/blog/signal-profiles-beta/), so only your contacts can see it (not us).

With Signal Private Groups (https://signal.org/blog/signal-private-group-system/), again we have to store data "in the cloud," so that there's a canonical data source for group management, but again all of the contents are encrypted so that only group members can see it (not us).

In this case, we're using Secure Value Recovery to ensure that a future addressing scheme that's not based on phone numbers is available across app reinstalls, phone switches, phone loss, etc. We could have just done what every other consumer messaging app in the world has done (store it in plaintext on the server), but we built this instead. It is the most user-friendly option that we could conceive of while still being privacy preserving, and took a lot of engineering work.

We're going to keep looking at all the feedback we've gotten, though, to try to make it the best experience we can.


Currently signal is asking for a pin periodically to allow migration to a new device every few years when a user gets a new phone.

Instead of typing in a pin every few days/weeks for years, why not just have an export feature that users can select? Have users fill out an encryption key, then 1 minute later when they grab their new phone they can type it in again.

Ideally this would work from the desktop client, a tablet client, and phone clients. So if my device dies, is stolen, or sold I can restore my history from any other signal client I run.

Or maybe use the iOS approach which allows users to cloud sync to keep history (if they want), or to turn it off, which is less convenient, but more secure.

Either approach would save 10s or 100s of pin entries, and still provide a good user experience when switching phones.


> Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.

Why not just allow users to load their data into the cloud with a pin or password? My friends that use Signal because I pressure them into it (remember, that's why a lot of people use Signal) just want a one click upload/download. Generally these are also iPhone users, which currently doesn't allow this. Why not just give a one-click option to sync into drive or iCloud? Make it optional too (for the privacy folk who are generating your userbase). Doesn't this solve the whole problem?


The point is not to force this idiocy on people. Losing my messages and contacts when setting up a new device is actually a great feature. I regularly delete them and signal even has a feature to do so automatically. And forcing people to create a pin in the ui is just lousy ux. Until I read this article, I had no idea what that meant and just wanted it to go away. Now I want it to go away even more.

Edit: it's especially stupid if you can't use a pw manager with it. I haven't tried it because I don't want to set one. Once I'm forced, I'm going to ditch signal. Fuck that.


> Right now if you re-install Signal on your device, you lose all your messages.

Right now, if I re-install Signal on a new device, it will (hopefully) prompt me for a Signal-generated passphrase that I've stored very securely, and then allow me to restore everything, messages and address book, from a backup that I've diligently made and stored under an additional layer of encryption together with the rest of my data.

Will that facility remain available? Will the backup remain encrypted with the strong passphrase, or will any app with access to external storage be able to exfiltrate something that the Signal Foundation would be able to decrypt under the assumption that SGX is broken?

While I've so far been impressed with Signal's choices (prioritizing security but staying usable), I'm extremely disappointed with the new reliance on SGX, and forcing me into this scheme would likely get me to ditch Signal.

In particular, if I get a dialog forcing me to set a PIN, I'm out (at that point, Signal will be broken for me anyways - I'm using it to talk to very non-technical users that react to UX changes with a blank stare; they won't be able to use the app if a mandatory modal popup shows up, and flying over to teach them how to deal with it isn't exactly an option right now.)

I use Signal so I don't have to trust opaque stuff happening at a third party. From my understanding, Secure Value Recovery relies heavily on SGX, and becomes mostly equivalent to plain text (brute-forcing a short PIN) if you don't trust SGX.


> For every other app in the world, the answer is that it lives in a server-side plaintext database. Snapchat, WhatsApp, Telegram, Matrix, Wire, FB Messenger, Skype, etc etc... they're all just storing your entire social graph in a plaintext database

This is true for today's Matrix network, but we do have peer-to-peer Matrix working now too (as previewed at https://fosdem.org/2020/schedule/event/dip_p2p_matrix/) which stores the metadata purely on the clients. There are no servers, other than rendezvous points to seed the network. (It's still vulnerable to traffic pattern analysis, but we're working on that - and Signal suffers this even more).

It's also worth noting that because Matrix doesn't tie identity to phone numbers (or anything else), the 'social graph' which is built up is of limited use if it's built up of anonymous personae.


I have two comments, one about the signal pin implementation as it exists now, and one possible avenue forward to obviate the need for signal pins under certain circumstances.

For signal pins today, there should be an option to not be reminded of it because the user has a password manager. The option to not remind could be buried in the settings with a big scary warning that says if you do not get reminded again you will lose everything.

Signal pins can be bypassed entirely in the cases where users have multiple devices such as a linked phone or desktop.

One device sets a strong alphanumeric pin and sends it to the server. Users can share an ID unique to each signal installation on each of their devices. Each individual device has the ID for every other individual device. For each device that does not know the signal pin, it can request it from a device that does have the signal pin and/or the device that made it. If a signal installation has the pin and gets a request for the pin from another device ID that it knows about, it provides it.

This device ID exchange behavior is used in syncthing to support e2ee peer-to-peer file sync, and could be used for syncing metadata in the situation where one device has its installation lost or reinstalled and needs to be repulled from the central servers.

An existing device(s) is told the ID of a new device and the new device is told about the existing device(s). None will communicate with the other without already having the user enter the device ID.

Once the two installations have handshaked, the existing device tells the new device what the signal pin is and it can download it from the signal server.

Users who do not wish for cloud storage could have their device treat another device as the canonical source for the data post handshake and the data could be synced over LAN or using STUN/TURN.


Yeah, I get it. My non-technical wife, brother and friends didn't.


If Signal PINs came with a feature that made it possible for me to not have my identity tied to a phone number I'd have understood (and accepted?) this release and rollout better.


moxie, I want to thank you and the entire team at Signal for all that you're doing to further e2e crypto and making mass surveillance more difficult for nefarious actors around the world. You're making everyone's communications safer.


> Right now if you re-install Signal on your device, you lose all your messages. That's already a very bad user experience, but imagine how much worse it would be if you lost your entire address book in that moment as well.

How about letting people back this up? There's no way to do this on iOS or in the desktop app. You're solving a problem of your own making with a solution your core audience of privacy conscious users does not want.


I'm not sure why you're being downvoted? Backups are an essential feature of chat apps, and it seems pretty sane that a lot of Signal users don't want any information stored in the cloud, full stop.


There must be at least 99% of the users that have phone number contacts only, because dealing with usernames is a hassle to begin with. And why not store username-only contacts in the phone's normal address book to begin with?

Why force this "feature" on everyone? There is ZERO reason for Signal to do this. I might as well use WhatsApp if you're going to start doing this shit, but I guess that's the point.


I can see why the ability to store a social graph and other metadata on Signal's servers would be a useful feature for users who don't want to tie their Signal data to their phone number and/or a plaintext social graph, and it would make sense to give users the opportunity to opt into that functionality. But for those of us whose social graph is our phone's contact list, having it forced upon us is a significant step backwards in terms of UX while adding essentially no value.

One of the things that made me optimistic about broad adoption for Signal prior to this change is that it was basically zero-friction for Android users to use Signal over the stock messaging app, aside from the few seconds it takes to download Signal and enter your phone number. But bugging the user for a PIN all the time is a significant reason to stick to the stock messaging app (or any other one, for that matter) and makes it a lot harder for me to recommend Signal in good faith to friends and family who don't care about privacy.


I think you are overreacting. Other, more popular messaging apps, also have prompts and yet they are used by hundreds of millions of people.

In my opinion as power users we forget what regular users want and need, and are not willing to give up a little of what we like. But think of the benefits (phoneless sign ups and much much better private groups, to begin with) and tell me they don't outweigh the cons (a PIN prompt once every 2 weeks, in the marginal case).


It’s frustrating that we can’t still use a local address book for this. vCard is an extensible format, so a contact vCard could very well contain a Signal-specific identifier. I don’t know if the various mobile contact APIs support this though; I suspect not.


FWIW, there are a couple of things about Apple's and Google's systems that don't work for Signal:

1. There is no meaningful remote attestation. There's no way to verify that there are HSMs at the other side of the connection at all. The people who issued the certificates are the same people terminating the connections.

2. There's no real information about what these HSMs are or what they're running. Even if we trust that the admin cards have been put in a blender, we don't know what the other weak spots are.

3. The services themselves are not cross-platform, so cross-platform apps like Signal can't use them directly.

4. It's not clear how they do node/cluster replacement, and it seems possible that they require clients to retransmit secrets in that case, which is a potentially significant weakness if true. I could be wrong about this, but the fact that I have to speculate is kind of a problem in itself.

My impression is that you're suggesting the HSMs Apple uses are better than SGX in some way, but it's not clear that anyone could know one way or the other. I think all of the scrutiny SGX is receiving is ultimately a good thing: it helps shake out bugs and improve security. It's not clear to me that the HSMs Apple uses would actually fare better if scrutinized in the same way, which could be a missed security opportunity for them.

We didn't feel that it would be best for Signal to start with a system where we say "believe that we've set up some HSMs, believe this is the certificate for them, believe the data that is transmitted is stored in them." So we've started with something that we feel has somewhat more meaningful remote attestation, and hopefully now we can weave in other types of hardware security, or maybe even figure out some cross-platform way to weave in existing deployments like iCloud Keychain etc.


"My impression is that you're suggesting the HSMs Apple uses are better than SGX in some way, but it's not clear that anyone could know one way or the other. "

I predicted SGX would have more attacks simply due to it being widely available with more incentives. They started showing up. The HSMs get an obfuscation benefit on top of whatever actual security they have.

The main benefit of a good HSM, though, is its tamper-resistance. It takes a meeting of mutually-suspicious parties to know it was received, set up properly, the right code on it, and inability to do secret updates outside those meetings. From there, there's probably a greater chance that you didn't extract any secrets from it than an Intel box with who knows whatever SGX attacks, side channels, etc are going around.

My recommendation was combining several of them (i.e. security via diversity) if one could afford it. The systems in front of them should also have strong, endpoint security carefully sanitizing and monitoring the traffic. Think a security-focused design such as OpenBSD or INTEGRITY-178B instead of Linux. Safe, systems language for any new code. Good you're using some Rust.


Honestly, I'm just hedging against people who spend a lot of time thinking about SGX and have formed opinions about it. I don't have a strong opinion either way. My "take" here is just that the information you're protecting with SGX is information Wire "protects" with indexed plaintext in a database, and that SGX vs. HSM is not really a useful debate to have in this one case.


> As for Lyme disease: The actual infection can be treated with a standard course of antibiotics. The infection does not persist indefinitely, although some people experience long-lasting effects after the infection is gone.

I don't think it's possible to make an absolute statement like this with 100% certainty given the current state of the art. Lyme is a spirochete, and there also seems to be real research suggesting it can grow biofilm to make it antibiotic resistant or resurgent.

There are patients who test positive under CDC criteria, take antibiotics, and never see a transition from IgM to IgG.

There are also patients who test positive under CDC criteria, take antibiotics, see a transition, but still experience symptoms (what you would call 'long-lasting effects'). In some cases patients in that situation have extreme gland swelling that when biopsied, seem to contain Lyme.

Like all of medicine, I think it's squishier than what you're describing. There is also a lot of crazy shit on the internet, but like you say, that's because people are genuinely suffering and have no alternatives.


> I don't think it's possible to make an absolute statement like this with 100% certainty

100% certainty is an impossibly high bar in any hard science.

This is the problem with chronic Lyme communities: They fixate on the "what if", no matter how small the probabilities. Many of these patients might very well have entirely treatable yet unrelated disorders, but their fixation on the chronic lyme infection theories keeps them focused on the wrong treatments. Many doctors have tried endless treatments with high-dose antibiotics, but the clinical studies consistently show no difference vs. placebo. We all need to move on from the chronic lyme infection theory unless/until someone provides real evidence to the contrary.

> There are patients who test positive under CDC criteria, take antibiotics, and never see a transition from IgM to IgG.

That was me. I tested positive under the CDC criteria, but followup IgG tests were negative. I lucked into a very astute infectious disease specialist who was as up-to-date on the research as I could have hoped for, and she even took the time to walk me through the various theories and studies.


> This is the problem with chronic Lyme communities: They fixate on the "what if", no matter how small the probabilities.

The chronic lyme people (e.g. ILADS) are often making recommendations that aren't based on solid evidence, but the reason they exist in the first place is because the CDC recommendations are also bullshit and the CDC isn't doing nearly enough to stem the epidemic.


There only have been a couple antibiotic studies, it's hard to get funding for more elaborate studies because of the controversy. Those studies ignore the research on biofilms and only gave antibiotics for a couple weeks. And even in those flawed studies there was a marked improvement in quality of life for Lyme patients.

Let's take the PLEASE[0] study for example. Although significant improvement in health was measured (on average 4.6 points on the SF-36 scale; 3 points is considered significant progress) the results were presented with the headline: 'Long-term use of antibiotics does not benefit long-term complaints of Lyme'.

While tens of thousands of patients have been cured by a cocktail of antibiotics taken for several months or sometimes years. This is also what the current in vitro research is showing. Lyme persisters can only be killed by a combination of antibiotics.[1] Like tuberculosis. And it's also what this data analysis of 200 patients shows.[2]

>We collected data from an online survey of 200 of our patients, which evaluated the efficacy of dapsone (diaminodiphenyl sulfone, ie, DDS) combined with other antibiotics and agents that disrupt biofilms for the treatment of chronic Lyme disease/post-treatment Lyme disease syndrome (PTLDS). ... Conclusion DDS CT decreased eight major Lyme symptoms severity and improved treatment outcomes among patients with chronic Lyme disease/PTLDS and associated coinfections.

And recently we have the spectacular results of Disulfiram.[3] A clinical trial is underway at Columbia University so we won't have official results until 2021 but all signs point to it being a gamechanger. Lyme communities are full of people with miracle stories after taking Disulfiram.

[0] https://www.nejm.org/doi/full/10.1056/NEJMoa1505425

[1] https://www.jhsph.edu/news/news-releases/2019/three-antibiot...

[2] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6388746/

[3] https://www.ncbi.nlm.nih.gov/pubmed/31151194


Did you continue to test positive for IgM? Did you eventually identify an actual cause?


> when biopsied, seem to contain Lyme.

What's this a reference to? And what do you mean by "seem" to contain Lyme Disease?


Biofilms and persister cells are the problem with chronic Lyme disease.

https://rawlsmd.com/health-articles/understanding-biofilm

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6287027/

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6521364/

It's pretty simple, if the disease is able to enter the form where it starts producing biofilms it can use them to evade antibiotics. A patient then must explore treatments to break up biofilms, and eradicate whatever infections or co-infections are present within them. There's medications that do this and more functional methods such as hyperbaric oxygen chambers.

The people who have symptoms after antibiotic treatment and the people who relapse after antibiotic treatment still likely contain Lyme disease biofilms and persister cells which are capable of causing a full relapse given enough time and the right conditions.

Those who receive early treatment and success with a single round of antibiotics are the lucky ones, and not the standard patient experience.

Even people who have been bitten by a tick, immediately started antibiotics, and caught it immediately can still get chronic Lyme disease, especially if their initial round of antibiotics was for too short a duration.

There is a lot of shit on the Internet, and what's happening to the people who have Lyme disease is an absolute travesty and crime against humanity due to our corrupt and failing medical system. The actual science and research on this is clear though: biofilms exist, Lyme disease can become chronic due to biofilms and persister cells which can evade antibiotics.

Everyone talks about how there's super bugs and infections that evade antibiotics, well Lyme disease is literally a super bug that evades antibiotics and is probably one of the most successful super bugs of our lifetimes and yet people try to deny its capabilities despite countless medical research studies proving otherwise. It's baffling really.


To add: there’s also a cystic form of Borrelia burgdorferi.

The bacteria is a spirochete, similar to the bacteria responsible for Syphilis.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2564911/

https://en.m.wikipedia.org/wiki/Borrelia_burgdorferi


Are there phage therapy options for persistent lyme disease? Lyme disease is caused by the pathogen Borrelia burgdorferi. A quick pubmed search ([1],[2]) turned up two papers describing phage that interact with Borrelia.

Neither discussed their suitability for phage therapy. The most recent investigated phages as a potential mechanism for horizontal gene transfer b/w Borrelia burgdorferi: https://www.ncbi.nlm.nih.gov/pubmed/27811049

More searching led me to a page titled "Chronic Lime Disease" at the "Phage Therapy Center": https://www.phagetherapycenter.com/pii/PatientServlet?comman...

They seem to have developed phages for clinical treatment of chronic infections (perhaps biofilm mediated) of typical pathogens, and suggest that patients suffering from chronic lyme disease may actually be testing false-positive for Borrelia, and if so, may actually be suffering from chronic biofilm-mediated infection of a more common pathogen. In their words:

>>>> quote <<<<

Sometimes patients who have a legitimate, or otherwise, diagnosis of Chronic Lyme Disease, fibromyalgia or chronic fatigue are actually suffering from a toxin overload that is produced by a particular strain of bacteria. By clearing the treatable bacterial infections and utilizing various techniques to help reduce the toxin loads, there can be much improvement in the patient's overall condition.

Patients who have or who have had Lyme and Lyme co-infections may have serious damage to their immune systems, making them more susceptible to infection. Chronic infections are biofilms, they are colonies of a number of bacteria that together form colonies in various parts of the body - the sinuses, urinary tract, prostate and elsewhere that are inherently more resistant to antibiotics. While in-vitro lab tests may show sensitivity to various antibacterials, such infections typically do not respond to antibiotics. Dr. Tim Lu (MIT), a professor at MIT, explains why biofilms are antibiotic resistant, and why bacteriophage therapy can be effective:

"A classic example of a patient who had a Western Blot test that detected antibodies for Borrelia bergdorferi: Laura Roberts nearly died from her "non-Lyme co-infection", due to a deadly strain of MRSA which was detected by the lab. There are other similar cases." - Dr. Tim Lu - Biofilms and Phage Therapy

To reiterate, if your infection is a biofilm containing Borrelia or any of the Lyme co-infections, phage therapy from our clinic is NOT going to help you. If the infection is caused by one of the treatable genuses (Staphylococcus spp., Streptococcus spp., Enterococcus spp., E. coli, Proteus spp., Pseudomonas aeruginosa, Salmonella spp., Shigella spp., Clostridium difficile (C.Diff), Klebsiella spp., Morganella spp. and several others) there is a good chance we can - but NO GUARANTEE. You will need to test for the presence of these treatable pathogens and even if they are cleared, sometimes symptoms will persist.

>>>>> endquote <<<<<

[1] https://www.ncbi.nlm.nih.gov/pubmed/?term=%22Borrelia%22%5BM...

[2] https://www.ncbi.nlm.nih.gov/pubmed?term=%22Borrelia%2Fvirol...


> "Also the end of the story mentions there are no obvious monuments to the people who worked to help rescue people but there is one in the very city he was reporting from dedicated to the firefighters and others involved: https://oddviser.com/ukraine/chernobyl/memorial"

I've seen it and really love it. The distinction is that it's inside the exclusion zone, a guerrilla art installation built by the liquidators themselves, not somewhere people can see it where life goes on, like Kiev or Minsk.


Right, sounds like a fascinating place. Thanks for the article.

I'm interested to learn more about the security of the place (i.e., how effective is it, the possible repercussions when caught, etc). Something I plan to read more into one day.


"Only 1400 kilograms of uranium and graphite mixture would have needed to hit the water to set off a new explosion. Our experts studied the possibility and concluded that the explosion would have had a force of 3 to 5 megatons. Minsk...would have been razed." - Vassili Nesterenko, director of the Institute of Nuclear Energy at the National Academy of Sciences of Belarus.

I am not a nuclear physicist, but at least some people who are did not find this to be "clearly nonsense."


If nothing else, consider this. If all it takes to cause a 3-5MT explosion is to get uranium hot and pour water on it, why would anyone go to the effort of developing a more complex weapon? The entire Manhattan project could have been easily solved if it was this simple, and even then the Fat Man and Little Boy bombs only yielded between 13-22kT. It wasn't until 7 years after WWII that the US managed to conduct a test that broke the mega-ton barrier. More complex H-bombs are required for this.

But regardless, we're picking nits here. It's a fun read and I enjoy your stories, so I wasn't intending to pick on you.


Ignoring the plausibility of the yield, Minsk is over 150km away from Pripyat. It's impossible for a 5Mt explosion centered on Pripyat to even reach Minsk, let alone "raze" it.


I think there's a lot of uncertainty in talking about Chernobyl, since most of the information published by the Soviet authorities was intentionally incorrect or misleading, designed to downplay the significance of the accident.

One thing I've found interesting in talking about Chernobyl is that advocates of nuclear power are often willing to accept the Soviet numbers as fact, since they confirm the idea that nuclear power is still relatively "safe" even in case of disaster.

I don't know what the exact numbers are, and I'm not sure if any of us will ever know for sure, but one of the documentaries I like is Discovery's "Battle of Chernobyl," since it includes a lot of interviews with people who were actually there and participated in the events. They interview Nikolay Antoshkin, the colonel general in charge of the helicopter operations there, which is where the 600 pilot deaths number comes from. I'm more inclined to believe that account than what the state published.


> One thing I've found interesting in talking about Chernobyl is that advocates of nuclear power are often willing to accept the Soviet numbers as fact, since they confirm the idea that nuclear power is still relatively "safe" even in case of disaster.

I believe the IAEA report (which you can read yourself) put together by the United Nations and relevant affected governments in the mid-2000s. It shows that over the entire course of time 4,000 people will have died prematurely as a result of the accident at Chernobyl (including people who killed themselves because they feared they were "contaminated"), and between 31 and 54 people died between both the explosion itself and to acute radiation injuries in the immediate aftermath -- including the helicopter pilots you mention. [1]

I also believe that 7.3 million people die every year as a direct result of the burning of fossil fuels. [2]

Everything is trade-offs. The accident was bad, and it could have been an awful lot worse. On the other hand, it's important we not lose sight of the big picture. When humans get hurt, they learn why, and move forward - this should not be an exception.

[1] https://en.wikipedia.org/wiki/Deaths_due_to_the_Chernobyl_di...

[2] https://en.wikipedia.org/wiki/Energy_accidents


Most of those 7.3 million deaths are from people burning local fuels (wood, trash, dung, etc.) for heating and cooking.

It seems unfair to compare subsistence, low-tech energy (dung burning) to nuclear energy.

It makes a lot more sense to compare high-tech nuclear energy with high-tech renewables (with storage).


> It makes a lot more sense to compare high-tech nuclear energy with high-tech renewables (with storage).

If you really want to compare that, rooftop solar actually has a significant risk of worker death. I am willing to bet that, per TWh, there would be significantly more deaths with solar than nuclear.


Your hypothesis made sense to me, so I did a bit of research to try and back up the claim.

No idea about the biases or accuracy of the information supplied in these links, so take it with a grain of salt, but they seem to support the idea that Solar (installation) is indeed more dangerous than Nuclear per TWh.

Too many factors to call it more "dangerous", and also disingenuous because the absolute worst case scenario for solar power doesn't have the possibility of negatively impacting millions of people's lives.

But hey, this is a bit of a fun fact that might stop people demonising nuclear energy so much.

Sources:

https://www.nextbigfuture.com/2016/06/update-of-death-per-te... https://www.forbes.com/sites/jamesconca/2012/06/10/energys-d...


The absolute worst case scenario for Chernobyl would have happened if the corium had melted through to the water table and caused a huge steam explosion. This was narrowly avoided. It's hard to estimate the impact but at the very least a much larger area would have been heavily irradiated.

Deaths/TrKWhr isn't a useful measure, because nuclear has a binary risk profile. When it goes badly wrong it does a lot of lasting economic damage, in ways that other energy sources don't.

There's also no way to compare "TCO" like for like because coal etc are nasty immediate pollutants, while nuclear waste remains a problem for a very long time.

The real problem with nuclear isn't the technology, it's the trustworthiness of the management culture around it. If the industry was a byword for truth, honesty, and straight dealing it would be perceived in a much less negative way.

That doesn't seem to be how the industry operates.

https://en.wikipedia.org/wiki/List_of_nuclear_whistleblowers


Interestingly enough Wiki notes an EU study[0][1] that shows that nuclear and wind are some of the cheapest energy sources when you price in environmental effects and health costs.

[0] https://en.wikipedia.org/wiki/Environmental_impact_of_the_co...

[1] http://www.externe.info/externe_2006/exterpols.html


People "demonizing" nuclear typically do it because of the potential devastating consequences of an accident, and the uncertainty of storing waste for thousands of years. Not because they think nuclear has a high death toll in everyday use.


But the potential devastation isn’t rooted in reality - anyone can assume the worst could happen, and when it did happen in Chernobyl the numbers haven’t been very high.

The alternatives, even the green ones like hydroelectric, have dwarfed nuclear-related deaths hundreds, if not thousands, of times over with single catastrophes[0].

Arguments against the storage of nuclear fuel usually don’t understand how little waste there is and, even still, burying a problem for 200 years while we figure out how to deal with it is an infinite number of times better than dealing with the fallout of global warming by not shifting to nuclear energy.

[0] https://en.m.wikipedia.org/wiki/Banqiao_Dam


I'm actually pro nuclear, but I get concerned when I see people downplaying the risks. The only way we can have safe nuclear is if people actually understand and take the risks seriously and put oversight and safeguards in place. E.g. saying that Chernobyl is the "worst that could happen" is just willfully ignorant. Chernobyl was bad but could have been a lot worse.

Even then, nobody even knows or agrees how many victims Chernobyl has claimed or will still claim.

Comparing nuclear-related deaths to the Chinese dam disaster is a bit disingenuous also. China did not have nuclear power in the same time period, so of course no nuclear-related deaths happened. But if China had had enough nuclear plants to replace dams and they had the same amount of construction errors, removal of safety features, bad management and a "once in 2000 years" unforeseen natural disaster - are you sure no nuclear accidents would have happened?

If you just compare absolute numbers, you will see walking is more dangerous than skydiving.


> anyone can assume the worst could happen, and when it did happen in Chernobyl

The miniseries makes it clear that the absolute worst outcomes at Chernobyl were prevented through huge effort: water was drained from the tanks under the meltdown, so there was no steam explosion that would have smashed the other reactor cores as well. The meltdown then did not burn through the concrete and into the groundwater table.


Hydroelectric is not "green". It has devastating ecologic impact. It is better than some alternatives, but it also tends to destroy whole ecosystems.


Well let me give you another number then. 1 million deaths, annually, are linked to coal ash.


Are you telling me that this chart [1] is pure correlation with no causation whatsoever? Do you live in the area affected by the Chernobyl disaster? (I do). Or do you live half a world away with no direct health-related stake in this? Even so, why are you content with hiding under the rug these "statistical anomalies"?

[1] https://en.wikipedia.org/wiki/Chernobyl_disaster#/media/File...


The 7.3 million figure is like the “12 years left” figure, that is to say it requires a little work to understand where it came from and what it means.

“Ambient air pollution was responsible for 4.3 million deaths” and “3.8 million deaths every year as a result of household exposure to smoke from dirty cookstoves and fuels”.

I haven’t dug into the indoor figures but a quick reading suggests that attributing the death toll to fossil fuels in general is misreading the report.

For example, ”91% of those premature deaths occurred in low- and middle-income countries” so the bigger problem is how the fuel is used - since richer countries actually use more fuel per capita.

Cooking with coal on an open stove in an unventilated room will slowly kill you from the carbon particulate. Apparently this is a large percentage of the indoor pollution death statistic. The problem here is coal stoves specifically not fossil fuels in general.

The outdoor statistic is a bit more interesting. The Model they use to calculate the number [1] basically takes a curve of PM exposure level across populations around the world, multiplied by an integrated exposure-response (IER) function.

Over the last few years they have lowered the counterfactual concentration (the point below which PM has no effect) and steepened the IER.

Through this methodology they can arrive at a death rate of nearly 5 million without a single death certificate ever actually stating “air pollution”.

They do this by trying to tease out the damage done by PM by observing places where PM has changed and then looking at how mortality rate due to cancers and such also changed.

It’s an interesting figure, but in a sense misses the forest for the trees.

Particulate matter definitely has adverse health effects. One study said an average shortening of life expectancy in Europe of 9 months. But the overall “industry” that creates PM (everything from cars kicking up dust on the road to smokestacks) also is responsible for the modern world where ~8 billion people can survive. Is PM shortening lifespans? Or is PM drastically extending lifespans (e.g. preventing mass starvation) while simultaneously also somewhat shortening an idealized life that could have magically gotten everything it needed to survive except without any PM.

If you are going to publish a number of the harm of PM by extrapolating from an IER and PM levels, it would also be useful to consider the net effect, which would be staggeringly positive in terms of lives saved and lengthened not shortened.

[1] - https://www.who.int/airpollution/data/AAP_BoD_methods_March2...


> If you are going to publish a number of the harm of PM by extrapolating from an IER and PM levels, it should be a net effect, which would be staggeringly positive in terms of lives saved and lengthened not shortened.

Respectfully I disagree. You've conflated the primary effect and the side-effect. The primary effect is energy is generated and energy is what has improved our lives. The side-effect is PM exposure which is killing us. Burning fossil fuels isn't extending anyone's lives. Generating energy is. If we can trade it out for a better method the same extension of life persists, and the premature deaths drop. Thus, we can factor it out. The truth is, it does both things, and we need to switch it out for an energy source which only does the former without doing the latter.

Imagine for a second a power plant that generates electricity but once in a while it murders a random passer-by. I think it's fair to say the power plant is responsible for those murders, and we can talk about replacing it without having to talk about all the good it's doing.


I actually agree with you and edited my comment before reading your reply to soften that specific part (should be -> could be useful to consider)

I think the interesting thing which the statistic misses is that people are still choosing to light that stove with coal even though the PM it creates is damaging their health, because it’s the least worst option.

Outside PM is different because it can come from the factory down the road producing widgets for some other country, but the fact that inside PM contributes to nearly the same negative health impact, that is not a government intervention / negative externality! Starve with clean air or cook food for your family. This isn’t a fossil fuel problem, and isn’t something that can be switched out in any sense.

A makeshift stove can burn coal and cook a meal. You’ll never match that with any non-emitting technology because it will always require some investment where literally none is available.


Yeah, I think that's totally reasonable and I should have addressed that in my reply too. There's definitely a big difference between PM released by factories and that of individuals cooking/heating/etc with coal.

> A makeshift stove can burn coal and cook a meal. You’ll never match that with any non-emitting technology because it will always require some investment where literally none is available.

True, I just hope that cheaper, clean power (whatever that means) allows more people to make the healthy choice.

To be clear, the other points I agreed with in large part.


This is the proper analysis


I see interviews with Antoshkin about the lack of precautions taken for the pilots, in stories citing the "600" number as the total number of pilots involved, but nothing establishing 600 fatalities.

I screened the Discovery documentary you're referring to and watched all the segments in which Antoshkin appears. It's the narrator of the special who claims 600 helicopter pilot fatalities, not Antoshkin himself, unless I've missed something. Can the 600 number be squared with the number of helicopters involved (the documentary claims 60, I think) and the number of missions the pilots fly (dozens per day), and with the fact that you can find some of those pilots giving interviews just a few years ago?


> One thing I've found interesting in talking about Chernobyl is that advocates of nuclear power are often willing to accept the Soviet numbers as fact, since they confirm the idea that nuclear power is still relatively "safe" even in case of disaster.

I figure it balances out the people who are extremely critical of nuclear power and accept that there could actually have been a 5 megaton explosion.

I'm not a strong advocate of nuclear power myself, but I tend to discount the value of Chernobyl as an argument for/against nuclear power. It was a terrible design in addition to being old, had little in the way of containment, and the games the operators were playing with the plant were off-the-charts stupid. Compared even to the oldest commercial Western-design reactors, it is a horrid contraption.


And even still the remaining 3 reactors at the Chernobyl plant continued to operate safely, the last one closing in the year 2000. There’s a number of RBMK reactors in use today; they learned from the accident and patched up the issues. Not to say the new western reactors aren’t better, they very much are.


Even the older western reactors were much better. Look up “positive void coefficient” and “passive nuclear safety”.


I believe it. In this case I think it's fair to say the results speak for themselves.


Sure, but the Fukushima incident speaks for itself as to their safety.


After a magnitude 9 earthquake, one of those older reactors at Fukushima "just" melted down, and core material probably hasn't escaped secondary containment (unfortunately the water pumped through the core is a different story). In contrast, during a botched safety test the reactor core at Chernobyl exploded.

The impact to the surrounding environment was many orders of magnitude greater at Chernobyl, which is what happens when the reactor core explodes.

~50 people died at Chernobyl from acute radiation exposure in the first few weeks, and a couple employees actually got exploded. Lots of people died in the Tohoku earthquake and tsunami, but none like that.

Please consider how you're hurting folks' ability to make good decisions when you spread misleading absolutist nonsense.


I don't see thousands of people adversely affected by renewable energy for years (due to cancer, displacement and other health issues). Only counting deaths does not paint an accurate picture.

Besides, no one knows the total cost of nuclear energy because no one has solved the nuclear waste problem for 100,000+ years. There are likely to be billions of dollars needed to be spent on this long term issue.


Sorry but 600 pilot fatalities in the Chernobyl disaster is just plain nonsense, no matter what you might believe about soviets.

> I think there's a lot of uncertainty in talking about Chernobyl, since most of the information published by the Soviet authorities was intentionally incorrect or misleading, designed to downplay the significance of the accident.

You seem to be assuming malice when there's mostly incompetence, and giving too much credibility to huge organizations; they aren't perfectly coordinated black boxes in control of everything they are trying to do. The Chernobyl disaster has been cross documented top to bottom in that regard. Most of the missing info was due to corruption, see the song "Я вынес из зоны" by Sergey Uryvin as an example. There was an attempt to downplay the incident early on, but one simply cannot hide a disaster of that scale. Nor was there much desire to do this internally, after the scale became apparent. Besides, most of the information wasn't coming from authorities.

The only reason one can be uncertain about such ridiculous claims is unfamiliarity with the details of the disaster, and/or lack of understanding of culture at the time and also the language.


1) If you prefer we can multiply all the numbers by 100, nuclear is still better than what we actually did over the past 40 years since Chernobyl.

2) We have actual evidence of how a similar-era nuclear reactor fails in Fukushima (it was built in the 80s iirc). If we write off the Soviet numbers as misinformation, then using a strictly evidence-based approach and extrapolating from Fukushima, their numbers were overexaggerating the damage.

I doubt they were exaggerating, I think Chernobyl was a lot nastier than Fukushima, but as a committed nuclear advocate, the idea that I'm relying on Soviet numbers is a misrepresentation. I'm relying on the divide-by-40-years, the linear-no-threshold-model-is-not-sensible and the by-gum-we-know-a-lot-more-about-how-to-design-things-safely-since-we-are-now-in-2020 arguments (3 sig. fig). Also the this-thing-is-millions-of-times-more-energy-dense-than-anything-else-it-is-amazing-we-are-talking-orders-of-magnitude-improvement-your-brain-probably-can't-imagine-that-without-special-training motivating factor.


Fukushima is 60's design, launched in 1971-75.

https://www.world-nuclear.org/information-library/safety-and...


> since most of the information published by the Soviet authorities was intentionally incorrect or misleading

There's also the opposite - cold war era propaganda trying to make the Russians seem backwards and primitive. The Soviet Union at the time was also opening up through glasnost.

On top of this, fossil fuel companies had a lot to gain through scaremongering around nuclear energy. It worked very well, as almost all planned nuclear power plants were mothballed.


Discovery channel where every single documentary is staged, exaggerated and filled with useless emotions. Even the department of information in the Soviet Union is more reliable than that.


Even if a thousands died from Chernobyl, it reflects the danger of the Soviet system, not of nuclear energy.

Just take the thing we learned in this week's episode: The design flaw on the RBMK reactors that caused the explosion had been observed before, but the report was classified to not put the glorious Soviet nuclear technology in a bad light!!!

In any remotely sane system, security risks are published and compensated for. The operators would have known about this risk, and not pressed the fateful AZ-5 button that caused the explosion


I kinda miss your point. What then does the Fukushima incident reflect? Danger of Japanese system, lol? Or as the US contractors built it, the US system? As according analysis [1] the Fukushima station design itself did not consider the natural features of place. Chernobyl incident happened due to human error, according to same source.

[1] https://en.wikipedia.org/wiki/Comparison_of_Fukushima_and_Ch...

edit: formatting


Fukushima was a very extreme natural disaster striking at a precise location to expose that the Fukushima reactors were not fully ready for a theoretically possible but never in 1000+ years of Japanese history observed earthquake.

15,897 people died in Japan that day, in buildings, roads, and vehicles. None from the nuclear incident. Yet no one talks about how the building, road, and vehicle security failed and wants to ban those.

Sure, the Fukushima security could and should have been better. The industry has learned the lessons, as it does from all accidents. But even if it didn't, we could easily absorb accidents like these for once in a 1000+ years and still be the cleanest energy form there is.

The comparison with Chernobyl is no comparison. That was an unforced error on a calm spring night. Operators doing experiments on badly designed reactors with known flaws they were not informed about because it would look bad to spread the information that pressing a certain button in a certain situation was risky. So they pressed the button, and the reactor exploded.

https://en.wikipedia.org/wiki/2011_T%C5%8Dhoku_earthquake_an...


We could have a Fukushima and a Chernobyl a year and it would still be a net improvement.


In numbers of dead, you're right. In left behind "exclusion zones", it would become untenable.


If the exclusion zones were made as excessive as Chernobyl, sure, but most of the Chernobyl exclusion zone is safe today, and most of the rest could be made safe with relatively little additional effort. With even a somewhat more reasonable exclusion zone, if that was the trade-off and we could save those who die from fossil fuel plants today, it'd be an easy choice for my part.

Of course it's not a realistic trade-off - it's "easy" to make plants vastly safer than either.


> I think there's a lot of uncertainty in talking about Chernobyl, since most of the information published by the Soviet authorities was intentionally incorrect or misleading, designed to downplay the significance of the accident.

I'd add the Romanian authorities to that list (I'm from Romania). Looking at the areas contaminated with Cesium-137 [1] one can see that Bulgaria is reasonably high in that list while Romania is no-where to be found, even though my country physically stands between Bulgaria and Chernobyl. The reason for that is that Ceausescu's regime was either too incompetent or too ideologically corrupt to correctly measure the Chernobyl disaster's effects on the country's population and ecosystem.

[1] https://en.wikipedia.org/wiki/Chernobyl_disaster#Environment...


>>One thing I've found interesting in talking about Chernobyl is that advocates of nuclear power are often willing to accept the Soviet numbers as fact, since they confirm the idea that nuclear power is still relatively "safe" even in case of disaster.

The other posters mentioned the trade-off, or people die in plane crashes but many more would have died had they taken the car. Power needs to be generated one way or another...

Also, can we agree that the Chernobyl plant's design and management might have been lacking? New models are much safer.


It's safe even if you take the worst case estimates. There's no need to accept the Soviet numbers to justify nuclear power.


Hehe. Discovery channel? I would rather trust Soviet lies. Of course the Soviets lied to cover up, but I believe there was also a symmetric campaign to exaggerate the impact of Chernobyl. And the very HBO series is going to be rather scary propaganda. I read a lot on the topic. After Chernobyl ca. half a million people were relocated. Most of it just for psychical comfort as there was no risk involved.

