Is there a certain time period after which we can say it's not FUD? Like if we go 10 years without any additional clarification after the Snowden slides, is it still automatically FUD?
No claim of present NSA ability was stated. Noting the age of the data in question is a fact. Stating that an absence of new data creates a state of unknowing is a fact.
Fear of an oppressive government hacking the connection and arrest you.
Uncertainty of agencies' capabilities given that they operate under top-secret levels with unlimited budgets.
Doubt that they would stop working on or advancing the state of the art at defeating the security.
It seems a little unreasonable how much you are being downvoted, the parent comment uses uncertainty to cast doubt on the idea that TOR is safe from the NSA. That can easily invoke fear.
Unfortunately that is largely what we have to go off with the NSA.
> There's no way to know GCHQ/NSA aren't running 90%+ of bridges and exit relays
Yes there is. There are currently 857 exit nodes. The Tor Project only has to personally know who runs 86 of them to ensure that 90% of the exits are not run by the NSA.
In fact, since ~90% of traffic exits through the top ~260 relays, they'd only need to know 27 of the people who run those.
This guarantee doesn't scale very well considering the combined 5 Eyes intel budget is ~60 billion USD and throwing just 0.1% of their budget at negating Tor would completely overwhelm the network with hundreds of thousands of stooge relays, plus they have the added benefit of global backbone cable traps. Tor can't give any kind of guarantee against a global passive adversary (5 Eyes) which is why they specifically warn against believing otherwise.
> The Tor Browser does not send misinformation; it just blocks.
No, it doesn't. TB sends all kinds of misinformation, from the user agent string (always reports itself as being its base version of Firefox running on 32-bit Windows 7) to rounding javascript timing functions to reduce the precision.
> A solution would probably be a browser where every version, on every platform reports the exact same things, always the same way.
> The Wire guys made very specific claims (where did they get the >$2M figure from ... and why would they simply invent such a figure).
Their court filing[0] says the license fee was "unspecified" and the $2 million figure was based on "information and belief" which is legal terminology used to dodge perjury[1]. If they had really been told that, they wouldn't be using terms that mean "I heard that from somewhere second-hand and think it might be true".
Most users haven't made a conscious choice to use Chrome. They install it accidentally by not unticking a checkbox[0] or because they are told it will make the Google work better[1].
You think more than 50% of the people using Firefox or (especially) Internet Explorer deliberately sought it out and installed it after making an informed decision?
I'm not even talking about tricks. IE comes pre-installed on all PCs, obviously, except for Europeans, and that only for a few years. But users generally do not bother performing in-depth research on the software they install, be it a browser some other piece of software. They use what that one technical friend keeps blabbering on about, or what their sysadmin installs on their work PC, or whatever comes up as #1 Google result when they search for 'open PDF file'. They intentionally install Firefox, true, but I am not convinced that decision is informed.
This topic was about GCM specifically, which, since it goes through Google servers (unlike, say, my arbitrary browsing, or the network profile of my arbitrary apps), is directly available to Google.
Speculating that Google may have access to my full network profile is a little off-topic, but yeah, if they did have that data, they could certainly do similar analysis on it.
The answer is "GCM may reveal more to Google than one would expect from using an E2E encryption application (like metadata, and more than one would initially assume)".
The person I initially replied to was talking about Google, GCM, E2E encryption, and that metadata won't reveal anything to Google except time/date of a single message and the message size. I pointed out there may be more information there.
I have no doubt that the NSA can do traffic analysis, or may have some of this data already... I'm not sure why that is in the replies to my comments in this thread.
That's only a meaningful answer if simple traffic behavior wasn't already revealing the same information. Was it, or wasn't it? I feel like I'm having a hard time getting a straight answer.
Does Google already have simple traffic behavior? If yes, then this information is nothing new to Google. If no, then this information may be new to Google.
Form a straight question and you'll get a straight answer.
Are you in the right thread? The discussion here is about what information Google can get from GCM messages, not what the NSA can get from GCM messages.
And even though your question is off-topic, I already answered it above.
Why would you accuse someone of being allergic to a technology when they are simply answering questions about it? If you disagree with the actual topic of discussion - that Google (not the NSA) might get more than just "message sizes and timestamps" out of an E2E-encrypted app which uses GCM messages - then have a normal conversation about it instead of bringing up the NSA repeatedly.
And if not, then stop making baseless and inflammatory accusations.
> Are you in the right thread? The discussion here is about what information Google can get from GCM messages
The parent poster of the post you initially replied to asserted that Signal was "giving NSA the only thing what they want: metadata from Google", so I guess that's where tptacek is coming from.
On a side note, Google can't actually know the message sizes because GCM is used without a payload.
More worried about NSA correlating the two after getting the data from Google, but the one good thing about their centralization model probably is that with millions of users to a central server (and something you do as often as texting) this makes timing analysis extremely difficult.
But the "observer" can still know which mobile phone is yours and who communicates with whom? Especially if the "observer" has the info from the Signal servers.
Edit (as i can't post you reply to your answer):
And based on the NSA principle of the "thee levels of distance" everybody is reachable as long as some common numbers are in our contact lists which we happily upload.
What does Play Services have to do with anything? APKs downloaded from the Play Store are signed by a key the developer holds and validated by Android's PackageManagerService which is open source.
Signal itself works, but since Google is blocked no phones are sold with Google Play Store and even if you hack it onto your phone (which will break when it wants to update play services) it will drain your battery trying to connect to blocked services. Unless you use vpn (which will drain battery by itself and also eventually be blocked), but notifications probably still won't work because of the phones original firmware. So yes it works if you hack it onto your phone and then remove play services and checks the application manually. Until it wants to update the app that is, which is often.
Point. It doesn't really work because it only supports the Google Play Store, even as most Chinese phones can load apps directly (because of the fragmented ecosystem). So at least it doesn't work in the "prevent mass surveillance" way.
I guess maybe it works from the Apple App Store? (which isn't blocked)
I reproduce here the dead message from "uola" I think the message deserves a proper response and not to be flagged.
"Signal itself works, but since Google is blocked no phones are sold with Google Play Store and even if you hack it onto your phone (which will break when it wants to update play services) it will drain your battery trying to connect to blocked services. Unless you use vpn (which will drain battery by itself and also eventually be blocked), but notifications probably still won't work because of the phones original firmware. So yes it works if you hack it onto your phone and then remove play services and checks the application manually. Until it wants to update the app that is, which is often.
Point. It doesn't really work because it only supports the Google Play Store, even as most Chinese phones can load apps directly (because of the fragmented ecosystem). So at least it doesn't work in the "prevent mass surveillance" way.
I guess maybe it works from the Apple App Store? (which isn't blocked)"
Thanks for that link. It is much more informative than the other one. I can see where he's coming from. Some of the things he wants as a developer are things that I don't personally want as a user (automated updates), but then I can build and install the thing myself, as he says.
Correct me if I'm wrong, but couldn't he host a private repository like the Guardian Project does with his own binary signed with his own key? People would have to manually add the repo, but I believe F-droid lets you do that. Fdroid just wants everything they build to be signed with their key, which to me makes sense. The Pale Moon dev had the same or similar reservations last I checked, but I heard nothing about a private repo.
It would be more work for him of course, maintaining a repo and pushing updates to two locations, but I don't think it would be too much extra work and it sounds like a lot of people are looking for a non-GP repo. Pushing to your own server is easier than updating in an app market anyday.
At the end of the day, he can of course spend his time how he wants, I just think there's a loud if not large group that would like a Google Play Services-less Signal.
Unless I'm mistaken, he's already done that. He just had to rename it to something else. So AFAICT there is nothing to see here. As you say, F-Droid already does that with several packages (and even renames them when requested).
Some people are clearly angry, but it seems that this is yet another case where people are angry because they don't understand the GPL or don't understand the situation (or both).
If you're talking about https://fdroid.eutopia.cz/, I don't think that's the same thing. This isn't Moxie's and because of the name change, not completely moxie's code unless he's got a build flag for changing the name everywhere, not sure.
I download things from F-Droid, mostly for convenience and security since I get notified about updates, but I understand it is another person/group I need to trust. I trust, for whatever reason, that they will build directly from source and update frequently.
Ways this could go, as I see it:
0. Moxie's code, moxie's build, Google's repo - The current way I know of getting moxie's build, but you have to trust Google as well.
1. Moxie's code, moxie's build, moxie's repo - I think this would be best, and what I was talking about.
2. Moxie's code, fdroid'd build, fdroid's repo - what I would also like, but moxie publicly discourages unofficial builds so fdroid doesn't want to touch it. Up to them.
2b. Moxie's code, moxie's build, fdroid's repo - a hypothetical some people have floated, but fdroid won't host binaries they haven't built from source and I don't blame them and moxie wouldn't provide an official build outside of Gplay either way.
3. Moxie's code modified with new name by 3rd party, 3rd party's build, 3rd party's repo - eutopia.cz's build and repo. Another person to trust to build correctly and update frequently
I don't think it's just some people being angry. I think things could be better, but it doesn't sound like they will. Moxie wants F-Droid to provide services similar to what GPServices provides before he'll do 1. F-Droid will never do this(hopefully). So we have to live with 0 or 3. I think scenario 1 > 3 > 0, other people think otherwise.
Except they are. The F-Droid devs kept claiming they weren't. Moxie asked them to describe the system and surprise, surprise the keys are stored on a machine that is connected to a network that is connected to the internet. It turned out that the F-Droid devs didn't/don't understand the concept of stored offline vs online.
What? APKs are signed by the developer before they uploaded to the store and the signatures are verified by PackageManagerService which is a part of AOSP.
whether implicit trusts such as for example Google Play Licensing[1] or explicit trusts such as for example the set of Certification Authorities Android devices ship with, you are trusting Google in many ways.
In the example you provide, you are trusting google in the same way you are trusting every SSL cert authority. What you are responding to is a reference to the signing of the APK, which is not (and cannot be) done by google even if the security of the transport layer is compromised.
