I expect a tool which claims to be secure to actually be secure. I don't view "but that makes it harder for the average person" as an acceptable excuse. If Edward Snowden and Bruce Schneier are going to spout the virtues of the app, I expect it to actually be secure when it matters - when vulnerable people using it to encrypt sensitive communications are targeted by smart and powerful adversaries.
Making promises about security without explaining the tradeoffs you made in order to appeal to the average user is unethical. Tradeoffs are necessary - but self-serving tradeoffs are not, and it's your responsibility to clearly explain the drawbacks and advantages of the tradeoffs you make. If you make broad and inaccurate statements about your communications product being "secure", then when the political prisoners who believed you are being tortured and hanged, it's on you. The stakes are serious. Let me explain why I don't think Signal takes them seriously. [...]
Truly secure systems do not require you to trust the service provider. This is the point of end-to-end encryption. But we have to trust that Moxie is running the server software he says he is. We have to trust that he isn't writing down a list of people we've talked to, when, and how often. We have to trust not only that Moxie is trustworthy, but given that Open Whisper Systems is based in San Francisco we have to trust that he hasn't received a national security letter, too (by the way, Signal doesn't have a warrant canary). Moxie can tell us he doesn't store these things, but he could. Truly secure systems don't require trust. [...]
And here comes the truly despicable bit:
Moxie forbids you from distributing branded builds of the Signal app, and if you rebrand he forbids you from using the official Open Whisper servers. Because his servers don't federate, that means that users of Signal forks cannot talk to Signal users. This is a truly genius move. No fork of Signal to date has ever gained any traction, and never will, because you can't talk to any Signal users with them. In fact, there are no third-party applications which can interact with Signal users in any way. Moxie can write as many blog posts which appeal to wispy ideals and "moving ecosystems" as he wants, but those are all really convenient excuses for an argument which allows him to design systems which serve his own interests.
No doubt these are non-trivial problems to solve. But I have personally been involved in open source projects which have collectively solved similarly difficult problems a thousand times over with a combined budget on the order of tens of thousands of dollars.
What were you going to do with that 50 million dollars again?
It is clear from its design and behavior that Signal's priority is to be a social network first and an encryption tool second. Growth at any cost.
Last year I gave Signal a try and it immediately spammed all of my contacts with my non-public phone number. So I was already aware that Signal is sketchy as fuck.
But abusing trademark law to circumvent the checks and balances that open source development normally provides is just appalling. They get to pretend that it is open source, get the bullet item on the pitch sheet, get the good press associated with that, while still maintaining absolute control. It's no less a vertically-integrated, untrustworthy data silo than any product from Facebook or Google.
Like many of our sessions, the event lasts an entire working day and involves co-workers cuddling in a 'relaxation tent' designed to reduce stress and encourage team bonding. Our cuddling sessions can accommodate from four people up to groups of 20 at a time. [...]
We've based each 'relaxation tent' on Moroccan and Indian relaxation practices, and there will be incense and oil lamp lighting, as well as large bean bags and relaxation beds for everyone in the group. During the day co-workers will be required to cuddle each other in a variety of different positions and will need to switch partners every two hours -- so that you have a chance to bond with everyone.
At the beginning of the day there will be a group admission session, where co-workers will talk about the negative traits of their colleagues [...]
We're also looking for professional 'cuddlers' to help us run the classes. Applicants must have experience in a similar role and will ideally have a psychology background or qualification. Successful applicants can expect to be paid upwards of £30 an hour and must be available to run up to four classes a week.
In the world of clownery, tradition has long dictated that a clown must never steal another clown's look. To that end, British clowns have developed a system that sits at the exact intersection of twee whimsy and nightmarish menace that makes clowns such an enduring fixture in both children's entertainment and horror movies.
To prevent the theft of a clown's face, members of Clowns International (a UK-based international group) must painstakingly paint their clown faces onto eggs (!), then enter those eggs into the Clown Egg Register (!!), housed in the Wookey Hole Clowns Gallery-Museum in Somerset (!!!), and I swear to god that all of the nouns I just listed actually do exist. [...]
But the book couldn't answer my most burning question, so I did the only reasonable thing I could. I wrote to the book's publisher and demanded to know, What the fuck, British clowns? Or, as I put it in my very professional email, "Is there anyone who can explain to me why ... eggs?"