Threads for EvanHahn

  1. 8

    Company: Signal

    Company site: https://signal.org

    Position(s): Engineering: iOS (engineers and tech lead), Android, Desktop, Server/Infra, Calling & Core Libraries. Product Designers too!

    Location: 100% remote (within US timezones)

    Description: Signal is a 501c3 nonprofit organization developing open source privacy technology that protects free expression and enables secure global communication. We’re a fully distributed/remote, small team looking to grow slightly (currently 30 people total/20 engineers). If you care about code quality as much as you care about user privacy, we’d love to talk with you.

    Tech stack: Swift/Objective-C, Java/Kotlin, TypeScript, Java, Rust. We publish all our codebases @ https://github.com/signalapp, check ’em out!

    Compensation: Competitive with Big Tech, without selling your soul or compromising your ethics. Full 401k match, health/vision/dental, parental leave, and self-managed time off.

    Contact: workwithus at signal dot org (several of us staff that email alias). You can also DM me on here, or email evanhahn at signal dot org.

    1. 11

      A couple small ones I’ve made:

      • boop plays a happy sound if the previous command exited successfully (i.e., exited with status code 0) and a sad sound otherwise. For example, if I’m running a long-running test, I might run npm test ; boop. It helps me know whether something finished, and whether something went wrong.
      • tempe creates a temporary directory and cds into it.

      I use these many times per day.

      1. 3

        On a similar note, I have this in my .bash_profile (Mac):

        function alert_if_not_in_foreground {
            if ! lsappinfo front | xargs lsappinfo info -only name | grep 'Terminal' > /dev/null; then
                printf "\a"
            fi
        }
        PS1='$(alert_if_not_in_foreground) ... more stuff ...'
        

        So when I leave some long-lived command running, and by the time it’s finished I’m not looking at the Terminal, it prints the bell character (which on my setup will also make the Terminal.app icon bounce and show a notification badge) so I don’t need to remember to check it periodically.

        I guess it could be done with PROMPT_COMMAND as well, which this thread just taught me about :)

        1. 1

          Looks like a good idea. Where does that sfx command comes from though?

          1. 2

            Right here. It’s basically just a wrapper around mpv.

            1. 1

              Which sound files are you using?

              1. 2
        1. 4

          This post struck a nerve with me. I currently have people on Twitter complaining about a problem that “only needs two hours of your time” (a direct quote). At a previous job, people were upset because “the community could knock this out in a day”.

          From my limited career experience, there’s a huge time difference between a prototype and a production system. I find that, indeed, many prototypes take a small amount of time. Much of my time comes from “productionizing” the system: handling edge cases, adding logging, dealing with platform-specific inconsistencies, etc.

          Perhaps these people are right, and perhaps I should be faster by an order of magnitude. But from my experience, real production software takes a lot of time to get right.

          1. 2

            Why does the first version have to be “production software”?

            1. 3

              It doesn’t have to be in all cases, you’re right. In the two personal examples I mentioned above, they were.

              1. 3

                Because that’s all the time that product gave you.

            1. 87

              I work at Signal, and here are my two cents:

              Signal is incrementally better than the incumbents on the technology side. We do a better job encrypting message contents than most and I think we do a much better job staying ignorant about message metadata (e.g. who you’re talking to) than our competitors. I’m proud of the work my colleagues have done and I do think we have some significant differentiators, but Signal’s architecture is similar to WhatsApp’s.

              The bigger shift, I think, is not technical. People know that corporations don’t always have users’ best interests in mind; Facebook is emblematic of this problem. In my view, shifting from a for-profit app to a nonprofit one is as significant as switching from a centralized platform to a federated one, if not more significant.

              That’s not to say Signal gets a pass; we are far from perfect. But I think we’re a baby step towards the ideal.

              I spend a lot of time on Mastodon and the cries for a better federated/decentralized system are loud there. I, too, would love to see messaging get there in the mainstream. Maybe it’s Matrix, maybe it’s Berty, maybe it’s Briar, who knows. But I see Signal as an important step to get there.

              This isn’t an official response from Signal, just my opinion!!

              1. 12

                Thanks for the input here! I think these are reasonable ways to view things even if I periodically express frustration at the ways Signal falls short of (or operates on a philosophy that contradicts) my personal ideal. I derive a tremendous amount of value from it even if I’m uncomfortable with, say, the stances laid out in the ecosystem is moving, and I’m grateful for the utility provided in a very hard space to work in.

                The bigger shift, I think, is not technical. People know that corporations don’t always have users’ best interests in mind; Facebook is emblematic of this problem. In my view, shifting from a for-profit app to a nonprofit one is as significant as switching from a centralized platform to a federated one, if not more significant.

                As someone who works for a nonprofit on a public good that’s extremely centralized in architecture (I’m an employee of the Wikimedia Foundation), I tend to share this view. The way software labor gets paid for is crucial, and if there might be better models than a foundation, then there are certainly also far worse ones.

                That said, though I’d far rather work for a donation-supported nonprofit than most of the realistic alternatives, our centralization sure is a vulnerability that keeps me awake at night. All institutions are vulnerable to capture, corruption, or collapse, and I wish we had better models for mitigating that risk. I’m pretty sure federation / distribution of architecture is an important piece of the puzzle, but it’s often difficult to discuss that in a way that’s also clear-eyed about the benefits and affordances of centralization.

                1. 4

                  That’s not to say Signal gets a pass; we are far from perfect.

                  Out of curiosity, in what ways would you hope the project would improve?

                  1. 4

                    Maybe it’s Matrix

                    Matrix’s future is encouraging, because they tackle not only centralisation but also moderation.

                    The answer is to remove the centralisation. Users should be able to make up their own minds and make their own censorship decisions - something that we’re actively working on and supporting via Matrix’s decentralised reputation work. – https://element.io/blog/2021-escalated-quickly/

                    1. 3

                      I don’t think we automatically get a pass because we’re a nonprofit. I’d trust a nonprofit’s incentives over a corporation’s, but we could still do plenty of bad things. I’m not aware of us doing anything like this, but I want to avoid saying “nonprofits = always pure and good”.

                      The most obvious improvements I see are with the desktop app, which is what I work on day-to-day. It’s no secret that the app is buggy, consumes a lot of resources, and isn’t at feature parity with the mobile apps. I joined in an effort to improve those things, but there’s still a ways to go. Turns out it’s hard to build a good native app for three different operating systems (especially when no two Linux installations are the same)!

                      1. 1

                        For what it’s worth, there’s no love lost between me and the Electron end-user experience in the general case, but Signal at least manages to be the one Electron app I run routinely. On my fairly new and expensive desktop system I don’t usually have performance complaints and I can’t remember it crashing much. That may sound like damning with faint praise, but then again if you’ve used the typical Electron-based chat app maybe not…

                        1. 1

                          Tangent on this, a lot (or at least some) would like to know if OWS has a stance on making bots and clients for unsupported operating systems. That bear has to be poked eventually and we can only hope for a positive response! :)

                      2. 4

                        I know you can’t answer this (and might not be fair for me to ask) but what’s your opinion of the Radio Free Asia (CIA spin off) funding that seeded Signal? I’m not trying to create FUD, just not seeing much talk about it. How do you convince a skeptic like me?

                        Also, why isn’t Signal investing in p2p? Maybe you can answer the second question…

                        1. 16

                          You are swallowing FUD from the same people that has been trying to discredit the Tor project for the past 6-7 years on the same reasons.

                          Inherently it doesn’t matter if CIA throws money on secure crypto. Because it’s secure. The double ratchet algorithm has had eyes on it for years and considering the fairly good track record of people finding suspicious crypto I’m not even batting an eye on the conspiracy some people are trying to push.

                          1. 6

                            If a US government run conspiracy exists around Tor I would be far more worried it relates to the laughably low count of active nodes and the potential that a not so insignificant count of them are being run by malicious parties.

                            1. 11

                              You don’t need a conspiracy to point at the multiple successful attacks against the Tor network and active sybil attacks people have used on it though.

                              1. 3

                                Who brought up conspiracy theories? Is it a conspiracy to think that the intelligence community would be more likely to fund a project that they can crack?

                                1. 5

                                  When a large group of people with disparate goals and interests are treated as though they were all cooperating on a single unified goal, yeah, that’s conspiracy. At the very least, the intelligence community is divided into two very different groups: “attackers” and “defenders”.

                                  It’s quite plausible that the “attackers” group would want to fund vulnerable crypto systems in the hope that more useful traffic would be unprotected. However, it’s also quite plausible that the “defenders” group would want to fund very strong crypto systems, so that their agents’ communications would be secure, and hidden among a flood of equally-secure civilian communications.

                                  Just saying “Ah, this was funded by a spin-off of the CIA!” is not in itself evidence of vulnerability or security. If you could prove whether that funding came out of the “attackers” or “defenders” budget, that would be interesting and useful.

                                  For me, the fact that the CIA money was part of the seed funding (not when Signal was already popular) suggests that the money came from the “defenders” budget — they hoped it would get big enough that their own agents’ traffic would go unnoticed. I’d expect a donation from the “attackers” camp to come later on, once they had found a weakness, to help Signal establish a lead over competing apps without known weaknesses. That’s not proof, of course, but without hard evidence nothing’s certain.

                                  1. 1

                                    When a large group of people with disparate goals and interests are treated as though they were all cooperating on a single unified goal, yeah, that’s conspiracy.

                                    is anyone saying that?

                                    Just saying “Ah, this was funded by a spin-off of the CIA!” is not in itself evidence of vulnerability or security.

                                    …or that?

                                    1. 1

                                      There are people saying that. Which is why this is being discussed in the first place.

                                      1. 1

                                        who/where?

                            2. 6

                              What FUD are they swallowing exactly? They only stated that a CIA spin off initially funded Signal, which is true. It’s reasonable to ask why the U.S. intelligence apparatus would want to fund projects like Signal and Tor.

                              1. 2

                                Sure but in some cases, the CIA’s and the public’s interests can be aligned. Strong crypto, safe communication, identity hiding proxies are needed for both.

                                1. 3

                                  sure, for some definitions of “the public.” during periods for which we have records of CIA activities, the peasants of southeast asia probably would’ve preferred the CIA to be less able to secure identities and communications.

                                2. 1

                                  The FUD is that this somehow compromises the integrity of signal.

                                  1. 1

                                    Depends what you mean by integrity and what you think of Radio Free Asia.

                                  2. 1

                                    Well, when someone asks on lobste.rs, where they know that the chances of getting a factual answer to this question are zero, you might reasonably think that the question isn’t a straightforward request for factual answer. What else might it be? FUD and innuendo are among the possiblities.

                                    Personally my first guess for that funding would be someone at the CIA used some money in a way that helped their own performance reviews and maybe get them promotions, without regard to what effect it would have on other people at the CIA or NSA.

                                    “Tasks accomplished this year:

                                    • Blah that helps Chinese/Burmese/Indonesian blah blah against state wiretapping”

                                    This is a guess, not a factual answer. I’m just assuming that the CIA is no better coordinated than the places where I’ve worked. That people at the CIA will put their own department’s tasks and goals above those of other people in other buildings, just like… I could digress into frustrated rambling here.

                                    1. 1

                                      so you’re insinuating through innuendo that the only reason they would ask for an open ended opinion on this topic, is to spread FUD

                                  3. 4

                                    A union election is about to start in the Amazon facility in Bessemer, Alabama. Amazon wanted the election to run on their internal voting system instead of mail in ballots. The union reps declined because they were suspicious about running a union vote on the companies own platform for what seems to be like a good reason. Of course Amazon made the same arguments, that their software is secure an anonymous.

                                    The question is it legitimate FUD? Because it seems to me, if people are getting on Signal because they are worried about US government monitoring, then it would seem like a legitimate concern that the CIA funded the same software they are trying to use.

                                    Just because it’s FUD doesn’t mean it’s illegitimate. Just like just because it’s a conspiracy theory doesn’t mean there isn’t a conspiracy. I personally think this is a legitimate concern and there is no reason to believe Signal at face value given it’s history.

                                    Let’s also point out that technically, it’s very easy to shut signal down. Look at the recent outage. Look at the fact they are renting AWS hardware. Even if you don’t believe the FUD, nothing technically about signal seems robust.

                                    1. 5

                                      A union election is about to start in the Amazon facility in Bessemer, Alabama. Amazon wanted the election to run on their internal voting system instead of mail in ballots. The union reps declined because they were suspicious about running a union vote on the companies own platform for what seems to be like a good reason. Of course Amazon made the same arguments, that their software is secure an anonymous.

                                      How does this apply to signal? Union workers that has consistently been under threat and pressure in the US are completely sane to consider something else. For this argument to make sense then you are just suggesting signal is in direct opposition to the goal of their users. This feels like constructing some strawman.

                                      The question is it legitimate FUD? Because it seems to me, if people are getting on Signal because they are worried about US government monitoring, then it would seem like a legitimate concern that the CIA funded the same software they are trying to use.

                                      I disagree that some undocumented donation from a government agency is funding anything. The article Yasha has written is pay walled. Whatever donation they made years ago doesn’t matter as they have created a non-profit and gotten a significant donation from the whatsapp founder.

                                      Just because it’s FUD doesn’t mean it’s illegitimate. Just like just because it’s a conspiracy theory doesn’t mean there isn’t a conspiracy. I personally think this is a legitimate concern and there is no reason to believe Signal at face value given it’s history.

                                      The argument needs to be stronger then “some government agency gave a donation”.

                                      1. 3

                                        The union comparison is correct because there is a long history of vulnerable groups being targeted by the US government. Isn’t it sane for the same groups to be suspicious of tech funded by their oppressors?

                                        1. 1

                                          Are you saying that any organization taking donations from the US government is ultimately working for the US government to do their bidding?

                                          Isn’t it sane for the same groups to be suspicious of tech funded by their oppressors?

                                          This is inane. How much money was given how many years ago?

                                          1. 2

                                            Obviously if the USPS funded it, or national park service, or the NSF, I wouldn’t be really be that concerned…

                                      2. 3

                                        The term FUD is only honestly used to describe disingenuous propagandising. Amazon’s voting software is not widely used FLOSS, unlike Tor and Signal. You are actively spreading FUD by making this misleading comparison.

                                        1. 3

                                          What if it doesn’t matter if the messages are encrypted. What if the metadata, who talks to who when is what they’re trying to capture? Because getting the rest of the conversation is easy… Simply arrest them and get access to the phone.

                                        2. 3

                                          I don’t think that a donation from the CIA is sufficient enough reason to worry. However it would have surely been smart for a project like Signal not to accept it, given the clear conflict of interests at play.

                                          1. 2

                                            Or alternatively that money would’ve enabled a lot of good and may not have come with significant strings - after all, I’m sure the CIA would use Signal too if it met their needs.

                                            Ultimately we just don’t know. That’s what breeds the conspiracy theory. I’m not convinced we’re entitled to an answer, but it is something that could be easily disspelled if the project wanted to.

                                            1. 3

                                              You underestimate conspiracy theorists’ ability to do mental gymnastics if you think this can be easily dispelled. Look at how insistent mempko is being about factually incorrect assertions about metadata.

                                              Bottom line, historical funding is not evidence of ANYTHING. It’s clear (to me) why the CIA might want something like Signal to exist and be rock solid, but that will never satisfy some who choose to see opportunity for conspiracy.

                                              1. 1

                                                As far as I know, only contact discovery is in the SGX enclave. Signal themselves made it clear they are working on not knowing who sends messages to who but as far as I know, they aren’t there yet. Am I factually wrong here? I would love to see the evidence. I’m a big boy and can admit when I’m wrong.

                                                Signal set themselves up on a huge up hill battle by insisting on a centralized architecture. They could have gone p2p and would have no idea when people are talking and who they are sending messages to. They decided against that because it’s easier to upgrade the client with shiny new features. In other words they chose ease of development over security.

                                                And you know what? It worked! They are really popular now and have a really nice client.

                                          2. 2

                                            I think people are more worried that facebook selling their data than US gov wiretapping. The latter happens anyway.

                                          3. 1

                                            The double ratchet algorithm has had eyes on it for years

                                            The double ratchet algorithm is also fairly simple, and quite obviously correct. Any student in applied cryptography can examine it and convince themselves there’s nothing fishy there.

                                            1. 2

                                              I’ll repeat what I said above. What if it doesn’t matter if the messages are encrypted. What if the metadata is what they are trying to capture. Signal knows who is connected and who talks with who, when. Getting the rest of the conversation is easy, just get physical access to the phone.

                                              1. 5

                                                Signal knows who is connected and who talks with who, when.

                                                They don’t.

                                                https://signal.org/blog/sealed-sender/

                                                https://signal.org/bigbrother/eastern-virginia-grand-jury/

                                                1. 3

                                                  additional resistance to traffic correlation via timing attacks and IP addresses are areas of ongoing development.

                                                  “area of ongoing development” means “we have no solution for this yet”

                                                  1. 2

                                                    And? They removed a whole class of metadata, pushing an attack from a trivial lookup to the statistical realm. Is your complaint that they haven’t done enough? That the CIA protected you from everyone but them?

                                                    I’d love a chat app that advertised itself as “literally only the CIA can read your messages.”

                                                    1. 1

                                                      I was responding to /u/Foxboron’s claim that Signal doesn’t know who talks with whom. My understanding is that the IP address logging and traffic correlation can be done by Signal, so they could figure out who talks with whom.

                                                    2. 2

                                                      There are solutions for this problem. Examples - Pond by imperialviolet and Vuvuzela. Both hide the fact that you are sending the message. The cost - your device sends data all the time. Most of the time it’s white noise, sometimes it’s encrypted message. Observer can’t distinguish. Obviously, this does not work on mobile because of power requirements.

                                                      Alternatively, you can introduce random delays. This means you are no longer in chat territory - you are operating mailing service.

                                                      Anything short of two solutions above makes correlation attacks directed at contact network discovery very doable. And decentralization does not help - it will leak the same or greater amount of metadata, depending on implementation.

                                                      1. 1

                                                        In this case I think the attacks are a lot easier than with e.g. Tor because all messages go through Signal’s servers and they know the identity of the recipient.

                                                        1. 1

                                                          https://signal.org/blog/sealed-sender/

                                                          They know the identity of the recipient, but not the identity of the sender.

                                                          There is an argument to be made, that by partitioning users into federated servers (or relay nodes, without permanent residence) you partition your anonymity set.

                                                          1. 1

                                                            Correct me if I’m wrong but it seems really easy to deduce or guess with high confidence who the sender is, based on the information that Signal servers have access to. For example if you receive a message and reply to it immediately, Signal could get a pretty accurate mapping from your IP address to your identity for that message, no?

                                                            If I’m right it’s quite interesting that this blog post is being spread around as evidence that Signal doesn’t know who talks to whom.

                                                            There is an argument to be made, that by partitioning users into federated servers (or relay nodes, without permanent residence) you partition your anonymity set.

                                                            I don’t see an argument for that. In this case it seems like your “anonymity set” is the group of people who could plausibly use the same IP address as you at the time you are sending a message, which is quite small if not a group of one.

                                                            1. 1

                                                              Correct me if I’m wrong but it seems really easy to deduce or guess with high confidence who the sender is, based on the information that Signal servers have access to.

                                                              Yes. Definitely. But that is also true for an attacker who just controls the routers around signal’s servers, which is cleaner way to attack the network (hard to get caught!).

                                                              In this case it seems like your “anonymity set” is the group of people who could plausibly use the same IP

                                                              That would be trying to hide the fact that you are using the communicator.

                                                              No. I’m speaking about hiding whom is talking to whom. Imagine your server handling high amount of traffic. And we have a hostile router that can see packets and their destinations, but not packet contents. When router does time correlation attack to identify whom is talking to whom, the worst thing server can do is immediately forward messages from sender to the receiver. This makes connecting the dots trivial. Now, if multiple pairs of people talk at the same time, server can introduce a small random delay (lets say below 1s) between receiving and forwarding to confuse the router. More people talking - more possible permutations there is. AFAIK this method of confusing the observer is not a very good one. I recall seeing papers about de-anonymization of Tor users via capturing and analyzing traffic data for a long period of time. But that is a problem of every low latency communication method. To work around that you would need to lots of wasted bandwidth (as in vuvuzela) or long delays (as in mixnet).

                                                              1. 1

                                                                I think we are talking about two different things. It’s easier for Signal because for each message they know the IP address of the sender (at the time of sending) and the identity of the recipient. If they can figure out who maps to the IP address for a given message, they know the identity of the sender and the recipient for that message – not just that the sender is using their service.

                                                                1. 1

                                                                  My real point - you wont get much in terms of privacy just by distributing servers :-)

                                                                  1. 1

                                                                    probably true, but you do get interface stability and independence

                                                      2. 1

                                                        That still means Signal does not know though. You would only get the information with a global adversary which is fairly hard to protect against.

                                                        IP (still) does not correlate to a person though.

                                                        1. 1

                                                          It’s not even a global adversary. You just need an adversary sitting in AWS. And who is bigger a global adversary than the USA?

                                                          1. 1

                                                            are you saying U.S. intelligence funded a project with vulnerabilities that could only be reasonably exploited by a hegemonic adversary? :)

                                                            1. 1

                                                              To add to my snarky reply, I don’t think you are right that Signal doesn’t know. If you reply to a message within a few seconds of receiving one, your IP address probably hasn’t changed, so Signal would know your identity as a sender. That’s just one example, and it’s not hard to think of ways that Signal could figure out the sender and receiver in most cases (or at least have a confident guess).

                                                  2. 5

                                                    You’ve expressed confidence in Signal’s message encryption. It’s open, well analyzed, and widely used.

                                                    You’ve expressed concern about Signal retaining metadata. Your only specific threat of “who talks to who when” has been specifically and repeatedly addressed: https://signal.org/blog/sealed-sender/

                                                    Well over a year after that announcement, I looked at their code to see how it worked. It didn’t. It wasn’t on. And I don’t care enough to look again because…

                                                    Signal is still strictly more secure than every other major messaging app.

                                                    Finally: both the autobahn and the US interstate highway system were national defense projects. Should I be skeptical of them?

                                                    1. 1

                                                      Moxie doesn’t like p2p and decentralization. He made an entire talk about that during 36c3 and the recording of that talk was promptly deleted after a wave of backlash and criticism since apparently Moxie didn’t actually agree to have the talk recorded.

                                                      edit: I was wrong and posted rumors.

                                                      1. 5

                                                        that talk was promptly deleted after a wave of backlash and criticism.

                                                        That’s not true. The talk was deleted because Moxie asked for the talk to not be recorded and to not be made public: https://twitter.com/moxie/status/1211427007596154881

                                                        I just prefer to present something as part of a conversation that’s happening in a place, rather than a webinar that I’m broadcasting forever to the world. I have less faith in the internet as a place where a conversation can happen, and the timelessness of it decontextualizes.

                                                    2. 2

                                                      Get to work unionizing so you can force Signal to allow third party clients and federation!