Hacker News new | past | comments | ask | show | jobs | submit login
Et Tu, Signal? (stephendiehl.com)
880 points by darylyu 11 days ago | hide | past | favorite | 442 comments

I definitely agree with the article that it felt a bit like a betrayal. I've pushed some friends and family to use it over Telegram despite significant usability issue, and now I see that instead of implementing some IMO basic features like proper message sync and easy backup when you get a new phone, they prefer to implement a... micropayment system? Based on some niche altcoin which doesn't even exist on mainstream exchanges?

It goes beyond the usual issue with cryptocurrencies. Let's assume that they integrated with Bitcoin or Litecoin or some "mainstream" CC, would it still be a good idea? You can already send wallet addresses over signal if you care to do it.

I'm willing to give the Signal devs the benefit of the doubt and assume that they meant well and aren't actively trying to benefit from the move (even though I'm not completely dismissing this possibility) but at the very least it's just showcases a very strange way to lead the project and prioritize issues. I can think of a dozen things out of the top that would do more to drive Signal adoption than integrating with some "literally what?" cryptocoin.

This is going to drive the adoption of this niche cryptocoin, it's not going to do anything at all for Signal.

Telegram is just so much more usable than Signal.

The perceived advantage of Signal over Telegram is LITERALLY not having an option for a cloud-synced chat and ONLY having end to end encrypted chats. That's all.

You give up of usability to get that advantage. Explain to your mom why she has to give up Telegram to get basically the same functionality as Telegram secret chats.

Signals crypto is used by Facebook and was sponsored by the US Govt. Before you believe "OMG Telegram crypto is bad!" FUD, do 15 minutes of research.

Signal's by default e2e encrypted chats can be used across platforms, e.g. synced across desktop and mobile. Telegram's secret chats are only available on the device where you initiated them. That's a major disadvantage.

Signal is single-device. The crappy web app that reads stuff from your phone is not a real client.

I just have to reply here because it's so wrong.

Signal doesn't even have a web app. They have a desktop app that works great and that I use every day, all day long for all kinds of communication. On my desktop and laptop.

The same is true of Whatsapp; this is not a major impediment to adoption for most people.

There are no known attacks against Telegram.

The problem is entirely that its cryptography was sketchy and just plain weird to begin with. It wasn't wrong, per se, but raised some eyebrows. And then some of the questionable choices were silently fixed removing the ability to MITM, etc, but with no real notice.

It's not FUD.

> There are no known attacks against Telegram.

Because there isn't anything to meaningfully attack. Chats and chat backups are not encrypted by default.

and telegram does not used encrypted e2e messages by default. Only on the special secret messages that no ones uses.

More than one red flag there, there was the claim of it being secure just because the spec was out there and nobody had broken it yet.

Interestingly, if you say that Signal's funding is sketchy and it raised some eyebrows, that would be FUD (see sibling comment). But saying the same about Telegram encryption is for some reason perfectly fine and definitely not FUD.

Shouldn't we have the same standard for all claims?

> Interestingly, if you say that Signal's funding is sketchy and it raised some eyebrows, that would be FUD (see sibling comment). But saying the same about Telegram encryption is for some reason perfectly fine and definitely not FUD.

> Shouldn't we have the same standard for all claims?

Huh? Telegram's protocol has been criticized by cryptographers for making specific "odd" cryptographic choices (see See https://crypto.stackexchange.com/questions/31418/signal-vs-t...). It's not FUD to bring that up.

However, it is FUD to imply something concrete based for vague, indirect reasons.

So you're saying we should have the same standard while literally giving two different types of allegations that are thrown at Signal and Telegram respectively?

We either consider the funding of both and decide how the funding COULD ultimately impact the product, or we could look at the source code of the applications and the cryptographic theory supporting them and talk about that. If crypto experts aren't finding holes in Signal's protocols [1], I don't think random people on the internet yelling "bUt It WaS fUnDeD bY ..." will make it less secure.

[1] https://eprint.iacr.org/2016/1013

That's a big advantage, and a very important one. But definitely, that and the superior crypto is what keeps me on the app. Telegram is in a whole different level when it comes to usability and refinement.

>Signals crypto is used by Facebook and was sponsored by the US Govt

Funny that you're talking about FUD.

It is not FUD.

OWS was financed by Open Technology Fund, to the tune of almost $3M, during the years 2013-2016. See here: https://www.opentech.fund/results/supported-projects/open-wh...

What is Open Technology Fund? It is a program of Radio Free Asia, which run by US Agency for Global Media, funded by US Congress.

Hey, advisor for a non-signal E2EE chat service here that also benefited from the Open Technology Fund.

I recognize that you'd basically just be taking my word for it, but literally all they did was take an application from us, approve it after doing their diligence, and paying Cure53 for an assessment. There was no other involvement or, as you're implying, interference.

Just my experience, but I'm publishing this because the fud breaks my heart. OTF does good work.

In my experience, most people who project nefarious intentions on the government have no experience working with or within the government. The government, after all, is a big thing with no unified goals or intentions. But for some reason, for some people, 'government' always means 'bad'.

To be fair it usually is bad when it comes to matters of privacy and being open and honest about said privacy.

Governments gave us things like GDPR and HIPAA.

It could be, I believe what you say is very much the truth.

But that doesn't really matter. Even by doing that. these two are associated. Imagine, if there was a non-profit, that took money from some Kremlin or Fobidden City development program, using exactly the same procedure. Would be that non-profit trustworthy going forward, given their association?

So this one is the same, just with red and white stripes. Definitely not FUD, they did take money from US Gov agency.

> Would be that non-profit trustworthy going forward, given their association?

Kinda depends. If the money was authorized by a parliamentary body (with clear legal text around who's receiving funding, what the conditions are, etc), I wouldn't be so worried. If it was authorized by an executive as a disbursement from a random pot, I'd be more worried about strings.

Ergo my comfort with US congressional funding v. a DARPA grant or In-Q-Tel investment.

>Would be that non-profit trustworthy going forward, given their association?

As long as the product is proprietary, no.

That is not the point. The point is what does the funding get them? A backdoor? The algorithm as well as the client source are open for audit and have been audited multiple times.

Last I checked, end-to-end was only available on the phone app (not the desktop client) and only for one-on-one conversations. That's a pretty huge difference, but one that most people won't even understand or care about.

But the simple fact is that for most people the security profile of Telegram is good enough and its UI is miles ahead of Signal.

I've already complained about that in the past but the fact that the desktop client still won't let me set the spellchecking language is baffling to me. It's an application that's meant mainly for exchanging text, and it won't let me configure the spellchecking, and let's not even talk about formatting options.

It amused me when in the announcement they said that the reason for testing the payments in the UK was that they were English speaking. You can tell that this is an application developed my monolinguals...

FWIW, if you’re on macOS at least, private chats are supported under the Cocoa client.

Most non profit work in the US is somewhat funded by the US government via grants and crap ... 80% to be exact.

Can you share what you have discovered about Telegram's crypto implementation in these 15 minutes of research when you did them? That would be far more useful than just leaving a teaser without anything concrete.

Matrix has E2EE cloud chats

I thought about spending my time on promoting Signal, now I am happy that I avoided it.

As someone who has been defending Telegram against certain claims here from time to time this is still a sad day for me.

I'd appreciate however if everyone who has been saying ugly things about the alternatives would take a step back now and consider if there is more to security than E2E-encryption.

E2E-encryption is a seriously nice and useful property of a messaging system, but in the long run it is only one of many important details, and while E2E-encryption is always a good thing for end users as far as I can see other useful properties are often directly at odds with each other:

- incentives and funding. Free to give everyone the ability to use it or paid to align incentives?

- anonymity or verified identies? Both have significant advantages.

- repudiation or non repudiation? Depends on if you agreed on a contract or discussed something that the new regime doesn't approve of.

- backups? or ephemeral? Again, depends on if you are sharing family photos in a group or or sharing something that should stay between you and the recipient

Edit to add: As for solutions I think healthy competition is one of the best ways to ensure every messaging system tries to be tje best they can be.

> easy backup when you get a new phone

I just recently got a new phone, and used the new feature to do this (uses wi-fi direct) and I have to say it seemed like it would be easy enough for non-techy users to use.

Try transferring from an iOS phone to Android. Try transferring messages to a new desktop (you can't).

It's 2021, I don't want to be platform locked and none of the other popular messaging apps have that issue.

Last I checked (about a year ago I think) Whatsapp backups were platform-locked as well.

> Last I checked (about a year ago I think) Whatsapp backups were platform-locked as well.

I'm not sure why you are being downvoted. Whatsapp backups are still platform locked to this day. But that may change soon.


Not completely. WhatsApp pushed out an Android-compatible backup option on their BlackBerry 10 app when they announced that they were shutting the app down a few years ago. But it was behind a notice that said it was 'not supported', even though it worked fine. Only to Android though.

You can get a dump of all your messages with someone pretty easily.

I transferred between two Android phones, and had to re-pair desktop clients. It all worked, but now the desktop client won't receive messages I've sent via phone.

Also video calls still don't synchronize orientation. It's very hard not to stoop down to use more vulgar language to express my feelings about this.

> Also video calls still don't synchronize orientation.

This is insanely annoying in real life.

Whatsapp does, so it's probably not that critical of a feature.

Most people don't switch platforms very often so it's not a big deal to them and just a corner case. Also most people don't care that much about old messages so again a corner case.

That's great to know, I didn't know they had improved on that front. Last time I tried to do it you had to manually copy a file from a micro-SD card (and it was only supported on Android) and then you had to copy a crypto key. In the end I couldn't get it to work and gave up.

Unfortunately day-to-day my issue is more with syncing the desktop to the phone client's history and as far as I know it still won't let me do that.

An other super convenient feature of Whatsapp and Telegram is that they offer a pure web interface with basic functionality which is super convenient if you're in a pinch and don't want to/can't install the standalone desktop application.

Yeah, but consider the use case where you lose your phone in an accident or someone steals it. You can recover your sim card, you know your recovery password. But you'll be SoL and you won't be able to recover the history of all of your group and individual chats. This sucks.

There's a backup function. Maybe they should add some cloud drive integration to that feature.

Signal for Android allows backup. Signal for iOS doesn't.

My phone needed to be factory reset, where was my backup to restore from without purchasing a second phone?

I only just got this set up, but you can point the automatic backups to your SD card on Android. I guess some cloud sync app could pick it up from there or internal storage.

Signal for iOS disables backup.

Did you ever try to salvage data off a dead phone? Many of us only buy a new device when the old is fubar.

Not sure why this was downvoted. I switched phones yesterday and transferring signal with the direct wi-fi transfer was easier than transferring whatsapp, I do know that that used to not be the case.

because it is only relevant for one very specific type of 'switching phones'

Will that feature work if you drop your phone and it breaks? Or will you lose all your conversations and photos then?

> I'm willing to give the Signal devs the benefit of the doubt

How many "benefit of the doubt" cards do they have left by now?

Zero. This was an obvious get rich quick scheme. They intentionally fragmented the space of privacy coins to profit off of a frankly disgusting pump and dump.

Mobilecoin (Foundation) is a technological, ethical, and legal tour de force. I recommend you read their FAQ, but, to me anyway, it is obvious why Signal/Moxie needed to create a new coin (tl;dr: It needed to be a private venmo-like experience). To prevent conflicts of interest, a new org was created. Hence Mobilecoin, not SignalCoin. A few highlights:

Technological: * First Oblivious RAM implementation, "fog", so that transacting parties cannot be revealed * Their Rust codebase is really nice * Instant transfers with little computing power (CO2 emissions)

Ethical: * Moxie and Josh Goldbard hold no MOB, along with the employees. The Mobilecoin foundation has some awesome partners, e.g. the Long Now Foundation. * Mining is not ethical, it pollutes the planet and is just bad. The only alternative is a "pre-mine" given to an independent org, ie Mobilecoin Foundation

Legal: * The US's laws are not clear on what is allowable with privacy coins, so Mobilecoin has played it conservatively by saying US residents can't own the coins.

In summary, the critiques of Mobilecoin (in any of its incarnations, foundation, moxie, etc.) are assuming the agents involved have a financial interest in MOB being expensive -- I contend that is not the case. Please show your evidence.

PS. I am assuming good faith and honesty in statements, eg "Marlinspike notes, however, that neither he nor Signal own any MobileCoins." https://www.wired.com/story/signal-mobilecoin-payments-messa...

PPS. Some direct responses:

>Let's assume that they integrated with Bitcoin or Litecoin or some "mainstream" CC, would it still be a good idea?

No, not private. Also slow. Also pollutes planet. Monero is close on the privacy front, but takes 3 minutes to send (very stressful). It's possible a coin with the proper attributes could be made on stellar, but that raises questions towards ownership of Lumens (and pumping them) and their stellar reimplementation in Rust is likely more secure.

>Niche coin

nit: MOB has a top 15 market cap with 250m coins in distribution. Though I would hesitate to compare to other cryptocurrencies which are almost entirely scammy, polluting garbage.

> Moxie and Josh Goldbard hold no MOB, along with the employees

Right, the foundation sells the premined crypto-currency at a pumped up price. The foundation pays Goldbard and Moxie for their work. Employees are paid from the VC. No one connected has to hold any of it, nor will they want to after the dump.

Agreed that the foundations and payments need to be transparent. But if they are making, say on the order of a hundred grand a year in payments, wouldn't it behoove them to have a stable or increasing MOB market cap in the long run. IOW, if payments << market cap (currently O(10B)) then pumping and dumping is a disincentived move.

> I recommend you read their FAQ

Could you provide a concrete link please? There's a bewildering array of officials looking websites with zero information. And a widely shared white paper (among others linked from Wikipedia) that Josh claims isn't the whitepaper he originally wrote. It's hard to know what's what.

This makes me sad. I have, up until now, been happy with Signal, but with this foray into cryptocoins, I now put it in the general "why do you hate the planet" bucket that all other cryptoshills are in.

It works (FSVO "works") for small levels of transaction, but does not scale to "a substantial fraction of humanity uses it for payment" (low-end, imagine 2.5 billion people trying to make on average 3 economic transactions per day, you'd need to be able to sustain about 80k transactions per second; now note that I low-balled bot the number of economic transactions AND the global population).

Moxie, this is seriously disappointing.

As a signal user and even promoter my biggest issue with a new cryptocurrency is that my privacy and security concerns for a chat app are different from my privacy and security concerns for monetary transfers.

I'm not sure why you find Monero's confirmation any more stressful than instant-like blockchains, most wallets will show pending transactions as soon as they enter the mempool.

Proper message sync is hardly possible with end-to-end encryption everyone so excited about (without fully understanding the implications of true secrecy). If you have e2ee and then sync messages via google drive (looking at you, Viber), you are kinda missing the point.

I remember that Skype, before it was bought and ruined by Microsoft, had P2P chat history sync that worked the following way: once two of your devices were online at the same time, they synchronized chat history among the two running instances flawlessly. It was super reliable and predictable.

I am sure that Signal could implement the same peer-to-peer sync scheme with full end-to-end encryption without any secrecy compromises.

Pre-MS skype was so far peak IM.

Don't forget about when IM networks actually used open standards instead of closed proprietary protocols. Managing all of my accounts through pidgin was a breeze, and didn't leave me swapping between half a dozen different programs trying to remember which networks somebody would typically use.

That was never a thing: Pidgin & the rest had to write their own implementation for many of those protocols, starting with AIM.

There was a tiny period, somewhere in 2006, when many services were XMPP, maybe even federated, but due to the lack of good clients - compared to skype -, it never manifested as good as it should have.

There are now many nice XMPP clients, but the big players now all moved into proprietary territory.

I also remember a period in time when I could use Trillian to connect to ICQ, MSM, AIM and have it all in one convenient chat client without having to fire up all the individual ones. Granted it sometimes broke when the protocols updated, but for a moment it was pretty cool.

Good point, I am misremembering.

This is actually working very bad in most practical situations. The way to go is Telegrams way, where you store all data on the server and happily sync ut easily between devices. Just do it on your own server using xmpp. E2ee helps mostly against server owner, and you eliminate this risk by being your own server owner.

> E2ee helps mostly against server owner, and you eliminate this risk by being your own server owner.

Unfortunately you only eliminate it by being your own server owner _and_ your recipient being their own server owner. Take a look at email: I might not want to use e2ee because I self-host, but the second I send an email to a friend hosted on gmail, Google gets all the content.

I think federation does have its place (for different reasons) but it unfortunately isn't enough for privacy.

> Just do it on your own server

What if I don't have and don't want my own server?

You run your own datacenter?

XMPP is extremely light, you can use a moderately powered personal computer to handle traffic from several users. I don't have the numbers with me but last I'd heard, the number was in the hundreds.

ejabberd can host ~2k active connections on $2/month server.

Where can I get this $2/month server?

The nice thing about client-side/end-to-end security is that the service provider matters less.

Also, $2/month is $2 more than many people would be willing to pay for private messaging, and I can't message people on a network they're not on, no matter how much I pay.


And if you're privacy is worth less than $2/month, just use Telegram. It works way better than these messenges obsessed with privacy, precisely because it does not have encryption for most messages

> Ionos.com

That looks a lot like a server hosted by somebody else in a data center.

It's also way more hassle than almost all of my contacts would be willing to go through, and if only I self-host but they don't, it'll be Gmail all over. (Almost all emails go through Gmail because that's what at least one of the parties in an exchange is likely using.)

Point-to-point encryption is not enough for messaging in today's network topology.

> just use Telegram

No thanks, I'll continue using one actually spending some effort on not being able to read the messages their users send.

Fortunately most people in my country do. Ironically it's only a couple of people in my circle of friends worried about the privacy of said messenger switching to Telegram "because it's encrypted"...

One of the features of the Signal protocol is that each message is signed with a different key so that if one message is somehow compromised it's still impossible to retrieve the others. I think this would break with P2P sync.

Your Signal client has all the messages stored unencrypted (this is true because you can read them all, and search all the local messages).

What's preventing the client from dumping all the messages to a single file, encrypt it with a public key of the other running instance of Signal logged in to the same account, and send it, so that your other device can decrypt the file and import all the messages?

First people want full security, but when they encounter inconveniences that come with true full security, they start wanting convenience. What works best is a very very very good promise of security without e2ee, as shown by Telegram. It's users just know that Telegram is the most protected messages, and they are happy with it's advanced features.

e2ee is a technical term, not a social term. It only means that 2 devices exchange bytes and no third-party can read them. Nowhere is there any obligation that the 2 devices belong to different people: it is perfectly possible to exchange history between your laptop and your smartphone with e2ee.

Matrix features E2EE with proper message sync between clients: https://matrix.org/

> Proper message sync is hardly possible with end-to-end encryption

iMessage (and soon WhatsApp) would beg to differ.

It is much more difficult, yes, but definitely not impossible.

This article mirrors my feelings toward this announcement well. I spent a significant amount of time trying out different messaging apps and convincing my friends and family to move over from Telegram and WhatsApp. I used my reputation and their trust in my expertise.

The whole blockchain industry is just too mixed with scams that I feel comfortable to have my non-tech relatives dealing with it. It's enough that I have to educate them on 'investments' in random coins (it's gambling) and cure their FOMO regarding NFTs. Now the technology will be integrated into the messaging app that I endorsed, well-packed together with the smelly involvement of Moxie with the currency.

What now?

I've always hesitated to recommend Signal to people due to Moxie's attitude towards the more traditional security and privacy community where things like federation and open source are respected concepts. Tack this on the list and Signal just seems like a crazy thing to recommend now.

If they can get the onboarding process on Element to be just a little bit easier, maybe a phone number based default, I'll be dumping Signal in a heartbeat.

That's exactly my thoughts. I convincd all my friends and family to switch over to Signal, and now this bullshit. I should have trusted my gut feeling about Signal not wanting to use a decentralized protocol to be a bad sign in the long-term.

> I've always hesitated to recommend Signal to people due to Moxie's attitude towards the more traditional security and privacy community where things like federation and open source are respected concepts.

My understanding is that is a part of the amateur 'security' community, not the professional or expert one?

Why would you think that? And what is the amateur 'security' community?

>>> I've always hesitated to recommend Signal to people due to Moxie's attitude towards the more traditional security and privacy community where things like federation and open source are respected concepts.

>> My understanding is that is a part of the amateur 'security' community, not the professional or expert one?

> Why would you think that? And what is the amateur 'security' community?

Hi - I think that because IME federation and open source are heavily emphasized by amateurs, and much less so by professionals.

By amateur 'security' community, I mean nothing more than it sounds - non-professionals who focus on security, among a constellation of other issues.

My point is that the arsome's comment (the first one) uses "traditional security and privacy community", and I want to clarify what that means. Among professionals, Moxie is much more traditional than the amateurs are, as I understand things.

What would you say are the cons of Telegram?

I've been highly impressed with the UX for quite some time, but have refrained from pushing it (and the likes) onto friends. My family and friends seems to have slowly drifted towards signal, and I haven't bothered affecting that, but if I would go from a pure UX, I'd suggest telegram. So, I'm genuinely curious to know others' thoughts on it. I have only limited knowledge, just vague recollections of Russian developers (?), which might or might not have distanced themselves from political pressure (?), as well as the app itself being somewhat open sourced (?), based on the same protocol as signal (?).

Telegrams stupidity was marketing itself as secure. If it never had, then all arguments and sour intent towards it would be hugely misplaced.

As it stands, it’s not E2E by default and it’s E2E scheme is homegrown- which is usually not recommended (though IMO was not a dealbreaker), the big issue there was that there were flaws in the original design of the encryption scheme which makes it harder to look passed the fact it’s homegrown.

Telegram can intercept most messages on the platform, however, ultimately I trust them more than Facebook; so I’m less concerned.

Additionally, since Facebook controls _both_ ends of whatsapp _and_ does not support third party programs, then even though WhatsApp is E2E there’s little preventing Facebook from pushing an update to your phone which backs up all your chats to their cloud.

> As it stands, it’s not E2E by default

Yes, and enabling E2E "secret chats" on Telegram actually hurts user experience, so most non-tech-savvy users avoid it. Additionally, your address book is continuously synced to Telegram servers.

> there’s little preventing Facebook from pushing an update to your phone which backs up all your chats to their cloud

Just to add to your point- WhatsApp currently backs up your chat history to Google Drive or iCloud unencrypted. It requires opt-in but they nudge you frequently.

> Additionally, your address book is continuously synced to Telegram servers.

It doesn't even need access to contacts to run, and it happily runs on machines that don't even have address books (and, might I add, has the best UX there as well).

What you do need, at least for initial signup, is the ability to receive SMS, like you do with Signal. I wish all of them would just stop that nonsense.

> cons of Telegram?

Also, Telegram is not federated. It is just another vendor lock-in.



Contrast that to email. Even if gmail.com bans you or shuts down, you can still use a different email vendor or self-host. (You lose your old email address if you don't own a domain, but you can still communicate with others.) The only good IM that has this characteristic seems Matrix.

As we've seen from XMPP and Matrix federation comes with it's own set of tradeoffs. Matrix (specifically the element client) has come very far but it's still not at a state where I can reccomended it to non technical acquaintances.

My non-tehnical acquaintances are using it just fine. Any particular issues you've been having?

It's been a while since I checked it out but key management on encrypted group chats.

Perhaps you tried it before key cross-signing? In that case, you had to verify each of your devices with each of your participants devices. Now you only need to verify once per participant. It's much better now in general.

I am also a happy Telegram user and think it offers amazing UX but if you leave WhatsApp due to privacy concerns, Telegram might not be the right solution. All Groups and by default any other conversation you have are only encrypted in transport between your client and their servers. Also their encryption has been called into question a lot at the beginning.

As other the other answers state: It's them rolling their own cryptography. Also, not having E2EE in group chats. Their UX is really good and I agree with you, going from that alone I would always suggest Telegram too.

There are other considerations too, like that fact that I often got notifications that someone joined Telegram but that person was a friend of a friend and not in my personal contact list. One of my friends works for an actor's agency and then I got notifications when some of his clients joined the platform. I'm pretty sure they weren't aware of it and from a privacy standpoint this is very questionalbe and left a very sour taste. I always feared that I missed a privacy setting and am exposed the same way.

If that person is your contacts, you get a notification.

If you're in someone else's contacts, they'll get a notification when you sign up too.

Contact information gets uploaded (Name, Email, Phone Number) so that they can generate "rich" push notifications, as the server issuing the push has to produce the message (no code can run client side).

More info here, though could be outdated (2013): https://news.ycombinator.com/item?id=6915194

Group messages in Telegram arent e2ee just because of their design choice. You cant enable it like you can for the 1:1 chat.

I think the most common complaint is that group chats are not encrypted, and regular chats are also unencrypted by default.

They are encrypted, just like everything else in the app, just not E2E. There's a big difference between no encryption and encryption that isn't E2E.

Yes, one of those means the server can see all your messages and the other means it can't.

Transport encryption has been the default for almost all internet traffic for some years so it's no longer something that you can reasonably not have.

Which has benefit so that you can see past messages. This why I think Telegram is a perfect place for hosting public groups chat (like an IRC but with better usability).

I believe the most commonly cited criticism is that they rolled their own cryptographic solution.

Can't you just continue to use Signal as before, without using the cryptocurrency?

Throwaway for obvious reasons.

I interviewed at signal a while back, and none of their recent mishaps surprise me. At first, they had me talk to Brian Acton on the phone for about an hour, who seemed to think I was already getting an offer, and he was there to sell me on it. He was cool to talk to, so I didn't mind, but I was surprised at this level of confusion for a company that small.

Next, I was given a lengthy take home project (which I was warned not to do in a language other than Java, because Moxie would reject candidates if they didn't pick a language he liked). After I finished it, they disappeared for a month.

Apparently I passed. They said I was basically the only one out of 200 people they sent it to that did pass. I assumed this meant I would be getting an offer, but they then wanted me to do a full onsite. The "onsite" weirdly consisted of another take home, but shorter, and a live interview. After not hearing back again for a while, I got an email titled: "Hello from Signal!". Great! I opened it, excited: it was a rejection.

I tried to get feedback on why I was rejected but never heard back. The best thing I can come up with: in the system design interview, as a solution to a postgres node being overloaded, I didn't come up with the solution of having a SPOF redis node with a full key scan every 10 minutes acting as an intermediate data store before transferring to postgres. I was told this is how they actually do things.

Take this with a grain of salt, since I'm obviously still irked by the experience, but it's all true.

> I didn't come up with the solution of having a SPOF redis node with a full key scan every 10 minutes acting as an intermediate data store before transferring to postgres.

Obviously that is bad architecture smell.

But if you didn't already know; redis supports high availability through "sentinel"[0].

[0]: https://medium.com/@amila922/redis-sentinel-high-availabilit....

Sentinel smears the SPOF out into a redundant (but still memory-backed) system. Backups mitigate the risk of data loss further. AOF can also be used but may cancel out the performance gains.

...and none of those change the fundamental durability/performance tradeoff of the system, nor do they replace a proper scaling strategy for an RDBMS.

> SPOF redis node with a full key scan every 10 minutes acting as an intermediate data store before transferring to postgres

On the one hand, oof.

On the other hand, the number of massive software architectures on extremely well-known platforms held together by exactly that system (not an equivalent one, exactly Redis-in-front-of-RDBMS-with-cronjob-flush, no RDB backups, AOF, Sentinel or anything either) I've seen is also depressingly high.

I was recently pulled onto Signal by a non-techie who values his privacy. I talked to him about Matrix/Element and he had no idea what that was, but was very happy with Siganl. I must admit, the app is very nice. All I had to do was give it access to my contacts and bam, I am now able to chat with all my contacts.

By comparison, Element is much more like a chat program than a phone messenger. It's good for "I want to connect with that person from GitHub" instead of "messaging the cute girl I met last night" or "messaging my grandpa". And yet, it feels to me like Matrix/Element is the platform less likely to pull something like this. Then again, Keybase seemed that way as well...

> By comparison, Element is much more like a chat program than a phone messenger. It's good for "I want to connect with that person from GitHub"

Element is what messaging should have been from the START: a federated service just like email, where you register an account with your provider of choice, just like email, and start adding/chatting other people after getting to know their address, just like email. So, instead of asking that cute girl her phone number or her email address, you would ask her her element address.

Whatsapp spoiled this approach years ago, so now we are basically screwed because everyone is used to the central approach and it's almost impossible to move away from it. But TODAY's implementation of Element and their shiny clients 12 years ago, would have been a great success just like WhatsApp was (whishful thinking at its finest, I know).

There's also DeltaChat: It looks more or less like WhatsApp, but it uses email as the transport and storage mechanisms, and it is seamlessly encrypted with AutoCrypt. It supports both one-on-one and group chats. It has apps for mobile and desktop.


That seems awesome, thanks for sharing! What an awesome approach.

There was decentralized XMPP/Jabber back in the days with lots of clients and it didn't catch up.

But I said with today's Element UI/UX. Anyway email was already a standard before corporations took over internet, it would have been really difficult to have a decentralized standard taking over in the 2009 Internet already. Also XMPP was EEE by both Google and Facebook around that time.

I think you hit the nail on the head with "Element is much more like a chat program than a phone messenger". Me and a friend experimented chatting with Element (Riot at the time), and while it certainly "worked", the process of getting everything working was not something I would expect a non-programmer to be able to figure out. We had to finagle different keys across different computers and phones and it was fairly painful. Both of us are software engineers, so at some level we have fun figuring this stuff out, but I cannot see a universe where Element catches with the general public unless the process is as quick and painless as Signal.

I feel like Element works better as a competitor to Slack or IRC than as a competitor to Signal or Whatsapp.

> I feel like Element works better as a competitor to Slack or IRC than as a competitor to Signal or Whatsapp.

To me it's a competitor to Keybase. "I want to send my co-worker/client an API key that I don't want exposed to the public" is about the only use for Keybase I've had. I have like 5 contacts on there for this reason. Slack/IRC is much more usable for getting shit done, but not being E2E I wouldn't send anything sensitive over them. Element is currently a "this is a mildly nicer experience over PGP + Email/Slack.

This is why I use https://keys.pub and/or Magic Wormhole.

Yep yep, totally think that's reasonable.

I know very little about the intricacies of cryptography, but part of me wonders if there's some way of doing a federated "key synchronization" service similar to keybase.

So Keybase is just a UI for PGP/GPG (well that was what it was before it became a Borg). The problem with GPG:

1. You need to keep your private key very private, which is incompatible with the idea that you might have several devices you normally use. GPG itself does not provide you with a mechanism to sync your private keys between devices because this is a super insecure thing to do without some serious work.

2. GPG requires that you and another person verify each others' public keys out of band. I need to meet you in a parking lot to validate your key fingerprint while you validate mine.

3. GPG's web of trust relies on attaching public keys to real world identities. You are asked to validate government documents when verifying public keys. That's incompatible with how a lot of us want to work. Note that this isn't a built-in requirement, but GPG itself provides no guidance on how to validate user123 on GitHub, just User Onetwothree Jr in real life.

4. GPG's UI is almost as arcane as tar :)

Keybase solved this by:

1. Providing a secure way to manage private keys across devices.

2. Outsourcing proof of identity to other providers. Its use case is validating the identity of user123 on GitHub, which happens to also work fairly well for CelebrityName on Twitter, or FriendName on Facebook.

3. See #2: social proof means you can attach that proof to any kind of identity.

4. GUI + nice TUI works better.

Where Keybase fell short was that a non-techie will not understand much about "social proof" and the only kind of social proof they have access to is limited to Twitter, Facebook, and Instagram.

Signal's solution to this was simpler: you have a QR code/set of numbers that represent your fingerprint right in the app. You show me yours, I'll show you mine. We get connected by phone number or email. That's it. If Signal was built on a federated platform it'd be perfect and nothing about it from what I understand prevents that.

That sounds kinda similar to the problem Matrix solved with cross-signing, how when you login to a new device and verify it with one of your already logged-in devices, it can request your old message keys E2EE so you get all your history.

Maybe a similar thing could be built on top of it?

> Matrix/Element is the platform less likely to pull something like this

Agree, I've been using Matrix/Element, and it's a bit slower/buggy but seems like it'll be around for longer.

It has improved a lot. I once wanted to switch with another tech-savvy friend 2 or 3 years ago and the experience was abhorrent. Nowadays I use it mostly like a IRC client and it improves constantly.

However the comparison between this and signal falls flat due to the metadata that needs to be stored on matrix servers due to its federated setup.

The best part about Matrix/Element, is that it could be Matrix/Anything. If Element is buggy, switch to another client.

And unlike Telegram where the client is open source, with Matrix you can also switch the server. Or bring your own server.

> less likely to pull something like this

They are less likely to do this kind of secretive development, but they could go that direction. They have considered cryptocurrency in the past, see https://matrix.org/blog/2017/08/22/thoughts-on-cryptocurrenc.... They are open, but still driven by a single company which could change direction at any time.

They also surprised their community multiple times with renames of their app and weird redesigns (remember the horizontally-scrollable unordered bubbles for room selection?)

I think Element is unable to do this since they have nobly chosen a federated protocol.

Which part? The part of also integrating SMS functionality? The part where I can message my other contacts who aren't using Matrix via SMS and finding them by phone number? Having a good marketing strategy?

Sorry, I should have quoted. They are “unable to pull something like this” due to being a federated protocol. If they try to add crypto to their app, another app can be used to communicate to the same people in the same way.

You can layer over easy onboarding on top of a federated protocol..

Same here, I have been looking at Element too... Alternatively, anyone use Threema?

Would you say this is a weakness of element or matrix itself? In principle you could made a clone of signal, WhatsApp, telegram etc. using mobile APIs right?

I think it's 100% the client. But this is the problem with a federated system like this: it increases your marketing surface without providing apparent value to the consumers. Consumers don't want choice, they want the one product that will do exactly what they need it to do. When I am presented with "choose your client from this list of 5-15" my eyes glaze over. I just want to try the thing. That isn't to say that there shouldn't be choices, there absolutely should. But the problem is that there needs to be a very easy short and gentle on ramp for new users.

Element is none of those things. It's name is so forgettable and so generic that people often don't even know whether it's an app, a library, a website, etc. The mobile app is yet another chat app with nobody on it until I do the legwork of pulling them in. It's just not usable on day one after I already spent the time to figure out which app I need. In the meantime, Signal can become your default messenger on Android within a few minutes and do everything you used to be able to do but more and better.

Good Morning,

I am the CEO of MobileCoin.

A few points:

1) I started MobileCoin to fund Signal. That’s it. I believe that a world with a well-funded signal is a better place. In order for signal to compete in the 21st century with messaging apps around the world they need a payment story. MobileCoin is the only thing ever built that is both privacy protecting and fast that meets the standards of data retention signal requires.

2) MobileCoin Inc. intends to maintain an extreme minority of the coins once the dust settles.

3) This is designed to be used as a payment rail, which requires us getting coins in the hands of users. As you might imagine, navigating the regulatory waters of how to do that with compliance to how governments want us to behave is non-trivial. It’s important for us to move with correctness over speed.

4) this project is 4 years of my life building real technology. This is not a pump and dump scam. We have been very careful in the design, operation, and development of this system to give it the best chance at surviving in the world of cryptocurrency projects. It is non-trivial to deliver a coin that is useful for payments (the requirements are speed, privacy, low-energy footprint, and operation in resource-constrained mobile environments).

Let me put it simply, I love signal and we intentionally designed this currency to be as oblivious as possible with respect to user data so that signal could maintain their relationship with their users, one of retaining as little information as possible without compromising on the user experience. Nothing else in cryptocurrency, or payments, comes close to the level of privacy and performance that MobileCoin has achieved.

I welcome any questions I am able to answer. Note that some questions revolve around tightly regulated areas of concern and may take longer to answer as I must check with outside counsel before replying.

2) MobileCoin Inc. intends to maintain an extreme minority of the coins once the dust settles.

a.k.a. we intend to sell all of our vast stacks of pre-mined coins onto gullible users. This is exactly how a pump and dump scam works.

To be clear, we want to get the coins into the hands of users so they can buy things with them. Doing so in a legally compliant fashion is non-trivial. Looking at what happened with key base and stellar, a simple airdrop to users of the system doesn’t necessarily result in utilization or economic development.

There are multiple different things to consider here: 1) regulatory, 2) economic system design, 3) usability, and 4) user-first commerce.

In short, it’s much more important for us to be correct than it is to move quickly. When all is said and done, users of MobileCoin will have obtained coins many ways: through giveaways, sales, and commerce activities. Making sure we do these things correctly is the only way the ecosystem will be able to operate long term.

This isn't addressing the parent comment at all. Does the trust plan to market dump coins on their users?

I'm not sure what you mean by dump. MobileCoin plans to reinvest coin proceeds into the ecosystem to help foster economic development. We also plan to give away coins once we figure out how to do so in a regulatory-compliant fashion.

MobileCoin also needs some amount of money to operate, some of which will come from the sale of coins, but our balance sheet of coins is quite limited. We would prefer to minimize those sales as much as possible.

Does that answer your question?

I think you need to lay out the plans much more concretely and have a proper plan for transparency.

The crypto world is full of scams and misinformation. Technical people are unlikely to trust the coin if transparency and oversight stay so vague.

Scanning through this discussion, quite a few red flags have been raised by users. I assume your intentions are good at the outset. But when the money comes rolling in, even the most pure plans can be corrupted.

> I'm not sure what you mean by dump.

Sell your token at overinflated prices (in a similar way as other ICO scams) and funnel money into pockets of whoever is running this specific scam, with some minor amounts put toward claimed goals.

This is hard because we don't have any control over the price of the coin whatsoever :(. We don't sign any listing agreements or do market making or pay exchanges anything to list. We literally haven't done anything except publish the code and make the coin available to the public.

Thank you for helping me to understand what you're looking for; we will go back to our counsel and ask them for more advice with this in mind.

All of your answers are so obviously not answering directly. You were simply asked if you would be selling the coins to retail investors on exchanges and gave a bunch of blabber when the answer is clearly yes.

Form your post above RE selling coins at inflated prices to the public, you said “This is hard because we don’t control the price” Umm, you could give away the coins. You claimed that Stellar gave away coins but the coins didn’t end up being used by end users. How does selling the coins at hyper-inflated prices to end-users change this? Why will they use the coins if they are sold them vs given they?

It would be great to know the timing, amounts and prices of coins that have been sold to either investors or the public.

Your reputation and Signals are hanging on a thread here. We’d all appreciate some transparency.

How many coins will Mobilecoin sell and over what time period? You and Mobilecoin currently control about 212.5M coins which is $8.5 Billion created out of thin air. The price was recently inflated with a suspiciously perfect timed short squeeze, likely orchestrated by one of your investors looking to pump their bags.

You mentioned exchanges own ~50% of the mobilecoin supply, how did they come to posses that amount of coins? Did you give them away for free? Or did they pay some price for each of the coins they have? If it's the latter can you disclose at what price you sold the coins for? This would give mobilecoin users a good baseline price for what the creators of the coin believe it's worth. Thank you.

> In order for signal to compete in the 21st century with messaging apps around the world they need a payment story.

What is a "payment story" and why do messaging apps need it? Signal should be secure SMS with a better UI, nothing more.

I'm pretty sure that's just a buzzword for "revenue model", which is to say a plan for how it will make money. The charitable interpretation in this case would be "how to keep devs on the job and not homeless", and the uncharitable case would be "how to make Moxie Marlinspike and his buddies obscenely rich".

It looks to me like either there's a lot of selling out going on here or there's a lot of great examples of how not to market a good thing to reasonable, aware, suspicious people (which is, in short, pretty much the core market demographic of privacy software users).

As for me, I'm starting to wonder whether Session is much better than Signal, and I think that if you want privacy in a cryptocurrency you're probably better off with Monero.

I love the dichotomy 'working vs homeless'. It's a sad state of a country if being jobless implies homeless. Also, I don't think someone working for a SV company can't just move somewhere cheaper and reduce spending until the next gig.

I don't understand this either. Does Signal need to compete with streaming services like Netflix next? What about Steam? I didn't choose Signal as a platform, I chose it because it is (supposedly) a secure and privacy focused messenger app.

I guess there are some users who expect something in this vein after seeing it in whatsapp or imessage? Still, bundling some unstable opaque cryptocurrency to it instead of just normal money seems a bit disingenuous.

Or they want to become WeChat.

I believe many apps are currently implementing this.

What financial interest does Moxie have in MobileCoin Inc, MobileCoin TS Ltd or any connected business? Does he stand to gain from the success of MobileCoin?

You could have avoided most of the criticisms if you had a clear explanation of why you pre-mined. Saying that you intend to sell it is not as reassuring as you seem to think it is.

The pre-mine has to do with using stellar consensus protocol. Basically if you don't have staking or mining (which I personally believe are detrimental to the longevity of these networks) then you end up with a pre-mine. Essentially all of the game theoretical systems for rewarding operations of the network pit the interests of the miners/stakers against the interests of the users of the network.

Again, why do avoid answering the question? When you avoid answering the question, it comes off as more and more sleazy.

I'll take from the fact you dodged the question that Moxie does indeed have a financial interest

Is it a stable coin? Users want to send real money; MOB is just temporary inconvenience necessary for digitalization. Do you guaranter that users can get out the same £ they put in (minus a clearly disclosed fee, within a reasonable time frame of days to weeks)?

If not, it's useless. I'm a chat app user, not a Forex trader.

This is not a stablecoin. MobileCoin has plans around stablecoins in short order that will allow users to transparently get back to stability on their transactions, but those aren't available on day 1.

What percentage of the coins does MobileCoin and its founders/early investors currently hold?

Seems your early investors certainly have a large chunk https://threader.app/thread/1335948142022311936

MobileCoin has made over 50% of the coins available for purchase. We are currently figuring out how to give away coins while remaining regulatory compliant.

That does not answer the question. You answered the question of "how many coins do you intend to sell" not "how many coins do you currently hold." Based on your answer I can only assume that you hold >50% of the coins and intend to sell 50% of them in the near future.

Kinda seems like the sort of thing you would have figured out ahead of time...

Unfortunately cryptocurrency regulations are anything but clear and obvious. This is a new frontier and operating with an abundance of caution is of paramount importance. We respect the hard work all of the regulators are doing trying to figure out this new world.

We're all doing our best to work within the constraints.

Yeah but like, what if you find out that you can't distribute the remaining coins in a compliant way? Wouldn't that be something that should have been determined before all the work to integrate with Signal was done? It just feels like if that were a true priority, it wouldn't be in the "implement first, figure the rest out later" category. Even if it's a complicated question.

I can assure you that we have the best minds in the regulatory and legal worlds thinking about this and there just isn't a lot of regulatory clarity. If you had told me that 4 years after I started MobileCoin we still wouldn't have guidelines on how to issue a cryptocurrency in the US I would've told you that you were insane, yet here we are. This isn't to point fingers at the regulators, I really think they have a humongous task before them; regulating cryptocurrency is the institutional challenge of a lifetime.

We want to make sure we operate out of an abundance of caution. Correctness is more important than speed.

I'll ask again: Why are you geoblocking US based users from the sales page you linked previously?

Out of an abundance of caution and advice from our counsel. The regulatory landscape in the United States is complicated. It is hard to predict what is and what is not ok. We tend to be far more conservative than other players in the space.

I find it strange that you bundle your currency ecosystem into a product that is widely used in the US and you haven't ironed out how to sell it directly to them. Also, it's a strange choice geoblocking the traffic rather than serving a static lander explaining the issues. This entire situation is rife with strange choices.

I see risk exposure increasing greatly across the board, for Signal operations, users, and everyone involved from your side due to this merging of services.

Translation of GP: “What we're doing has been illegal in the US for decades.”

1) I started MobileCoin to fund Signal. That’s it. I believe that a world with a well-funded signal is a better place. In order for signal to compete in the 21st century with messaging apps around the world they need a payment story.

So I think that's the base of what people are upset with. Signal suddenly essentially became a for-profit (it decided to prop up a for-profit company which would in turn fund it as a revenue model). Now a lot of people that donated to and promoted what they considered to be a non-profit project feel cheated.

So instead of contributing to the Monero project to improve the space for everyone, you decide to fragment the privacy coin space instead with a sketchy premined coin.

From some of the discussions I've seen, it looks like part of the MobileCoin strategy is to shit-talk Monero as a way to build hype for MobileCoin, and claim all prior art came directly from CryptoNote while ignoring the fact it's implementing stuff pioneered in implementation by Monero. I've seen some pretty friendly discussion history with Monero in the first days of the nascent MobileCoin project turn into MobileCoin people being absolutely, obnoxiously awful later on.

If there's some way this can be explained away by MobileCoin people, I think it'll make a great story, because there seems to be a lot of stuff there that doesn't look explainable.

You...don't believe in new coins, innovation on features, or marketplace competition?

Network effect and perceived legitimacy is critical. Splitting that is obviously suboptimal, especially when privacy depends on having a large number of users to blend in with. There isn't a single cryptocurrency in the top 20 by marketcap that isn't mass-surveillance-friendly

I think it’s pretty clear mobilecoin coin never be added to monero

Why not use the Bitcoin Lightning Network? It allows faster transactions then MobileCoin and much better privacy than on-chain Bitcoin. Privacy doesn't match Monero, but will undoubtedly improve over time.

Clearly this would prevent the "get rich from pre-mine" benefit, but also remove 99% of the criticisms related to greed, centralization, geographic limitations, etc.

I don't see how MobileCoin can be censorship-resistant, neutral or permissionless in the long run. Are those goals of the project?

Bitcoin isn't private or suitable for peer-to-peer transactions since it has tainted coins.

Why another altcoin and not simply ETH or BTC? You state privacy and performance: could you be more specific?

A few things:

1) tx settlement time is ~3 seconds on mobilecoin, p99 latency right now with single block finality. Eth and Btc are great but they aren’t that fast (for payments speed really matters).

2) with respect to privacy, the key innovation of MobileCoin is that when all of the systems are operational, there is no transaction graph stored in the ledger. The links between transactions are known only to the counter parties to those transactions. In the event of a failure of the Secure Enclave, links between transactions degrade to probabilistic links between transactions (and forward secrecy can be restored upon recovery of the enclave).

The effect is a payment system that is both fast and privacy-protecting with no central authority, a quality not present in any other payments system I am aware of today.

Does that answer your question?

Oh, last and perhaps most important, because of our consensus design, we don’t use a ton of energy like btc and eth.

I have not yet read in detail how you use SGX. But setting up SGX requires complicated processes and signing contracts and other paperwork with Intel. (Correct me if this is wrong.)

Given that setting up the "systems" requires a huge effort, I assume that the architecture assumes a single central entity is running all these core systems, right? If yes, does the system rely on these core components to be up? If yes, how does it not rely on a central authority?

Another aspect I don't yet understand: Traditional cryptocurrencies solve the distributed consensus problem through mechanisms like proof-of-work or proof-of-stake. What does MobileCoin use as a consensus mechanism?

https://github.com/UkoeHB/Mechanics-of-MobileCoin/blob/maste... << This document has an extensive explanation of the consensus mechanisms and the attestation/enclave mechanisms in their respective chapters.

Have other existing privacy cryptocurrencies been considered?

Grin is a lightweight privacy cryptocurrency using MimbleWimble. It uses a fair distribution (no pre-mine), with an emission of 1 GRIN per second:


Yes the problem with Grin is that it allows perfect input/output linkage (see: https://github.com/mimblewimble/docs/wiki/Grin-Privacy-Prime... under information leakage).

Grin also doesn't meet our standard of <5 second blocktime.

Why not use an existing currency which solves the problems you highlight, like Nano?

Nano doesn’t solve privacy to the degree we were excited about. Again, fast + privacy protecting is really hard to achieve, particularly if you care about fast tx recovery on a mobile device.

If you actually cared about privacy, you'd have just used Monero, and saved yourself 4 years effort building YAS (Yet Another Shitcoin).

And no, speed is not the most important. As long as the user can see the payment incoming, it's trivial UX to say "Payment received. Will be confirmed and available for use in 3 minutes."

edit: it appears MobileCoin is (allegedly) built on a combination of XMR + the Stellar consensus protocol? If true that's a slightly better scenario than I previously thought

Monero isn't fast enough and doesn't support transaction recovery (it also has probabilistic linkage which MobileCoin doesn't due to our use of secure enclaves). We spent almost 18 months building MobileCoin Fog to solve the second problem (https://github.com/mobilecoinfoundation/fog). It's a non-trivial stack of code to allow users to recover strings from servers they don't control without the operators of those servers being able to learn what strings are being recovered.

Don't get me wrong, we stand on the shoulders of giants, but there's a lot of new tech here.

Why can't I find details about your node partner vetting process and what the requirements are to be considered a partner to run a node?

We don't vet node operators. Node operators each individually choose who to peer with in a liquid democracy. Anyone can peer with anyone else; consensus is an emergent property of the graph.

Okay, so do the current node operators publish their peering requirements?

Given your description it sounds like governance is whatever the MobileCoin foundation and its partners dictates. Unlike the consensus in this thread I think there's a lot to like and explore for a privacy token that chooses a different set of tradeoffs but the opaque governance, token holder distribution/circulating supply and lack of acknowledgement to the Monero project really sets it back.

The MobileCoin Foundation only publishes software, the nodes decide whether they want to run that software or not. Ultimately all of the nodes can run whatever code they want and call it MobileCoin if they can agree upon it.

The governance is actually quite simple: a set of decentralized nodes individually choose what software to run and who to peer with. Consensus is an emergent property of that trust graph.

What do you do differently from Stellar or Ripple at the consensus layer which both started out with similar ideas, but quickly found that their validators fall apart due to the strongly-connected validator set requirement not being met? In other words, how do you avoid the exact same fate that both Stellar and Ripple ran into in their consensus models when they also tried to let "node individually choose"?

Consider asking this on their community forum to get more eyes on it: https://community.mobilecoin.foundation

Sounds like “proof of authority” which is often used for testnets, where reliability is far more important than decentralization.

> In order for signal to compete in the 21st century with messaging apps around the world they need a payment story.

No, it does not.

There are two distinct groups of people using Signal. None of these groups needs MobileCoin-based payments.

Group one is probably the biggest and consists of "normal" users which use Signal because it's the free messenger that is NOT affiliated to Facebook and has a good reputation with regard to privacy and data protection. There's another messenger with similarly good reputation, Threema, but that one costs money, hence Signal is the more popular choice. These users may indeed find a simple payment solution through their messenger a useful feature, but they want to send each other "money", not "MobileCoins". Those are not interchangeable for this kind of user; they expect to send whatever is their local currency, USD or EUR or whatever, and they expect the entirety of the money they send to arrive at the target - having 20% crypto market swings within minutes eradicate 20% of their share of last week's restaurant check while they're transferring it to their friend is a non-starter for this group. So are exchange fees for USD-MOB/EUR-MOB exchanges before and after sending money, even if the exchange execution itself may be automatically run in the background. This is true especially since there are already well-known and established solutions out there specifically targeting this particular need - PayPal Friends and the Cash App for example. Sure, it would be nice to have messenger integration, but if the only way to get that is to transact in MOB instead of USD and always send 10% more value than you intend to pay just to ensure the receiver gets "enough", the established out-of-band solutions which don't have those problems will simply be used. Also, this group doesn't really have strict anonymity requirements, because they usually send money (and messages) to people they know in real life as well. Whether your awesome crypto coin is more anonymous than PayPal thus doesn't matter at all for these guys.

Group two consists of those that actually depend on Signal's security, privacy and anonymity features because they need exactly that in a messenger. Think whistleblowers, journalists, people doing stuff that's illegal where they live. A lot of these want to send information to their contacts, not monetary value, and don't have any use for a payment option in a messenger. And even those that do want to transfer monetary value won't exactly be enticed by a one-click crypto transfer feature in their secure messenger, since they can be assumed to be technically competent enough to utilize the already-existing cryptocurrencies (especially those with a much longer history of privacy protection, such as Monero) and crypto exchanges to perform whatever monetary exchange they want to do. I would even say that these people would explicitly NOT want to use a messenger-integrated cryptocurrency, because that limits them in their choice of cryptocurrency and fiat on/off-ramps, which are crucial decisions to be made carefully if you want to preserve your anonymity. And the entire idea that these guys would switch from Signal to WeChat just because "WeChat has a money sending function" is blatantly absurd.

I do not see any sufficiently large group of people that might get any value out of this MobileCoin-Signal-integration feature. Hence I predict this feature to ultimately fail due to lack of user interest. But that will only become clear AFTER a lot of good-will from tech- and privacy-minded people has been burnt by this unnecessary stunt, as can be seen for example here in the HN comments.

Hi,Josh: If MOb can be used by Signal user, there must be a stablecoins. You said your team has plans around stablecoins in short order, can you tell the relationship between mob and stablecoins ?

Can you talk about scaling issues. What are your projections for the size of the MobileCoin blockchain, assuming it is successful and people want to do >1000 transactions/second.

We've tested MobileCoin at ~100 transactions per second right now using low core count boxes. We suspect we can scale to 10,000/second on the existing tech stack by throwing bigger boxes at it AND doing some performance tuning. SCP has been shown to hit very large tx/s numbers so it's just a matter of tweaking it until we get those numbers out. 100 tx/s is more than adequate for quite some time for our use case.

I was thinking more along the lines of storage requirements. How much space would be consumed on a full node by a network running at constant 1000 tx/sec?

We designed it to scale to 1B users. I can grab someone from eng to give the exact numbers but it'll be a long time before we have issues with storage.

I'm pointing to the foundational problem that led to the Big vs Small block debate in the context of Bitcoin and which is the argument for second layer networks.

Presumably you've come across this question in your four years of development and would have exact numbers (perhaps not for my chosen value of tx/sec) already at hand. The fact that we're three comments deep into this, leads me to believe you are dancing around the question.

There’s no dancing going on. He said he doesn’t know the exact numbers but is asking the engineers to dig it up for you. Please don’t be rude and please don’t put words in other people’s mouth.

As I say, this is a foundational issue that every blockchain project should address. Before I asked my initial question, I searched the documentation to see if it had been addressed. Such answers might be a second layer story, or some form of transaction aggregation on the base layer blockchain. I could not find anything that obviously looked like that.

At this point I think it's perfectly fair to start with the assumption that a new Crypto is a scam and it needs to do the legwork to show that it isn't. To claim that a blockchain (the most ludicrously inefficient data-structure ever devised) can scale to a billion users is an outrageous claim. The technical means they found overcome this problem should be front and center in their documentation.

I am going to do an AMA over at r/signal on Tuesday at 10am; please save questions for over there as I have to get back to work. I'll say this: the punchline here, as I'm sure you're aware, is that there are limitations to layer 1 scaling. We haven't discovered those limits at MobileCoin, but they surely exist.

The question becomes: what is tx throughput at N billion users? What are the scaling strategies that will get us there? It is zk-rollups (or zk-zk rollups)? Is it sharding? Is it moving to custom hardware circuits? I suspect it will be some combination of all of the above.

We don't know what the answer is yet and we will devote tremendous resources to figuring it out. I don't want to give the impression that MobileCoin as it is written today will scale to Alipay levels of tx throughput, but I do believe there is a path to get there that requires a ton of work.

Does that answer your question?

It answers it, in the sense that it acknowledges that the question remains to be answered.

Grin can be used in signal,whatsapp,telegram,email, carrier pigeon, paper note..

Your privacy belongs to Signal which stores your data,MOB is a centralized,premine ,hidden ico.

Convince me.

''This is not a pump and dump scam''(!). We have been very careful in the design, operation, and development of this system

MobileCoin Inc....

Are there any considerations using signal as an identity verification platform for other services?

I can’t speak for signal but I don’t expect them to ever scan a driver’s license or passport.

I meant an anonymous identity system linked to blockchain technology.

Do you have a design proposal for such a system?

No, but: https://democracy.earth uses a couple of systems to connect to it (https://fortmatic.com,https://www.portis.io, https://walletconnect.org) - I don't know why they ditched https://metamask.io.

Overall the adoption of these systems is too difficult. Something that could be overcome with signal/mobilecoin.

Democracy earth is just an example application. Overall I would appreciate to own my data and have it secure (like signal provides), when it comes to the whole ecosystem of the future for: social media, voting, contracts, etc.

>2) MobileCoin Inc. intends to maintain an extreme minority of the coins once the dust settles.

In other words, cha-ching! then what?

Then we build services for users to help them use MobileCoin for commerce. The goal is to make a real decentralized payments network.

Every time Matrix is brought up here, the federation and open spec is criticised as being too slow moving compared to Signal's BDFL approach. Well, this is what happens when the interests of the BDFL and community diverge. If New Vector decided to fuck up Element on the other hand, you could just move to a new client and not deal with marketing a network move to your social network.

> the federation and open spec is criticised as being too slow

To be fair I don't think that the slowness and complexity is being put forward as an example of why Matrix is "bad", but rather as an example of why it can't compete with Signal for "normal" users — and if you want to create something that competes with Messenger, Whatsapp or Snapchat, you need to put "normal" users first, it can't be an afterthought.

What stops a Matrix client producer from putting "normal" users first?

Is it that all such producers plan to do something evil once they have enough users locked in, which an open protocol like Matrix would impede?

Or is it that the protocol is not yet mature enough? In which case, a deliberate approach to evolving the spec may be for the best so long as it eventually gets to where it needs to be?

A couple years ago the Riot client was unusable on Mac. Now Element seems to be fine. Why won't it continue to get better?

> you need to put "normal" users first

Normal users primarily want what their peers already use for communication. Hence a power user who is able to use two messengers and switch between them has a disproportionately big market impact. /s

Matrix being slow has a lot more to do with their crappy implementation than it has to do with the nature of a federated network.

Did anyone ever consider that this is actually on purpose to deter people from using Signal by it's authors?

Lets imagine, theoretically, some three letter agency in the US has forced signal to backdoor their platform somehow, and so signal stops posting source code to the clients, and everyone just keeps on using it for a year even though the authors thought that maybe this would be a big red "DANGER" signal to the users (who they're not legally allowed to inform, or shutdown the platform for any more) then how else could you try and mitigate this?

Pushing a shitcoin onto a largely tech user base may do the trick eh?

Or maybe I just put on my tinfoil hat this morning..

That's highly unlikely and not the way one deals, with this kind of thing. The responsible thing to do in that case is to shutdown your operation, just what lavabit did back in 2013.

See: https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord...

Theories like this are interesting because if you have a hundred of them one is probably true. It's definitely plausible even if it seems on the face unlikely. It's interesting enough that this is what I'm going to take from the story anyway so thx for putting on the hat

Reminds me of the so-called "10th man rule" made famous in World War Z.


Never ascribe to malice what can be ascribed to incompetence.

The problem with this theory is that this is four years in the making[0], aka since the last cryptocurrency bubble.


I think it's just a bad call. I don't think there's anything nefarius to it. I'm unsure why they didn't use a real cryptocurrency that is somewhat popular like ethereum or monero. I would prefer none of that and to add more convenient messaging features.

I'm a little surprised that nobody is mentioning that any kind of blockchain payment system creates a permanent, public ledger. One US Attorney called Bitcoin's blockchain "prosecution futures" as it's only a matter of time before the sender/receiver addresses for transactions are correlated with unique individuals. This permanent, public record of a transaction between a Signal account and another user or a service flies in the face or Signal's presumed goal of completely private e2ee communication.

MobileCoin uses a combination of two other private coins, Monero and Zcash. There are no addresses on the MobileCoins's blockchain to be correlated. Didn't it cross your mind that a private messenger would probably use a private cryptocurrency?

MobileCoin does not use any Zcash technology. It is Monero + stellar consensus protocol.

...and SGX, which is very interesting and a choice worthy of scrutiny imo.

With a "private" crypto-currency you're still making a bet that there's no exploit. Roping payments into a message app increases the attack surface for both.

Monero's primatives are pretty well researched [0]. Of course there is always the chance of bugs in the implimentation but it looks MobileCoin's crypto primatives library has at least been audited [1].

[0] https://www.getmonero.org/resources/research-lab/

[1] https://github.com/RustCrypto/AEADs/issues/87

While I like your line of thought and agree that pairing meta information from messages and financial transaction might weaken anonymity, the trajectory of cryptocurrency development (like zk-SNARKS) will make this incredibly difficult.

A very good point.

Signal's tying encrypted messages and phone numbers to a publicly available ledge of transactions?

It looks like MobileCoin is a mix of Monero and Stellar Consensus so the transactions will be protected by Ring CT (https://www.getmonero.org/resources/moneropedia/ringCT.html).

Only if they get hold of your phone and you give them your password.

That’s true for a lot of crypto but not for something like monero which has an anonymous blockchain.

It's anonymous with some caveats. The transaction graph is still there, it's just that there are decoy inputs/outputs which provides plausible deniability. However, over repeated transactions the plausible deniability weakens. ie. having an output to a darknet market in one of your transaction is easily explainable by bad luck, but it's present in several transactions it becomes suspicious enough that the police can start investigating you.

This might be true of the particular decoy approach used with Monero, but I don’t think it’s true in general; e.g. with mixer/tumbler services. If every transaction that everyone does has some outputs to darknet markets (because they’re popular and high-volume), and some outputs to legitimate businesses (because they’re also popular and high-volume) then that really is reasonable doubt that any particular individual did anything bad.

It’s like how you can’t charge someone with possession of cocaine because there’s cocaine on the US dollar bills in their pocket: there’s actually trace amounts of cocaine on every US dollar bill.

>If every transaction that everyone does has some outputs to darknet markets (because they’re popular and high-volume), and some outputs to legitimate businesses (because they’re also popular and high-volume) then that really is reasonable doubt that any particular individual did anything bad.

The problem is that transacting with a darknet market will still bring your illicit output % above average. Right now monero has 10 decoy outputs per transaction. If the proportion of illicit addresses to legitimate addresses were 50%-50%, then a legitimate transaction would have an average of 5 illicit outputs but a illicit transaction would have an average of 6 illicit outputs. The same applies to inputs. The difference between 5 and 6 might be small enough to be indistinguishable from background noise, but that result is heavily dependent on the proportion of illicit vs legitimate address. If the proportion is something like 95%-5%, then the difference would be 0.5 vs 1.5, which is significant. I won't bother to do the probability calculations for this, but I'm going to estimate you can get to 95% certainty within 10 transactions.

>It’s like how you can’t charge someone with possession of cocaine because there’s cocaine on the US dollar bills in their pocket: there’s actually trace amounts of cocaine on every US dollar bill.

The interesting bit is that they don't have to charge you based on that alone. If they're 80% sure you bought illegal drugs, they'll either get a warrant to search your house or perform surveillance on you and wait for you to slip up.

I get what you mean, I think — you’re talking about traffic fingerprinting. But you can use the same anti-traffic-analysis techiques used elsewhere in systems like Tox. For example, the darknet market itself could use some of its revenue to pay for “noise transactions” (wash transfers through the mixer, then intentionally “black-laundered” in the market) to keep the number of darknet-market-spent outputs constant per mixer step, by asking for advance notice from buyers for when transfers targeted at their sellers will happen, and then running N fewer “noise transactions” during the appropriate mixer steps.

Though also, you’re assuming a constant “your account” in the above. If you mix 100% of your holdings every time you transact, setting it so that a set amount goes to a darknet market, and the rest goes back to a newly-created public-key-hash that you just generated the keypair for — and then when you want to use money from that address, you fully consume it to mix it again — then nobody ever gets the opportunity to fingerprint “your” traffic. There’s no stable “you.”

(I have a theory that this is the goal Satoshi was aiming at with Bitcoin UXTOs, but never finished that element of the design, and launched it half-baked.)

This also means that the mixer gets to eat a percentage fee off of your complete holdings every transaction, so it kind of sucks, but what can you do.

> If every transaction that everyone does has some outputs to darknet markets ... and some outputs to legitimate businesses ... then that really is reasonable doubt that any particular individual did anything bad.

It says that no particular individual made a Bad Guy payment, but that all of them facilitated it by providing cover noise.

Are you facilitating a Bad Guy payment if you use a bank that the Bad Guy also uses?

This isn't the case, monero employs stealth addresses so there is no way to tell who the recipient is just just by observing the blockchain.

Blockchains and privacy are antithetical. The whole purpose of a blockchain is to keep track of transactions so that everyone knows how many coins everyone else has in order to prevent double-spending. You can try to achieve anonymity through obscurity but this will never work in principle or in practice.

The process of reaching consensus on the current state doesn’t have to involve reaching consensus on the past state for all participants. A blockchain can be built such that all historical previous state + the txs required to get to those historical states are discarded after a quorum of nodes reach consensus on it, leaving only the current state.

(This is basically what already happens if you do a “network version upgrade” on a Cosmos-based network: everyone keeps their balances, but just in the form of a new genesis block that all the nodes from the previous generation of the network separately deterministically generated from the state, but which new nodes have to just trust. If you join the network during the new generation, you just download the new genesis, and so can’t “see back” past that point.)

Just make the whole network do an automatic “network upgrade” every block — and keep all the state in-memory in the meantime — and now you’ve got a blockchain with forward secrecy.

(To be clear: nobody’s done this yet.)

Honestly I don't see how this would help. If every bit of transaction history is public at some point in time, then the transaction history is public, since it is impossible to make someone forcefully forget something.

Transactions don’t need to ever be broadcast to the network as a whole (e.g. via a gossip protocol) — they only need to be submitted directly to the quorum that will execute them.

Think about physical replication in a DBMS: you only need to transact with the master. Physical replication receivers don’t see logical TXs; they just see the new state (= WAL segments) that the master decided on.

Of course, in a Proof-of-Work network, the quorum could be anybody, so your OPSEC is “leaky” — it’s like having forward-secrecy enabled on a public chatroom that anyone can enter and sit in listening/recording.

But in a Proof-of-Stake or Proof-of-Authority network, the quorum only consists of the stakeholders. So, as long as the stakeholders all intentionally discard transactions, then there’s nobody to recover the data from. It’s very similar to private corporations whose service involves intentionally discaring (or avoiding logging) user interactions, e.g. “private” / “anonymous” email services. Just scaled into a federated, “open-but-audited membership” system. In such a system, network governance would likely declare that new stakeholders must have their infrastructure setup security-audited by auditors chosen by the existing stakeholders, at the new stakeholder’s expense, before being allowed to run as a validator for the network.

wouldn't mean there wouldn't be any rolling back by consensus since there is nothing to roll back in case of an issue? Wouldn't the software have to perfectly retain state in the present since it always deletes old transactions?

Sure, this applies for bitcoin, because bitcoin is legacy technology and has no features or utility. Monero does not work like bitcoin


Monero has been shown to not be completely anonymous on more than one occasion despite the claims. It's not as safe as people say. It's better than bitcoin in that respect though.

That’s the hope but remember that it’s irrevocable: you’re gambling that they got the implementation perfect, the network is operated securely without practical side channels or timing analysis, no unrecognized attacks will become practical, and that your clients will not have any bugs or backdoors — for the rest of your life!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact