[InfoSec Handbook] The articles How to use Signal more privacy-friendly and Signal messenger myths could be much more actionable

The @infosechandbook guys suggested they participate on this forum and Reddit. (Do you prefer the Reddit-style or this forum’s style of discussion?) Anyway, here we are.

I wonder how much actionable advice you were able to extract from the articles How to use Signal more privacy-friendly and Signal messenger myths if you were a privacy enthusiast of average technical level. As I see these articles, they certainly make you more curious, but you have to connect the dots. A lot of them.

How to use Signal more privacy-friendly starts by stating that some people don’t want to install Signal on their smartphones and suggesting signal-cli, the command line tool. So far so good, I was able to set it up and get a verification code. Now what? The article then suddenly jumps to recommendations on how to set up the mobile app without mentioning that now we are in the mobile app and not in the command line setting up our phone number. Which we didn’t even set up. How do signal-cli and the mobile app add up?

Signal messenger myths Myth 2: You have to disclose your cellphone number to use Signal is equally murky. It’s quite easy to get a verification code to a throwaway number, real or virtual, but then what? Maybe it’s just me but the guide doesn’t mention what happens to your Signal number when you eventually upgrade your smartphone or computer or operating system or hard drive or Android ROM. Or am I missing something and you are not about that? Either way you do not mention anything about how permanent your temporary Signal number is going to be.

The articles are clearly written by someone (Benjamin) who understands what he is talking about. But I say writing good documentation is an art in and of itself. You (team InfoSec) claim on your site that you lecture at various universities. That’s awesome! But would you consider the above guides as actionable handbooks for your students (of average technical level) or more so just teasers to pique the interest of more advanced students who can fill in all the dots themselves? A good technical guide usually features lots of descriptive screenshots (if necessary, but why not) and command line walk-throughs for sure. It’s not me who calls your website a handbook, it’s you. :wink:

How is your Signal guide fundamentally different from the dozens of other Signal guides out there? Maybe it really isn’t and I’m seeing too much into it. That said, I wonder how much actionable advice the community can get out of it specifically. I appreciate your work.


Thank you for your feedback. :slight_smile:

Regarding guidance

As already suggested here, we aim to revise our articles to tell readers more about the why should I do this. We have already started to review our articles (we do this continuously), but so far, we didn’t update the articles mentioned by you.

Students vs. readers

Of course, giving lectures or conducting workshops goes much more into detail than our articles. We can’t put the material or interactions of 2- to 6-hour classes into a blog article. Furthermore, the skill levels of the students or participants of workshops are more uniform than the skill levels of our blog readers. For instance, someone wrote an e-mail last year, asking why ssh root@[ip-address] doesn’t work. The reader copied this command in his terminal without changing the placeholder [ip-address]. Is this his fault? Maybe, maybe not. We can’t target every skill level.

Regarding our “myth” articles

The goal of the series is to debunk common myths that we read from time to time. Many myths originate from gossip that may lead to insecurity because most people just repeat the myth without checking the facts. For example, in the case of Signal, many people still claim that you must provide your phone number. However, this isn’t true.

Regarding screenshots and being a “handbook”

Our students and workshop participants learn the general concepts and ideas, not the tools. If you only learn starting a fire with a lighter, you might be unable to start a fire in the wild without it. However, if you learn the general process of starting the fire, you may be able to do this in every environment. In other words, we try to impart general knowledge and add some concrete examples and tools. We don’t provide detailed tutorials for specific software on purpose. The GUI often changes, leaving outdated screenshots. And if the software becomes unmaintained, the whole article becomes obsolete. However, knowledge, general concepts, and ideas don’t become outdated so fast.


And thanks for your quick reply.

To be honest, I was really curious about what actionable advice other forum members have got out of your Signal guide, but it probably takes some time until we get a few more participants to join the conversation. You gave me some general principles on what your site in general is about. But let’s concentrate on your Signal guide in particular!

TL;DR: The Netherlands authorities communicate about COVID-19 at an 8th grade level. Which is probably the right thing to do, as people not in the Netherlands who do not receive their information in such an organized fashion tend to have all sorts of weird ideas about the disease and what to do about it as individuals and as a society. Might be applicable to a Signal guide too. What kind of people would you like to instruct about using Signal? I’d put my own technical level somewhere between @shellSignal, the OP of the Signal Community thread, and the people he coaches about the app. So the adage “explain me like I’m 5” could be turned into “explain me like I’m 14!” Like a smart 14 year old interested in infosec. That may be a good starting point, but most people who you’d possibly like to instruct on how to use Signal properly are people who are definitely not so keen on infosec. The people who read your blog/handbook (it’s always confusing to me), sure, they are, but their friends and the friends of their friends, the general segment of the population you would like to see adopting Signal, probably aren’t geeks by the majority of them. Do you envision your readers at the smart 14 year old level forwarding your Signal guide to their non-geek friends as well?

About being an instructional handbook. To give you an analogy, I’m learning Linux. A step-by-step command line guide with an explanation is always just a quick search away for nearly all the questions I can come up with. The results are from multiple sources, but I tend to find my places to go directly. Yes, learning about Linux often seems like you are just blindly entering commands into a terminal without learning anything, especially when you are a beginner, but I still feel I’m on my way to learning something.

Your reply seems to focus on what you try to accomplish with your blog/handbook(?) in general. But ideas in general are too generic to me. OK, I can certainly wait for you to update your Signal guide in particular. Hopefully that will answer my specific questions: how your guide’s parts discussing the command line and the mobile app connect to each other, if at all; how permanent my temporary number is; and how different your Signal guide is from the dozens out there, or maybe it truly isn’t and I’m just seeing too much into it. Though I’m not familiar with your future plans regarding what direction you want to evolve your site in.

It’s interesting that you gave a complete paragraph to the topic of screenshots in your answer though I put the topic in parentheses. Maybe we have different priorities. :slight_smile: It’s also interesting that you imply that your Signal guide is intended to be a guide for creative people to fill in the blanks (if I understood you correctly; if I misunderstood you, I apologize), not a simple “how to” guide for the should-be-popular chat app, similar to the easy-to-follow Linux command line guides I come across.

Maybe we look differently at the website (assuming this especially after reading your last two paragraphs :slight_smile: ). Let’s look at two extremes:

  • The security experts: Our readers shouldn’t become “security experts.” Putting the knowledge of 10–15 years in the InfoSec industry into articles isn’t realistic, and you won’t become a security expert by reading articles. Besides, there isn’t the hoodie-wearing “hacker” in reality, but information security is a vast domain with many different job roles.
  • The checkbox folks: On the other hand, we don’t want to be a resource of checklists that our readers process. Security doesn’t work by configuring something and installing some software. However, many guides on the internet do this: They create the impression that you can configure or install security and privacy.

(Most of) our articles should be thought-provoking: Our readers should read the article and think “Oh, I never read about the pros/cons of this. Now I understand both sides, and I can find a better solution for me.”

If our readers want to learn more about service- or product-specific configuration examples, it is better to read the original documentation.

Signal, for instance, provides different features for the Desktop, Android, and iOS versions. Covering them all and showing the “best” configuration isn’t possible. Full coverage requires continuous updates and we aren’t a Signal-only blog after all. :slight_smile: On the other hand, there is no “best” configuration as everybody has different use cases or threat models.

So, what is the difference here? Other websites say “Hey user, configure Signal this way, and you are secure!” We say “Hey user, these are the purposes of certain features, and you have to decide if they should be turned on or off.”
(As written before, we continuously improve all of our articles. So if you think that the message isn’t clear in the articles, it should be clearer in the future.)