Moxie Marlinspike Makes Encryption for Everyone

Not for people who don&#x27;t want Google on their device.<p>He only wants distribution via Google, and even went as far to demand that free&#x2F;libre Play-alternative F-droid removed their build of TextSecure.<p>See: <a href="https:&#x2F;&#x2F;fdroid.eutopia.cz&#x2F;" rel="nofollow">https:&#x2F;&#x2F;fdroid.eutopia.cz&#x2F;</a>

Moxie&#x27;s been a huge inspiration for me in tech, i first discovered him through his blog post Career Advice: <a href="https:&#x2F;&#x2F;moxie.org&#x2F;blog&#x2F;career-advice&#x2F;" rel="nofollow">https:&#x2F;&#x2F;moxie.org&#x2F;blog&#x2F;career-advice&#x2F;</a>

With people like Moxie the future doesn&#x27;t look that bleak anymore. The guy is really dedicated to what he is doing and, quite honestly, it is pleasing to see someone in the tech community who is not egocentric around creating his online persona. I&#x27;m not trying to insult anyone, just expressing gratitude that there&#x27;s people who care about code, not striving to become rock stars.

Watch his documentary &quot;Hold Fast&quot; to get a glimpse of just how unique and interesting a character he is. Anarchists yachting? Yes, more, please

I&#x27;ve respected Moxie Marlinspike ever since he made sslstrip, a simple illustration of the fundamental insecurity of browser-based HTTPS.<p>However I do question his premise that criminals already have the wherewithal to opt in to &quot;clunky&quot; strong encryption before engaging in criminal activity.<p>In fact there are many scenarios where criminals simply go with the default security configuration in consumer devices, either because they (a) did not plan the crime in advance or (b) aren&#x27;t as smart about opsec as you might expect.<p>There are many good arguments to make strong encryption the default for consumer devices, but here I feel he was attempting to take an easy way out by pretending it&#x27;s orthogonal to investigating crimes. In fact it is a tradeoff, granting us security from cybercriminals and bad state actors (if there&#x27;s even a difference), while making it harder for law enforcement in some scenarios.

To be honest, I don&#x27;t understand what substantial benefit end-to-end encryption actually brings in an environment of (almost-)mandatory updates.<p>- If someone from Facebook&#x2F;Telegram&#x2F;Signal&#x2F;etc wants to know what you&#x27;re writing, they can just instruct their app (via update) to send them your key. For closed-source services, you&#x27;d theoretically have to decompile and audit each update to make sure they are not doing that.<p>- If they want to know what you have written in the past, they can instruct the app to send them the conversation log.<p>- If Google (or Apple or Microsoft, respectively) want to know what you&#x27;re writing, they can instruct the OS to send them the data. (Google&#x27;s &quot;Android Backup Service&quot; for example also backs up &quot;third party settings and data&quot; [1]. I don&#x27;t know about the details of the backup service, but this shows to me it&#x27;s quite possible that your key or conversation logs might even land accidentally on some providers&#x27; servers without them having any bad intent.)<p>- If (three letter agency of your choice) wants to get the data, they can just force any of the above companies via NSLs to get it for them.<p>- If any of the US strategic partners want to get the data, they can likely make a deal with an intelligence agency.<p>- Lastly, if the messenger company wants to mine or sell user data, they still have a lot of stuff that cannot be encrypted for operational reasons (such as your contact list and the phone numbers of all your contacts).<p>That leaves to me the only group for which &quot;overlay encryption&quot; brings an actual benefit political activists in a country not at all affiliated with the US - or highly knowledgeable individuals who carefully control which updates they get. Both groups are important to consider but likely had ways to protect their communication before.<p>To actually protect communication not just from &quot;the government&quot; but also from the private industry, we would at least need some independent party to vet app updates.<p>[1] <a href="https:&#x2F;&#x2F;support.google.com&#x2F;nexus&#x2F;answer&#x2F;2819582?hl=en" rel="nofollow">https:&#x2F;&#x2F;support.google.com&#x2F;nexus&#x2F;answer&#x2F;2819582?hl=en</a>

Moxie makes encryption for the majority of people, not for everyone.

Oh the irony of an article about encryption on a site sans encryption.

&gt; that has garnered praise by everyone from Snowden to filmmaker Laura Poitras<p>The idiom &quot;everyone from X to Y&quot; is supposed to demonstrate breadth of support, where X and Y are very different sources, but Snowden and Poitras are most certainly <i>extremely</i> similar sources.

Three cheers for Moxie!

slightly OT: has anybody made a bot or alternative client for Signal (even basic functionality)? I&#x27;d love to see a code example and was surprised that I couldn&#x27;t find anything.

Not for everyone, their crypto is GPL only and GPL can&#x27;t be deployed everywhere.