TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

76% Positive

Analyzed from 2158 words in the discussion.

Trending Topics

#signal#wire#should#https#phishing#messenger#matrix#data#blame#something

Discussion (56 Comments)Read Original on HackerNews

arianvanpabout 5 hours ago
Working on the foundation of this (getting Wire deployed at and certified by the BSI) was my first job out of college 7 years ago and how I ended up in Berlin. And once you end up in Berlin you can never leave, it seems.

I was actually on site at the Bundeskanzleramt and they had requirements of being able to install the entire server stack airgapped. We ended up building quite a cool delivery method based on Nix to ship the whole closure of the system and the containers inside and spin up a Kubernetes cluster with it. I'm wondering if it is still being used.

Amazing to see it's still going strong :)

raihansaputraabout 5 hours ago
What was the media for updates? Send them a CD or a flashdisk and they plug it in? I assume the PVC backing etc they handle on their own?
arianvanpabout 4 hours ago
Yes, updates were delivered using a flash drive.

> PVC backing

Yeh. But wire's storage is based on Cassandra which handles replication of storage. So you could deploy it on local nvme drives as well using a local storage CSI.

That's also how the wire.com cloud is/was run. Large Cassandra cluster on top of EC2 Instance Store as opposed to EBS.

rrr_oh_manabout 5 hours ago

  > first job out of college 7 years ago
  > Amazing to see it's still going strong
Yup, sounds like a government project...
looperhacksabout 4 hours ago
The earliest doc I can find quickly shows that the BSI already recommended Wire in 2021 (at least; couldn't find anything earlier). The actual authorization seemed to have happened some time in 2024, but it's possible that just nobody asked for the formal approval before that.

What I'm saying is - just because the BSI authorizes something, doesn't mean that it has to reach the Bundestag ;)

Arathornabout 5 hours ago
there is a definite irony in switching from being vendorlocked to Signal (open source but closed and locked to a US non-profit) to being vendorlocked to Wire (open source but closed and locked to a German/Swiss for-profit) - talk about jumping from the frying pan into the fire :)

Meanwhile the rest of Europe (and much of the rest of Germany) seems to have converged on Matrix as a genuine open standard with various different commercial vendors (Element, Rocket Chat, Famedly, connect2x etc), avoiding vendor lock and so giving actual digital sovereignty: https://element.io/matrix-in-europe

ofrzetaabout 2 hours ago
Also NATO, I understand. https://element.io/de/case-studies/nato
raffael_deabout 4 hours ago
i suppose that's what you get when you desire secure communication on one hand but at the same time strive for total surveillance. i'm not sure what data wire is able to provide when legally requested but at least they know where to send the letter.
newscrackerabout 1 hour ago
I’ve used Wire in the past and liked that it uses email addresses for registration (as pointed out in this article). Wire also had multi-device message sync long before Signal did.

But on a different point, Wire is inferior to Signal. Signal has a painfully slow data transfer when switching devices. But given some time, the data transfer does work completely.

On Wire, my experience has been that all media in chats are stored on the Wire servers and the backups don’t contain the media. They contain links to the media, while the media may be erased on the servers after sometime. I’ve lost a lot of media from chats on Wire when switching devices and restoring the backup from the original device. Only the text of the messages remain. At that time, Wire’s backups were also device/platform specific.

Since I place a very high level of importance on retaining and transferring data, I wouldn’t recommend Wire to anyone who wants to retain chats for longer durations.

c0l0about 5 hours ago
One of my most esteemed former co-workers used to say that whenever you succeed in making something idiot-proof, the universe will create a better idiot, undoing any progress you made.
vidarhabout 4 hours ago
I'm very curious where that saying comes from now. I haven't found anything conclusive, like [1]'s friend I thought it might have been Douglas Adams, but a few references refers to it as "Grave's Law". After a few searches, I can't find any references to that which I can date further back than '99. But variants of the saying is at least as old as '89 (Rick Cook's version in [1]), but it's the kind of thing that sounds like a sufficiently "obvious" extension of the far older view that human stupidity has no bounds that it feels surprising if it is that recent.

[1] https://www.samyoung.co.nz/2025/03/building-better-idiot.htm...

episodeivabout 4 hours ago
The form I know is attributed to Douglas Adams[1]:

“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”

[1] https://www.goodreads.com/quotes/6711-a-common-mistake-that-...

vidarhabout 3 hours ago
That's from Mostly Harmless, 1992, so newer than Rick Cook's version.

But also sufficiently different that I have no doubt a lot of people have independently coined some variant or other. There's also the decades older (sometimes attributed to Einstein, but there appears to be no evidence that he said it) "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." It seems sayings about the extent of human stupidity are quite widespread in many variations.

IndySunabout 2 hours ago
This side note (a better idiot)is the best part of this post.
eembeesabout 6 hours ago
> The Bundestag administration actively provides Wire as an alternative to commercial platforms such as WhatsApp or Signal.

Any idea why Signal is deemed a "commercial platform" by DBT administration?

anthonjabout 5 hours ago
It's owned by an American no-prrofit with a dedicated subsidiary, so still a commercial product and (more relevant) usa-based with all the potential implications. Wire is for profit but german-swiss.
andrewinardeerabout 3 hours ago
What USA based implications are you referring to? It doesn't matter what country they reside in, if a valid court order is produced it must comply.

And my understanding is that there is minimal meta data to hand over as the message contents are unreadable without the keys.

anthonjabout 3 hours ago
The implication that eu is (rightfully) butthurt and don't what to relay on usa if there is the risk of meddling of any kind or blackmailed with denial of service (regardless if it makes sense here or not, this is entirely political).

And there is also the darker side of some eu parties pushing for more surveillance, and in that case stuff like signal would be kind of a problem as well.

mr_mitmabout 5 hours ago
Wire is also a commercial product though
zarzavatabout 5 hours ago
It's a commercial entity that is within EU jurisdiction, whereas Signal is within US jurisdiction. The distinction is important if for example a hostile country were to invade the territory of an EU member state, let's say a large island...
internet_pointsabout 6 hours ago
Wire seems fine, better than many alternatives, but ditching Signal because of the possibility for phishing seems very odd?
beeforporkabout 5 hours ago
Odd? No, it's normal politician behaviour. Julia Klöckner herself got hacked because she is not aware of phishing. To distract from her incompetence, she urges to switch to Wire to implicitly blame Signal. It's obvious what's going on, but people have so little knowledge about digital communication and security that she will get away with it. Poor woman got hacked by insecure Signal, people will remember.
iugtmkbdfil834about 5 hours ago
As an argument, it barely passes initial scrutiny suggesting the real reason is not that.
Grumbledourabout 5 hours ago
The bundestags president, Julia Klöckner, was recently a victim of phishing on signal. While there could be different motives behind her suggestion, I think they are just another facet of her not really understanding technology and security practices.

She thinks she was "hacked" on signal, and now wants to switch to something which is clearly better! Let's wait where she will want to go once she gets "hacked" there too...

While there are valid reasons for germans not to want their politicians to use private messenger apps on their private phones for official business, and american ones at that, this switch would of course change nothing about all of these problems. But at least they can claim they did something, right?

iugtmkbdfil834about 4 hours ago
<< While there are valid reasons for germans not to want their politicians to use private messenger apps on their private phones for official business, and american ones at that,

Personally, I am starting to think we should ban politicians from using smartphones altogether possibly followed by other technological restrictions. It is part of my: "They Will Hate it: Good" portfolio of ideas to improve the world or at least make it a little more funny.

tostiabout 5 hours ago
My tin foil hat says it has something to do with chat control, i.e. being able to intercept messages or to siphon messages from Alice or Bob directly.
internet_pointsabout 5 hours ago
She's suggesting her own group of contacts should switch to something that makes it easier to intercept her own messages?
rrr_oh_manabout 5 hours ago
Ding ding ding
dmos62about 5 hours ago
Anybody care to give their take on which alternative messengers are better for everyday use? Alternative as in not owned by mega corps. Does Signal have the best UX for non-technical people or casual use? Would be nice to move some conversations over to such a messenger, but don't want to force the other parties to experiment too much.
throawayontheabout 5 hours ago
signal 100% has the best UX for non-technical users out of messengers i'd actually consider reasonably secure

the best on ux is probably telegram, but i'm trying to move a few people off it anyway

boredishBoiabout 5 hours ago
Beeper is owned by Automattic (of Wordpress fame). They’re a corp but I wouldn’t call them mega and they use matrix which is an open federated protocol.

You can run your own matrix server but tbh it’s easier for someone else to do it.

Not to mention the obvious advantages of their bridges into the closed networks of WhatsApp/fb/x/instagram etc

Mashimoabout 5 hours ago
I have 70+ year old relatives who use Signal. It works quite nice. Similar to whatsapp.
jraphabout 5 hours ago
Are Wire, Signal, Telegram backed by mega corps though?
dmos62about 5 hours ago
I meant that as some candidates that aren't backed by mega corps.
jraphabout 5 hours ago
Ah, okay. I see you rephrased.
hutattedonmyarmabout 4 hours ago
I'd say that Threema has better UX than Signal, but both are fine. Neither great, but fine
Markoffabout 4 hours ago
the ones most of your contacts use, what's the point finding perfect messenger if nobody you know use it and you must move people over there and anyway keep installed other app for most of the contacts?

here you have chart comparison

https://www.messenger-matrix.de/messenger-matrix-en.html

and alternative

https://www.securemessagingapps.com

personally I like Element (Matrix) and Threema

edit: btw. signal best UX? do they finally show users how to force send unencrypted SMS or you still have figure it out with google? I remember their great UX when they were forcing PIN verification with nag screens taking half or whole screen, which was the last drop I moved with whole family away from that PoS, let alone how unreliable it was, whole network down because admin in US sleeping waiting hours until he fix it, their approach (aka hatred) to users reminds me Firefox devs, left Signal even before it became popular

dmos62about 1 hour ago
> https://www.messenger-matrix.de/messenger-matrix-en.html

That's a nice comparison table.

fsfloverabout 5 hours ago
https://matrix.org
Havocabout 5 hours ago
> often, the technology is not the weak point, but the human.

Also doesn’t help that the humans doing the legislating tend to be of the “I print out my emails” generation

tirpenabout 4 hours ago
That's not nearly as big a problem in Germany as the US.

The median age of Bundestag members is 45.4

https://data.ipu.org/parliament/DE/DE-LC01/

In the US Senate It's 63.9.

https://data.ipu.org/parliament/US/US-UC01/

looperhacksabout 4 hours ago
Now, I'm pretty confident to say that this is obviously just a red herring to distract from the fact that Frau Klöckner simply fell for a phishing attack. The usage of Signal wasn't the real problem (besides that it isn't formally approved for comms).

But since this whole ordeal started, I'm divided where to place the blame (besides the attacker, of course):

- Can we really victim-blame someone for falling for an attack? Sure, people in positions this important should know better, but I don't think we should put the blame on the victim. - Should we blame Signal for even providing the functionality that allowed the phishing in the first place? Signal announced changes that supposedly makes phishing harder, so apparently, something could've been improved before? - Should we blame the software-world entirely that having credentials that can be shared is even a thing? (Looking at passkeys) - Should we blame society that the knowledge about phishing attacks isn't ingrained into every person? (being a bit hyperbolic here) - Should we blame the administrative staff that allowed exposed politicians to even have apps that make phishing possible? It would be possible to make a super-secure messenger that needs much more verification than just "having the credentials". It's just super annoying and impractical for most people. Should we prevent exposed politicians from even having access to not super-secure messengers?

I feel like things could be improved to prevent phishing attacks in the future. I just don't know what is the most sensible point to start.

throwaway270925about 3 hours ago
Sure, but maybe your red herring is just another red herring: the phishing attack is just as good an excuse as any to switch from an US based messenger to an EU based one.
fwnabout 2 hours ago
> Can we really victim-blame someone for falling for an attack

The victims may well be those who are potentially endangered by the leakage of information caused by the decision maker. Regardless of that hypothetical, the person responsible for the leak is not the victim.

If you deal with highly confidential information in your day-to-day work, you should be held accountable for keeping it confidential. This is nothing new in the corporate world, so I don't see why public officials should be held to different standards.

Remember: It was apparently a phishing attack. Someone literally asked her for her credentials. It is within the capabilities of an adult to refrain from handing out important information when asked in a no trust environment. If that's truly beyond their capabilities, they should consider another profession.

I'm not arguing for a witch-hunt or anything against this specific person. Learnings should be constructive and this could have happened to many other public officials. Just, maybe.. if you or I breach protocol, let's not call us the victims.

Media education would be a great start.

delis-thumbs-7eabout 5 hours ago
This site seems to demand cookie consent for access (is that legal in EU anyway?) so can somepne provode tl;dr?
victorbjorklundabout 5 hours ago
It is a grey zone. Some of the data protection authorities in EU have said that it's okay to do pay or consent while others have said it's not okay and it hasn't been tested by the EU court yet.
Grumbledourabout 5 hours ago
I think the law is actually pretty clear on that front, that it is not ok, but in the meantime, all the big publishers do it and make so much money, they actually don't care much about fines, especially given the chance they might get levied against a competitor first, at which point they can quickly change that behaviour.

As so often, the biggest GDPR problem is missing enforcement.

solarkraftabout 5 hours ago
It’s called “pay or okay” and condemned by noyb: https://noyb.eu/en/noybs-pay-or-okay-report-how-companies-ma...

But actual enforcement of GDPR has always been shoddy. First the “legitimate use” loophole, now this.

It’s a bit ironic that heise does this, since they probably have one of the most sensitive readerships to this.

fmajidabout 4 hours ago
The EU Data Protection Board, which unlike noyb is an official part of the EU, albeit not from the judicial branch, has also come out against pay-or-consent.
crimsoneerabout 5 hours ago
This seems silly. Signal is great, let's not all start spinning up our own dedicated, not interoperable national messenger applications.
dmos62about 5 hours ago
Europe wants to use European infrastructure. Reasons given are politeness.
PeterSmitabout 5 hours ago
Which makes total sense given the current political situation.
Grumbledourabout 5 hours ago
The problem though is, using undocummented communication channels on private phones by people not technically inclined. That Signal is an american company and subject to NSA scrutiny while the users a politicians of a foreign goverment only makes this worse.

So, national messengers, controlled by experts, that archive communication and run on trusted hardware, would be the best solution for the work of democratic goverments I would think.

Of course, the possibility of software quality and security experts in service of the goverment is probably just wishful thinking.

otabdeveloper4about 5 hours ago
Kumbaya?

Good idea, let's all live in peace and harmony. (But first we need to sanction and regime change all the bad countries.)

Advertisement