Moxie Marlinspike
Founder @signalapp
Jun 6 8 tweets 2 min read
Easy to overlook: most people's first encounter with despotic systems is not usually with the KGB or Gestapo knocking at their door. Instead, it's usually with clean streets and improved material conditions.

I don't think the way we talk about this stuff serves us well: The truth is that there are real perceivable benefits to living in a police state! Your bicycle won't get stolen, your car window is safe.

The problem is that you've swapped every street gang for One Big Gang, and that turns out to almost always be really bad in the end...
Nov 15, 2022 8 tweets 2 min read
One unique thing about software as an engineering discipline is that it offers abstractions which allow ppl to start contributing in the field w/o having to understand the whole field.

To be great, though, imo understanding what’s under the abstractions is really important:

1/
These abstractions are the “black boxes” in your work.

Maybe you make HTTP requests all the time, or submit queries to a DB, or read and write to files, or make a syscall, or even type useState—but have never interrogated what’s happening under the abstraction when you do.

2/
Dec 23, 2021 4 tweets 1 min read
Since my last NFT was banned, I made another NFT and dApp. This time for autonomous art: autonomous.graphics

It's a collective work. Anyone can mint a token for it by making a visual contribution, and the price to mint is paid to all previous contributors.

Wow, that was fast. There are already three visual contributions!
Dec 23, 2021 9 tweets 2 min read
It's amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an "encrypted messenger."

Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice. Here's how it actually works:

1/
Telegram stores all your contacts, groups, media, and every message you've ever sent or received in plaintext on their servers. The app on your phone is just a "view" onto their servers, where the data actually lives.

Almost everything you see in the app, Telegram also sees

2/
Oct 12, 2021 5 tweets 2 min read
I created an NFT, but the image renders differently based on who's looking at it.

For example, on OpenSea: opensea.io/assets/0x5c61a…

...vs on Rarible: rarible.com/token/0x5c61af…

...vs if you own it, it currently renders as a large 💩 emoji in your wallet. How this works:

1/n
NFT image data is not on-chain (too costly). Instead, what's on-chain is just a URL that *points* to the image. But surprisingly, there is no hash commitment in the NFT for the image at the URL. This means whoever controls the URL host can change the NFT image at any time.

2/n
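The thread's point is that the on-chain record holds only a URL, so whoever runs the host can serve a different image at any time, and even a different image to each viewer. The following added example (mine, not the author's code or any contract from the thread) simulates that with a constructed in-memory host, and contrasts a URL-only token record with one that also commits to the image's SHA-256 digest; the field name `image_sha256` and the `example.invalid` URL are assumptions for the illustration.

```python
import hashlib
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ToyImageHost:
    """Constructed stand-in for the web host an NFT's image URL points at.

    The host decides what every requester receives, so it can hand different
    bytes to different viewers (the OpenSea / Rarible / wallet split above).
    """

    def __init__(self) -> None:
        self.by_viewer: Dict[str, bytes] = {}
        self.default: Optional[bytes] = None

    def set_default(self, data: bytes) -> None:
        self.default = data

    def set_for_viewer(self, viewer: str, data: bytes) -> None:
        self.by_viewer[viewer] = data

    def fetch(self, viewer: str) -> Optional[bytes]:
        return self.by_viewer.get(viewer, self.default)


def render(token: Dict[str, str], host: ToyImageHost, viewer: str) -> Tuple[str, Optional[bytes]]:
    """Simulate a marketplace or wallet resolving a token's off-chain image.

    Returns ("ok", data), ("missing", None) or ("mismatch", data).  A token whose
    record carries only a URL can never yield "mismatch": whatever the host
    serves is accepted, which is the gap the thread describes.  A record that
    also carries a hash commitment lets the viewer reject swapped bytes.
    """
    data = host.fetch(viewer)
    if data is None:
        return "missing", None
    commitment = token.get("image_sha256")   # assumed field name, not a real standard
    if commitment is not None and sha256_hex(data) != commitment:
        return "mismatch", data
    return "ok", data


# Constructed sample image and two token records: URL-only (as described) and committed.
ORIGINAL_IMAGE = b"constructed-original-image-bytes"
IMAGE_URL = "https://example.invalid/token/1.png"
TOKEN_URL_ONLY = {"image_url": IMAGE_URL}
TOKEN_COMMITTED = {"image_url": IMAGE_URL, "image_sha256": sha256_hex(ORIGINAL_IMAGE)}


def run_scenario() -> Dict[str, str]:
    """Host serves the original image to the owner's wallet but different bytes to two marketplaces."""
    host = ToyImageHost()
    host.set_default(ORIGINAL_IMAGE)
    host.set_for_viewer("opensea", b"constructed-image-shown-to-opensea")
    host.set_for_viewer("rarible", b"constructed-image-shown-to-rarible")

    results: Dict[str, str] = {}
    for name, token in (("url_only", TOKEN_URL_ONLY), ("committed", TOKEN_COMMITTED)):
        for viewer in ("opensea", "rarible", "wallet"):
            results[f"{name}:{viewer}"] = render(token, host, viewer)[0]
    return results


if __name__ == "__main__":
    for key, status in run_scenario().items():
        print(f"{key:22s} {status}")
```

With the URL-only record every viewer reports `ok` no matter what it was served; with the committed record only the viewer that received the original bytes does, and the two marketplaces report `mismatch`. The commitment does not stop the host from changing what it serves, it only lets the viewer notice.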
Jul 9, 2020 14 tweets 3 min read
I've had a bunch of discussions with people here about Signal PINs over the past day.

I don't usually spend this much time on Twitter, so parallel to the direct discussion, these are a few of the adjacent thoughts that have come up for me:

1/14

1) I think it's increasingly important to consider how discussions around technology are perceived across the full spectrum of backgrounds (from technical to non-technical) for everyone interested in the topic of their own privacy/security -- which is basically everyone now!
May 2, 2020 5 tweets 1 min read
Many trends in modern programming language design seem to focus on developers pressing fewer keys on the keyboard. To me, that's a strange priority.

For large systems where the industry spends most of its time, I think "readability" is much more important than "writability."
1/5
For example, even simple features like "type inference" feel like misplaced priorities to me.

People say "it's annoying I have to write String foo = new String()," but realistically, you're more often writing "String foo = bar.getBaz()"

If that becomes "val foo = bar.getBaz()"
Apr 10, 2020 10 tweets 2 min read
First look at Apple/Google contact tracing framework:

1) Once a day, your device derives a new key ("daily tracing key").

2) It uses that to derive a new "proximity ID" every time your device's bluetooth address changes (15min), which is broadcast to nearby BT sensors.

1/10

3) Your device keeps track of all "proximity IDs" it sees.

4) If someone tests positive, they choose to publish their (previously secretly) "daily tracing keys."

5) Your device frequently DLs all published daily tracing keys and KDFs to see if they match recorded proximity IDs.
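The five steps above form one procedure, so here is an added toy simulation of it (mine, not the author's code and not the framework's actual key-derivation functions or constants; the HMAC-based derivations, labels and the 96-interval day are assumptions). Two devices record the proximity IDs they hear, one of them later publishes its daily keys, and the others re-derive every proximity ID for those days to see whether any matches what they recorded.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Toy parameters (assumptions for this illustration, not the real framework's).
INTERVALS_PER_DAY = 96                    # 24 h / 15 min address rotation
DAILY_KEY_LABEL = b"toy-daily-tracing-key"
PROXIMITY_ID_LABEL = b"toy-proximity-id"


def derive_daily_key(tracing_key: bytes, day: int) -> bytes:
    """Step 1: one key per day, derived from the device's long-term secret."""
    msg = DAILY_KEY_LABEL + day.to_bytes(4, "big")
    return hmac.new(tracing_key, msg, hashlib.sha256).digest()


def derive_proximity_id(daily_key: bytes, interval: int) -> bytes:
    """Step 2: a 16-byte identifier for one 15-minute interval of that day."""
    msg = PROXIMITY_ID_LABEL + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, tracing_key: Optional[bytes] = None) -> None:
        self.tracing_key = tracing_key or os.urandom(32)   # never leaves the device
        self.seen: Set[bytes] = set()                      # step 3: IDs heard over Bluetooth

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_proximity_id(derive_daily_key(self.tracing_key, day), interval)

    def observe(self, proximity_id: bytes) -> None:
        self.seen.add(proximity_id)

    def publish_daily_keys(self, days: List[int]) -> Dict[int, bytes]:
        """Step 4: after a positive test, release the daily keys only (not the tracing key)."""
        return {day: derive_daily_key(self.tracing_key, day) for day in days}

    def matching_days(self, published: Dict[int, bytes]) -> List[int]:
        """Step 5: re-derive each published day's proximity IDs and intersect with what was seen."""
        matches = []
        for day, daily_key in published.items():
            day_ids = {derive_proximity_id(daily_key, i) for i in range(INTERVALS_PER_DAY)}
            if day_ids & self.seen:
                matches.append(day)
        return sorted(matches)


def run_scenario() -> Tuple[List[int], List[int]]:
    """Constructed scenario with fixed keys so the outcome is reproducible."""
    alice = Device(b"\x01" * 32)
    bob = Device(b"\x02" * 32)
    carol = Device(b"\x03" * 32)

    bob.observe(alice.broadcast(100, 40))    # day 100: Bob was near Alice
    carol.observe(bob.broadcast(100, 40))    # Carol was near Bob, never near Alice
    bob.observe(carol.broadcast(101, 7))     # day 101: Bob was near Carol

    published = alice.publish_daily_keys([99, 100, 101])   # Alice tests positive
    return bob.matching_days(published), carol.matching_days(published)


if __name__ == "__main__":
    bob_days, carol_days = run_scenario()
    print("Bob matched days:", bob_days)      # [100]
    print("Carol matched days:", carol_days)  # []
```

Only Bob gets a match, and only for day 100; Carol, who was near Bob but never near Alice, gets none, because Bob's IDs were derived from Bob's keys, which were never published. Note that a published daily key lets anyone compute all of that day's proximity IDs for the device, which is why only the per-day keys are released, and only after a positive test.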
May 30, 2019 4 tweets 1 min read
When I think about why tech often fails to serve our interests, I think about rooms like this. So long as software requires large rooms of people staring at computers all day, every day, forever -- I think there will often be a mismatch b/t how we wish tech worked and how it does

Many hope to make technology serve us better by making it "distributed." I (controversially) don't think that would be the outcome, in part because distributed systems are usually *more* complex and difficult to reason about, potentially requiring even larger rooms than this one.