The thing about threats, and security, is it isn’t about intent. It doesn’t matter where the money came from. It’s about capabilities. What can your adversary do. That’s all that matters. Doesn’t matter what they will do, just what they can do.
So funding by your adversary isn’t a problem. Because you have to pay attention to capabilities regardless of the funding source.
Things I would like to see signal do to remove any taint from historical funding, keep the server open source and keep the updated source published, don’t store encryption keys in the cloud. Don’t trust SGX vaults. Or at least allow people to opt out of them.
The thing about threats, and security, is it isn’t about intent. It doesn’t matter where the money came from. It’s about capabilities. What can your adversary do. That’s all that matters. Doesn’t matter what they will do, just what they can do.
So funding by your adversary isn’t a problem. Because you have to pay attention to capabilities regardless of the funding source.
Things I would like to see signal do to remove any taint from historical funding, keep the server open source and keep the updated source published, don’t store encryption keys in the cloud. Don’t trust SGX vaults. Or at least allow people to opt out of them.