89
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 06 Sep 2024
89 points (95.9% liked)
technology
23758 readers
157 users here now
On the road to fully automated luxury gay space communism.
Spreading Linux propaganda since 2020
- Ways to run Microsoft/Adobe and more on Linux
- The Ultimate FOSS Guide For Android
- Great libre software on Windows
- Hey you, the lib still using Chrome. Read this post!
Rules:
- 1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
- 2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
- 3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
- 4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
- 5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
- 6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
- 7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.
founded 4 years ago
MODERATORS
Are private chats not end to end encrypted? They should be, so it shouldn't be possible to moderate.
If not, it sounds like the app is a complete joke.
They never were and never advertised as such. There's secret chat's that only work from the originating device to the receiving device that are e2e.
Group chats were never encrypted because they're convenience chats, not places to tell secrets. IE you can look back at all the history and shared files from any device you log into. You can search for a message from 2 years ago to remember something that was discussed previously.
I'm a big telegram defender because it's the nicest cross platform chat app to stop your parents from creating the n+1th mms group chat from their iphones, torturing all android users. It's also not a Meta app, and doesn't have the nerd requirements of an actual encrypted chat.
Why Telegram over Signal?
Signal is cia
Lol and Telegram seems to be throwing in the towel.
Telegram is also CIA
Have you used both of them?
Signal UI/UX is like using a cheap SMS app. This is a big deal for getting people to use it.
It doesn't sync to other devices (it does, but it's manual).
Telegram I can grab the device in front of me and it shows exactly what is on any other device.
As does any XMPP chat.
Alternatively there's Teleguard, by SwissCows. They claim e2e for all comms, noting stored on their servers. It's like using Telegram.
Yes, I really like the Signal UX. It does everything I need it to and very few pointless gimmicks. Telegram feels a lot more scuffed and further from a normal SMS app. Granted I've never used either on desktop.
Signal is CIA. Stop promoting it.
I use it for work and I find it clunky and an overall mid messaging experience. It feels like groupme from 7 years ago. I know the "nothing to hide trope" is shit, but sometimes you actually are saying little of substance and you want a nice user experience day-to-day rather than sacrifice features and UX for a privacy boogieman.
It will be interesting to see if anyone on the payroll at Signal is subjected to the same process.
I don't trust Signal one bit. Never have. The original creator Moxie Marlinspike has been neck-deep in Silicon Valley culture for decades. During his tenure in charge of Signal's technical development he made a lot of strange decisions. Forcing his "Mobilecoin" cryptocoin scam in the standard Signal app. Denigrating the concept of warrant canaries. Refusing to allow non-Signal-owned servers to communicate with Signal apps. Requiring that only Signal apps distributed on Google and Apple's app stores be allowed to communicate with Signal-owned servers, etc. Requiring phone numbers for account creation. I don't buy for a moment that he or his colleagues are pro-privacy activists.
It's dumb, but it's also not really marketed and is easy to forget that it exists even when using the app daily.
He consulted with lawyers and they said that removing/not updating a warrant canary would likely have the same legal consequences as violating the court order by simply announcing the subpoena. Also, a warrant canary is nearly useless even in the ideal case because it just says that they got a secret warrant, not what the subpoena was for or any other details. You wouldn't know the exact date, what was requested, or even what country made the request. And it becomes even less useful after receiving the first secret warrant.
Also, not all subpoenas are secret. Signal posts all government requests, including the full documents of all communication between Signal and the government, at https://signal.org/bigbrother
And, since Signal is E2EE, they don't have any useful data to share when they receive a warrant anyway.
Signal isn't federated and it's not intended to be. If you're using a private server, you'd only be able to talk to people also on your servers. If that's a feature you want, you can simply choose a different messaging solution. It's a design decision, not a security flaw.
Here's an official apk download: https://signal.org/android/apk
Yeah, it's kinda weird. They started as an SMS app which obviously requires a phone number and just haven't got rid of the requirement. They added usernames and hide your phone number by default, so you can at least message others without sharing your phone number.
In the end, phone numbers streamline signup and account management and Signal is meant as a texting replacement, not a social media/texting hybrid like Telegram or Discord, so phone numbers help the less tech-literate to use the app. As long as the encryption is sound, phone numbers don't really add that much security risk and the point is to bring high-grade encrypted messaging to everyone, not to be an ultra-anonymous hardened messaging platform to avoid state-level targeted attacks.
All good points!
I think Signal likely could be used to avoid state-level hacks and to be ultra-anonymous, but in that case you'd want to take extra precautions like using a burner and, to your point about metadata, there are other ways to identify who you are than your phone number, especially if you're an organization comprised of many people. Realistically, anyone that has a real need to protect themselves against state-level threats either has the resources available to do so properly with their own tech, or is so hopelessly outmatched that it doesn't matter regardless.
Imo encryption is more about being a roadblock than an impenetrable shield. Even for organizations with infinite money and technological expertise, there are easier ways to identify you and get your data than breaking even moderately good security implementations. News stories of feds getting access to Signal convos are all about getting access to a phone and simply reading the messages, not breaking encryption or setting up honeypots on Signal servers.
The beauty of E2EE is that you don't need to trust the servers at all, once you verify that you're actually connected to the person you intend to be. Doesn't matter if the server is trying to con you, keys are generated locally and everything is signed and encrypted locally before being sent off-device. As long as you can verify that the app you're running matches the published source code, and that the source code isn't duping you, you should be good to go. I haven't reviewed the Signal protocol in a few years, but I don't believe there are any servers that require trust, like say SSL has.
As for hostility towards 3rd party apps, it's pretty common for orgs to want everyone to only use first-party software when interacting with their service. It's nearly ubiquitous today. I think probably all of us on Lemmy prefer platforms that allow for 3rd party apps, but there are legitimate reasons not to and I wouldn't say it's a security flaw.
I think this ties back to the encryption vs wrench scenario. If you're organizing a protest, you're screwed no matter what you use because the cops just need to join the group themselves or take someone's phone. Self-destructing messages can prevent this, and hostility towards 3rd party apps help in that case since you can be more certain that nobody is using some shoddy implementation that ignores self-destruction or improperly deletes things.
If you're organizing a military operation, you shouldn't be using civilian messaging apps full stop.
If you're somewhere in between like a cartel or terrorist organization, please stay off any app I use to send memes to friends.
100%, but it's a hell of a lot less useful than Facebook Messenger, my grandma can set it up in 5 minutes without any trouble, I don't have to maintain any servers, and know that it's supported by well funded top-notch engineers that aren't going anywhere anytime soon.
Literally same.
My favourite funny hacker-to-fed pipeline story is Beto O'Rourke. Everyone nowadays knows him as a failed DNC puppet. But he spent much of the 1980s as a founding member of the famous hacking group Cult of the Dead Cow under the handle "PsychedelicWarlord".
hmm
Damn, TIL about Deviant Ollam's wife...
Crap, my third eye is getting tired from having to stare at more and more people. I never would have thought Ian McCollum would be the worst from that little InRangeTV clique 5-7 years ago which Deviant is adjacent to
Damn I didn’t know this about Deviant, though I always got that ick from him. Guess it’s not so easy to wash away the pig stink
Hmm.jpg
I don't know what to do with that information. I was such a fan of the CDC as a kid. That's even worse than when L0pht sold out.
I believe Signal received funding from the CIA’s VC firm. These apps need to be secure enough for dissidents and spies to use, but like you said, I imagine the state is content with its security or else they would be more heavy handed.
Matrix as well, although that's Mossad.
the CEO of the company i work at is ex-NSA and he is always pushing everyone to use Signal so that leads me to believe it is completely compromised
Signal is CIA
Oh and backdoor access to your severs.
Telegram has a few different chat type options:
Public, which is what it sounds like, available for groups. Server-side encryption, so Telegram (the company) can see everything.
Private, which is like an unlisted/unsearchable public group chat, same encryption limitations.
Secret, which are strictly one-on-one, and default to server-side encryption. The user can select end-to-end encryption for these on a per-chat basis. It can't be made the default.
Oh it always has been from a security perspective. They use a homegrown E2EE known-to-be-flawed protocol called MTProto instead of using a professionally-audited one like in Matrix.
If I were to choose one app, it would probably be Matrix due to the fact that is supports E2EE not only in private messages, but in chatrooms, and due to the fact that you can self-host it (this is a simple requirement which all these other "apps" fail). But it Matrix isn't a panacea either. From my understanding, while the cryptography is considered to be sound, the protocol itself reveals a lot of metadata. If I were going to use Matrix for ninja shit, it would absolutely not be on a publicly federated server. It would be a private, unadvertized server which only the cool kids get told about.
If it were a matter of life or death, the only thing I'd really trust is GPG and dead drops.
I agree on Matrix. It's not ideal right now but it's easily better than the alternatives. I don't trust systems that can't be self-hosted.
I like the cut of your jib.
For reference, the metadata leaked is: Sender id, recipient id, if the recipient saw the message, when the message was delivered, all reactions and the length of the message.
For example, this is what the server sees in an encrypted message:
And after decryption, you get this:
Why would private companies encrypt your chats