3/n #infosec #IdentityTheft

Lessons learned (a growing list):
- Trust your instinct! If something feels off, stop whatever you are doing. Exit. Take time to think carefully before you act. There is no downside to this.
- If it involves your personal identifiable information (#PII) then you should absolutely not reveal it without rock solid proof of who you are talking too, the security of who or what is receiving the info, and so on. Small puzzle pieces and complete the picture for the thieves.
- Multiple malicious actors may be involved, tricking you by various means into verifying each others’ credentials.
- Avoid linking accounts at multiple institutions to each other. It makes it easy for the bad guys to get in. Detach and compartmentalize everything that is sensitive.
- Have very strong password manager and encryption on your devices. NEVER have PII or sensitive financial information stored as plain text on any of your digital devices.

Ugh. There is a lot more that can't be shared now. I just wanted to take advantage of a teachable moment. Peace and good luck!

@cartocalypse @sigmasternchen @pallenberg Gibt zuviele Indizien:

#PII wie #Rufnummer wird abgefragt; Geolokation bzw. Service-Beschränkungen aufgrund dessen erfolgen

• Dienst ist nicht per-se für Nutzer aus #Embargo-Staaten (#ITAR) wie #Kuba, #Iran, #Russland, #Nordkorea, ... gesperrt, was #Sondergenemigung durch #US-Regierung bedarf!

Aus den #USA = #CloudAct greift

• #AWS = #GAFAMs als #Hosting
• Das genutzte Datacenter ist in Spuckweite zu #CIA & #NSA
• Absichtlich #zentralisiert als #SingleVendor & #SingleProvider Lösung.

Struktur und Setup ähnelt #ANØM und "Ausfälle" erinnern an #EncroChat .

• Und diverse weitere Ungereihmtheiten wie Kamerazugriff um es am #PC zu nutzen.
• Keine #SelfCustody und kein #SelfHosting möglich.

Wenn @signalapp so sicher wäre wie beworben dann wären #Moxie und @Mer__edith seit Jahren in #Beugehaft wegen #Missbrauch durch Nutzer*innen.

• Ich kann die ganze Woche weiter machen, aber die Tatsache dass #Signal durch ein AWS-#Datacenter down geht zeugt von schlampiger Infrastruktur und Mehr Geld als Verstand!

Jedenfalls ist es kein deut besser als #CryptoAG - technisch sogar schlechter denn letztere versuchte wenigstens nicht dauerhaft Kritiker*innen zu gaslighten sondern wurde in der #Schweiz hinter ne #Tarnfirma gepackt.

• Wenn #Signal sicher wäre, würde es wie #OnionShare und #XMPP+#OMEMO #dezentral, (über @torproject / #Tor) und #SelfHosting - fähig sein.

Es stinkt jedenfalls wie #OperationIronside aka. #OperationTrøjanShield!

@DarkWebInformer why would anyone use #Telegram instead of #IRC over #Tor?

• Espechally given Telegram being neither #private.nor #secure and in fact collecting #PII in the form of #PhoneNumbers...

Seriously, #Signal / @signalapp is bad and everyone who relies on @Mer__edith et. al. to not break when handed a duely issued warrant (or being held at gunpoint) by #US authorities is as dellusional as the users of #ANØM and #EncroChat!

There's no valid excuse to collect #PII like a #PhoneNumber!

• And Signal being not just able but entirely willing to "restrict services" based off the presumed location of the users is just a big red flag.

If they took #Security seriously, they'd use #XMPP+#OMEMO over #Tor and let users have 100% #SelfCustody of all the keys as well as completely #decentralize, including the ability to #SelfHost on @torproject.

https://www.youtube.com/watch?v=tJoO2uWrX1M&t=887s

@Jerry FOR WHAT FUCKIBG PURPOSE DOES @signalapp EVEN WANT #Location DATA BUT #Spying ON IT'S USERS?

• Also demanding #PII like a #PhoneNumber which at best is pseudonymous amd trivial to #deanonymize IS the #IllicitActivity!

Also it's not even #FLOSS (why else is there no #Signal #App on @fdroidorg ?)

• My verdict is that Signal - like #ANØM - is a #HoneyPot… I don't have evidenye - yet - but so far my track record has been excellent…