@Soeren_loeg the fact that @signalapp not only does "#KYC with extra steps" by mandating a #PhoneNumber to this day as well as being solely under #CloudAct whilst basically being a #centralized, #proprietary, #SingleVendor & #SingleProvider solution makes them the ideal candidate for a long-term #HoneyPot like #ANØM aka. #OperationIronside aka. #OperationTrøjanShield.

Not to mention #Signal ticks way too many "#sus" boxes…

Kevin Karhan :verified: (@[email protected])

My [reservations](https://infosec.space/@kkarhan/114234551915193036) and [criticism](https://infosec.space/@kkarhan/114862595629371002) re: #Signal are not just valid, but the reality is *even worse than I thought*:

  • The fact that @[email protected] requires not only their shitty #Android #App, and a #PhoneNumber but literally won't allow people to use their shitty #Desktop-App unless they have an Android device with a camera pointed at it makes it utterly unusable for certain users *who don't have a fucking #camera in their Android*… Seriously, do they expect folks to deal with that shit?
  • It's already worse in terms of #UX than #telegram and #discord and that too makes #XMPP+#OMEMO clients like @[email protected] / #monoclesChat & @[email protected] / #gajim easier and faster to onboard #TechIlliterates onto.
  • Whichever asshole decided that a *replacement for #SMS* should mandate #PII like a #PhoneNumber & not be natively cross-platform should be banned from doing any #tech in their life.

Trying to circumvent this shit and helping folks with it makes me so fucking angry that I'm now explicitly refusing to support it!

FIX THAT SHIT, @[email protected], and if it means you need to kick some devs in their crotch then consider this a necessary *"investment"*…

#sarcasm #TechSupport #TalesFromTechSupport #Enshittification #SignalSucks #TelegramSucks #Messengers

@walkinglampshade @jrredho @fj It's basic #InfoSec, really:

Thus #Signal fails at protecting #Journalists and their sources because they do have that data and can be #subopena'd for it if they don't already provide #BulkSurveillance & #LawfulInterception #API|s to comply with #CloudAct. (Or are you guys so naive and believe @Mer__edith will risk dying of old age in jail for non-paying users?)

  • This entire "threat vector" just doesn't exist with #XMPP+#OMEMO nor #PGP/MIME!

And if you believe "this won't be used/abused against me because I'm from 'Murica!" and point at #ANØM as an example, then you really ignored all the #Cyberfacism since 9/11…

thaddeus e. grugq on Twitter

“I’m gonna tell you a secret about “logless VPNs” — they don’t exist. No one is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g”

@tejan the only correct way to deal with this is using proper #E2EE like #PGP/MIME & anonymous eMail accounts.

  • Providers can only #decrypt and #read for what they have the keys!

Same goes with #Messengers, which is why I only recommend #XMPP+#OMEMO (i.e. @monocles / #monoclesChat & @gajim / #gajim ) & PGP/MIME (i.e. @delta / #deltaChat & @thunderbird / #Thunderbird), because unlike #proprietary #SingleVendor & #SingleProvider solutions, they offer #SelfCustody so even if a provider is cooperative or served a #subopena or got their equipment seized, they can't decrypt the contents!

@MJmusicinears I wished it would be generally illegal to #subopena medical records at all!

@xdydx @dreadpir8robots What if I told you it's neither?

Cuz the #InconvenientTruth is that no one's gonna risk jail for a lousy pay, so why should @signalapp - or anyone else do?

Not just due to #CloudAct, but basic #telco laws i.e. #LawfulInterception.

Especially since they have #PII aka. #PhoneNumbers that makes it trivial to track users and comply with any "duly issued #subopena"...

Whereas good providers never have that PII at all and never store or collect any.