When Signal was designed, our threat model was protecting the communications of civil society, journalists, just regular citizens ...

The threat model of military operations & sharing your hate of Europeans was not what Signal was designed for. Ephemeral messages and cryptographic deniability are not fit for communications that require accountability.
But I appreciate their effort to make government more efficient by adding journalists to the chat instead of requiring them to go through FOIA.

Trump said “Signal could be defective, we're going to have to find out”.
And now we hear that Elon and DOGE are getting involved.

I don't know how to say this respectfully, but the go-to Elon person in DOGE for Cybersecurity doesn't seem at all up to the task. It's the person who designed the flawed encrypted DMs on X, which very much are defective ...

https://thehill.com/homenews/administration/5215547-white-house-asks-musk-investigate-signal/

@fj I can't wait for Website Boy to conclude that Curve25519 is broken because Twitter chose P-256 instead, and no other basis for such an argument.
@soatok @fj it is not FIPS! Of course it's insecure. Only FIPS can ever be secure. Or so I was told. /s
@fj Time for @signalapp to ensure they have a legal entity and servers outside of the US, so they can get the hell out of Dodge when this becomes necessary - that point in time can come sooner than you think.

@fj Blame the tools rather than the obvious operational fuck up: "‘Elon Musk has offered to put his technical experts on this to figure out how this number was inadvertently added to the chat, again to take responsibility and ensure this can never happen again’ she added."

It was added because they were inadvertent. Because they didn't follow procedure and rules.

And in a fascistic mindset, given all that matters is power and the power balance, this is just another way to test their power.

@fj The whole Trump admin is defective, not Signal.
@fj this worries me. I hope I won't have to quit Signal because of Elon's team
@Frederic Jacobs Let me venture a guess...

Signal is bad, and the Radical Woke Left is in cahoots with them to do damage to King Trump. Signal probably helped the Atlantic to get into the chat.

Subpoenas coming for @Meredith Whittaker and Jeffrey Goldberg in 3... 2... 1...

I hope @Signal is thinking about moving out of the jurisdiction of Agent Orange. Move to Europe, for example.

@hans
This is the unfortunate byproduct of centralization.

Not everything has to be federated, until the BDFL loses their citizenship.

BTW, Signal seems to be on the @guardianproject repo (available in @fdroidorg, but turned off by default).

@fj

@Dźwiedziu Yup, that's why I prefer Matrix over Signal. I use both, but I try to get as many people as possible to Matrix.

@fj
Sorry to barge in - but, it seems to me, this is yet another example of shifting the narrative.

What matters is that Signal was not approved for sensitive comms. (One would hope that approved apps are, to the extent possible, checked for defects). They were using it, contrary to THE LAW, both for convenience and quite likely to avoid official records of the communications. THAT’S the story.

@jan

@fj Trump lies so much that it's uncertain whether something is true or a lie. Moreover, I'm not sure if anyone in the government who isn't strictly military would have any chance of success in this matter (encrypt***). The doors of the Secretary of Defense are exclusive to military personnel.
@fj I'm not exactly sure, but there's a deep chasm completely separating the military personnel and the rest of the civil government of the United States. And eventually some politicians, and advisors and consultants, who are neither military nor civilian, trying to find out exactly what the US military wing is doing or wants to do. In the explicit case of attacks on pirates: the US military wing is independent.
@fj oopsy daisy, sorry, your FOIA request couldn't be processed because we used self-deleting messages, our bad teehee 🤭
@bdf2121cc3334b35b6ecda66e471 @fj see also UK politicians saying "oops, the WhatsApp messages got lost when I switched phone, there's no evidence of wrongdoing."
@JetlagJen @fj Can you say, "Destroyed Evidence"?
"Destroyed Evidence"!
Oh no!
@fj I still think @signalapp has fundamental flaws like demanding #PII (#PhoneNumbers can't be obtained anonymously around the globe and are trivial to track down to devices and thus users), being subject to #CloudAct as an unnecessary & 100% avoidable risk as well as #Shitcoin-#Scam shilling (#MobileCoin) and its #proprietary, #SingleVendor & #SingleProvider nature that makes it inferior to real #E2EE with #SelfCustody like #PGP/MIME & #XMPP+#OMEMO!
@kkarhan @fj some of these are issues, but to be real the suggestion to use PGP and MIME instead of signal is laughable, not only is it nonviable as a replacement, but also is just bad to deal with and use in comparison

firstly, try to achieve similar security as signal with only PGP (or OMEMO), secondly after pulling off that technically impossible feat, try to use it without causing 100x more avoidable security issues than signal does right now

after doing that I think you can appreciate that although signal has many flaws (phone numbers being my biggest issue with them) they are actually still doing state-of-the-art security/privacy/cryptography services and can't easily be replaced by random other tools like this lol
@froge @kkarhan @fj Also XMPP is just bad, not only from a security standpoint (which I trust security experts on, not being one myself) but also as a protocol designed... before smartphones, basically. Being totally married to being connection- instead of session-oriented is basically why Matrix exists, at all.

@bdf2121cc3334b35b6ecda66e471 @froge @fj maybe but it's better than a #proprietary, #SingleVendor & #SingleProvider solution as it just works even on #throttled, sub-#2G speeds over #Tor...

Kevin Karhan :verified: (@[email protected])

@[email protected] @[email protected] I'm not replacing @[email protected] with *"random tools"* but good options. Like @[email protected] & @[email protected] as well as @[email protected] / #monoclesChat & @[email protected] which work flawlessly over @[email protected] / #Tor using @[email protected] / @[email protected] / #Tails and @[email protected] / #Orbot respectively. - Also these allow not only #SelfHosting but just work and I'd highly recommend #monocles as a hoster which finances itself by users paying *and* allows #anonymous accounts & payments including not just #Monero but also #CashByMail! Considering the costs of even acquiring and upkeeping an #anonymous #SIM, I'd rather pay €2 p.m. for #XMPP+#OMEMO and #PGP/MIME-supported #eMail with the option of self-custody than $2,50+ p.m. just to keep a phone number. - Plus I don't run around with a #tracking device that could be used to #deanonymize me any second...

@froge @fj I'm not replacing @signalapp with "random tools" but good options.

Like @delta & @thunderbird as well as @monocles / #monoclesChat & @gajim which work flawlessly over @torproject / #Tor using @tails / @tails_live / #Tails and @guardianproject / #Orbot respectively.

Considering the costs of even acquiring and upkeeping an #anonymous #SIM, I'd rather pay €2 p.m. for #XMPP+#OMEMO and #PGP/MIME-supported #eMail with the option of self-custody than $2,50+ p.m. just to keep a phone number.

Or is anyone here expecting @Mer__edith to risk jail for life and not comply with #CloudAct?

It stinks like #ANØM, because NOTHING IS FOR FREE and running a #VCmoneyBurningParty is expensive...

Kevin Karhan :verified: (@[email protected])

@[email protected] If your #OpSec, #InfoSec, #ComSec and/or #ITsec relies on @[email protected] and/or @[email protected] [risking jail *or worse*](https://web.archive.org/web/20210908180219/https://twitter.com/thegrugq/status/1085614812581715968), you fucked up! - If #Signal was secure, it would've been shut down like #EncroChat & #SkyECC. Seriously, to me #Signal stinks of #Honeypot like #ANØM & #CryptoAG. - All Signal fans do is #FUD #PGP/MIME and #XMPP+#OMEMO which are truly #decentralized and allow real #SelfHosting as well as #SelfCustody for complete control of all the data and keys... That's why I get people set up with it!
@kkarhan @fj that's fine, I actually really like deltachat and a few others, but none of them pretend to match the same level of security as Signal because they're not actually the same level of security/privacy/confidentiality in the real world. I don't really trust signal self hosting their servers either, but that doesn't mean these alternatives match the same level of privacy and security on a technical level.

for example the encryption used by Deltachat openly has flaws and doesn't support perfect forward secrecy in the cryptography, this is on purpose, they mention it several times in the documentation, because their goal is to be compatible with existing email systems and that requires protocol constraints and trade-offs

Fact is deltachat (and many others on this list) are not as cryptographically secure as signal, and they're not trying to be, and that's fine as long as you understand many of these tools make tradeoffs in their privacy/security in unique ways for their use cases

still doesn't mean any of them will provide the same level of secure and private service that signal does, even if they are more decentralized and cheaper/easier sometimes for some people

@froge @kkarhan @fj decentralization is something you generally don't want, unless you properly solve it at the protocol level. That's why matrix sucks and will always be inferior to a centralized solution like signal (unless fixed at protocol level, which most likely won't happen).

and yeah, most "competitors" aren't really ones, if they think PFS is optional ...

@brahms @kkarhan @fj I do personally like that Deltachat is secure against a server compromise, and their efforts to hide metadata and content from hostile servers are nice, I think that has something over signal... but the lack of PFS (and indeed the ability to send unencrypted data by default) means other known attacks could be mounted instead, so to say it matches signal is still probably wrong on a technical level

besides a lot of these tools only work if you're smart enough to securely deploy and maintain an entire server yourself, and that is.... not possible for most of the population, even if they're a programmer or work IT-adjacent jobs
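An added example, not code from any poster or project in this thread, of the forward-secrecy point argued above: a message protected under one long-lived key (the PGP-style model) falls to any later key compromise, while a symmetric ratchet that derives a one-time key per message and deletes the old chain state does not. The HMAC-based stream cipher and the ratchet here are deliberately simplified stand-ins for the real constructions, and the sample messages are constructed.

```python
import hashlib
import hmac
import os

MESSAGES = [b"draft agenda for Monday", b"call moved to 14:00", b"minutes attached"]  # constructed sample traffic

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher, illustration only: keystream block i = HMAC-SHA256(key, nonce || i)."""
    stream = b""
    i = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def ratchet_step(chain_key: bytes):
    """Symmetric ratchet: derive a one-time message key and the next chain key, then drop the old one."""
    return (hmac.new(chain_key, b"msg", hashlib.sha256).digest(),
            hmac.new(chain_key, b"chain", hashlib.sha256).digest())

def encrypt_static(long_term_key: bytes, msgs):
    """PGP-like model: every message is protected under the same long-lived key."""
    out = []
    for m in msgs:
        nonce = os.urandom(12)
        out.append((nonce, keystream_xor(long_term_key, nonce, m)))
    return out

def encrypt_ratchet(chain_key: bytes, msgs):
    """Ratchet model: each message gets a fresh derived key; returns ciphertexts and the final chain state."""
    out = []
    for m in msgs:
        msg_key, chain_key = ratchet_step(chain_key)
        nonce = os.urandom(12)
        out.append((nonce, keystream_xor(msg_key, nonce, m)))
    return out, chain_key

def compromise_experiment():
    """Seize the sender's key material right after MESSAGES were sent and count what each model gives up."""
    long_term = os.urandom(32)
    static_cts = encrypt_static(long_term, MESSAGES)
    static_past = sum(keystream_xor(long_term, n, c) == m for (n, c), m in zip(static_cts, MESSAGES))

    ratchet_cts, seized_chain = encrypt_ratchet(os.urandom(32), MESSAGES)
    # Earlier message keys came out of a one-way function and were deleted; the seized chain key
    # cannot be run backwards, so applying it to old ciphertexts recovers nothing.
    ratchet_past = sum(keystream_xor(seized_chain, n, c) == m for (n, c), m in zip(ratchet_cts, MESSAGES))

    # The seized state does yield keys for traffic sent *after* the compromise (until a DH ratchet,
    # not modelled here, refreshes it): forward secrecy protects the past, not the future.
    future_cts, _ = encrypt_ratchet(seized_chain, [b"next item"])
    future_key, _ = ratchet_step(seized_chain)
    ratchet_future = int(keystream_xor(future_key, *future_cts[0]) == b"next item")
    return {"static_past": static_past, "ratchet_past": ratchet_past, "ratchet_future": ratchet_future}
```

The result shows the trade-off the posters describe: the static model exposes all three earlier messages, the ratchet exposes none of them but still leaks the one sent afterwards.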

@kkarhan @froge @fj @signalapp @delta @thunderbird @monocles @gajim @torproject @tails @tails_live @guardianproject @Mer__edith Signal has been asked for data before. I believe they responded that they have the timestamp the user registered and the timestamp they last logged in, and nothing else.

The CLOUD Act does not allow the US government to force Signal to include a backdoor into its clients.

@alwayscurious @froge @fj #CloudAct alone not, but it's just the tip of the iceberg.

  • I bet you that @signalapp & @Mer__edith will comply with even the most illegal and cyberfascist orders when facing "rubberhose cryptanalysis", which is a valid and likely risk factor in the #USA...

Again: The only #security is #decentralization!

  • This is why @torproject is still up and running: It cannot be shutdown even when all maintainers are being held at gunpoint.

#Signal is as vulnerable as #EncroChat if it's not a #Honeypot like #ANØM!

@kkarhan

I can't help but believe that you're confusing "private" with "anonymous"?

@fj @signalapp

@kkarhan
PGP leaks metadata by design, and doesn't have forward secrecy by default.
(There is sequoia-pgp, that supposedly “unstuck” the PGP development, but being OOTL I've missed it.)
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/

XMPP+OMEMO has a lot of problems.
https://soatok.blog/2024/08/04/against-xmppomemo/

You're left with Matrix, which has some problems, with a wonky security culture (like not hard-deprecating libolm) and leaking metadata.

Still, if you're against Signal, you're left with Matrix on the top.

@fj @signalapp


@dzwiedziu @fj @signalapp not really, as the #Metadata #FUD cited by #Signal is mitigable with proper measures.

  • You can't even run Signal over @torproject and even if that point is moot when you're forced to quasi-#KYC by virtue of a #PhoneNumber aka. #PII they have neither legitimate interest nor technical reason to demand in the first place!

Every claim that things like #ITsec, #InfoSec, #OpSec & #ComSec can be solved with "Just use Signal!" is "#TechPopulism" at best if not being a "#UsefulIdiot"!

#EOD #thxbye #next

@kkarhan I thought I was able to run signal over tor once. I think it was for messages rather than calls but it still worked

@fj

Reminder: #Trump kept #topsecret docs in his shitter.

This #administration isn't serious about #security because this administration is purposefully and intentionally making us weaker in soft & #military power for #Russian benefit.

It's a feature, not a bug.

@fj I think this post deserves an 11/10
🏆

@fj sharing your hate?

Did you read the release? There wasn't hate of Europeans. There was only discussion of the terms of partnership and normal concerns of political framing.

@volkris @fj True Vance didn't exactly say "I hate Europeans" he just said he hated doing anything that benefited Europe. This is also after he said Denmark was being a bad ally for not letting Agent Krasnov have whatever he wanted. And lectured Europe about 'free speech.' So I think we can see where he stands in regards to Europe.

@maccruiskeen ha, I'm not sure you can see where he stands in regard to Europe 🙂

Because I read that exchange in the complete opposite way, talking about the outlines of strategic partnership and how the different groups interact, which has absolutely nothing to do with hating or not hating Europe.

At worst it's neutrality when setting the terms for partnership. But I think it's more about supporting Europe to follow a path that he thinks would be better for everybody, Europe included, promoting European success as he sees it.

So no, not hatred at all. Support if anything.

Maybe it takes more understanding of the context in which these statements are made, though. It's just like how many misinterpreted Trump's stance on NATO during his first term.

@fj

@volkris @fj This administration has a weird idea of 'support' for Europe if that's how you see it--I mean, 'support' doesn't usually include random punitive tariffs, treating visitors like criminals, and threatening to take their territory by force.

@maccruiskeen to be clear, I'm not saying I agree with it.

Keep in mind that the culture these guys are coming from is shallow and thinks it knows better what everybody should be doing, and when it can it sees a moral duty to impose that better option on others.

So it's not a weird idea of support. It's actually a very common idea, too common in my opinion, thinking they can help people by telling them what they should be doing.

This is just one example of it. There are so many, but maybe it's something to keep in mind when trying to understand what this administration is doing.

@fj

@volkris @fj you're being way more generous to these sociopathic fucks than they really deserve.

@maccruiskeen Well think of it this way: have you ever had a family member, maybe an older one, who thinks they know what's good for you better than you do? Who has inappropriately tried to insert themselves into your business with the best of intentions even if they're, well, full of it, and it's not appreciated?

Yes, a couple of these people are sociopathic fucks. I actually agree with that.

But I think a lot of them are just well-meaning but really really stupid, and really really out of touch, and really disconnected from reality.

I think it's a really common experience when somebody with best of intentions tries to tell you what to do with your own life because they think they know better, even though they're completely off base. I think that explains a whole lot of what we're seeing out of the folks in charge right now.

@fj

@volkris @fj They were talking about Europe being "freeloaders".

@irelephant

Yeah, and that's not hatred. In context of support provided by US policy over the course of administrations that even has more to say about the US than about Europe.

This administration has been describing previous US policy as giving too much, so this is a continuation of complaining about the direction of US policy over administrations, and a pivot based on themes of the campaign that got them elected.

Not about Europe, about the US.

@fj

@fj
Use Tick-Tock or VKontakte instead and remove the middleman.
@fj "In order to avoid FOIA requests, all high level meetings will now be held at Denny's."

@fj of course Signal is no different to WhatsApp...
Both are secure BUT not if you ask someone outside your intended group to join of course and shouldn't be better used for government meetings and secrets for many reasons...

Not least that these w**kers are doing it so as to avoid all the oversight and scrutiny that was put into place over such things as email - all government communications are supposed to be kept - (Trump's argument was about this exact issue with Clinton using a private email server in 2016!!!)

@fj I think NSA or some other agency recommended several months ago to US officials using Signal (and stuff using Signal protocol), so ;-)

@fj I know this was just a joke, but is there any work on what sorts of communication practices and protocols would be appropriate for both accountability and security?

i.e. non-repudiable, verifiable, archived in a way that can be revealed to legitimate authorities, court orders, or enough time passing

@fj Competence is not the current USA admin's highlight. Like, can you remember the last time government fucked up in such a dumb, laughable way? And it's clowns like this talking about bombing shit. It's like giving a pack of baboons some pink dildos and sending them into combat. That's the look of current America.
@fj I guess this is the "radical transparency" Muskrat was talking about
@fj Pfft. If they really cared about efficiency the Trump administration would be using Telegram to more quickly relay plans and get direction from Russia.
@fj Doesn't talk of bombing and killing people violate the standards of discourse on Signal? Everyone in that thread should have a Signal timeout.