Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor [email protected] for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.

This is why Signal remains the gold standard for private, secure communications. 5/

@signalapp Thanks for being AWESOME 
@signalapp the biggest flaw is the user, as demonstrated recently.
@signalapp I accidentally someone to a group chat
what now?

@linuzifer @signalapp

Bbno$ asked me whether I have Signal and want to meet him, now I'm not sure anymore whether that was a normal honey trap/scammer, what should I do?

He's hot, Linus

@linuzifer @signalapp

Do you mean Vance.

You do know that this here is sad, wait.

@linuzifer @signalapp

Oh fgg, I couldn't find the little American who was crying because he woke up and Trump is still alive, and the only thing I could think of to comfort him was to tell him that Musk's rockets leave angel farts in the sky that look like rosettes

@linuzifer @signalapp you hafta attack some other country now
@linuzifer
Just remove Nicole again
@signalapp
@linuzifer @signalapp watch out, mate, that's how you become defense minister these days

@signalapp But is it idiot-proof? Can you give examples on things that would be idiotic to do, which might undermine security of a top secret conversation?!

Would you say that it is compatible with the requirements of the US government to safeguard conversations for either legal or historical purposes? Or would that just be a really stupid use of the software?!

Please provide clear, verifiable examples of governmental user stupidity, thanks! 😏

@signalapp A feature that would be great would be to put a PIN in place of biometrics
@signalapp Is all of the code from your backend services, the configuration management, and associated infrastructure work, all open source?
@signalapp Why do you need a CLA, why not avoid that and guarantee that one organization can't relicense everything without everyone's consent?
@signalapp It would be great if Signal allowed accounts without requiring a phone number. Neither Telegram nor WhatsApp offer this option, but it could be useful in many situations. For example, I keep a smartphone at home for my children without a SIM card, and finding a messaging system that works over Wi-Fi alone is not easy.
@signalapp @sn Maybe @delta is an option?

@gmc @delta @signalapp Tried it just now, but it does not allow calls or video calls (unlike Signal, WhatsApp and Telegram). So it looks like Google Chat (just messages, photos, and audio). Anyway, it looks like a very good app. Ty

--
Atm, I'm also trying Jami (this seems to allow calls and video calls).

@sn Delta Chat has Jitsi Meet integration. You can enable it in the settings and send invitations to a video call. But no built-in native calls yet.
@signalapp and why the CIA apparently has Signal installed on their own desktops...
@signalapp
It would be a good step to free #Signal from Google services/dependencies. Then it could be used cleanly on secure operating systems such as #GrapheneOS, which is currently not possible.
@signalapp If it was open source we'd be able to see the source code for the "spam-filter @ e73138e" folder in https://github.com/signalapp/Signal-Server - That's closed source.
@signalapp There are QR Codes, Usernames and such. Why do you still need the phone number?
@iz5wga @signalapp Supposedly for antispam (as if spammers don't use phone numbers for scams), but really for #kyc purposes. Most people who get a number online will be ID'd by their card details, while those buying a SIM card in-store with cash will likely be caught on CCTV.
@signalapp As a supporter of #Signal, it is important to point out a key detail: Signal's own code is #OpenSource, but Signal uses multiple #proprietary libraries from #Google. Those cannot be scrutinized since the source code is not open. We believe Signal should offer an actual open source version, and are ready to help. This exists already in the fork https://fosstodon.org/@MollyIM Also, apps like #Element #Threema #Wire are #FOSS, and have #ReproducibleBuilds on @fdroidorg #FDroid

@guardianproject @signalapp @fdroidorg

'Our secure messenger is open source and auditable, except for the fact that we allow a data-mining company to inject arbitrary code into our binaries and don't provide a build that doesn't do that' is somehow a less compelling argument than it may first appear.

@david_chisnall @guardianproject @signalapp @fdroidorg That's a perpetual myth that seems to have no basis in reality. The libraries in question have not been shown to be able to inject arbitrary code unless a malicious OS (which already has the capability to inject code into any program it hosts) has instructed them to do so.

(To be clear, this means on a Googled Android, you're just as vulnerable to Google's whims as you already were by running a Google OS, and on deGoogled Android you do not appear to be vulnerable.)

If this is incorrect, I'd like to see evidence.

Still I think on principle Signal should remove all Google code. There's no reason for it to be there and it hurts trust.

@dalias @guardianproject @signalapp @fdroidorg The libraries are arbitrary (binary) code provided by a third party. I'm not sure what you think is a myth.

@david_chisnall @guardianproject @signalapp @fdroidorg No, they're fixed code that contains exactly whatever code was there at the time Signal acquired and linked them in. Regardless of whether you have the source, this is analyzable, and if it doesn't have backdoor communication channels, the likelihood of harm is low even if you haven't done detailed analysis.

"Arbitrary code execution" would mean that they phone home to dynamically obtain code that Google could alter at any time to change the behavior after Signal shipped the app. That's the apparently false allegation folks are making about Signal.

@dalias @guardianproject @signalapp @fdroidorg

When you are making a claim of security as a result of being open source, the fact that you allow someone else to provide a binary and then inject it into your final build is a problem.

I can only assume that you're arguing for the sake of arguing, rather than making a real point.

@david_chisnall @dalias @guardianproject @signalapp @fdroidorg

I see a real point challenging your overstatement. This doesn't strike me as arguing for the sake of arguing, but rather as correcting the myth of live code injection into signed builds.

This converts the original overstatement from "signal (and everything else?) will run arbitrary code downloaded at runtime" into "blobs are a risk".

This is a much less compelling and startling (headline-worthy) claim.

@tab2space @dalias @guardianproject @signalapp @fdroidorg

At no point did I say anything about arbitrary code downloaded at run time, I said that they could inject arbitrary code. That arbitrary code comes in the form of a blob that I strongly suspect Signal is not disassembling and auditing.

Now, possibly, they run Signal on some test environments with random Google accounts and monitor every network connection that it makes, MITM those connections via faked certs, and monitor the code to see if it is detecting the MITM attack and whether any control flow diverges based on that.

But if they're doing all of that, then someone could do the same work with the Signal binary itself and being open source buys you very little in terms of security.

@david_chisnall @guardianproject @signalapp @fdroidorg No, I'm calling out bad faith criticism. Using closed source components from untrustworthy party X is a valid criticism. "Allows party X to inject arbitrary code" is a mischaracterization of that which serves an agenda (usually promoting scammy fake secure messengers).

@dalias @guardianproject @signalapp @fdroidorg

Okay, I am not going to argue any more. Allowing a third party to inject arbitrary code is literally what you do when you link a closed-source binary with no sandboxing.

If you think it's bad-faith criticism to state a fact, I am just going to mute you. Especially when you follow it up with 'usually promoting scammy fake secure messengers', which is something I was definitely not doing (and, if you pay attention to my previous posts, you'll see that I have encouraged people to use Signal rather than other things).