SignalRight now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications. 1/
One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: https://npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users. 2/
Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites. 3/
In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events. If you’re interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail:
https://wired.com/story/russia-signal-qr-code-phishing-attack/ 4/
https://wired.com/story/russia-signal-qr-code-phishing-attack/ 4/
Threadbane@signalapp
The technical level of security of Signal is irrelevant. Even using its vulnerability as an argument against it for secure government communications is merely a red herring, since the main issue is not the security breach, but the the Trump administration skirting government accountability and effectively creating an unaccountable shadow government outside the normal intelligence community..
The technical level of security of Signal is irrelevant. Even using its vulnerability as an argument against it for secure government communications is merely a red herring, since the main issue is not the security breach, but the the Trump administration skirting government accountability and effectively creating an unaccountable shadow government outside the normal intelligence community..
JamesTDG@Threadbane @signalapp exactly, the security of a tool is only as strong as its connections. It takes only ONE idiot to screw up the security of ANYTHING.
Disco3000@Threadbane @signalapp yep, and accidentally invite a journalist. Which wouldn’t have happened if a tool designed for secure military communications would have been used. There would be no journalist to add, because he wouldn’t have the security clearing. And most probably there would be an approval workflow (e.g. 4-eyes-principle) if someone is being added to a high security communication.
dexternemrodAnd that's why you do not want shadow-IT in your company (not sure if it was in this case, but looks like a pretty good example for me).
Still, trusting Signals encryption itself is a good decision.
Enno Rehling@disco3000 @Threadbane @signalapp that tool would also be created with federal and presidential records acts in mind. Add those to the felony charges for transmission of national defense information, and every official involved should go to jail for several years.
baconandcoconut@Threadbane @signalapp I think the technical level of security in Signal is relevant to the people using Signal for non-classified conversations which seems to be who they're addressing here.
Supermoosie@Threadbane
Military comms are designed to only allow personal that are pre vetted. You can't accidentally invite an outsider. The hardware is also secure.
These people have security comms people that travel with them to set up access to secure comms.
The other thing is Signal is not allowed on official phones and can't be downloaded.
This was on personal mobiles, which are unsecure and likely targeted and compromised by foreign intelligence.
It doesn't matter the encryption if Russia has a keylogger and screen capture software installed on the phone.
One of the party had just gone through Russian customs and would have had to hand their phone over and likely had software put on their phone.
China has also been in the US mobile system. So another way to put software on their phones.
Authoritarian countries have used routinely use spyware to surveil journalists, lawyers, political dissidents, and human rights activists
https://en.m.wikipedia.org/wiki/Pegasus_(spyware)
This is not the fault of Signal, but the underlying operating system of the phone. Particularly when up against adversaries with State level resources to target individuals.