My reservations and criticism re: #Signal are not just valid, but the reality is even worse than I thought:

  • The fact that @signalapp requires not only their shitty #Android #App and a #PhoneNumber, but literally won't allow people to use their shitty #Desktop-App unless they have an Android device with a camera pointed at it, makes it utterly unusable for certain users who don't have a fucking #camera in their Android.

Seriously, do they expect folks to deal with that shit?

FIX THAT SHIT, @Mer__edith, and if it means you need to kick some devs in their crotch then consider this a necessary "investment".

#sarcasm #TechSupport #TapesFromTechSupport #Enshittifucation #SignalSucks #TelegramSucks #Messengers

Kevin Karhan :verified: (@kkarhan@infosec.space)

Content warning: Rant re: Signal Shills being dangerous Tech Illiterates


Anyone who expects me to install yet another app for their garbage can kindly fuck off!

  • Fix your shit and give me a compelling reason to even consider making an account in the first place.

I won't, but seeing folks who actually take privacy seriously and thus have their #cameras removed from their #Android device struggle makes me fucking angry.

Personally, I wish @delta / #deltaChat had a plugin for something like @thunderbird / #Thunderbird so that it can be used as #Chat in it and sort the inbox. That would make it the superior solution for #corporations that already have #eMail #Archival set up for legal compliance…


One thing that really pisses me off personally is the #regression in terms of #Messenger #Apps. My personal distaste and dislike for #proprietary, #SingleVendor & #SingleProvider #services like #Signal [¹](https://infosec.space/@kkarhan/114234551915193036) [²](https://infosec.space/@kkarhan/114935952643402592), #Telegram, #Discord [³](https://infosec.space/@kkarhan/114865723904157014) [⁴](https://social.treehouse.systems/@krutonium/115157611977216372), #WhatsApp [5](https://infosec.space/@kkarhan/114873895410403238), #Slack, #MicrosoftTeams, etc. aside:

  • *WHY* is there no #CrossProvider #Messenger to handle that shite?

  • *WHY* does every one of these shitty providers think people want to download their #bloated #WebApp that takes up triple digit Megabytes if not entire Gigabytes and will gobble up all the #RAM and #CPU each of them can?? This problem ain't new and *already got [solved for corporate social media](https://infosec.space/@kkarhan/114862619013462466) ages ago!* (Not to mention actually good messengers!)

  • And no, [bridges](https://toots.ch/@dalai/114862754556459439) *[don't](https://swecyb.com/@troed/114862774972645542) count*!

  • I mean `API 0`-[style](https://digipres.club/@foone/112685423773959519) access, because obviously [none of the platforms](https://digipres.club/@foone/112685414638522984) will *allow, endorse or support such an endeavour* and [*actively fight the developers and users*](https://digipres.club/@foone/112685441496803574)!

So yeah, consider this a call for a @gajim@fosstodon.org / #Gajim or @pidgin@fosstodon.org / #Pidgin *for garbage platforms!*

  • Cuz back in the day we had *way worse messengers*, yet people actually made #AIM, #ICQ, #MSN, #QQ, #IRC & #XMPP work just fine from one single *"phat" client*!

  • Can we please get that back? Cuz #WastefulComputing pisses me off!

#api0 #Enshittification


Also why doesn't @signalapp / #Signal just accept a #screenshot of said #QRcode as a means to authenticate?

  • Seriously, there's no valid reason they can't do it like #Telegram and just send a message in-app to ask:

"Do you want to add/authenticate [insert device name here] at [IP Address]? Here's a unique pairing code to ensure that's correct!"

Like the #UX is worse than early versions of #OTR on #Pidgin back in those days...

Seriously, #Signal / @signalapp is bad, and everyone who relies on @Mer__edith et al. to not break when handed a duly issued warrant (or being held at gunpoint) by #US authorities is as delusional as the users of #ANØM and #EncroChat!

There's no valid excuse to collect #PII like a #PhoneNumber!

  • And Signal being not just able but entirely willing to "restrict services" based off the presumed location of the users is just a big red flag.

If they took #Security seriously, they'd use #XMPP+#OMEMO over #Tor and let users have 100% #SelfCustody of all the keys as well as completely #decentralize, including the ability to #SelfHost on @torproject.

[Signal's Terrible MobileCoin Betrayal (YouTube)](https://www.youtube.com/watch?v=tJoO2uWrX1M&t=887s)

@signalapp @Mer__edith @torproject and yes, #Matrix is not good either.

@kkarhan and don't forget, remove all PII requirements. And yet they market themselves as "being not as bad as WhatsApp", yet they literally are WhatsApp and are probably running it. They just won a profit, now care about security. Tor does a lot of stupid shit, but guess what? Tor at least is open source, and comes in different sizes. Besides, that "stupid shit" mainly comes in the browser, which means you can simply make a fork of the browser for your own and boom, you can remove some of those mistakes. Also, Tor is doing something new. They are building a new application which uses the actual VPN endpoint, and uses Arti which is in Rust. I will use Tor more than Signal.

@adisonverlice plus #Tor both shields users and hosters, neither can locate the other, thus neither can be forced to snitch on the other.

I've been using @torproject / @guardianproject #Orbot to use #XMPP anonymously for 15+ years now on mobile so it does work for #messaging even in #EDGEland!

@kkarhan well soon I think Orbot will go away, because Tor, like I said, has a brand new solution. I think it's in the works and it's in beta, but it's designed to be like an actual VPN rather than just a SOCKS/HTTP proxy on a VPN.
Even more, it's built in Rust. I'm excited.

@adisonverlice I don't think #Orbot is going away.

@kkarhan yea but this doesn't just leverage some API. I think it's actually called "tor VPN" but I can't remember what it is
@kkarhan of course, what I do know is that it's supposed to be better than orbot in the fact it's an actual VPN endpoint pointing to an onion service, not just a proxy tunneled through a VPN.
@kkarhan @signalapp I think Telegram is just a dumpster fire these days. They're less secure than all the other encryption apps, at least when it comes to the encryption algorithms.

@adisonverlice ALL #SingleVendor, #SingleProvider #Messengers that are #proprietary by virtue of not having everything #FLOSS'd are inherently bad.

If that shit was actually secure, it would've been abused so hard that she'd be in jail for refusing to comply with #CloudAct and duly issued warrants, as well as for being complicit in the "abuse" of said platform.

thaddeus e. grugq on Twitter: “I’m gonna tell you a secret about “logless VPNs” — they don’t exist. Noone is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g”

@adisonverlice tell me if I'm wrong but AFAIK @signalapp, unlike @delta doesn't get sued by #Russia into handing over #data and is able to argue that it cannot provide data by virtue of not having said data in the first place!

Cuz how else is Signal able to "comply with sanctions" for their #Shitcoin known as #MobileCoin?

We Tried Signal's MobileCoin So You Never Have To...

@kkarhan @signalapp @delta Yeah the problem is Signal has a bunch of metadata. Even if they don't have your encrypted messages, they still have a bunch of meta data on you. And someone has access to that server. An administrator? A VPS provider? We could even in theory say the national security agency? We don't know who. But someone does. Someone knows where the data lives.
@adisonverlice the fact that @signalapp demands #PII like a #PhoneNumber for no "legitimate reason" whatsoever already makes them noncompliant with #CloudAct and thus failing my #privacy test!
@kkarhan @signalapp @delta Also keep in mind that a hash doesn't mean that it's encrypted. Yes, they store your phone number in a hash. But that could easily be dehashed and found. That's like telling you that I put your password in a hash algorithm. In reality all that means is I just randomized get into letters and numbers. It's not encryption. Nor is Base64 encoding.

@adisonverlice @signalapp @delta it's absolutely trivial to just brute-force all valid phone numbers in a matter of hours if not less.

  • Especially since there are only few valid lengths for each nation and their phone systems, and the international extensions are publicly known.

See #BPjMleaks
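The brute-force point made above, as an added example that is not from the thread: the phone-number space is small and structured, so an unkeyed SHA-256 of a number is recoverable by enumeration, whereas a keyed HMAC pseudonym cannot be checked without the server's secret. The numbering plan, prefixes, numbers and key are all constructed here; the enumeration is kept to four free digits so it runs in a moment, and the size function shows how large a full per-prefix sweep would be.

```python
"""Added example (not Signal's code): unkeyed hashes of phone numbers are
only obfuscation; a keyed pseudonym stops offline table lookups, but the
key holder can still reverse it, which is the 'someone has access to that
server' problem the thread raises."""
import hashlib
import hmac
import itertools

# Constructed plan: a fixed country code, a list of mobile prefixes and a
# fixed-length subscriber part. Real plans are just as enumerable.
COUNTRY_CODE = "+49"  # assumption: any fixed code behaves the same
MOBILE_PREFIXES = ["151", "160", "170"]
SUBSCRIBER_DIGITS = 7


def search_space_size(prefixes, subscriber_digits):
    """Candidates an attacker must hash to cover one country's mobile plan."""
    return len(prefixes) * 10 ** subscriber_digits


def sha256_hex(number):
    """The 'we only store a hash' scheme: deterministic and unkeyed."""
    return hashlib.sha256(number.encode()).hexdigest()


def hmac_hex(key, number):
    """Keyed pseudonym: a table of these is useless without `key`."""
    return hmac.new(key, number.encode(), "sha256").hexdigest()


def recover_from_sha256(digest, prefix, fixed_part, free_digits):
    """Enumerate the free trailing digits (rest of the number given, to
    keep this fast) and return the pre-image of an unkeyed digest, or
    None. The same loop simply never matches a keyed digest."""
    for tail in itertools.product("0123456789", repeat=free_digits):
        candidate = COUNTRY_CODE + prefix + fixed_part + "".join(tail)
        if sha256_hex(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print("candidates per full sweep:",
          search_space_size(MOBILE_PREFIXES, SUBSCRIBER_DIGITS))
    number = "+49151" + "1234567"          # constructed sample number
    print("recovered:", recover_from_sha256(sha256_hex(number), "151", "123", 4))
    secret = b"constructed-server-secret"  # held only by the operator
    print("keyed lookup:",
          recover_from_sha256(hmac_hex(secret, number), "151", "123", 4))
```

The keyed variant only moves the trust: whoever operates the key (or the enclave holding it) can still map pseudonyms back to numbers, so it does not answer the metadata concern, only the leaked-table one.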

@kkarhan @signalapp @delta Yes, but you forgot about 1 thing. The fact that they use a proprietary SMS gateway that has experienced 5 or 10 hacks at this point? Twilio? And I think someone even got hacked on Signal simply because of the Twilio gateway that was sending the messages. This isn't some advanced SS7 attack. Not even some advanced spoofing attack on the network level that could be done by an intelligence agency. All they had to do was hack Signal's Twilio gateway space or something, and then boom. It's like a wiretap. It just works. I can't remember where the article was, but I think it happened at some point.

@adisonverlice @signalapp again: #KYC is the illicit activity and demanding #PII and/or sending confirmation #SMS is inherently bad.

Compared to e.g. @delta / #deltaChat or @monocles / #monoclesChat it's already a no-go to demand a #PhoneNumber, and the latter one is actually #sustainable because it's paid for by users and not a #VCmoneyBurningParty!

@kkarhan @signalapp @delta @monocles Yeah. Once again, I have to wonder why the Trump administration used Signal a couple of months ago. And without getting into detail, I hear through the grapevine that they're still using Signal when the couple of ways. Not even for non-classified information. Totally classified! And by the way, I found that article or that memo that tells DoD not to use Signal for classified information.

https://www.esd.whs.mil/Portals/54/Documents/FOID/Reading%20Room/Personnel_Related/22-F-0350_DDS_Comms_Policy-Signal.pdf

@adisonverlice @signalapp @delta @monocles Once again you speak a lot of sense, @kkarhan@infosec.space. Phone numbers operate with a barely-functional, mostly-centralized digital transport for an ancient* analogue communication system (*1860s). As for privacy, well, the 'phone maintenance van used for illicit wiretapping' is a common film trope for a reason.

And this, of all mechanisms, is what the finance industry and most governments have decided to use for sending 'security codes' 😐

@seabass @signalapp @delta @monocles Phone numbers were never meant to be private.
@adisonverlice @signalapp @delta @monocles Sorry, I should have been more precise: phone calls and SMS messages are themselves still largely unencrypted, which opens them up to all kinds of man-in-the-middle attacks. This might be unimportant for some kinds of communication but is highly problematic for verification messages (one-time tokens and the like). In my opinion, online services should avoid linking identities to phone numbers if at all possible for this reason. Whether a user wants to publicly declare their phone number or keep it private is only partly related, I would say.
@seabass @signalapp @delta @monocles Oh, it's possible for Signal to do that. They could just get rid of phone numbers entirely. But they don't choose to do that.
@kkarhan not sure if I would directly agree, maybe Russia doesn't see any real threat in Signal, because they can more easily block access to the app, servers, distribution etc.
While DeltaChat relies on e-mail, therefore is decentralized in nature and harder to block/control.
The US also investigated the PGP creator back then for "illegal arms exports" since PGP was considered that "dangerous".
I don't think Signal hands over data to Russia.
As for the US, they "just" have to...
1/x
@adisonverlice
@kkarhan ... monitor all incoming traffic to Signal's servers, so as to know where it's coming from (remember most VPNs are in 5/9/14-eyes countries). In addition, Google/Apple (push) infrastructure is most likely easily accessible to them and tightly integrated with most systems. Not to mention Cloudflare (which distributes Signal messages quickly AND pinpointed across the globe) and others. So there are plenty of options; as an intelligence service I would be less worried about 0.1% 2/x
@adisonverlice
@kkarhan ... using some specific very secure service but about the masses using something making them 10% more secure.
Imagine everyone in the EU dropping big US services, pretty inconvenient, I'd say.
3/3
Also, who knows, if they bully @signalapp too much they might leave the US, making it harder to monitor this 0.1%, of which they at least currently know exactly where messages being sent end up or come from (unsecure by unobscure, but well, my 2ct).
@adisonverlice

@kkarhan @adisonverlice see also:
NSA tooling: https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/

Signal attack using Cloudflare teleport (while being fixed for private actors, still a vector for intelligence services): https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117#cloudflare

And there is more, just look at how insecure telecom networks are, etc.

@nick @adisonverlice I'd still say @signalapp / #Signal has the same stench as #CryptoAG and #ANØM had...
@nick @kkarhan For privacy, the best way to not comply is to not have any data to give. From what I've noticed it seems Delta isn't exactly able to do that, unlike Signal. Signal was able to hand over PII that you wouldn't want handed over. And don't get me started on so-called child safety. If the US thinks it's a great idea to subpoena Signal for child safety they absolutely could. They have expressed the willingness to violate their own laws, or make agreements with other countries so they don't even have to violate their own laws, they can just have another country do it for them. So what makes you think that they won't do that either?

@adisonverlice @nick precisely.

  • Whereas @delta couldn't hand over any data even if they wanted to and since it's #FLOSS any attempts at i.e. hardcoding a #backdoor or #blocking domains would be trivial to detect and undo by virtue of #forking.

  • Whereas with @signalapp one has to rely on @Mer__edith et al.'s promise that the code they release - regardless if app but especially backend - is the code they run.

Which is doubtful at best aka. "#TrustMeBro!" - level of guarantee…

  • Also #Signal's business is unsustainable, as unlike @monocles they don't recoup operational costs from their users but act as a #VCmoneyBurningParty, and that will inevitably backfire.
@kkarhan @nick @delta @signalapp @Mer__edith @monocles Yeah. And Signal requires internet to run. Which means if you are in the threat model where you want to make your own air gap messaging system for whatever reason, you can't. Which is not possible. India. Venture India. Venture capitals aren't that great. I guess they're great if you really really really really need a head start. But often you have to do whatever venture capital tells you to do. Or whatever it's called. It should be donation based. Not based on adventure capital.

@adisonverlice @nick well, since @delta is based on #eMail it can be deployed in a UUCP-based, #airgapped #Sneakernet...

  • Cuz smuggling some high-cap data drives works great and is being used around the globe.

It's how Rimjin-gang sources can communicate.
https://en.wikipedia.org/wiki/Data_mule
https://en.wikipedia.org/wiki/Sneakernet


@kkarhan @nick @delta No I'm talking about signal. I'm very specifically mentioning signal. But we can apply this to other things too like whatsapp. They want to have this used in markets like Iran and china and Russia. But they're doing it so wrong that it's laughable. Sneaker net is something that's not usable in this case because it needs internet connection. OK you could argue that the proxy server you can run connect from other IPS so OK. In that regard sure. But even for the 1st initial steps. Good luck with that! It requires you to give it a phone number

@adisonverlice @nick Personally, I think that @signalapp is just a #Honeypot like #ANØM:

  • Cuz the lack of consequences re: rampant (by virtue of being statistically inevitable!) abuse lets me believe they have their shit backdoored just for "compliance" reasons...

If @Mer__edith / #Signal were pro-#privacy they'd not demand a #PhoneNumber to begin with or expect people to have cameras in their Android devices...

@nick @kkarhan Also if it's designed right they don't, have, to hand over data. They could simply make a decentralized, make it not have a phone number, then boom. We've already seen how great this worked with telegram. We know we know even the telegram founder is not going to take a wrench to the head for your data. Disregarding the encryption for a minute, we know that telegram founder was not going to take a wrench in the head in jail for your data.

@adisonverlice @nick well, #Telegram is a similar shitshow requiring #PII in the form of a #PhoneNumber as well...

When push comes to shove whoever is in charge will snitch, and I expect @Mer__edith to do so as well instead of rotting in a jail cell for the rest of her life.

thaddeus e. grugq on Twitter: “I’m gonna tell you a secret about “logless VPNs” — they don’t exist. Noone is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g”
@kkarhan @nick @Mer__edith Exactly! Just as I said earlier. None of these founders Are going to take a wrench to the head for your data. Signal, whatsapp, telegram, none of them!

@adisonverlice @nick And it's not even that I'd see it as bad.

I just wished @Mer__edith & @signalapp were honest to begin with...

@kkarhan @signalapp @Mer__edith Yeah. Makes me Want to know why exactly The trump administration used signal for classified documents. In fact I actually have a memo from the defense digital service which tells DOD people *not* to use Signal for classified documents. If you want it I can give it to you it's public.

@adisonverlice worse even is that they didn't just use @signalapp but a shady #3rd party client so in this case it's NOT @Mer__edith et. al. who are to blame, but the folks that REFUSED TO ENFORCE #ITsec & #ComSec!

  • Cuz there's a reason they got hired and paid to say "no", and why there's a full suite of dedicated, applianced hardware for any sensitive comms!

But then again #AgentKrasnov is an #InfoSec, #OpSec & #NatSec nightmare!

@kkarhan @signalapp @Mer__edith Yeah. And tell me if I'm wrong because I could well be, you seem to know more than I do in terms of signal, but hasn't their protocol and their server code or whatever been out of date for a while? Again tell me if I'm wrong.

@adisonverlice @signalapp @Mer__edith yes.

They ain't #FLOSS and I'd not count on their released code to be true because it cannot be verified that it is in fact the infrastructure they run off.
[Signal's Terrible MobileCoin Betrayal (YouTube)](https://www.youtube.com/watch?v=tJoO2uWrX1M)
@adisonverlice I think the (released) open source server code was outdated for some time, however right now it seems to be pretty up-to-date: https://github.com/signalapp/Signal-Server
@kkarhan @signalapp @Mer__edith
@nick @kkarhan @signalapp @Mer__edith But here's the question you really should be asking. Do you trust Signal's code? Because they've shown many times that they really can't be trusted. Are they reliable? No. Just because you can host your own server doesn't mean that it's good, nor does it repair its already tarnished reputation. Keep in mind that servers still contain metadata. And that means you can reply, reply, comply with KYC laws.