My reservations and criticism re: #Signal are not just valid, but the reality is even worse than I thought:

  • The fact that @signalapp requires not only their shitty #Android #App, and a #PhoneNumber, but literally won't allow people to use their shitty #Desktop-App unless they have an Android device with a camera pointed at it makes it utterly unusable for certain users who don't have a fucking #camera in their Android.

Seriously, do they expect folks to deal with that shit?

FIX THAT SHIT, @Mer__edith, and if it means you need to kick some devs in their crotch then consider this a necessary "investment"

#sarcasm #TechSupport #TapesFromTechSupport #Enshittifucation #SignalSucks #TelegramSucks #Messengers

Kevin Karhan (@kkarhan@infosec.space)

Content warning: Rant re: Signal Shills being dangerous Tech Illiterates

Infosec.Space

Anyone who expects me to install yet another app for their garbage can kindly fuck off!

  • Fix your shit and give me a compelling reason to even consider making an account in the first place.

I won't, but seeing folks who actually take privacy seriously and thus have their #cameras removed from their #Android device struggle makes me fucking angry.

Personally, I wish @delta / #deltaChat had a plugin for something like @thunderbird / #Thunderbird so that it can be used as #Chat in it and sort the inbox. Would make it the superior solution for #corporations that already have #eMail #Archival set up for legal compliance…

Kevin Karhan (@kkarhan@infosec.space)

One thing that really pisses me off personally is the #regression in terms of #Messenger #Apps. My personal distaste and dislike for #proprietary, #SingleVendor & #SingleProvider #services like #Signal [¹](https://infosec.space/@kkarhan/114234551915193036) [²](https://infosec.space/@kkarhan/114935952643402592), #Telegram, #Discord [³](https://infosec.space/@kkarhan/114865723904157014) [⁴](https://social.treehouse.systems/@krutonium/115157611977216372), #WhatsApp [⁵](https://infosec.space/@kkarhan/114873895410403238), #Slack, #MicrosoftTeams, etc. aside:

  • *WHY* is there no #CrossProvider #Messenger to handle that shite?

  • *WHY* does every one of these shitty providers think people want to download their #bloated #WebApp that takes up triple-digit Megabytes if not entire Gigabytes and will gobble up all the #RAM and #CPU each of them can?? This problem ain't new and *already got [solved for corporate social media](https://infosec.space/@kkarhan/114862619013462466) ages ago!* (Not to mention actually good messengers!)

  • And no, [bridges](https://toots.ch/@dalai/114862754556459439) *[don't](https://swecyb.com/@troed/114862774972645542) count*! I mean `API 0`-[style](https://digipres.club/@foone/112685423773959519) access, because obviously [none of the platforms](https://digipres.club/@foone/112685414638522984) will *allow, endorse or support such an endeavour* and [*actively fight the developers and users*](https://digipres.club/@foone/112685441496803574)!

So yeah, consider this a call for a @gajim@fosstodon.org / #Gajim or @pidgin@fosstodon.org / #Pidgin *for garbage platforms!*

  • Cuz back in the day we had *way worse messengers* yet people actually made #AIM, #ICQ, #MSN, #QQ, #IRC & #XMPP work just fine from one single *"phat" client*!

  • Can we please get that back? Cuz #WastefulComputing pisses me off!

#api0 #Enshittification

Infosec.Space

Also why doesn't @signalapp / #Signal just accept a #screenshot of said #QRcode as a means to authenticate?

  • Seriously, there's no valid reason they can't do it like #Telegram and just send a message in-app to ask:

"Do you want to add/authenticate [insert device name here] at [IP Address]? Here's a unique pairing code to ensure that's correct!"

Like the #UX is worse than early versions of #OTR on #Pidgin back in those days...

@kkarhan @signalapp I think Telegram is just a dumpster fire these days. They're less secure than all the other encryption apps, at least when it comes to the encryption algorithms.

@adisonverlice ALL #SingleVendor, #SingleProvider #Messengers that are #proprietary by virtue of not having everything #FLOSS'd are inherently bad.

If that shit was actually secure, it would've been abused so hard that she'd be in jail for refusing to comply with #CloudAct and duly issued warrants as well as being complicit in the "abuse" of said platform.

thaddeus e. grugq on Twitter

“I’m gonna tell you a secret about “logless VPNs” — they don’t exist. No one is going to risk jail for your $5/mo https://t.co/Q2aOQJkG4g”

Twitter

@adisonverlice tell me if I'm wrong, but AFAIK @signalapp, unlike @delta, doesn't get sued by #Russia into handing over #data and is able to argue that it cannot provide data by virtue of not having said data in the first place!

Cuz how else is Signal able to "comply with sanctions" for their #Shitcoin known as #MobileCoin?

We Tried Signal's MobileCoin So You Never Have To...

YouTube

@kkarhan @signalapp @delta Also keep in mind that a hash doesn't mean that it's encrypted. Yes, they store your phone number as a hash. But that could easily be dehashed and found. That's like telling you that I put your password in a hash algorithm. In reality all that means is I just randomized it into letters and numbers. It's not encryption. Nor is base64 encoding.

@adisonverlice @signalapp @delta it's absolutely trivial to just brute-force all valid phone numbers in a matter of hours if not less.

  • Especially since there are only a few valid lengths for each nation and their phone systems, and the international prefixes are publicly known.

See #BPjMleaks
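The point made in the two posts above (a hash of a phone number is a pseudonym, not confidentiality, because the number space is small and its structure is public) is easy to demonstrate. The following is an added example, not code from the thread or from any messenger's implementation: it uses a constructed numbering block (a hypothetical `+1555` prefix followed by a fixed count of subscriber digits), enumerates the whole block against a "leaked table" of plain SHA-256 hashes, and extrapolates the measured hash rate to blocks the size of a real national plan. It also shows the standard mitigation against table theft, a keyed hash (HMAC) under a server-held secret, and why that does not help against the party holding the key, which is the provider itself.

```python
import hashlib
import hmac
import itertools
import secrets
import time

# Constructed numbering block for the demonstration: a fixed prefix followed by a
# known number of subscriber digits. Real national plans publish their prefixes and
# lengths, which is exactly what makes the search space small and enumerable.
PREFIX = "+1555"        # hypothetical prefix, not a real allocation
SUBSCRIBER_DIGITS = 5   # kept small so the demo runs in well under a second


def hash_number(number: str) -> str:
    """Plain, unsalted SHA-256 of the E.164 string: the 'we only store a hash' scheme."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-held secret: same table layout, but not
    enumerable by anyone who lacks the key."""
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()


def enumerate_block(prefix: str, digits: int):
    """Yield every number in the block: prefix followed by all digit combinations."""
    for tail in itertools.product("0123456789", repeat=digits):
        yield prefix + "".join(tail)


def recover(target_hashes: set, prefix: str, digits: int) -> dict:
    """Dictionary search over the block: map each stored plain hash back to its
    number. Stops early once every target has been matched."""
    found = {}
    for number in enumerate_block(prefix, digits):
        h = hash_number(number)
        if h in target_hashes:
            found[h] = number
            if len(found) == len(target_hashes):
                break
    return found


def block_size(digits: int) -> int:
    """Number of candidates in a block with the given count of free digits."""
    return 10 ** digits


def measure_hash_rate(samples: int = 50_000) -> float:
    """Rough hashes-per-second on this machine, to extrapolate to a full plan."""
    start = time.perf_counter()
    for number in itertools.islice(enumerate_block(PREFIX, 7), samples):
        hash_number(number)
    return samples / (time.perf_counter() - start)


def estimated_seconds(digits: int, rate: float) -> float:
    """Worst-case time to enumerate a block of 10**digits numbers at the given rate."""
    return block_size(digits) / rate


if __name__ == "__main__":
    # Constructed 'leaked table': plain hashes of three subscribers in the block.
    subscribers = [PREFIX + "00042", PREFIX + "31337", PREFIX + "99999"]
    leaked = {hash_number(n) for n in subscribers}

    t0 = time.perf_counter()
    result = recover(leaked, PREFIX, SUBSCRIBER_DIGITS)
    print(f"recovered {len(result)}/{len(leaked)} numbers in {time.perf_counter() - t0:.2f}s")
    for h, number in result.items():
        print(f"  {h[:16]}... -> {number}")

    rate = measure_hash_rate()
    for digits in (7, 10):
        hours = estimated_seconds(digits, rate) / 3600
        print(f"10^{digits} numbers at {rate:,.0f} H/s: ~{hours:.2f} h worst case, "
              "single core, pure Python")

    # The same search against a keyed table finds nothing without the key ...
    key = secrets.token_bytes(32)
    keyed = {keyed_hash(n, key) for n in subscribers}
    print("keyed table recovered:", recover(keyed, PREFIX, SUBSCRIBER_DIGITS))
    # ... but the key holder (the provider) can still resolve any entry at will.
    print("provider can resolve entry:", keyed_hash(subscribers[0], key) in keyed)
```

Run it as a script; the extrapolation line is what matters for the thread's claim: a single Python core manages on the order of a million SHA-256 calls per second, so even a full 10-digit national block is a matter of hours, and dedicated hashing hardware brings that down by several orders of magnitude. The keyed variant only moves the problem: it protects against someone who copies the table, not against the operator who holds the key, so the only arrangement that keeps the number unrecoverable is not collecting it in the first place.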

@kkarhan @signalapp @delta Yes, but you forgot about 1 thing. The fact that they use a proprietary SMS gateway that has experienced 5 or 10 hacks at this point? Twilio? And I think someone even got hacked on Signal simply because of the Twilio gateway that was sending the messages. This isn't some advanced SS7 attack. Not even some advanced spoofing attack on the network level that could be done by an intelligence agency. All they had to do was hack Signal's Twilio gateway space or something, and then boom. It's like a wiretap. It just works. I can't remember where the article was, but I think it happened at some point.

@adisonverlice @signalapp again: #KYC is the illicit activity and demanding #PII and/or sending confirmation #SMS is inherently bad.

Compared to i.e. @delta / #deltaChat or @monocles / #monoclesChat it's already a no-go to demand a #PhoneNumber, and the latter one is actually #sustainable because it's paid for by users and not a #VCmoneyBurningParty!

@kkarhan @signalapp @delta @monocles Yeah. Once again, I have to wonder why the Trump administration used Signal a couple of months ago. And without getting into detail, I hear through the grapevine that they're still using Signal in a couple of ways. Not even for non-classified information. Totally classified! And by the way, I found that article or that memo that tells DoD not to use Signal for classified information.

https://www.esd.whs.mil/Portals/54/Documents/FOID/Reading%20Room/Personnel_Related/22-F-0350_DDS_Comms_Policy-Signal.pdf

@adisonverlice @signalapp @delta @monocles Once again you speak a lot of sense, @kkarhan@infosec.space. Phone numbers operate with a barely-functional, mostly-centralized digital transport for an ancient* analogue communication system (*1860s). As for privacy, well, the 'phone maintenance van used for illicit wiretapping' is a common film trope for a reason.

And this, of all mechanisms, is what the finance industry and most governments have decided to send 'security codes' over 😐

@seabass @signalapp @delta @monocles Phone numbers were never meant to be private.

@adisonverlice @signalapp @delta @monocles Sorry, I should have been more precise: phone calls and SMS messages are themselves still largely unencrypted, which opens them up to all kinds of man-in-the-middle attacks. This might be unimportant for some kinds of communication but is highly problematic for verification messages (one-time tokens and the like). In my opinion, online services should avoid linking identities to phone numbers if at all possible for this reason. Whether a user wants to publicly declare their phone number or keep it private is only partly related, I would say.

@seabass @signalapp @delta @monocles Oh, it's possible for Signal to do that. They could just get rid of phone numbers entirely. But they don't choose to do that.