I have a question for everyone doing political work:

Has one of your Signal accounts already been deleted without you receiving a "security SMS"?

The question is meant seriously.
Does this affect you? Please get in touch.
Feel free to share, this is not unimportant.

A question to all doing political work:
Have you lost a Signal account without having received some "security SMS"?

No joke. Are you affected? Please contact me.
Please spread, this is important.

#chatkontrolle #sms #security #klartext #telefonnummer #signal #bigbrother

NOTE: I am not complaining about Signal here.
This is about phone tracking.

@wuffel

Some mobile carriers have an "SMS firewall" - here is the example of Telekom

It is better to use only messengers that do not run on the mobile number, such as Threema, which already has over 12 million users in Germany and which can be obtained free of charge again over Easter.

#Signal #Whatsapp

@Steldamm @wuffel Threema isn't great. It has no built-in forward secrecy - it relies on their network to provide this functionality, and they make amateurish mistakes in their cryptography.

https://soatok.blog/2021/11/05/threema-three-strikes-youre-out/

Link preview: Threema: Three Strikes, You're Out - Dhole Moments. "Threema boldly claims to be more secure than Signal. Does this hold up to scrutiny?" (Dhole Moments)

@Steldamm @wuffel It's really not, if you were to read the recommendations at the end of the report.

Threema still does not achieve forward secrecy.

Also, the report focuses on the theoretical/conceptual security of the Ibex protocol, without any pentesting, and assumes a few things.

I'm no cryptographer, but the conclusions and suggestions do not seem all that different.

Also, Threema punched down to a group of a few graduate students that also found 7 more issues - which were quite serious (!), which says a lot about how they treat security disclosures: https://soatok.blog/2023/01/21/how-you-respond-to-security-researchers-says-everything-about-you/#threema

And Threema still spreads FUD about Signal; they haven't changed their messenger comparison page at all: https://threema.com/en/products/private/messenger-comparison#messengerTab-1

@alextecplayz @wuffel

Some thoughts on the ETH's Threema "Analysis"

https://blog.dbrgn.ch/2023/1/14/threema/

Link preview: Some thoughts on the ETH's Threema Analysis - blog.dbrgn.ch. "Some thoughts on the Threema analysis carried out by a research team at ETH Zürich."

@Steldamm @wuffel Yeah, that's fine; it's just an engineer at Threema who simplifies how they fixed the issues, it's just some technical stuff.

He does not (nor should he) talk about the way Threema punched down to the ETH students' report on Twitter and on their blog post (https://threema.com/en/products/private/messenger-comparison#messengerTab-1)

"none of them ever had any considerable real-world impact", "unrealistic prerequisites", "One finding (#1) is of purely theoretical interest and has no practicable applicability whatsoever." (when in the engineer's blog post he assumes that in the PoC the researchers modded the app to dump the keys instead of having root-level access and specifically targeting the bytes belonging to the key), et cetera, et cetera

The point being that Threema considered that these issues were too complex to ever apply in the real world, neglecting the existence of state-level bad actors or hacker groups, or private individuals/corps with enough resources.

Link preview: Messenger Comparison (Threema)

Link preview: The Revolution Will Not Be Signaled. "We are constantly told that the messaging platform Signal is totally secure and benevolent. While Signal may be preferable to the dominant alternatives" (CounterPunch.org)

@Steldamm Not really any evidence in these articles - just a lot of speculation and maybes - and come on - Tucker Carlson - not really a trustworthy individual ....

@Steldamm
1. Fair enough, CounterPunch provides enough evidence to question how Signal is run, but they do run off with the allegations that CIA/NSA/the government controls Signal and the Signal Foundation

2. Untrue. Signal doesn't work with any government, the only source for this is a LinkedIn post (https://www.linkedin.com/posts/serhii-demediuk-a383521aa_signal-activity-7303700457040809984-5dWZ) from UA's former deputy secretary of the NSDC. Meredith Whittaker has a response (https://mastodon.world/@Mer__edith/114160644341691299)
3. Not only is it FUD, the person just so happens to sell Threema licenses (https://primal.net/e/nevent1qqspq5fvhrqfwt0uppwj5p9n0cnwzfqh9ae94lkr8gnfas3lvv66g7cwtfh2c)
4. Wrong title. It's the same thing as 8, the RTT of message delivery confirmations to determine how many devices a user has via 'silent' pings. There's no actual spying or interception.

Link preview: Ukrainian Cyber Defense: Stable, but new tactics and actors observed | Serhii Demediuk posted on the topic | LinkedIn

"Ukrainian Cyber Defense The situation on the cyber front remains stable, with no critical changes. Throughout the last months of winter, russian hacker groups have primarily focused on obtaining intelligence from military situational awareness systems, compromising mobile devices to intercept communications of military personnel and government officials, and targeting the mobile devices of Ukrainian diplomatic representatives abroad. New tactics are being observed among russian hacker groups, leveraging social engineering to infiltrate government information and communication systems (ICS) and critical infrastructure. The most commonly exploited threat vector remains the Signal Messenger, with ongoing campaigns aimed at compromising the accounts of military personnel and government officials to extract intelligence for enemy operations. Following the suspension of U.S. military aid to Ukraine, #Signal's administration has also stopped responding to requests from Ukrainian law enforcement agencies. As a result, Signal has become the second-largest abuse-resistant messenger. Additionally, at the end of February and the beginning of March 2025, an increase in malicious activity driven by financial gain has been observed. Notably, these threat actors are not only from russia but also from countries that have previously positioned themselves as Ukraine's partners and allies. The most destructive and intelligence-driven activities have been carried out by the following threat actors: UAC-0001, UAC-0010, UAC-0002, UAC-0006, UAC-0020, UAC-0024, UAC-0091, UAC-0091, UAC-0133, UAC-0150, UAC-0173, UAC-0212, UAC-0218, UAC-0050, and UAC-0057. A separate focus should be placed on UAC-0057, attributed to the intelligence services of the Republic of Belarus, which until recently conducted their operations exclusively against EU countries. Does this indicate yet another shortage of russian "specialists" and a lack of necessary capabilities? This issue is under investigation.
The war continues!" (LinkedIn)

@Steldamm 5. This is just phishing? Has nothing to do with the security of Signal. Phishing can be performed on any platform, including your beloved Threema.
6. These are claims. Paragon has no website, it's state-sponsored mercenary spyware. If Signal and WA can be allegedly hacked, rest assured Threema can also be hacked by Paragon.
7. Are you seriously quoting Tucker Carlson and The Western Journal, a far-right conspiracy news website that's explicitly anti-leftist, promotes 'traditional American values' and upholds traditional Christian values?

Unless Tucker Carlson's phone was swapped or completely compromised, and the Signal app was swapped for a modified one, the NSA could not intercept or break into his account, from a security standpoint.

8. The tool can tell if you're online or not. You can mitigate this by just disabling the last seen indicators and enabling 'Block unknown account messages' on Whatsapp.

@Steldamm Signal still comes out on top despite the privacy concerns related to phone numbers' metadata.

Also, Signal has post-quantum cryptography (https://signal.org/blog/pqxdh/). Threema does not.

Signal has PFS. Threema doesn't achieve PFS as per that report you linked.

When it comes to state-level actors, Signal would still fare better (and especially hardened forks like Molly that also encrypt the database).

If Signal can be allegedly hacked by Paragon's spyware, I can bet my bottom dollar Threema, Matrix, XMPP and other similar platforms/protocols can be hacked as well.

I think this conversation is over, I have no interest in further replies.

Signal has genuine privacy concerns related to its centralization and leadership structure, the phone number requirement, the (very minimal) metadata leakage, but Threema has worse security and spreads FUD.

If I had to choose one of the two, my choice is clear.

Link preview: Quantum Resistance and the Signal Protocol. "The Signal Protocol is a set of cryptographic specifications that provides end-to-end encryption for private communications exchanged daily by billions of people around the world. After its publication in 2013, the Signal Protocol was adopted not only by Signal but well beyond. Technical informat..." (Signal Messenger)