I think Signal is the most private messager so far

#22
"...is built by Open Whisper Systems (aka Quiet Riddle Ventures), an opaque for-profit organization run by Moxie Marlinspike (not his real name). Marlinspike likes to keep the details of his biography wrapped in mystery. He poses as an anti-government radical in the mold of Jacob Appelbaum, who selflessly works for the greater good, risking life and freedom building super-secure communication technology powerful enough to stand to the National Security Agency. It’s a nice story. The reality is something different: Marlinspike made a bunch of money selling his previous encryption startup to Twitter in 2011. Right after that, he began partnering with America’s soft-power regime change apparatus — including the State Department and the Broadcasting Board of Governors — which led to them funding his next venture: a suite of encrypted chat and voice mobile apps. Signal is a direct result of this project."

"... Signal depends on NatSec cash for continued survival. Exactly how much cash is hard to gauge, as Open Whisper System refuses to disclose its financing structure. But if you tally up documents released by Radio Free Asia’s Open Technology Fund, we know Marlinspike’s outfit received $2.26 million in the span of the past three years — not exactly pocket change. And the NatSec cashflow shows no sign of ending."


"Signal runs on Amazon AWS cloud service — and Amazon is itself a CIA contractor. Signal also requires that users tie their app to a real mobile phone number (their identity) and give unrestricted access to their entire address book (the identities of all their friends, colleagues, fellow activists and organizers and sources). Troubling on an even more fundamental level: Signal depends on Apple and Google to deliver and install the app. As one respected security researcher recently pointed out, this is a serious problem because both companies partner with the NSA and can modify the app (at request of, say, the NSA or CIA) without anyone getting wise."

“Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies. PRISM is also still a thing. I’m pretty sure that Google could serve a specially modified update or version of Signal to specific targets for surveillance, and they would be none the wiser that they installed malware on their phones,”
 
Reactions: Clip
#23
I feel like Edward Snowden is controlled by US for marketing such apps. Having Snowden to release outdated tech and win people trust is not a problem for US.

Huge manipulation. Almost like a Hollywood movie. Seems US leverage him as a spy in Russia too.
 
#25
wonderwhat said:
There were some tweet from reputable journalist that Signal had founding from NSA's shell VC. I can't recall where I saw this. It was like few years back.
Click to expand...

Signal is basically a company covertly funded by the US government. Signal was seed funded by Open Technology Fund which is funded by the US government directly . Don't know what the U.S is up too but best to avoid Signal totally.
 
Reactions: wonderwhat
#26
That's why Moxie open sourced Axolotl and renamed it Double Ratchet. There is lots of good videos where he talks about choices that were made and why like defcon interviews where true foilhats question his choices. Like why use commercial Amazon servers or use phone numbers as contacts. Well he worked for commercial company idea is to make money.

But his creation which has now evolved to triple ratchet etc. Did create concept of forward secrecy. You capture session key but you only get one message vs pgp, OTR, Diffie Hellman. It's very hard to construct backdoors to something like this and I mean the source code. Signal and Whatsapp have their own " implementations" so it's hard to say what's behind there.

But I recommend watching videos, you will always have to compromise something as there is no perfect product. You just try to make decryption so hard and perfect that it's pointless to try.

I still haven't seen any court papers where signal has been hacked or messages extracted from server. Problem is android and ios. When device security is breached wickr, signal, telegram store msgs in in sandboxed folder in plaintext.

Mostly people just give passwords, don't delete conversations etc. Simple as that.
 
#27
Open source thingie is to win trust of people. Cryptography is specially complicated thing. I bet a normal average programmer can't understand it so here it open a lot opportunities for the governments to exploit the complication.

PGP is secure but hard for average Joe to use. OTR is easy but can be intercepted at ISP level.
Because of that reason, companies like Signal start to build user friendly apps. Again, it exploit the complication.

You certainly can put backdoors in complicated things.
 
Last edited:
#28
I don't trust Signal, because it is US owned. Like Martin Everson said in post 5.

wonderwhat said:
PGP is secure but hard for average Joe to use. OTR is easy but can be intercepted at ISP level.
Click to expand...
How can it be intercepted as ISP level? Where is the weakness?

By the way, here is a quite good comparison of some different messengers:
https://framapic.org/ocWD5sCdPJEW/h23jYkiJ4aye.png
I personally do trust Threema most, because it is owned by Swiss company. And it is not free to use. So I have a chance to be the customer and not the "product".
 
#30
I think you need to start by assessing your risks and threats rather than look for something that's absolutely and always best and most secure.

If you want something that your local police, tax authority, and most intelligence services can't decrypt (without compelling you to disclose your passwords), you're probably fine with Signal, Riot, or even closed-source solutions (although I don't believe in security through obscurity). Even Apple's iMessage has proven difficult for some law enforcement. Basically, just avoid normal email and SMS. Go one step beyond the bottom of the barrel and you've already made it much more difficult.

But if you're drawing attention from the likes of CIA or NSA, you are in some deep trouble and need to get more creative. While in theory Signal, Riot, and others provide provable security in their messaging protocols, the real weakness, as Blackbird points out, is often the device itself. Yours and your recipients' devices can be intercepted.

I wouldn't get hung up on idolizing specific countries. Switzerland does not respect the privacy of foreigners. It's a fiercely neutral country and manages to be so by not stepping too much on anyone's toes. Read up on Onyx and Crypto AG.

It's ultimately a personal choice you make based on your threat assessment and understanding of the technologies.
 
Reactions: Silvio, khinkali, Back2Matters and 1 other person
#31


OTR generally use different keys for each of message, but the implementation is varies for client software's. In most cases, OTR implemented in wrong way.

Most clients use older OTR key implementations with weak cryptography. ISPs do log enough data to crack these keys, depends on client, the government may have to crack a lot of keys. It's not cumbersome but if you are a drug dealer, they would go higher length.




Swiss based privacy tools, the word "Swiss" is generally a marketing trick, and they honor to US gov requests; otherwise, they would have to be prepared to get bankrupt. You might be interested to use "China" based one.

PGP is the right way to go. No more questions 'bout it.
 
Last edited:
Reactions: Marcus2233, Blackbird and Marie Manila
#32
wonderwhat said:
PGP is the right way to go. No more questions 'bout it.
Click to expand...

You can hate Moxie or like him but I'll add a video here which is a good explanation how PGP, OTR, Diffie Hellman key exchange and Axolotl works. It's explained so that most people get bit better understanding of the encryption software they are using even if they don't have too much knownledge of the concept.


You can rewind to 12:50 and it lasts maybe 10min. I have shown this to clients many times even it's from year 2014.

I like this thread because people don't take this stuff seriously. It's not about that you have nothing to hide but it's the right to your privacy. Think that maybe you send a message to you relative about stomach problems and then you get call from insurance company that they will raise your health insurance because you have stomach problems. It was a private conversation, but I guess you have nothing to hide and it shouldn't bother that they have listened in on your conversation. We all have things that are private, it's part of what makes us persons and creates your own identity.
 
Reactions: Sulu
#33

Axolotl is a complex protocol. It need cryptography background to review this so I can't comment on specifics. I avoid the *complex* ones much as I could.

World Population is 7.7 Billion. Telecom companies follows court orders and interception orders made by Government not by Insurance companies. It's really difficult to listen everyone even for the NSA. NSA use keywords search voice transcription made by ML Models.

Probably, these VPN companies sells your data (NordVPN, ExpressVPN) to hedge funds, insurance companies even ad networks.
 
Last edited:
#34

That's why I'm in encrypted phone business. People are ready to pay for privacy and anonymity to avoid all that
 
#35

Seems interesting , but how can I ensure my phone wouldnt be hac
wonderwhat said:
There were some tweet from reputable journalist that Signal had founding from NSA's shell VC. I can't recall where I saw this. It was like few years back.
Click to expand...
so u think Signal is untrustable?
 
#36
offshoreisfun said:
Seems interesting , but how can I ensure my phone wouldnt be hac

so u think Signal is untrustable?
Click to expand...

Encrypted phones are built with Zero Trust Policy. If device is physically tampered they have secure enclave, Titan M or similar chips which pretty much should take care that phone will wipe it self or stop working. So if there is signs of physical tampering phone will not work or connect to server. New phones have locked USB ports so this means opening the phone it self which should lock the phone.

Phones have strict mobile device management (MDM) policy. Basically there is one app only and everything is sealed, any changes or attempts to root will cause phone to stop functioning. Onlybtrafgick allowed is via privaye vpn to server. If there is something else detected phone will get blacklisted and it will stop functinoining.

There is always max time to messages to delete. You can't store them for ever and max on most phones 7 days. By that time even if for some reason company would have to comply with legal request there is nothing left.

If you are a journalist for example and you are taken in custody, your organization can remote wipe or brick device depending on device.

As for hacking there is no stopping anything from getting hacked. Anybody who says something is unhackable has wrong approach to security standards. These phones are built in manner that if they detect a hacking or breach attempt they simply stop working. Zero Trust security concept on anything, if something looks wrong or is out of place you can assume everything is compromised.

There is much more, security and other features. Of course people who build these phones think of ways how they can be hacked/compromised etc. And have been doing so for 10+ years. Most of them have started with RIM/Blackberry background. So they have just one task, only to make phone/messaging as secure as possible.
 
Reactions: Back2Matters
You must log in or register to reply here.
Menu
Log in
Register