Too positive. From a cryptographical perspective the protocol is solid.
The problem is that if you are actually using signal to transmit sensitive (as in worth a lot of money,peoples lives, state secrets) information you are making a huge mistake.
Sure no one is going to break your communication on the network. But what they are going to do is use a zero day, get into your phone and extract the signal message db and listen in on your mic and keyboard.
Signal has been promoted all over the place but no one mentions this fact, and when someone does it is dismissed.
There are better solutions out there but they cost money.
That is a risk with everything, it is turtles all the way down. There are not 'better solutions' available for the general public out there and anyone who claims otherwise is selling snake oil. What Signal (and similar efforts like Riot/Matrix/etc) offer is the ability to drastically raise the cost of targeting an individual and eliminate almost all risks from bulk dragnet operations. If you, specifically you, are they target of a major government then they are going to get you and there is nothing you can do about it other that to stop using electronic communication, but if you are not already a target then Signal provides a level of security and privacy that had previously been unavailable or difficult to use.
Signal and to a much greater degree WhatsApp is used all over the place where it has no business being. A large number of politicians use these apps for communication all over the world for information that is actually classified.
The reason it is in all these places because it is free, easy to use and supposedly secure. That the information contained can be exfiltrated would be news to them. All they know is that security proffessionals recommend Signal so that is what they use.
Just use Signal has been a mantra in tech circles for a long time. This obvious fact I am bringing up is always obvious yet no one mentions it.
No one mentions it because this 'fact' is both self-evident and is in no way specific to Signal or any other piece of software. If I can own the platform then there is NOTHING you can do to stop me from owning all of the information you put into that platform. It has nothing to do with any specific tool you use on the platform and any attempt to tie this fact to a specific tool or program is an indicator of an attempt to muddy the waters (most likely so you can try to sell some 'solution' that does not actually solve the problem.) In almost all cases these so-called solutions end up being so inconvenient and painful to use that people actively route around them using mechanisms that are even less secure than the original tool that is being 'fixed' -- there is a reason no one uses Qubes and why everyone tries to avoid a SCIF if possible...
It it is self evident to people who understand security. It is far from self evident to everyone else. To many who actually need security and are given the mantra to just use signal.
For an article with "Here are the cold hard facts" I wanted to put [citation needed] on quite a lot of claims. I also feel like mentioning to the author the Internet is also a government op if we go that way.
Yasha has published rubbish trying to link the Open Tech Fund/Radio Free Asia to the CIA for years. It's not. To be honest he continues to be pushing such dangerous false conspiracy theories that risk real people, doing real work. I work on Umbrella (https://www.secfirst.org), a free open source project to help journalists and activists learn about and manage digital and physical security. It was initially funded by OTF.
I am from Ireland, i've worked my entire life in human rights, including campaigning against CIA black sites, Iraq, NSA/GCHQ spying etc (along with the global range of issues from China to migrants). Why would I or anyone of the other hundreds of projects, work with OTF if somehow it was a CIA front? In our case, the linking of projects like ours to stupid conspiracy theories like this has endangered myself and some team members. We've had doxing and death threats from people from countries as varied as Ireland to Vietnam trying to say we are CIA/US stooges because of this crap.
I'm not sure what you are saying here. That Open tech fund is not related to the CIA or to Radio Free Asia or that Radio free Asia is not related to the CIA? There's no doubt what agenda Radio Free Asia has and who runs it (U.S. Agency for Global Media). Something doesn't have to be directly under the CIA to do their bidding (that would be real bad spy agency work).
>Why would I or anyone of the other hundreds of projects, work with OTF if somehow it was a CIA front?
Im not saying they are or aren't (I have no idea) but how would you know if the CIA were behind something if they didn't tell you?
> As you can see from the way Parler was shutdown last week — when our imperial oligarchy wants to cancel an app, it can do so instantly and with a vengeance.
I was not under the impression that Parler was shut down by the government, but more by the "cancel crowd". Was it a government operation ?
As for the article, it seems the main arguments are that :
- Signal was financed by Radio Free Asia (US government propaganda operation), at least 3 million.
- If the crypto was effectively unbreakable, it would not be recommended by big companies like FB, Google, etc...
It's interesting and it's always good to be a bit paranoid, but the evidence is a bit thin for me.
Correct, government did not force Parler to shut down.
> If the crypto was effectively unbreakable, it would not be recommended by big companies like FB, Google, etc...
This claim falls apart given that Google started encrypting traffic on private links after learning of us gov snooping on their traffic. Also, why would Google care about breaking signal traffic at all?
Parler was shut down by Amazon for hosting hate speech in violation of Amazon's terms of service -- despite repeated attempts by Amazon to address the issue in more amicable fashion.
Most of these points are also true for other cryptography related projects (e.g. Tor), simply because the majority of all non-profits, regardless of agenda, is funded by the government.
I would say mister Levine gives the government too much credit. Just because signal has received government funding (allegedly) does not immediately mean it's a honey pot like he is insinuating. The "government" is not a single entity there are different organizations with in it with different priorities and different interests.
And the internet is a byproduct of the military industrial complex, so I guess we should all log off now.
This op-ed speculates that the CIA has somehow compromised Signal by merely funding it. There's no there there, at least not without some more compelling evidence that the CIA and Silicon Valley are colluding to spy on all the recent Signal converts. I don't know enough about Signal and e2ee, but I'm guessing more evidence would have to be supplied to cast doubt on the robustness of Signal's code.
I’ve tried Signal multiple times but after Telegram it’s like moving from Facebook to MySpace from 2004. No, thank you. I’m kinda surprised people are not annoyed by Signal or WhatsApp and keep using them, to me they’re simply unbearable.
Same. Even if telegram has their own issues and prolly not the best encryption. Its an amazing chat client that is not centered in the US or five eyes.
I’ve never used Telegram. What am I missing? WhatsApp is simple and works really well for what I’m using it for, keeping in touch with friends and family.
It's a great tool to keep in touch with family. For secure and private communication? Not so much unless you believe Facebook is a pillar of privacy and truth and you follow the "I have nothing to hide" fallacy.
Thanks, that’s my sense of it too. However the other poster seemed to claim the experience of using Signal and WhatsApp is ”unbearable” compared to Telegram, so I wonder what it has in terms of features or user experience that makes it so much better. My guess, and pardon me if I’m a bit rude, is that the difference is features I probably don’t care about. But I’m open to be evangelized.
I want to like Telegram, I really do. But even with the "privacy" settings as strict as possible, I get unsolicited messages from random strangers at all hours of the day with no ability to mute them. I get 2-3 of these messages per day on both of my Telegram accounts. I don't know how anyone can consider Telegram private or trustworthy.
It's as simple as: WA and Signal (same protocol) are believed to be still the publicly available state of art in e2ee (by default) consumable by your average person. Telegram has an opt-in setting for e2ee in specific contexts, otherwise you can assume your conversations are slurped by some agency (telegram also has some government-approved versions).
That's even before we get into their past security issues / breaches. From security/privacy point of view it's really not better.
At the end of the page, after some unsubstantial conspiracy hints, all that's left is:
> I’ve written at length about the deeper history of Signal’s government backers and the way in which crypto fits into America’s imperial machine. In fact, I dedicated two whole chapters of my book to the subject. I won’t reprint it here. But if you want to know the whole story, you can pick up Surveillance Valley at your local bookstore. Or you can check out some of the articles I’ve…
> …This is a preview of a full letter that is only available to subscribers. To support my work and read the rest, sign up and read it here.
I can absolutely see the objectives of US foreign policy (enable citizens of foreign powers to evade domestic surveillance) conflicting with domestic policy (bulk communications collection).
It doesn’t necessarily compromise Signal, but simply highlights that government isn’t always internally efficient or consistent.
Such a lazy "article". How many audits have Open Technology Fund bankrolled? Are all those companies "Linked to Government". Seriously, it reads like someone who found that RFA started OTF and wants to ride the "Signal = bad" wave. Literally, zero value.
> Signal was developed by Open Whisper Systems, a for-profit corporation run by “Moxie Marlinspike,”
- OWS was disolved for one. Signal is now developed by the "Signal Foundation" which is a registered 501(c)(3)non-profit.
- Brian Acton (ex-WhatsApp) paid $50m startup money also
> Moxie began partnering with America’s soft-power regime change apparatus — including the State Department and the Broadcasting Board of Governors (now called the U.S. Agency for Global Media)
- So what. The Senate has literally approved Signal for use as a means of communication.
- The US Govt. is not unified by any stretch of the imagination, there are plenty of competing interests. Some agencies want to support freedom of information, some want to suppress it.
This smells like a hit-piece. Also, both the client and server source-code is freely available for review and has been reviewed independently.... https://proprivacy.com/privacy-service/review/signal
Realistically only the client matters, as it promises end-to-end encryption regardless of how secure/non-secure transport is.
The NSA etc doesn't need to "buy" apps in this manner anyway. They just go to the manufacturer of the devices/chips/components, throw them a National Security Letter and get ring-0 exploits (or hack their way in).
I honestly enjoy how Yasha equates the fact that a project received money from some tentacle of the american government (which at least for me, as an european, is perfectly understandable in a situation of prolonged cold war with Russia and China) to the more spooky hypothesis that the guys behind some of the most vetted open source privacy projects do work for the man.
His well known position (many years of pando) makes me think "yeah, right, just what we need: another conspiracy that convinces people that there's no alternative and therefore any effort to step away from silos does no good to them". Sigh.
The layperson only slightly interested in privacy does not want (or need) mathematical proofs: they operate by trust. Chains of trust in people, friends, activists, journalists or self-proclaimed "experts" that recommend tools or dissuade them from sharing too many data in the places where everybody of a certain age has to be to socialize. So this kind of gray insinuations, with big logical jumps and with zero consistent evidence (other than the US has an interest in promoting encryption and is pouring money on that horse too, probably orders of magnitude less than it pours in big monopolistic, closed source and privacy-mining tech companies) does more damage than good to the public it pretends to inform.
But hey, I guess that's the pitch from which he manages to make a living, and it must have his public, which I might not totally be getting.
Has anyone read his book by the way? Does he develop his "most of open source crypto project work for the CIA" in some interesting or novel way? Something that gets my attention is how he sells himself as unveiling the "secret" military history of the internet, when all that I read from him is public knowledge. I guess the wistleblower myth is quite attractive, even for him.
While I agree with you, I feel like I should point out that is it indeed because people operate by trust that, maybe, accepting money from a "tentacle of the american government" is not a great PR move. Add to that the shady crypto stuff...
Were this to have any semblance of truth, that would - interestingly - mean the government is "endorsing" crypto now, with the whole Mobile Coin situation ...
Now, -that- would make it an interesting "experiment" ...
For the sake of the downvote: Note the tentative nature of my giving this any credence - "were this to have any truth".
The point still holds: It'd be interesting ...
This article breeds uncertainty, without bringing a solution, or even a path, to the table. The references and language used, speak rather clearly that the author is part of the informal "independent research community", ie. conspiracy theorist (which unfortunately I had to acquaint myself with, because of family reasons).
While I'm open for convincing, I'll chalk it up as FUD until convinced otherwise.
> I won’t reprint it here. But if you want to know the whole story, you can pick up Surveillance Valley at your local bookstore. Or you can check out some of the articles I’ve…
> …This is a preview of a full letter that is only available to subscribers. To support my work and read the rest, sign up and read it here.
Says it all really. PSA's aren't supposed to be behind paywalls.
60 comments
[ 2.4 ms ] story [ 57.5 ms ] threadThe problem is that if you are actually using signal to transmit sensitive (as in worth a lot of money,peoples lives, state secrets) information you are making a huge mistake.
Sure no one is going to break your communication on the network. But what they are going to do is use a zero day, get into your phone and extract the signal message db and listen in on your mic and keyboard.
Signal has been promoted all over the place but no one mentions this fact, and when someone does it is dismissed.
There are better solutions out there but they cost money.
The reason it is in all these places because it is free, easy to use and supposedly secure. That the information contained can be exfiltrated would be news to them. All they know is that security proffessionals recommend Signal so that is what they use.
Just use Signal has been a mantra in tech circles for a long time. This obvious fact I am bringing up is always obvious yet no one mentions it.
Whether it’s true or not, it makes me question what I’m using for conversations. I suppose it doesn’t matter anyway.
Is there something I can self-host for just my family? The issue of having them commit to another chat program isn’t a problem.
So I suspect this post is really just an elaborate bit of spam.
This post can pretty much be boiled down to “Open Whisper Systems received 3 million in funding from Radio Free Asia, therefore its a government op.”
The argument is standing upon legs composed of two individual twigs, shaky and weak would be an understatement.
I am from Ireland, i've worked my entire life in human rights, including campaigning against CIA black sites, Iraq, NSA/GCHQ spying etc (along with the global range of issues from China to migrants). Why would I or anyone of the other hundreds of projects, work with OTF if somehow it was a CIA front? In our case, the linking of projects like ours to stupid conspiracy theories like this has endangered myself and some team members. We've had doxing and death threats from people from countries as varied as Ireland to Vietnam trying to say we are CIA/US stooges because of this crap.
>Why would I or anyone of the other hundreds of projects, work with OTF if somehow it was a CIA front?
Im not saying they are or aren't (I have no idea) but how would you know if the CIA were behind something if they didn't tell you?
I was not under the impression that Parler was shut down by the government, but more by the "cancel crowd". Was it a government operation ?
As for the article, it seems the main arguments are that :
- Signal was financed by Radio Free Asia (US government propaganda operation), at least 3 million.
- If the crypto was effectively unbreakable, it would not be recommended by big companies like FB, Google, etc...
It's interesting and it's always good to be a bit paranoid, but the evidence is a bit thin for me.
> If the crypto was effectively unbreakable, it would not be recommended by big companies like FB, Google, etc...
This claim falls apart given that Google started encrypting traffic on private links after learning of us gov snooping on their traffic. Also, why would Google care about breaking signal traffic at all?
This op-ed speculates that the CIA has somehow compromised Signal by merely funding it. There's no there there, at least not without some more compelling evidence that the CIA and Silicon Valley are colluding to spy on all the recent Signal converts. I don't know enough about Signal and e2ee, but I'm guessing more evidence would have to be supplied to cast doubt on the robustness of Signal's code.
This article is waste of time.
That's even before we get into their past security issues / breaches. From security/privacy point of view it's really not better.
> I’ve written at length about the deeper history of Signal’s government backers and the way in which crypto fits into America’s imperial machine. In fact, I dedicated two whole chapters of my book to the subject. I won’t reprint it here. But if you want to know the whole story, you can pick up Surveillance Valley at your local bookstore. Or you can check out some of the articles I’ve…
> …This is a preview of a full letter that is only available to subscribers. To support my work and read the rest, sign up and read it here.
It doesn’t necessarily compromise Signal, but simply highlights that government isn’t always internally efficient or consistent.
- OWS was disolved for one. Signal is now developed by the "Signal Foundation" which is a registered 501(c)(3)non-profit. - Brian Acton (ex-WhatsApp) paid $50m startup money also
> Moxie began partnering with America’s soft-power regime change apparatus — including the State Department and the Broadcasting Board of Governors (now called the U.S. Agency for Global Media)
- So what. The Senate has literally approved Signal for use as a means of communication. - The US Govt. is not unified by any stretch of the imagination, there are plenty of competing interests. Some agencies want to support freedom of information, some want to suppress it.
This smells like a hit-piece. Also, both the client and server source-code is freely available for review and has been reviewed independently.... https://proprivacy.com/privacy-service/review/signal Realistically only the client matters, as it promises end-to-end encryption regardless of how secure/non-secure transport is.
The NSA etc doesn't need to "buy" apps in this manner anyway. They just go to the manufacturer of the devices/chips/components, throw them a National Security Letter and get ring-0 exploits (or hack their way in).
His well known position (many years of pando) makes me think "yeah, right, just what we need: another conspiracy that convinces people that there's no alternative and therefore any effort to step away from silos does no good to them". Sigh.
The layperson only slightly interested in privacy does not want (or need) mathematical proofs: they operate by trust. Chains of trust in people, friends, activists, journalists or self-proclaimed "experts" that recommend tools or dissuade them from sharing too many data in the places where everybody of a certain age has to be to socialize. So this kind of gray insinuations, with big logical jumps and with zero consistent evidence (other than the US has an interest in promoting encryption and is pouring money on that horse too, probably orders of magnitude less than it pours in big monopolistic, closed source and privacy-mining tech companies) does more damage than good to the public it pretends to inform.
But hey, I guess that's the pitch from which he manages to make a living, and it must have his public, which I might not totally be getting.
Has anyone read his book by the way? Does he develop his "most of open source crypto project work for the CIA" in some interesting or novel way? Something that gets my attention is how he sells himself as unveiling the "secret" military history of the internet, when all that I read from him is public knowledge. I guess the wistleblower myth is quite attractive, even for him.
Enough said
Also why would Snowden continue to use (and support it) it if it was the case?
Now, -that- would make it an interesting "experiment" ...
https://thriveverge.com/
https://itexamquestions.com/
https://dumpsarchive.com/
https://www.washwm.com/
While I'm open for convincing, I'll chalk it up as FUD until convinced otherwise.
> …This is a preview of a full letter that is only available to subscribers. To support my work and read the rest, sign up and read it here.
Says it all really. PSA's aren't supposed to be behind paywalls.