Exactly. Moxie is right. Telegram isn't secure by default. Signal is the way for tons of dark net criminals, terrorists and extremists to use it to conduct their activities without seeing any side of the conversation, thanks to E2EE which that is a known double-edged sword by many. [0]
The real problem is what Moxie doesn't want to tell you is that they want to release a private untraceable cryptocurrency called MobileCoin [1], which not only the majority of the coins are owned by the founders. [2][3] so basically orchestrating a pump-and-dump, this coin (like Monero) enables these dark net criminals, scammers and extremists to fund their operations anywhere in the world and it is totally untraceable.
Now I see why Moxie is out there hyping the Signal / MobileCoin pump-and-dump scheme again?
Are we seriously equating e2e encryption defeated more than a year ago by owning the physical device in a certain state (previously unlocked and with keys in-memory) to plain text messages stored on a central server?
Signal is subject to the same warrants. And yes, because the OP is specifically talking about privileged attacks. Why would it matter if the database was plaintext? It's only a problem if your adversary has privileged access to your device, either physically or via an exploit.
So Signal's "encrypted" database is literally marketing. It doesn't prevent anything. Cellebrite can access it, as can another app with the right series of zero days.
Signal's encrypted database is as secure as Telegram's plain text database, because both require privileged access, and Signal isn't more secure (the encryption has been pwned by multiple companies).
You might have missed the part where Telegram stores messages on a central server without e2e encryption by default. You can find more old pwnage quotes (come on, only two?), it will not change the fact that one only uses e2e implementation that is not known to be broken in the last 2 years and never without physical access to device, while the other's default mode of operation is effectively plain text stored in the cloud.
Signal may be liable to receive those warrants from Russian gov, though I'm sure moxie will publish and mock each one. With Telegram, all you need is to hack a server and/or send an agent with a $5 wrench to one of the guys who runs it (or just ask nicely, they are cooperating after all).
Hardly related to the OP, and Telegram secret chats have been audited multiple times.
On the other hand, Signal's "E2E" encrypted chats regularly have critical bugs such as those that send private image content to random people on your contacts list, an utterly inexcusable error that suggests poor engineering standards. [1]
I think I'll take audited E2E encryption over E2E encryption that fans out private images at random to your contacts.
I appreciate your point, but the idea of the OP was that Telegram is insecure by default, not as a result of a bug but as a design decision. Sadly, no one I know is using Telegram secret chats.
7 comments
[ 4.2 ms ] story [ 30.1 ms ] threadThe real problem is what Moxie doesn't want to tell you is that they want to release a private untraceable cryptocurrency called MobileCoin [1], which not only the majority of the coins are owned by the founders. [2][3] so basically orchestrating a pump-and-dump, this coin (like Monero) enables these dark net criminals, scammers and extremists to fund their operations anywhere in the world and it is totally untraceable.
Now I see why Moxie is out there hyping the Signal / MobileCoin pump-and-dump scheme again?
[0] https://www.theverge.com/22872133/signal-cryptocurrency-paym...
[1] https://support.signal.org/hc/en-us/articles/360057625692-In...
[2] https://mixin.one/assets/MobileCoin-Whitepaper-EN_FINAL.pdf
[3] https://github.com/UkoeHB/Mechanics-of-MobileCoin/blob/maste...
It might as well be plaintext.
[1] https://www.forbes.com/sites/thomasbrewster/2021/02/08/can-t...
[2] https://cellebrite.com/en/cellebrites-new-solution-for-decry...
And never forget Telegram's promise to cooperate with Roskomnadzor in the name of fighting 'extremism' (https://www.independent.co.uk/news/world/europe/telegram-rus...).
I am not even looking at Cellebrite’s plug all the way from 2020 (because https://signal.org/blog/cellebrite-vulnerabilities/).
So Signal's "encrypted" database is literally marketing. It doesn't prevent anything. Cellebrite can access it, as can another app with the right series of zero days.
Signal's encrypted database is as secure as Telegram's plain text database, because both require privileged access, and Signal isn't more secure (the encryption has been pwned by multiple companies).
Signal may be liable to receive those warrants from Russian gov, though I'm sure moxie will publish and mock each one. With Telegram, all you need is to hack a server and/or send an agent with a $5 wrench to one of the guys who runs it (or just ask nicely, they are cooperating after all).
On the other hand, Signal's "E2E" encrypted chats regularly have critical bugs such as those that send private image content to random people on your contacts list, an utterly inexcusable error that suggests poor engineering standards. [1]
I think I'll take audited E2E encryption over E2E encryption that fans out private images at random to your contacts.
[1] https://www.bleepingcomputer.com/news/security/signal-fixes-...