49 comments

[ 2.9 ms ] story [ 67.8 ms ] thread
> Screenshots aren’t really crucial to anything being discussed here, but I like to provide only the best blog posts to my tens of readers ....

A sentence clipped from a point a little past the introduction, but catchy nevertheless.

I suspect there will be more than "tens of readers" shortly.

Since Anom, we need a new word than “honeypot”. The next secure messenger will not be created by these types. But many will be incrementally marketed, and each campaign will succeed in reaching a new batch of near-hit recruits.
This is why signal’s encrypted phone number lookup system is so cool. The server uses a bitwise xor when querying for numbers using hardware encrypted ram. The result is that even if you’re examining the machine at the most basic levels you can’t tell the difference between a negative or positive hit for the phone number unless you’re the phone requesting the api.

Obviously ratelimiting is a separate and important issue in api management.

The thing about building secure systems is that there are a lot of edges to cover.

I don't think it's cool at all, a secure messaging app should not require personal/tracking identifiers like phone numbers in the first place.
Such a nice design on server-side.. and yet on the client side, it uses system address book - something that Google backs up on the server, and many carriers back up too, and many apps (like Whatsapp) save it too.

"Hey, _we_ don't store your contacts, we are good! Instead you have to manage them yourself, and in process share your presumably "secure" Signal contact list with Apple, Google, Facebook phone carriers and everyone else. But it's not on our servers, so we don't care"

I love the quote the article starts with:

> Neither of us had prior experience developing mobile apps, but we thought, “Hey, we’re both smart. This shouldn’t be too difficult.”

I think, 40 years from now when we're writing about this last decade or so of software development, this quote is going to sum it all up.

> 2025-12-09: Freedom Chat notifies us issues have been patched

Have they?

Feels a little like clickbait "MAGA-themed", never heard of Converso.

That said, the analysis itself is interesting and worth a look, if nothing else it's a general pattern you can follow for many chat applications to see how secure it is.

When something is "super secure" you know it's full of holes. It's right up there with "impossible to hack" and "military grade" aka lowest cost bidder.
Yup. As the guy who put together the most secure FOSS messaging system*, it's not "impossible to hack". It's a caveat ridden, inconvenient to use, tedious to setup, hardware-isolated, multinode application, with long must-read documentation, and that requires experience with electronics and soldering.

* github.com/maqp/tfc

> but I like to provide only the best blog posts to my tens of readers

It may not be pertinent to the subject, but clearly I have found a kindred spirit in this author.

The emoji :facepalm: was invented for exactly this...
(comment deleted)
Does Freedom Chat® have a feature to prevent journalists from joining your group chat? Asking for a friend that works at the DoD (sorry, DoW)
I stumbled upon a GOP jobs board a year ago that stored submitted job applications in the same search index as the job listings themselves, so all you had to do was search "bob" and find a bunch of resumes and application answers for people who had applied, I couldn't believe it.
Freedom Chat just looks (and sounds) like a grift tbh.

The website doesn't really spark any confidence.

Never heard of it and I'd be surprised if they have more than 100 users.

It's crazy how many security vulnerabilities are just people pinging http endpoints in ways they didn't expect. You would think in order to "hack" a system in 2025 you would need to be doing some crazy computer science wizardry but it really is just lazy engineers. Like how do you ship an API and have no rate-limiting. It literally takes a line to implement in Nginx.
Ratelimiting doesn't solve anything, you can just parallelize your queries across IP addresses.
> You would think in order to "hack" a system in 2025 you would need to be doing some crazy computer science wizardry

Never heard of the wrench technique? It's always gonna work out great. Way cheaper and easier than "wizardy" too.

I once went to a B-Sides talk of a person that paid off their mortgage via API related bounties - you wouldve confused their presentation with a Postman 101 video if you were only half listening.
Why in the world would any sane person utilize such an app, knowing what kind of people will be "at the other end" of communication, and what topics would be discussed, even if the most secure piece of software ever developed?
The president of the USA is on the equivalent alternative to Twitter.
It appears that one of the most central aspects of MAGA is a postmodernist rejection of the very existence of expertise- except, ironically, in the art of grifting itself because they see “recognized experts” in any field as just very successful grifters. Hence replacing competent government employees at every level with incompetent employees. It would track that technology developed for and by the MAGA community is developed with the same philosophy. Anyone planning to buy the Trump phone?
Accusing someone else of a crime/problem/whatever that you're also currently doing? Well that's just the MAGA way.
The comments here are a disaster. Who could have predicted this???
This is the same thing that sent weev to jail when he and JB did it against AT&T to determine the email addresses (instead of PINs) of every iPad 3G user.
I'm curious why a Canadian is so hell bent on causing more division in America by embedding his political views in an otherwise decent vulnerability analysis.

He makes it sound he's on some sort of a mission...like the users of the messaging app ( which I have never heard of before until today ) should face some sort of backlash for their own political views opposite of him....which is amusing to say the least as Canadians seem to have permanently marked conservatives, not just in their own country but all over the world as "MAGA".

also I'd appreciate if we can keep politics out which just detracts focus on technical end of things

> I'd appreciate if we can keep politics out

This is an app specifically built for a specific political group, a group that is wreaking havoc on our science and technology. "MAGA" has become the go-to term for a global movement, because there is a global alt-right movement to undo progress and dominate others into their world view.

It's going to be a part of HN like it was the first go around. Being apolitical is how political groups like this come to power.