- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
You must log in or register to comment.
I know Lemmy hates telegram but it should be common knowledge that all platforms process requests from authorities.
The repeated posting of this story the last few days seems artificial.
I think the point is not that Telegram (the company) sucks, it is that Telegram (the app) sucks. A proper messenger like Signal leaves the provider with no information to hand over.
Many people still seem to be under the false impression that Telegram is private, so it’s worth spreading around.
I don’t really have any special hate for Telegram myself, and I never saw it as a secure communication platform. I have more problem with Signal because people treat it like it’s paragon of privacy and security.
Many Signal alternatives also have security issues of their own, often making them less secure than Signal. This includes Matrix and XMPP. In the blog post regarding XMPP+OMEMO, the author replies to a question about which would be better than Signal, Matrix, and XMPP with this suggestion:
Anyone who cares about metadata resistance should look at Cwtch, Ricochet, or any other Tor-based solution. Not a mobile app. Not XMPP. Not Matrix.
In regards to Ricochet, not having a mobile app version makes it difficult to recommend to less tech savvy people.
Matrix, even if it was a siv, would be better than Signal, because it doesn’t know your phone and passport numbers.
Sure, every platform has its own set of problems, and it’s fine to make an informed decision that you’re willing to accept the deficiencies of a particular platform you’re using. The issue I have is with people pretending that Signal doesn’t have the problems that it has as we can see happening in this very thread.
I’m with you there. I brought up the issues regarding Matrix and XMPP as they are often recommended as alternatives to Signal, and after learning about this blog in a previous conversation I had about this topic, I thought it would be a good resource to bring up so people can be informed about those platforms and some alternatives that may be better than Signal while being metadata resistant.
I’d be curious to hear your criticisms of Signal! While I haven’t seen anyone describing it as a “paragon of privacy and security” I do think it is a highly accessible SMS replacement that is also open source, end-to-end encrypted, and operated by a nonprofit.
I wrote a longer one here: https://dessalines.github.io/essays/why_not_signal.html
The short version is, that it’s a centralized, US hosted service. All of those are subject to National Security Letters, and so are inherently compromised. Even if we accept that the message content is secure, then signal’s reliance on phone numbers (and in the US, a phone number is connected to your real identity and even current address), means that the US government has social connection graphs: everyone who uses signal, who they talk to, and when.
Man I don’t even have the time to break down all these very clearly wrong insinuations. There’s no reason to believe Signal collects metadata, and every reason to believe they don’t. They’ve been served subpoenas and they shared them, as well as their responses, publicly, and the only thing they included was when the last time the user connected to their server.
I’ll give you a €10 gift-card to whatever popular online store you want. I ask for nothing in return. Absolutely no stipulations. The only thing is that you have to give me your credit card number and the expiration and the numbers on the back. I’ll just verify it’s real with a €1 charge (and then return the €1). That’s it. Not gonna do anything with the data. In fact, I’ll delete the data afterwards. Want €10?
Security cannot be based on trust. Period. If an actor is in a position to collect data then it must be assumed that they do so. You either do not understand the subject you’re opining on, or you’re intentionally spreading misinformation here.
It is not based on trust. It’s called “zero knowledge encryption” for a reason. You don’t have to trust them, because you give them nothing to trust them with.
Except that it is based on trust because you have to use your phone number to create the account, and you have to trust the company operating the server in regards on how that information is used. What part of this are you struggling to understand specifically?
Building on this, I’d be curious to hear your thoughts on GrapheneOS as a whole. The OS recently bundled a new app “store”/repository, "Accrescent”, along with the usual basic apps like a calculator & camera. On Accrescent, the hardened fork of Signal, Molly, is offered on there. I’ve alsoheard one of the Graphene devs has voiced some chuddy politics.
I’ve still installed & use Molly to chat with my closest friends who I was able to get off of big tech platforms previously used for our group chats, but I have been aware of the RFA/Signal connection for several years (your blog post really ties it together) & I do try to remind these friends about it. Really we just use Signal to shitpost and organize hangouts, so I’m not yet locking myself in a bunker over using it for those purposes, but all this has got me considering building a server & hosting a different secure chat service on it.
I learned about possible Unit 8200 connections with the Matrix protocol within the past year or two, but don’t recall exactly what that entails. I haven’t heard much about Briar, but it being android only would make it a harder sell for getting people to switch over to it, so I suppose that leaves simpleX to proselytize.
I don’t know enough about grapeneOS to comment on it.
Any signal app forks still have to use signals main servers, so they still got your phone number and identity.
Matrix was originally funded by an Israeli company until it spun off, but unlike signal, it’s entirely open source, self-hostable, and can be run in a private manner. Phone numbers and identifiers are not required, so even if you connect to a malicious server, the most they get is your matrix id, and things you’ve explicitly leaked about your identity.
The most we could say is that specific servers are compromised, but its also possible to host it outside a five-eyes country, unlike signal.
Cheers, helpful stuff & thank you for developing Lemmy!
No probs!
You are literally incorrect.
You have provided literally nothing to back up your assertion.
Signal does not know who talks to whom. It’s kind of the main thing about the double ratchet.
You sign up to use Signal using your phone number which is a personally identifying piece of information. Signal clients send messages to the server that routes the messages to their destination. It is not a p2p system where clients talk directly to each other. Therefore, the server must know both the sending and receiving accounts for the messages it routes, and it has the phone numbers associated with this accounts. All these things together make it trivial for the server to know which phone numbers talk to each other.
Unless you compiled the app yourself from source code that you understand, you don’t really know what the app might be saying to Signal’s servers. Almost everyone just trusts that the pre-compiled app supplied by Apple or Google aren’t compromised. But we know from history that Big Tech and the military-intelligence-industrial complex are in bed with each other.
The most obvious one that has been explained to death here is that Signal collects vast amounts of metadata. It’s also a centralized service that’s operated in the US, and it doesn’t even make reproducible builds for the Android client.
Where did you read that they are collecting vast amounts of metadata? Not challenging your claim just that I have been trying to find more info and came up empty. Signal says “we don’t collect analytics or telemetry data” but that’s about it.
You need a phone number to sign up. Phone numbers are metadata that uniquely identifies people, and this data constitutes a network of connections. If this metadata is shared with the government, then it can be trivially correlated with all the other information collected about people.
I agree it’s a problem, but not for any of the reasons you listed. A phone number is not metadata, it’s just data. In order to be metadata, there would have to be other information connected to that data, which there isn’t (in Signal), other than the last time you connected to their server. They don’t know who you talk to or when, thus no network connections.
Phone numbers are metadata, and the fact that you don’t even understand this shows that you have no business making uninformed comments on this subject. Metadata is understood to be data that’s associated with messages being sent, but isn’t the content of the messages themselves.
In order to be metadata, there would have to be other information connected to that data, which there isn’t (in Signal), other than the last time you connected to their server. They don’t know who you talk to or when, thus no network connections.
One has to be an incredibly gullible individual to actually believe this. You have no way to audit the server, and security cannot be based on trust. If a company has a way to store and use the information it collects it has to be assumed that it is doing so. Signal is very obviously in a position to do this. Once the phone number is collected, it’s associated with your account. Any time you send a message through signal to another account that’s a connection in the graph of your social network.
Anybody with a functioning brain can understand that this graph is highly valuable to intelligence agencies in the US. If they have a person of interest and they know their identity, they can trivially use the metadata collected by Signal to see whom this person wants to have private conversations with.
Ignorant people such as yourself confidently speaking on subjects they don’t understand present a public danger to society.
In my book a phone number is not “vast amounts of metadata” but I see your point. Again, I have never seen someone describing Signal as a “paragon of privacy and security” 9usually it’s presented as an improvement over SMS) but if they do I will put on my Trilby and correct them.
It’s the volumes of phone numbers collected collectively that constitute vast amounts of metadata. Meanwhile, I’ve seen plenty of people advocate using Signal as the best option for privacy. And any time there is a criticism of Signal then then brigades of people inexplicably appear to vigorously defend it.
Welp then I think we have to sue them to oblivion S/ But really can’t blame most people whose Are Accustomed to using TeleGram And WhatsUp
This is a difficult topic for me. On the one hand, I believe everyone has a right to privacy and we need to fight for that right. On the other hand, I’m enough of an adult to understand that law enforcement needs to be able to effectively investigate criminal activity. There has to be a middle ground there, somewhere. I just don’t know where that is.
It’s the warrant process and true encryption. If the cops think you’ve done something bad, they go and get a warrant. The provider turns over what they have, which should just be account info and metadata. Then the cops do good old fashioned police work and get a warrant for your personal stuff which they’ll seize and analyze.
giving the pigs and the feds more powers isn’t gonna help anything lol
There exist no middle ground.
If able to invade privacy of child abuser, able to invade privacy of any person. Then your “privacy” only is trust in authority to not abuse that not actually have privacy.
How that end you can see in china.
There’s no middle ground. Either we’ll have privacy or we won’t.
If they actually wanted to do something about child abuse they’d go after the conserative scum who have historically supported it and still do. Its the ones that vote for far right parties, are anti higher-ed, pro homeschooling, anti secularism, pro religious indoctrination, anti feminist, anti age of consent laws, anti sex ed, anti criminalisation of marital rape, anti combating domestic violence, pro child marriages etc instead they are constantly trying to attack human’s right to privacy which only exist on paper.
But isn’t advocating for the privacy of criminals the same as advocating for the crime, itself? Sure, let’s go after the politicians…but are you REALLY okay with letting child molesters, etc. hide their activities from law enforcement online? Like I said, there has to be a middle ground. We just need to find it.
“Child molesters etc” have been online since the internet has existed and very little is done about it. They have also been active offline and very little is done about that too. If they wanted to go after them they would. They don’t, because it is not in their interest to. The threats they will go after are people they disagree with and who their higher ups want targeted. You are always in more danger from authorities than “bad guys” are.
The moment you dissolve rights to privacy for X scenario, you open dissolution for Y and Z as well
The moment you protect criminal behavior, you become complicit in their crimes.
“If you’re not with us, you’re against us”
I think this is the moment you’re overreaching.
Alternatively what you’re saying is that all gun manufacturers should go to jail for multiple counts of homicide.
Just look at the Patriot Act. Did it catch a single terrorist?
And now you know why we’ve been telling you not to use Telegram.
I hear signal is not a good alternative. What is a good one, then?
I imagine Signal is probably fine unless you’re doing some real weird shit.
It doesn’t have to be “real weird shit” though for it to be a problem, coordinating about protests or other political activism on Signal is sketchy because of the phone number requirement, and just having your phone number be associated with another suspect phone number from inferred conversations is enough to potentially get you in trouble. Or if some national anti-abortion or anti-LGBTQ law happens and they put serious effort into enforcing it, activity on Signal, which is not anonymous, could be used against you and people you had conversations with. Yet I’ve seen multiple groups who shouldn’t be using Signal use it anyway and people thinking they’re anonymous on the platform because it keeps getting recommended. SimpleX and Cwtch have weaknesses also, but both of them take anonymity more seriously than Signal does.
https://lemmy.ml/comment/15999861
In the blog posts I read where the author, a security engineer, audited and/or reported vulnerabilities with two E2EE chat protocols commonly recommended as Signal alternatives–Matrix and XMPP–both had implemented half-baked solutions or refused to solve the issue at all in some regards, and both had evangelists that gave dismissive responses. The XMPP chud dev gave a laughably childish response, and the Matrix dev even admitted the team being aware of the olm vulnerability and deliberately refused to fix it for years. Not that Signal cultists are any better and not negating the legitimate security and trust issues with the Signal platform, but Signal is still a decent platform for most people’s threat model, though it would be nice if there was an alternative that could compete with Signal to recommend to most people instead. If you care about metadata resistance and your threat model involves high stakes if your assets are compromised, the blog author suggests Tor-based solutions such as Cwtch and Ricochet Refresh.
This better not be a “computers received pentagon funding when the first Vaccum tubes were being made”.
Signal is an excellent choice. Literally forces cops to get a warrant for your phone and hope you didnt purge your messages after a few days.
If you want anonymity on top of that than simplex
I would encourage you to think critically about the nonsense being shared here. Do some research and read about people who actually know things about security and you’ll find a common pattern: basically all of them hold Signal up as a gold standard in privacy and security.
Depends on your threat model. Signal is fine if you just want to communicate with average joe. If you want something more anonymous look into secureX,
Where are you hearing this?
Matrix, simplex, xmpp.
Signal is an excellent alternative if you’re looking for an E2E encrypted SMS replacement your grandmother can use.
What seems crazy to me is how many people they managed to convince that they were private when they most definitely are not.
Any criminal with half a brain knew what’s up
Brain dead normies lapring edge lord on there were just useful idiots for their handlers
