💯It's driving me crazy having to explain to relatives that "yes hammers are perfectly good tools if you don't intentionally aim them at your own balls..."
Sometimes I pause at the "Bank level security" text on my bank app and think "I sure hope not."
"[serious organization]-level" is what people throw around when they don't know anything. If someone cracks Signal, we'll likely know because it's a career-making resume piece for whoever does it.
People also fail to make a distinction between compromising an application itself, compromising something else (say the device on which it's being used) and a user granting access or sharing information by accident or because they were manipulated.
Although they are wrong, they are close to a truth.
State-level bad actors crack into cellphone backdoors. Signal is P2P and is safe, but if someone is keylogging what you put in Signal, you're still made.
It's why there's government devices and protocols for sensitive info.
I don’t think that anyone in this Administration knows what a SCIF is. I’m also convinced that not a single member of it should have a security clearance, let alone for SCI. (Which I held when I was in the military; we had actual standards back then, and this bunch of clowns couldn’t pass muster.)
All the "Signal isn't secure!" takes have been so weird. People in a position with no excuse not to understand opsec invited a reporter into their chat and the app is taking the blame.
Signal is not secure enough for DoD (as per their own internal memo stating that it should not be used). It should not be used for official government business. It's not the app, it's that it is not secure enough for who was using it and what it was being used for.
I do tend to make clear to folks that security is a spectrum and since most phone OSes aren’t totally secure, a skilled actor could penetrate your phone and steal your keys. What I don’t know is whether mass key collection is in progress, but with vendor coordination it is in principle possible.
Also we don’t have reproducible binaries on phones so it’s difficult to say whether a version installed on my phone matches that clean looking source code signal posts on GitHub.
Basically phone security is a nightmare. Signal isn’t per se the problem but it’s a highly visible concern.
I'm just surprised (?) no one's leaning on Signal to be based and leak info on the government using their services for free(ish)… if Oracle or Microsoft caught them using Teams for free they'd sue them into oblivion
Yeah the keys to decrypt your conversations are stored on your device. Signal doesn't get those keys and they don't store copies of the messages — they only transmit them for you.
You should set your conversations to delete over time for even more security. What isn't stored cannot be leaked!
SIGINT is maybe 1% savants that break codes, and 99% bureaucrats sitting in windowless offices, knowing that maintaining great opsec requires inhuman efforts, so it's just a question of when, not if, their targets will make a mistake.
For every $1B spent to develop a zero day, you have thousands of simple, no less successful, "I'm calling from your internet provider, please text me your password".
Fair. If invited to a Signal chat, everything is encrypted Double-ROT13. The new government encryption standard. Better than Triple-DES and Musk approved!
The last couple of days have been like, damn, should I listen to all the credentialed infosec experts I've followed for years, or should I listen to the rude and anonymous assholes who keep demonstrating that they don't understand the topic of discussion?
tough call but I'm gonna side with Ian on this one
It would be much better if people were describing that sensitive info systems should verify whether the people seeing it have the authorization, rather than just saying Signal has vulns when most of said vulns are actually "human/social" vulns. As in, you fucked up and got phished, or you added the wrong phone to a chat..
I must say I think I’m relatively quiet out here but really enjoy following you. Yeah I come across as suckup. But it’s more like genuine Midwest vibe. Anyway thanks for putting it out here.
If I believed in 5d chess I would become a Signal truther about now and think that this whole thing was intentional just to cause mass hysteria to erode the trust of probably the best secure comms people could use right now at a time when many people needed it most.
It's not lost on me that the dumbest libs will see "Trump admin Signal group chat leaked" and immediately come to the conclusion that Signal is a crappy insecure app used by shitty people and probably terrorists too for good measure, without ever having heard of Signal before or doing any research
People failing to read beyond headlines is a universal problem of course and I think when (not even if) Signal is targeted for real it will be obvious, but also it's already happening with Musk blocking Signal links on Xwitter.
What’s the difference between “the dumbest libs” and this Administration? The “dumb libs” aren’t actively trying to kill people.
There are problems with Signal, as demonstrated by this incident. It involves incompetent people in positions they are unqualified to occupy. #PeterPrinciple
Burning down the secure comms that scores of people so desperately need right now just because it fits a narrative is still pretty dumb though, and it's going to get people killed too
Liberals are not immune to having dumb beliefs or tribalistic behavior just for being liberals. Not everyone with left leaning values is going to have great critical thinking skills, especially in this country. So they misunderstand what the problem with Signal is in this context.
I think it's fair to distrust software in general and I don't understand why so many people are trying to convince others that "no known vulnerabilities" means "safe". There were "no known vulnerabilities" in ingress-nginx 3 days ago, right?
Worth noting that there is a lot to be validly said about what *exactly* it is that Signal claims; but to claim that it's bad at what it does is more than a bit silly.
Too many people use Signal and go "✅ secure" like sorry that's not all!
I think there's a *bit* of nuance here in the sense that non-infosec types are likely to go "oh yeah that's the secure one ✅", but tbh that's better tacked w people directly and isn't Signal's fault
The nuance doesn't apply to the normie use-case — yes, my phone can be compromised, and my use of Signal monitored, same for my mom & dad, or either of us could be phished via Signal; but Signal never purports to secure against those.
There's, though, the category of compromises to the Signal app/protocol and what it does claim to do; there's no nuance to it, PoC||GTFO, mom and dad can communicate through Signal securely.
I had someone insisting yesterday that it was widely hacked and I pushed back... and was told that "you wouldn't text your doctor with it" and I was amazed at the goalpost moving/stupidity of how certain these people are of nonsense.
They know someone issued some kind of advisory about it, the words "Russia" and "infiltrate" were in there somewhere, QED it's clear that Signal Has Been Hacked.
Give me a break. He said the hysteria over the texts is like the girls in The Crucible saying that various women were in the woods with the devil. The problem with this piss-poor metaphor is that those girls were lying. Computer expertise is not outstanding; his comment is moronic.
I’m not even sure you know what the duck you’re upset about anymore, but may I suggest putting down the phone/computer and doing some breathing and count to four:
I've heard from an internet source that Signal is a subhuman monster with an oversized head and giant teeth that eats its own babies, engages in terrorism, and intentionally spreads disinformation to fuel violence and unrest. I hear Signal has WMD and a dirty bomb as well.
Comments
Military grade is for cheap BS that isn't mission critical lol
Obviously console cowboy is the equivalent of black belt.
And it's even worse than I thought.
Oh you poor sweet thing
I don’t even need to be one of the world’s greatest technical minds to know that he’s just a dipshit that fat fingered the number.
(what's POC in this context?)
You hacked the thing? Prove it
Like, your take is batshit, but it's way more than 280 chars for me to explain it. I can't put 25 years of experience into a few short paragraphs.
I get told that every review season at work already lol
(Oh wait)
Begone, silly troll!!!
https://pbskids.org/videos/watch/when-you-feel-so-mad-song/105305
Also stop misgendering them they go by THEY/THEM pronouns