Comments

You must log in or register to comment.

ziq OP wrote

It began when US officials got involved in the development of An0m, a supposedly secure encrypted messaging app, which was then sold to organised crime networks.

The FBI helped to infiltrate the phones into 300 criminal groups in more than 100 countries, Calvin Shivers of the FBI’s criminal investigative division told reporters in The Hague.

In a pattern repeated elsewhere, one Australian underworld figure began distributing phones containing the app to his associates, believing their communications were secure because the phones had been customised to remove all capabilities, including voice and camera functions, apart from An0m.

4

AnarchyRVA wrote

What’re the chances signal and telegram are similar stories. I’ve heard shot about signal having a back door but this story makes it hard to trust any encrypted communication app. But I’m also pretty ignorant of phone opsec stuff so correct me if I’m off track

5

86944 wrote

Signal is open source and set up so you don't need to trust the server. You can't even compare it to mystery software on a phone you bought off the internet.

Telegram isn't even encrypted for the most part, there's no need to compromise it. Mix in the questionable homebrew encryption they use on their "secret" chats and I feel it's no more secure than SMS.

6

celebratedrecluse wrote

Signal refuses to let anyone else run their own server and mocks federated approaches, uses phone #s for user identification, and boasts about their "world class opsec"

Signal's app is open source, but the servers are not. This is to purposefully obstruct privacy enthusiasts from forking the project, to make sure they can keep control of the millions of dollars they collect from philanthropists affiliated with some of the worst privacy-killing platforms in existence.

We have to simply take at their word that, the server doesn't have any more useful info than what they say they have, which is the time the account was registered and the last time it was accessed.

However, random people can find out you have joined signal, if you are in their contacts list and they are also a user. This makes it quite easy to develop a list of everyone phone number in the world, which uses signal. Not sure if this is still a feature, don't use signal for this and many other reason

There is also the "MobileCoin" fiasco, where they are apparently selling out the app to promote a garbage crypto which will be KYC compliant and cooperate with the US government to that end. Not sure where Signal Foundation is at, with regards to implementing this in the app, but it was reported in a confusing way.

5

another_i wrote

Signal is "open source". The servers and client code were published to a repository on github, and for the past year, they weren't updated at all. Only recently there was an update to the repository for the server. Its clear the public repository is not the canonical repo, so how can anyone trust what they're actually running. Having a zero trust hash signature of the codebase from the servers would be nice

5

celebratedrecluse wrote (edited )

I agree, great suggestion. How could one implement this? Perhaps other apps will do this, which could indirectly pressure Signal to adopt best practices.

also, yes, you are right that I was mistaken-- Signal does publish that "source code", but as you said it is not updated or the actual full code running on their servers.

3

another_i wrote

Yeah , good question. I'm thinking like returning a sha1 hash salted by the client on the running server processes bytecode. But..... I don't know how the client could prove that is the hash of the server process.

4

celebratedrecluse wrote

Additionally, signal uses WebRTC for calling etc, which to my knowledge breaks any VPN connection the user has for the rest of their device.

4

CameronNemo wrote

Personally I have concerns about Graphene, another service where you send your device to them and they flash their software.

4

another_i wrote

If you're talking about GrapheneOS, I've been running the OS myself for the past year.

I didn't send them my device to flash, I compiled it from their repository and flash my device myself.

With that said, the project is complex and the likelihood of an individual to verify there are no exploits seems pretty low.

Moreover, the Over-the-air updates are nice for my lazyass, but its another attack vector

4

CameronNemo wrote

Is your boot loader unlocked? Do you have a secure root of trust active on your device? From what I understand, flashing the image in a locked down way is a difficult process on many devices. More difficult than just unlocking the boot loader and disabling all of the secure boot functionality.

3

another_i wrote (edited )

No, not unlocked. I followed these instructions. It was straight forward from what recall. IIRC, now that i think about it more, I used a precompiled binary, but checked the hash before installing it. That's not to say I can trust their hashes, but I'm counting on the community to raise hell otherwise.

https://grapheneos.org/install/cli

3

CameronNemo wrote

Ah. It looks like Graphene OS is updating the trust store so that you can re-lock the bootloader after flashing.

Unfortunately my device is not supported. I wanted a replaceable battery and expandable storage :/

3

another_i wrote

Fwiw, a lot of phones with removable batteries, also have an embedded battery. I'm sure you can validate which models do before you acquire yours.

Removable battery is desirable, for sure.

I don't mind my device, its nice, but yeah, I acquired it specifically for Graphene.

3

Bettywhite4dinner wrote

Ziq, it's me, could i email you please? Its regarding your guide for security tags!! Pleaseee!

I dont know how to come back and see if u replied sonif so, email me at freakkatslate666@gmail.om ok ty!!!

0