@dave_andersen even @signalapp has to comply with #CloudAct.

• And we can be very shure they did simply because it's a statistical inevitability by the sheer amount if users they have…

Only real #E2EE (= #SelfHosting-capable with #SelfCustody of all the keys) can be considered safe.

• Demanding #PII like #PhoneNumbers is #KYC, and KYC is the illicit activity!

@signalapp It's not #disinfo when one points out that you demand #PII aka. #PhoneNumbers from Users and that is literally a architectural vulnerability, alongside your #proprietary & #Centralized #Infrastructure.

• #Signal being a #SingleVendor & #SingleProvider #Solution is literally the reason why I consider it #insecure.

Not to mention the lack of @torproject / #Tor support with an #OnionService or the willingness to fulfill #cyberfacist "Embargoes" or shilling a #Shitcoin #Scam named #MobileCoin!

• #KYC is the illicit activity!!!

And don't get me started on the #cyberfacism that is #CloudAct.

• If you were secure, criminals would've used your platform so hard, it would've been shutdown like #EncroChat and #SkyECC.

I may nit have allvthe.evidence yet, but #Signal stenches like #ANØM: #Honeypot-esque!

@lauren no, because @signalapp is subject to #CloudAct (= incompatible with #GDPR & #BDSG if you ever care!) and collects #PII in the firirm of #PhoneNumbers, which are at best pseudonymous but trivial to track and at most means that people inviting others without their consent comitted an illegal disclosure if PII!

• Use real #E2EE with #SelfCustody of all the keys that isn't a #proprietary #SingleVendor & #SingleProvider solution that peddles a #shitcoin #scam!

Give #XMPP+#OMEMO a shot: @monocles / #monocles & @gajim / #gajim.

1 2 3 4 5

@ai6yr people need to fucking learn proper #InfoSec, #OpSec, #CkmSec & #ITsec and that means learning to proper use #XMPP+#OMEMO & #PGP/MIME.

• #Lazyness is not an excuse!

@tails_live / @tails / #Tails exists. @gajim / #Gajim exists. @monocles / #monoclesChat exists. @delta / #deltaChat exists. @thunderbird / #Thunderbird exists. @cryptoparty@mastodon.earth / @cryptoparty@chaos.social / #CryptoParties exist.
#Documentation in writing and videos exist.

• Only #SelfHosting-capable, #MultiVendor & #MultiProvider solutions that implement proper #E2EE & offer you #SelfCustody of all the keys can be considered #secure.

• Everyone who demands #PII like #PhoneNumbers, including @signalapp, must be seen as inherently insecure by design - espechally when they are subject to #CloudAct!

@halva @lynn @signalapp @deilann

The problem is one needs to literally acquire a phone number and have access to it, and the demand of a phone number itself is bad. This makes it unnecessarily complex and expensive compared to using @monocles / #monoclesChat.
(Cuz if I've to pay to communicate, I might just choose a provider that isn't a #VC #MoneyBurningParty but a long-term sustainable solution based off #OpenStandards!)

• I'm sorry for your location. My sincere condolences!

Still, #Signal doesn't allow #SelfCustody of all the keys & #SelfHosting, which makes it vulnerable as a #proprietary #centralized, #SingleVendor & #SingleProvider solution.

• Just because @Mer__edith isn't having #Roskonmadnozr pointing a gun at her head doesn't mean she'd risk jail for a user when push comes to shove.

And with #CloudAct on one hand and #Trump wanting to "Speedrun Hitler", I'd not rely on Signal.

• The "Metadata" #FUD is just a marketing bs because Signal will comply with warrants, whereas nothing prevents me from buying a Thin client, setting up an #OnionService to tunnel everything over @torproject / #Tor and rig it to disconnect power if tampered with or upon command.

I have setup comms for critical operations (incl. helping people flee Russia!) and I'd rather choose #OnionShare over #Signal if #Metadata is a real concern.

• Internet Access, even in "P.R." #China, is something feasible to workout given the massive prevalence of public #WiFi. Also it's easier to spoof/anonymize a MAC than an #IMEI or even #IMSI, so making one dependent on #PhoneNumbers to even sign up is inherently bad!

@Mer__edith that's a #Marketing #Lie as @signalapp / #Signal collects and demands #PII like #PhoneNumbers to this day, and unlike #WebRTC-based options like #JitsiMeet and #WebCall, one cannot #SelfHost Signal!

So please stop such bs claims, because they insult the intellect of everyone who's even halfassing #ITsec, #InfoSec, #OpSec & #ComSec...

https://infosec.space/@kkarhan/113467293263701678

@halva @lynn @deilann

Wrong, as you need a #PhoneNumber just to sign up to @signalapp / #Signal and Signal does use that to discriminate against users and restrict functionality.

And since an increasing number of juristictions don't allow anonymous #PhoneNumbers / mandate #KYC even for #Prepaid numbers, that Phone Number is not only explicit #PII but also Signal never had any "legitimate interest" to demand one, nor is it "technically necessary" in any shape or form (unlike if they still offered #TextSecure to encrypt #SMS and used said phone numbers to update, authenticate and exchange Public Keys)...

@lynn @deilann or rather XMPP & OMEMO and/or eMail & PGP...

• Cuz @signalapp does collect #PII like #PhoneNumbers for no "legitimate reasons" whatsoever!

Remember: KYC IS THE ILLICIT ACTIVITY WHEN IT COMES TO COMMUNICATION!

https://infosec.space/@kkarhan/113462254071994018

You use XMPP+OMEMO because you think it's neat.

I use XMPP+OMEMO because all centralized, single-vendor and/or single-provider messengers are inherently garbage, collect PII like phone numbers for no "legitimate reason" and don't offer proper End-to-End - Encryption with self-custody of all the keys, making them either honeypots or prime targets for warrants.

• We are not the same!

@GrapheneOS @signalapp I didn't say all of them have it...

Re: #Signal I'd not consider it #disinfo as we've seen more elaborate Setups like #EncroChat & #ANØM fall.

• Given the fact that one cannot #SelfHost #Signal's backend, they shilled the #MobileCoin #scam and use #PII like #PhoneNumbers to enforce 'selective availability' as well being incorporated in the #USA all rubs be unpleasantly...

• "The" correct way to do things (sarcasm OFC!) is to do #OfflinePGP but we can all agree it's not practical...

I remember when #Signal did a good #E2EE Messenger (#TextSecure) and that had a reason to use #PhoneNumbers as it merely encrypted #SMS, but that OFC has other issues.

• In terms if "proper #E2EE" with #SelfCustody if #keys, @delta / #deltaChat does fit even the stingest criteria - including #encrypted #GroupChats!

@GrapheneOS I think both apps are shit as *both #Telegram and @signalapp demand #PII in the form of #PhoneNumbers.

• #Signal at least has their #client's source code published so similar to like #Tarsnap it's more trustworthy by virtue of better #transparency...

OFC Telegram is (by my personal observation) almost exclusively being used by #Scammers and other #TechIlliterate criminals.

• Trusting Telegram is like trusting #EncroChat or #ANØM aka. #OperationIronside aka. #OperationTrøjanShield: It literally has #Govware #Backdoors because the #UAE of all plaves would've swatted their "HQ" if not forved #Durov at gunpoint to integrate it into it if it wasn't there...

@rysiek also #Telegram - like @signalapp - demand and collect #PII like #PhoneNumbers which ain't possible to acquire anonymoisly in more and more juristictions.

• Plus, both are #centralized, #SingleVendor & #SingleProvider solutions that don't allow for #SelfCustody of all the keys nor #SelfHosting and thus violate #KerckhoffsPrinciple, meaning they are inherently #insecure.

Using #XMPP+#OMEMO by contrast is secure and adding @torproject / #Tor to tunnel it makes it even more anonymous.

• So don't expect any messenger to cover your 6, but instead go out of your way so that even when held at gunpoint, they can't decrypt comms!

Cnsider every #Messenger that doesn't #decentralize and support #Tor oit of tue box to be insecure!

@delta @netzpolitik_feed @edri I'm just wary about the "fine words" by @Mer__edith from @signalapp because to me they didn't even bother to "clean their house" and make themselves incapable of compliance to even have data they can pin on a person.

Instead they still collect #PII like #PhoneNumbers and restrict features based off that because they decided to remain under juristiction of the #CloudAct...

https://infosec.space/@kkarhan/112636697476321915

@joinjabber @lo__ @kc3yqi @signalapp Y'know that #Signal collects way more threatening stuff than just #metadata?

• They collect #PII like said #PhoneNumbers, and as a #Company in the #USA (Regardless if "#nonprofit" which is merely a #taxation-based distinction!) they do fall under seriously #cyberfacist laws.

Like #CloudAct...

Also not only can I not #SelfHost or even *#AirGap" any Signal Server, I have to blindly rely on their claims re: their backed infrastructure.

• Even if they provide me completely reproduceable builds of their Apps, I've to still trust them, and that's the problem!

Whereas with #XMPP+#OMEMO I can just decide to trust noone and self-host everything in my basement...

@kc3yqi nodds in agreement

The cool people do real #decentralization, and that means not using @signalapp / #Signal and their #Shitcoin-infested garbage, but doing #XMPP+#OMEMO instead...

• #MobileCoin is bad and Signal is not only able but willing to exercise #Sanctions and restrict availability of their services based off obtained #PII like #PhoneNumbers for which they habe no legitimate interest into!

@pixelcode @alshafei again: That is mitigateable by having plausible deniability of said identities and using @torproject / #Tor to connect to said services.

In fact, just using #Orbot and @monocles / #monoclesChat allows you to connect to any XMPP Service, including those that have an #OnionService.

It takes mere seconds to get someone setup and ready to go!

Whereas with #centralized, #proprietary & #SingleVendor / #SingleProvider services, your only security is said provider/vendor saying "#TrustMeBro!"...

Espechally tying accounts to #PhoneNumbers is a big no-go IMHO because that's trivial if not already being spied upon by LEAs and in more juristictions than ever before it's basically illegal to acquire any #SIM without "identification" aka. self-doxxing towards the provider!

And if you really need like an organization group chat, self-hosting #Zulip is an option, as the messages are kept on the server and you just kick user accounts if they get arrested or their equiment confiscated.

#ComSec & #InfoSec necessitate proper #OpSec & #ITsec anyway...