Friendly reminder that Signal is funded by (tax-deductible) donations. And you can donate crypto:
(TBH, I had never really thought about how they were funded until I noticed the "Donate" link while reading their response.)
Here's how my dumb brain understands it:
His friend sent him a YouTube link in WhatsApp. WhatsApp does link previews in its messages--and somehow, when the link loaded, YouTube knew that it was this dude looking at the link.
Fun fact: that's a classic OSINT technique to find people who are on the run. Send them an email with an embedded image saved on one of your websites, and then just wait for him to open the email--when he does, you can see what IP address loaded the image and boom--now you know where he is.
Also fun fact: Signal has taken steps to prevent this from happening: https://signal.org/blog/i-link-therefore-i-am/
I just downloaded Signal to try it out, it's open source, and co-founded by Brian Acton who co-founded WhatsApp and left Facebook after the merge when they asked him to lie to the EU about their intentions to merge WhatsApp and Facebook Messenger. It seems to be nice, haven't tried it in anger. The desktop version is its own app, I'd have preferred a browser based option like WhatsApp web but that's a minor quibble.
Unlike a lot of other technology projects, Signal is structured as a non-profit. We're supported directly by users like you, similar to organizations like Wikipedia. You can donate here: https://signal.org/donate/
We will never sell ads, and we've designed Signal to not know anything about anything (including no trackers or analytics), so we couldn't target ads even if we wanted to (which we don't).
I have a hunch it could be related to https://signal.org/blog/cellebrite-vulnerabilities/ and the followup https://hothardware.com/news/cellebrite-physical-analyzer-software-no-longer-supports-iphones
What kind of phone does your wife have that they inspected?
Developer on Signal Desktop here.
IMO, Signal does not have an issue here, but of course I'm biased.
We go to great lengths to avoid the "metadata problem". We've been subpoenaed a few times and have been able to produce very little. We know when someone signed up for an account and when they last accessed the Signal service, but that's basically it.
We achieve this, in part, with something called "sealed sender". It's like a letter with no "from" address written on the envelope.
We also do limited logging and don't hold onto messages after they're delivered.
As others have mentioned, we're also working on adding usernames. Please know that this is a massive technical effort (the biggest I've seen in my time here) and will take some time, but it's definitely a priority.
As a developer on the Desktop app, I know full well that Signal is far from perfect. But I don't think our service suffers from the "metadata problem".
For people using SailfishOS, CopperheadOS, and other Android-app compatible operating systems that don't include Google Play, the following might be equally (if not more) newsworthy:
Today, Open Whisper Systems (the team behind Signal) set up a way for people to install the official Signal Android client from outside of the Google Play Store: https://signal.org/android/apk/
When announcing it on the OWS Community Forum, Moxie Marlinspike said that this is a "harm reduction strategy since people are already running random APKs signed by other random people".
You can use real private messaging. Right now virtually uncrackable encrypted messaging exists but no one uses it for some reason.
For the people asking about it: https://www.openpgp.org
It looks like Signal is a better solution: https://signal.org/
This is the same company that Moxie Marlinspike absolutely embarrassed in a blog post recently after they claimed they could extract data from Signal. https://signal.org/blog/cellebrite-vulnerabilities/
Beep. Boop. I'm a bot.
It seems one of the URLs that you shared contains trackers.
Try this cleaned URL instead: https://signal.org/blog/keeping-spam-off-signal/
If you'd like me to clean URLs before you post them, you can send me a private message with the URL and I'll reply with a cleaned URL.
That's why when I'm tonsil-deep in pussoir, I use Signal.
Its end-to-end encrypted communication ensures that my taint reaches my eyes unmolested by man in the middle interlopers.
The Signal team have vouched for WhatsApp in the past https://signal.org/blog/there-is-no-whatsapp-backdoor/
Granted that was a few years ago and there’s no telling if WhatsApp has changed since then. But Signal haven’t announced a change in stance regarding WhatsApp, so it’s probably safe enough, assuming you’re ok having your metadata mined…
Speaking of fire, Signal's very recent blog post as a response to a company, Cellebrite, claiming to be able to extract data from the app is pure gold. Their response could be summarized as "Just don't" but that does in no way make the full read any justice. It's a mood lifting read!
Straight to the original:
https://signal.org/blog/cellebrite-vulnerabilities/
"By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me."
Haha, sure, "fell off a truck"... Likeable, yes. But credible?
PGP is hard to use and not very practical for direct messaging.
Signal is a much better suggestion, slick UI and easy to use. Also very secure (especially if you verify each other's private key) and open source.
End to end encryption means that Facebook cannot read along. What they do know via WhatsApp is who you talk to and when, who is in your contact list, which groups you are in, when you are online, and, if you have it turned on, your location.
Edit: A good alternative to WhatsApp is Signal; they don't keep anything on you (they exist on donations) and it uses the same encryption as WhatsApp (actually, the encryption in WhatsApp was devised by one of the people behind Signal). I use Signal to communicate with the few people in my group of friends who do care about privacy, but it is hard to get the rest off WhatsApp.
Signal is the only widely available, multi-platform secure messaging tool. True end to end encryption (you and your recipient have the only keys) and minimal metadata (Signal logs only the age of your account and the last time you used the service. That's it). Stop using other messaging tools if the contents of your messages are private. https://signal.org
re: online status and location, Signal does not have this by design. It would be a privacy leak. Signal actually gives a shit about real privacy. https://signal.org/bigbrother/central-california-grand-jury/
Just a reminder, Open Whisper System is a non-profit, who run a privacy conscious service for free. They don't get the benefit of billions of dollars of advertising money here compared with FB and WhatsApp.
Please do donate if you value their service. https://signal.org/donate/
Not too long ago, Cellebrite announced "support" for Signal Messenger. This "support" is only for unlocked phones where Signal Messenger is also unlocked. Cellebrite makes devices that download any available info from many phones, locked or unlocked. An Android phone that is freshly restarted will expose minimal data. A decrypted phone (after you enter your password the first time), even when the screen is locked, will offer a little more data, still not much though. Something to note is that some things, like the alarm you set and named "Remember to dump the body from the drum," are accessible from your encrypted & locked phone.
The Signal organization "found" a Cellebrite UFED that "fell off a truck" and they found numerous vulnerabilities. Read the blog post here. It's not very long nor technical. Pay attention to the last paragraph, LMAO.
It's possible that law enforcement is looking for the pretty little files that "don't do anything" that Signal Messenger uploaded to a few random people's phones. I read a legal blog post suggesting that the US government might try to prosecute someone under the CFAA if these files do damage to any of their Cellebrite UFED machines, possibly with the goal of going after Signal Messenger.
Just a thought.
https://twitter.com/signalapp/status/1261364662840385536
> Giphy was just acquired by Facebook, but GIF searches in Signal have been protected by a privacy-preserving proxy from the very beginning. The Giphy SDK isn't included in the app at all. You can read more about our approach to handling animated GIFs here: https://signal.org/blog/signal-and-giphy-update/
Signal has already been subpoenaed by the FBI and couldn't produce content, https://signal.org/bigbrother/eastern-virginia-grand-jury/. You won't find Telegram recommended by security advocates because it doesn't have the reputation Signal does.
Looks like they've changed it a couple months ago; here's an archive: https://web.archive.org/web/20180702223031/https://signal.org/workworkwork/
I actually copied it from a message I sent a friend when I first read it. (Over Signal to boot, hah.)
Signal is open source, tried and tested, and end to end encrypted. It requires your number so you can communicate with anyone in your contacts (those without Signal).
They've proven through a court order that they could not help the big brother. The only things they were able to share were the time the user registered and the last time they've used Signal.
I don't think any of the other alternatives have this much battle experience and trust.
Signal is basically an alternative to your regular SMS and calling app, so of course it will require those permissions. If you only want to communicate with Signal users, then go the route explained in the article you linked and use a burner number and not allow any permissions.
It's interesting that they still have access to Facebook and WhatsApp. It is unfortunate that Signal is no longer domain fronting though I know Telegram was doing this as well (and for some reason hasn't gotten a similar letter?). I'm not a networking guy, but wouldn't encrypted DNS help resolve this issue? Not that people have access to it on their phones, but my understanding is that you'd have to shut off access to the DNS (like CloudFlare (1.1.1.1) or Google (8.8.8.8)).
Signal explains quite nicely how "disappearing messages" should be treated.
> Disappearing messages are a way for you and your friends to keep your message history tidy. They are a collaborative feature for conversations where all participants want to automate minimalist data hygiene, not for situations where your contact is your adversary — after all, if someone who receives a disappearing message really wants a record of it, they can always use another camera to take a photo of the screen before the message disappears.
We like them today because they responded to a subpoena last week with basically "lol, we don't know anything".
We like them over the long term because they're a messaging app that just sends messages.
>In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
For those who missed it this particular company specializes in getting data from phones that have already been unlocked and requires the phone to be physically present.
There was an interesting blog written in April by the CEO of Signal (a secure messaging client) where he basically got a hold of one of their boxes and had a close look https://signal.org/blog/cellebrite-vulnerabilities/ that some of you might like to read.
Why Telegram? Telegram is known in crypto circles to be a bit shady, to put it mildly. They invented their own encryption algorithms, which is a big no-no when it comes to crypto. It is based in or originated out of Russia, meaning the Russian state can try to interfere and/or influence. Ultimately it is a privately held for-profit company, meaning they can change their direction any moment they want to turn a profit.
If we really want to recommend a truly privacy-first messaging app, it should be Signal (https://signal.org) not Telegram.
IRC's new energy comes from IRCv3, not from any VC-type hype.
Mark my words, this is the idea of someone emboldened by the GitHub and Discord stories to make easy money. Nobody is going to make money off my IRC.
You don't make dough with decentralized systems, and as IRCv3 shows, decentralized systems are hard to update, and irc.com smells like an idea to build a centralized solution.
Software can scale; communities, not so easily.
https://signal.org/bigbrother/cd-california-grand-jury/
The top level of the link where this doc is from. Only the PDF of court docs opened for me
Before people strap on the tin foil, please consider that your data in signal is end to end encrypted and they are unable to provide anything, especially chat transcripts to the court
I just donated to them - they are a non-ad / non-subscription app. If you like their platform, I would encourage anybody here to do so as well. Signal >> Donate to Signal
Imo, I don't see any advantage of telegram over signal
edit:
From /u/redditor_1234 on /r/privacy
>Unlike Telegram, Signal does not need a 2FA option to protect against SS7 vulnerabilities.
>
>The Telegram servers collect every Telegram user's contact list and every message, photo, video and document that they send in the default chat mode, and unless the user has enabled the 2FA option that is buried in the app's settings page, the service allows anyone who can hijack the user's phone number or intercept their SMS messages to instantly have access to all of that user's cloud based data.
>
>In contrast, the Signal servers don't collect any contact lists and all Signal communications are end-to-end encrypted. If someone were to intercept a Signal registration code or hijack a Signal user's phone number and use it to register on a new device, the attacker would not gain access to any of the user's data, because it would all be stored locally on the targeted user's own device(s). The user's safety numbers would change, and the app would automatically alert everyone who has previously communicated with the targeted user's number, preventing anyone from accidentally calling or sending sensitive information to the hijacked number.
Signal is trustworthy. I've tried intercepting their VOIP streams and was unable to on either end. Admittedly it's been a few years since I've done any professional security analyses and I may be behind on the latest and greatest tools, so grain of salt.
Properly deployed encryption is unbreakable. Even the still in-vitro quantum computer would only be able to slightly shorten prime factorization in asymmetric ciphers.
Paranoia is good and healthy. But knowing the capabilities of your adversary is equally important. Real-time decryption of even weak cipher suites isn't feasible, real-time processing and analytics is another beast entirely. So I wouldn't be worried about being randomly eavesdropped.
However, if you're being targeted, there are plenty of ways to exploit the biggest weakness there is in encryption. The user.
Edit: added link
If one reads the actual post on the Signal blog, the author notes the Windows-based Cellebrite software includes a couple Apple DLLs, apparently in violation of Apple licensing.
The blog also says they're not putting landmines on every device, just randomly placing them on a small percentage of devices.
A couple quotes from Signal...
Just funny:
> By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.
About the DLLs:
> It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.
About the landmines:
> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
This isn't the first time and won't be the last. Unless it's a huge conspiracy, it appears Signal does not have access to anything as it is all encrypted and they only have access to the timestamps and creation date. https://signal.org/bigbrother/central-california-grand-jury/
Signal uses the Firebase notification service which depends on Google Play Services. They do not send your messages through the Google Service, but they will use it to notify the app, that there is a new message to be downloaded. If you removed Google Play Services, then that service doesn't work in the background.
I'd recommend downloading the Signal APK installer from https://signal.org/android/apk/ which uses a custom notification service (uses more battery than the Google version) and updates itself.
They can if they never store it in the first place. There are no laws saying you’re required to store customer data.
Relevant post from Signal yesterday: https://signal.org/bigbrother/central-california-grand-jury/
I too suggest this, excellent tool that allows you to form mesh networks over Bluetooth and wifi. If this is too advanced, Signal messenger is another excellent tool for end-to-end encrypted communication over Cellular and the Internet.
They are very much involved in mass surveillance. For example
I find that pretty hard to believe, but that's not based on a whole lot. It's feasible in theory, just feels unlikely given the proficiency of our government. While it's not directly related, I do know that ASIO works with big consulting firms to leverage "big data" (sorry for the cringey corporate term).
ASIO maintains a list of individuals who are considered to be "of interest", however this list is far larger than feasible to have humans monitoring its members. In other words, there aren't enough ASIO members to track all activities of members on the list. So instead they have systems that look for behavioural patterns, and flag those who deviate from their "normal" patterns. That narrows down the list significantly, so that ASIO can keep an eye on those who might be preparing for something. If it can be determined that someone intends to commit a terrorist activity, ASIO might be able to stop them right before any innocent people are hurt.
Coming back to your original question, I say it's feasible in theory because we know voice recognition is absolutely possible and easily accessible - so it stands to reason that if ASIO can access your phone calls, a bot could theoretically flag those that include specific keywords. It's unlikely because the sheer volume of calls that would be flagged would be enormous - and those terms on their own aren't indicative of intention to commit a terrorist act.
If you're a fan of your privacy, you might like to swap out your SMS app for Signal - it's open source and has the best encryption I'm aware of in a messaging app. https://signal.org
Signal posted the story themselves. I don't see what RT being a Russian propaganda outlet has to do with it.
It's sparking outrage because it's outrageous. This isn't some made up story, it happened and it's a topic that lots of people are concerned about.
If (when) the cops take your phone away and unlock it, they will need to pull the information out of it. There are two ways: 1) click through the icons on the home screen by eye and look through chats and documents; 2) extract the information to a computer and examine it at leisure. There are special programs for this.
One of the makers of such a program for the authorities of various countries, Cellebrite, recently boasted publicly that it can extract data from Signal. That is true: if the authorities have managed to unlock the phone, they can pull all the chats out of it, just as they could see them with their own eyes. This program is used by intelligence services around the world to carry out official and not-so-official forensic examinations.
Today Signal posted a comeback. They got hold of (in the original, "fell from the truck", i.e. "fell off a cart, found on the road") an official box with this program, examined it and found a ton of vulnerabilities in it. Vulnerabilities such that one can craft a special file which, when present on the victim's phone, gains full access to the computer that is trying to extract information from it (victim and aggressor swap places). One can make the Cellebrite software write anything at all into all the forensic reports on that computer. Not only the current one, but all subsequent ones too.
They ended the post with the following paragraph: "We will now start attaching special pretty files to Signal. They serve no purpose, they are simply very aesthetically pleasing. And we have many files, and they are all different. We will attach them only to long-registered users and only to a portion of them; you will not manage to catch and fix all the bugs. This paragraph has no connection to the preceding text. We just like them."
Level 90 trolling.
Oh yes, they also discovered that Cellebrite illegally uses Apple libraries in violation of the license. Apple has expensive and good lawyers.
All they're doing is reposting their own version of a post on Signal, rewritten and sensationalized.
https://signal.org/blog/the-instagram-ads-you-will-never-see/
Russian propaganda sites should be permanently banned from Reddit.
> “Signal Technology Foundation is an independent nonprofit charity and tax-exempt under section 501c3 of the Internal Revenue Code.”
From https://signal.org/donate/
So they're allowed to use the word “Donate” on Google Play.
Just an FYI for all of you who don't want your chat apps spying on you. To be secure you need to use an app that is end to end encrypted by default, is fully open source and audited, and does not save unencrypted backups of conversations. WhatsApp fails on the unencrypted backups and not being open source and audited. The two you want to look at are:
Since you're passionate about the topic, it might make sense to read a bit about why Signal chose MobileCoin as well as MobileCoin's design goals.
It's notable that Signal's announcement of the payments beta refers to "the first payments protocol we’ve added support for," implying there will be others.
Personally, I wish Signal hadn't added the feature. For people like you and me who don't want payments in Signal there is good news: We don't have to use it. We can still send payments the way we always have. Nobody is making us send payments using Signal.
ELI5
Signal he's referring to is https://signal.org/en/ the non-profit messaging app, not publicly traded.
Signal Advance Inc SIGL is a company in Texas whose share price has hovered around 10 cents for year, lost $125,000 last year and last tweeted in 2016. I would imagine they are very confused right now.
Jesus, people.
> I don’t think there is anything at this time to suggest they plan to close the source.
Also: they can't! While 3rd party contributors don't retain copyright due to the CLA, the same CLA asserts that they can make proprietary licensed derivatives, but they assert that all those contributions are always made available under an OSI approved license:
> Your Contributions and such derivative works, as well as the right to sublicense and have sublicensed all of the foregoing rights, through multiple tiers of sublicensees, provided that in all cases, Signal Messenger will make Your Contributions available under an OSI-approved open source license.
I guess they technically make a proprietary Signal client and server, but it wouldn't really make a lot of sense given that they would basically require a full-time lawyer to start separating source repositories :'-)
EDIT: IANAL
You can get an official apk at https://signal.org/android/apk. They've got the signing key there for you to verify the download. Plus you'll get notifications when there's an update to download.
Also fantastic how they reverse-engineered the iPhone cracking system from Cellebrite, say that 1) it's a hot mess security wise, thus 2) it's vulnerable to running outside code that can modify the output of the Cellebrite system so that output is totally unreliable and 3) by the way, we are moving various files around in our system that we are not saying are code to mess with Cellebrite if you ever try to use Cellebrite on a device with Signal, but... we ARE moving odd files around, just sayin'.
https://signal.org/blog/cellebrite-vulnerabilities/
It's both hilarious and amazingly brutal.
the Signal messenger (English website, official)
Unfortunately not widely used, but a good messenger. Open source, as secure as it currently gets.
In May, Signal (that chat app) ran a series of ads on Facebook's platform precisely to demonstrate the level of spying these guys do.
https://signal.org/blog/the-instagram-ads-you-will-never-see/
The ads Signal uploaded to the platform are just written text, but extremely specific about the person viewing them. For example:
"You are seeing this ad because you are a newlywed pilates instructor and you love cartoons. This ad was restricted to your location (La Jolla, in San Diego, California). You like blogs about parenting, and you are thinking about an LGBT adoption."
The linked article has this and other examples.
Social media is specifically designed by billion dollar companies to get you addicted, to feel left out, to condition you to look for headlines and not the story. Honestly, it's pretty toxic, the only people who use social media and aren't slaves to it are the elderly who have no idea how it works much less how it's "supposed to" work.
All the while they collect private information about you and sell it to the highest bidder. A lot of people think, what's the big deal? I don't mind if companies know I love my dog or what I eat for brunch, but you'd be surprised how much they really know about you: https://signal.org/blog/the-instagram-ads-you-will-never-see/
I've entered the phase in my life where I don't really have many friends. I've shed most of the people that were barely friends or just acquaintances and now have a lean 4-5 friends that I talk to regularly and I know I can count on them for anything from a birthday greeting without social media prompting them to all the way to if I need to bury a body. I'm honestly pretty happy with the friends I have and we don't need social media to keep in touch. We send each other photos, gifs, and funny stuff and have actual conversations about how their kids are doing, if they're thinking about buying a new car, etc. You know, stuff that actually matters.
When it comes to keeping up with news, scores, whatever else I'm interested in, Google does a much better job of figuring out what I like and giving me credible (after I changed a bunch of settings) articles/sources better than my cousin I never talk to could.
I will admit I do still have an Instagram account but I never post anything on it I don't really follow anyone I know. I just scroll mindlessly for a laugh if I have 10 minutes to kill while waiting for someone.
TL;DR social media is toxic and quitting it had no consequence to my life.
You can reach them via one of their social media accounts https://signal.org
I sent them a link tip via https://support.signal.org/hc/en-us/requests/new
So far the link has not been claimed, but I'm sure they are fucking busy at the moment as their user numbers skyrocket.
>With Signal you must tell them your Phone number.
This is just to register. The phone number is stored in a cryptographically hashed form.
>Signal is subject to the CLOUD Act, which allows US Federal agencies to access the data.
Signal stores three things:
Phone number (in an encrypted format)
Date and time of registration
Date of last use
See here for how useful that information is to law enforcement.
>the timestamp is not stored in the server
The date specifying the day (not to last hour) is stored on the server, as far as I know and can interpret this text.
>We’ve designed the Signal service to minimize the data we retain about Signal users, so the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.
>
>https://signal.org/bigbrother/eastern-virginia-grand-jury/
Everybody says this is bad, but Signal has been collecting all of this information anyway, but nobody said anything then. This is best demonstrated by using Signal on multiple devices, where Signal saves your contacts that use Signal from your phone on their servers (provided you give them access). Signal does not see the content they steward because private keys are generated on devices (this is the code you can verify with someone else).
Signal has also passed third party audits and proven to be cryptographically sound. Everything in regards to stored content is done using its protocol. The exception are services that use it that aren’t Open Whisper Systems, such as FB Messenger or Skype, because they were not included, nor open-source. https://eprint.iacr.org/2016/1013.pdf
Signal has also been tested against governments, namely the US government. The first was a gag order in Virginia, where the FBI issued a gag order to Signal during the investigation. Signal was unable to hand over anything. There was another incident during Michael Cohen’s trial, his Blackberry (an Android presumably) was seized by the FBI for his Signal messages. However it is believed Cohen provided access himself as the FBI was unable to obtain information through Open Whisper Systems.
https://signal.org/bigbrother/eastern-virginia-grand-jury/
Everyone raised a fit with stickers because it’s wasted memory on your device. This pin code is not a concern, it is an optional convenience feature. I understand many are paranoid, but this is a false alarm. It should be more of a concern Signal’s focus is social aspects, not privacy/security features their platform started on. Maybe this is part of that, but Signal has proven they are trustworthy, but not deserving of this FUD.
Did you hear the creative way Signal wanted to use it for private contact discovery? https://signal.org/blog/private-contact-discovery/
Its #1 use is still going to be DRM, but it does have a legitimate use or two up its sleeves
I don’t know the answers to some of these questions but Signal has posted its response to subpoenas in the past. See: https://signal.org/bigbrother/central-california-grand-jury/
Could Signal be ordered to collect IP information secretly on a target, such as what happened to ProtonMail in Switzerland? I don’t know! It’s a good question.
🌹🇮🇳🙏 A Proud Moment For All Indians 🌹🇮🇳🙏
A poor villager's son from Uttar Pradesh who passed from IIT with a gold medal has created an app called Signal.
The App has been awarded as the Best New App of 2021 by NASA 🚀 and UNESCO 🌍 because it is the first ever app which has used code from Sanskrit to create the app.
This App is better than WhatsApp and has been proudly created by an Indian 🇮🇳
Request all Indians to download this app which is a huge boost to Atmanirbhar Bharat, and make India shine in front of the world.
Also WhatsApp will be shut down in six months because their servers are not able to handle the traffic of 💐Good Morning💐 Messages sent in India. Download Signal to keep sending Good Morning Messages to your near and dear ones.
Forward this message to 10 contacts and win ₹500 Voucher from Flipkart.
🇮🇳 Jai Hind 🇮🇳
It's pretty much Messenger on steroids + end to end encryption, minus all the tracking and story bs.
You can crop and edit media, react, send voice messages (without holding onto the mic button too), use stickers (there are custom packs you can build/install, but you can't browse them from the app besides opening packs others have shared), make calls and video calls and a whole lot more.
The real question is, can you bloody get my friends to use it?
Hi there, it works purely off phone number and that's it. If you really want to know how it works, the source code is available here: https://github.com/signalapp. Any issues you can ask over at r/signal, and if you just want to install the app, just go to https://signal.org/install and it should open in app store or ios depending on what phone you are using.
If you want "Secure Messaging"
One of the first things you see when you visit its website is a 2015 quote from the NSA whistleblower Edward Snowden: “I use Signal every day.”
and apparently it's true.
>How are link previews retrieved? Link previews are built on the same foundation that was previously developed for the animated GIF search feature in Signal. Before you send a link preview to another Signal user, your Signal client does the following:
>
>* The TCP connection is proxied through the Signal service, which acts like a VPN to obscure client IP addresses from the site that is being previewed.
>* A TLS session is negotiated directly with the previewed site to ensure that the Signal service never has access to the URL. Previews are not generated for non-HTTPS links.
>* As described in more detail here, the preview image is retrieved using overlapping range requests so the Signal proxy service only sees repeated requests for a fixed block size when downloading an image.
https://support.signal.org/hc/en-us/articles/360022474332-Link-Previews
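The "overlapping range requests" idea from the quoted text, as an added sketch that is not Signal's code: every request covers a window of the same width, and the last window is slid back over bytes already fetched so it is still a full block. The block size, the function names and the in-memory "server" are assumptions made for the illustration.

```python
from typing import List, Tuple

BLOCK = 1024  # assumed block size; the quoted text does not give the real value
# Constructed sample "image": 2500 bytes, deliberately not a multiple of BLOCK.
SAMPLE = bytes(i % 251 for i in range(2500))


def plan_ranges(total_len: int, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Inclusive (start, end) byte ranges, every one exactly `block` bytes wide."""
    if total_len <= 0 or block <= 0:
        raise ValueError("total_len and block must be positive")
    ranges = [(s, s + block - 1) for s in range(0, total_len - block + 1, block)]
    if len(ranges) * block < total_len:
        # Leftover tail: slide the last window back so it is still a full block.
        # For a resource smaller than one block, still ask for a full block;
        # the server just returns fewer bytes.
        start = max(total_len - block, 0)
        ranges.append((start, start + block - 1))
    return ranges


def range_header(start: int, end: int) -> str:
    """HTTP Range header value for an inclusive byte range."""
    return f"bytes={start}-{end}"


def serve(resource: bytes, start: int, end: int) -> bytes:
    """Simulated origin server: body of a 206 response, clamped to the resource."""
    return resource[start:end + 1]


def fetch_image(resource: bytes, block: int = BLOCK) -> Tuple[bytes, List[int]]:
    """Fetch via fixed-width ranges; return (image, width of each request)."""
    # A real client would learn the total length from the first response's
    # Content-Range header; len(resource) stands in for that here.
    image = bytearray()
    widths = []
    for start, end in plan_ranges(len(resource), block):
        widths.append(end - start + 1)
        body = serve(resource, start, end)
        # Drop the bytes that overlap what has already been reassembled.
        image += body[len(image) - start:]
    return bytes(image), widths


if __name__ == "__main__":
    data, widths = fetch_image(SAMPLE)
    print([range_header(s, e) for s, e in plan_ranges(len(SAMPLE))])
    print(data == SAMPLE, widths)
```

An observer that can only count bytes per request sees the same width every time, so the final request does not reveal the remainder of the file length modulo the block size.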
A distributed service would not be that much harder to censor than a centralized one. See this comment by Joshua Lund:
>It's trivial to block several distributed hosts simultaneously. An aspiring censor would simply find the most common federated endpoints for a given service and block all of them. Only the users of that software would be affected. There wouldn't be any collateral damage.
>
>If the censors somehow didn't hit every single worthwhile federated endpoint, users would still be left wondering why they couldn't communicate with most of their friends. Moving between federated hosts would also necessitate an entirely new identifier, so users would need to rebuild their social graph again.
>
>In addition to being ineffective against censorship, there are several other properties and trade-offs that make federation a difficult proposition for an application like Signal: https://signal.org/blog/the-ecosystem-is-moving/
This is not at all accurate. Signal wasn't cracked; Cellebrite has the ability to read messages off your device. Protip: e2e encryption, what Signal provides, isn't enough to protect your data from people, you also need to either encrypt it at rest, or get rid of it.
Just to make them remember not to spread this kind of FUD, Moxie followed up and virtually kicked them in the balls:
The problem is making changes to the protocol(s) going forward. From the 2016 post Reflections: the ecosystem is moving, and making a comparison to XMPP:
> Like any federated protocol, extensions don’t mean much unless everyone applies them, and that’s an almost impossible task in a truly federated landscape. What we have instead is a complicated morass of XEPs that aren’t consistently applied anywhere. The implications of that are severe, because someone’s choice to use an XMPP client or server that doesn’t support video or some other arbitrary feature doesn’t only affect them, it affects everyone who tries to communicate with them. It creates a climate of uncertainty, never knowing whether things will work or not. In the consumer space, fractured client support is often worse than no client support at all, because consistency is incredibly important for creating a compelling user experience.
(emphasis mine). But the whole post is worth reading to get the general rationale behind quite a few of the decisions about the Signal architecture.
Picking up on signals and personal data: switch to Signal now (more privacy-friendly than Telegram)
Use Signal or Wickr for sending messages or files you don't want saved on a server owned by Facebook or Microsoft forever.
https://www.wickr.com/personal/
Set the time for messages to expire in either rather than use whatsapp or fb messenger.
you love to see it.
Here's the article from Signal: https://signal.org/blog/cellebrite-vulnerabilities/ The paragraph at the bottom is the fun one.
> The completely unrelated
>
> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
I don't think it's one or the other. Matrix has important features for workplaces that more closely reflect email and Slack, Mattermost, etc., but doesn't have the easy user experience that is absolutely critical for something to replace iMessage, Google Messages, WhatsApp, etc. I think federated services will soon compete with Slack and its clones in market share, but Matrix is not trying to solve the same problem as Signal. Something like Signal, pragmatically speaking, needs to be centralised.
Regarding phone numbers, Signal seems to be working toward removing that dependency: "like addressing that isn’t based on phone numbers and chatting with contacts that aren’t saved in an address book".
I'm fine with it being centralized. Moxie has his reasons to keep it this way. What I am extremely hesitant about is the requirement of a phone number. No system will ever be privacy friendly if it has a phone number as a requirement for anything.
Yeah I do wonder why they do that. Maybe it's part of the "handshake" it does to start the encryption process to make it more of a behind the scenes operation than sending an sms as your first message and explaining why it's doing that.
Idk if you have seen this yet but it was something that boosted my faith in how secure it is. Combine that with the fact that it's open source and everyone on the internet would love to tear them to pieces if they could find fishy stuff leads me to trusting them way more than Facebook.
> Is this something to be worried about?
Not really, provided you trust how Signal handles things. And if not, then you shouldn't use Signal regardless of if they use Giphy or not.
> The Signal service essentially acts as a VPN for GIPHY traffic: the Signal service knows who you are, but not what you’re searching for or selecting. The GIPHY API service sees the search term, but not who you are. https://signal.org/blog/giphy-experiment/
The owner will need to get an exception from the Terms of Service that prohibit "sending illegal or impermissible communications such as bulk messaging, auto-messaging", and any other applicable terms. They should have read the terms before starting such a service.
>Is Signal safe?
>
>No, Cellebrite cannot ‘break Signal encryption.’
The answer to this question should be yes, and the Cellebrite issue should be its own thing to prevent confusion.
If you allow your communication to be spied on, then maybe you are the one (at least partially) at fault. We shouldn't be ASKING for privacy, we should be enforcing it ourselves, we can all do this in 30 seconds...
The article provides a decent TL;DR
>With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
>
>We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited. If you’d like to help, we’re hiring.
>
>In the meantime, the censors in these countries will have (at least temporarily) achieved their goals.
First of all thank you! The contribution to the EFF is awesome. Since privacy is under attack globally more donations to FOSS organizations with a focus on privacy and security can go a long way for mainstream citizens. One recommendation I have would be to donate to OpenWhisper Systems.
Moxie and team have been changing our secure communications for the better over the years and I would love to see a large boost in development around both the Signal protocol and Noise protocol framework. We all win with open privacy technology of the like!
Thanks again for your generosity.
Unfortunately, there is currently no way for the server to know if a user has uninstalled Signal.
Your friend's account will eventually be deactivated, but only if they haven't connected to the server in an entire year. If you don't want to wait an entire year, ask your friend to unregister:
I think that's probably one of the main reasons for why it's taking them so long to implement that feature. The obvious solution is to route everything through a proxy so that Signal users' IP addresses aren't leaked, but then the issue becomes, how can we be sure that the proxy isn't logging any traffic? Signal's developers have said:
>We simply don’t want people to have to trust us. That’s not what privacy is about.
They are now working on a system that will let people independently verify that the Signal contact discovery service is running the exact same code that they've published on GitHub and nothing else. I think they might be able to use that same approach to also run a verifiably non-logging proxy for link previews.
They also have the last day you contacted the server.
OP, you can verify what information they have by looking at Signal’s responses to subpoenas they have received.
I interpreted it as "[Having the ads published] was never their goal. It was about getting publicity [from them being rejected]" due to how much conversation has been generated about the topic since.
This got posted many places on reddit, for example.
Just an FYI. While Telegram is better than WhatsApp (it isn’t under the FB umbrella) it isn’t perfect either, it's far from private and isn’t encrypted end to end (meaning Telegram can see what you say). Also, under GDPR regulations WhatsApp’s changes won't affect us here in Europe the same way they will for others in the US.
For a privacy-oriented chat platform you should check Signal (here’s more info and also over at r/privacy)
In case you haven't donated yet, imo the guys at Signal have earned some coffee or a few pizzas for the pile of work they have atm to get everything running again :-) https://signal.org/donate/ ...and an additional per-month donation will surely do some good concerning the exploding user-base they currently have. Would be nice if they get out of this server issue not only better in terms of technical but also financial stability.
Your contact probably had Signal installed and then deleted the app off his phone without unregistering their account. Have your friend go to this link, they'll get a text message with a code and they'll have to enter the code on this site.
Signal does voice and video, indeed. It works on Android and iOS and Linux and Windows and MacOS: https://signal.org/download/
Alternatively, Wire (which also does text, voice, and video and has cute things like drawing) also has an Android and iOS client, as well as macOS, Windows, (experimental Linux) and browser clients: https://wire.com/en/download/
Both are free, secure, and open source.
>That and Signal for Android relies on Google Play Services, which for any mobile phone that doesn't have Gapps, means it will not work.
Actually, the Signal Android client has not relied on Google Play Services since March. I've used it on a phone that doesn't include Gapps, and both messaging and calling have worked fine. If your device does not include the Google Play Store, you can download the official APK here: https://signal.org/android/apk/
Edit: Cut some cruft.
Edit 2: In case you see a notification complaining about the lack of Google Play Services: The app will show that notification if your device included GPS when you registered on Signal and you later decided to disable or remove GPS. At that point, you just need to re-register and the app should fall back on WebSockets.
This is exactly what Apple intends to happen - annoy you into getting an iPhone. It's bullshit.
I like to try to get my people to use Signal. It's very similar to iMessage (so it's familiar to iOS people), and it works cross platform. It also has the reactions so they can continue to do that and it'll work on your end too.
Switch to Signal: https://signal.org/install
They have many vulnerabilities which they refuse to disclose to be fixed because their business model requires leaving millions of devices vulnerable. Here's a rundown of how they do things and a post about Signal's founder finding vulnerabilities in Cellebrite's software which can corrupt the results and make their tools useless. Hopefully that's enough to prove their data is unreliable and therefore not admissible in court.
https://sites.google.com/site/endpointforensics/how-cellebrite-works
https://signal.org/blog/cellebrite-vulnerabilities/
>Cellebrite makes software to automate physically extracting and indexing data from mobile devices.
>[...]
>Their products have often been linked to the persecution of imprisoned journalists and activists around the world
>[...]
>we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
>For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at rando
>[...]
>In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.
Meanwhile, at Signal: https://signal.org/bigbrother/central-california-grand-jury/
> TL;DR: The United States Attorney's Office for the Central District of California subpoenas Signal to provide documents on the information they hold about certain users. Signal replies that they only know the account creation date and the date of the last connection to the service. That's all.
Here's a tip - in an internet full of fifth hand articles by sites seeking traffic, always post the original source when you can. This is linked to at the bottom of the article you shared.