They may be sponsored by the US Government, or by cryptographers with ties to the government.

https://thebaffler.com/salvos/the-crypto-keepers-levine

It’s a long read, but it’s quite good. Here’s a snippet to whet your palate where he describes some of the prominent people behind these projects:

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

For context: I have become very interested in the debate among users of apps such as Telegram, Signal, Threema, etc… and I know that many people claim that Signal is the very best among all of them, but there’s something really sketchy about its location (US based) and the fact that the government can force anyone to comply with their orders and forbid them from telling anyone about it via gag orders (see Durov’s comments on this: https://t.me/durov/59).

Both are fascinating reads, and certainly help me appreciate platforms like Telegram and Threema even more. Regarding Threema, today they posted a comparison between their app and the competition, and found this interesting tidbit regarding Signal:

https://threema.ch/en/blog/posts/messenger-comparison-2021

Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US company, Signal is also subject to the CLOUD Act, which entitles US authorities to access data from IT service providers that are based in the US.

Also: I just learned that FB spends millions of dollars every year on marketing and trying to influence people to not use platforms such as Telegram.

  • ☆ Yσɠƚԋσʂ ☆@lemmygrad.ml (14 up, 2 down) · 4 years ago

    The thing to remember is that cryptography is very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.

    Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.

      • ☆ Yσɠƚԋσʂ ☆@lemmygrad.ml (9 up) · 4 years ago

        Yeah exactly, if you know a specific exploit then it’s not that hard to design the system in a way that looks innocuous, while being compromised. Without knowing the nature of the exploit it can be incredibly difficult for a third party to find it.

  • riccardo (12 up) · edited · 4 years ago

    I appreciate that we are discussing this. Although Signal is what every cryptographer is suggesting to use, the fact that it is a company based in the US has always overly bugged me. Also considering that, as a non-profit, in its early days the government funded a considerable part of its development.

    From a privacy point of view, though, I wouldn’t suggest using Telegram over it. I strongly believe Durov is driven by the right principles and that he would rather shut everything down and throw the servers into a volcano instead of sharing his users’ data with governments or mining them for advertisers, but Telegram is still vulnerable to hacks and data breaches and I wouldn’t like my data to appear in some torrent zip if shit happens.

    I’m trying to move friends and family to Signal, but just because Threema and Element are not free (as in “free beer” of course) or as user-friendly as Signal is. The chats I’m unable to move will stay on Telegram. The chats I do not really care about that much will stay on WhatsApp. As of today (and after an effort that has been lasting for almost a year), I’ve been able to move a three-people group chat to Signal (plus some friends have it installed on their phone so I can write them there). I like to take part in discussions about messengers too (because it’s effectively the app that most people can’t really live without - messaging apps are the heart of our social life), but these discussions are only theoretical to me because once I have to log off and try to actually move my circles somewhere, I have to face the harsh reality and clash with a number of social and educational obstacles that are really hard to overcome. So I end up resorting to the same cheap arguments such as “Telegram has a ton of cool stuff, let’s move our chat there” and “Signal has the same functions as WhatsApp but at least it’s not Facebook, we should try it out” and the ethical aspect completely fades out. And (with Signal in particular) the chat will move back to WhatsApp as soon as we have to add a new member I haven’t been able to “brainwash” with my propaganda /rant

    So after writing these paragraphs, I’ve only now noticed that the article you’ve linked is something that Durov used to share often a few years ago on Twitter and on Telegram. Yes, the story is actually quite creepy, it almost sounds like a novel. I actually believe he might have romanticized it a little bit, to be honest, but at least it explains why he’s so opposed to anything that comes from the US. He recently said he doesn’t actually care about how much Telegram is gaining in popularity in the US after the recent (current) surge in global downloads lol

    • kitsunekunOP (3 up) · 4 years ago

      Yeah, I think it’s important to point out that I’m not saying that Signal is a bad app or that it doesn’t do what it claims it does. But when it comes to who’s funding these projects, it matters a lot. In contrast, look at Telegram, whose main backer is a libertarian semi-anarchist billionaire. He’s been backing the entire operation for a long time now, although they will move into using ads and offering plus services to make it self-sustainable in the future. On that front, I trust Durov more than I would trust Signal coders and people affiliated with the project who, in turn, have ties to the feds in the USA. So all in all, at least in my case, I will be sticking to Threema and Telegram for the foreseeable future.

      • poVoq (2 up, 1 down) · edited · 2 years ago

        deleted by creator

        • kitsunekunOP (1 up) · 4 years ago

          Yes, the same applies for example to Proton VPN/Mail. It makes me wonder sometimes, but Proton VPN being in Switzerland does help them quell some skepticism for sure.

  • PyotrGrowpotkin (7 up) · 4 years ago

    The more I try to understand this the clearer it seems that XMPP/jabber is still really the king of the hill here.

  • oriond (7 up, 1 down) · 4 years ago

    Too bad it does not have an F-Droid version. I would have installed it otherwise.

      • lelgenio (2 up) · 4 years ago

        Is it even possible to find this URL on the website?
        I go to signal.org/download, search for APK, find nothing.
        Clicking on “Android” opens a new tab with the Google Play Store and closes the signal.org tab. Come on, the developer cannot be serious!

  • poVoq (5 up, 1 down) · edited · 2 years ago

    deleted by creator

  • oriond (4 up, 1 down) · edited · 4 years ago

    It has always created a conflict for me, the fact that Signal is open source and yet there are no forks out there. You would think someone would come up with a fork outside the US or something.

    Sometimes I have even thought that Signal may be a social engineering effort from the NSA, or some three-letter agency, to bring in and spy on all the “people that have something to hide”. I mean, wouldn’t it be brilliant?

    Besides, on any centralized service, you never know that they are actually running the published “open source” code and not a modified one.

    For security, I would go to Matrix in a self hosted server.

    *Edit: minor typos

      • nutomicA (10 up, 1 down) · 4 years ago

        The reason there are no big third-party clients is that the devs don’t want to have to deal with bugs in third-party clients, maintaining API stability, etc… Also, a bad implementation could potentially lead to compromising the security of the people using it.

        That is no reason to prohibit f-droid.org from compiling Signal from source and distributing it. That point alone is very suspicious to me.

        The whole point of Signal is that everything is E2EE, so you don’t even have to trust the server.

        You have to trust the Google Play server that the Signal apk it sends is actually built from the published source code.
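The check that last point calls for can be done with a reproducible build: rebuild the APK from the published source and compare it entry by entry with the store-distributed copy, ignoring only the signing files under META-INF (which legitimately differ). The following is an added example, not code from the thread or from the Signal project; the sample APKs are constructed in memory and the entry-level comparison is a general one, not tied to any particular app.

```python
import hashlib
import io
import zipfile

# Signing artefacts legitimately differ between a store-signed APK and a
# local rebuild; every other entry must match byte for byte.
SIGNING_PREFIX = "META-INF/"
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signing_entry(name: str) -> bool:
    return name.startswith(SIGNING_PREFIX) and name.endswith(SIGNING_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every non-signing zip entry to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(distributed: bytes, rebuilt: bytes) -> list:
    """Return the entries that differ or exist on one side only, sorted."""
    a, b = entry_digests(distributed), entry_digests(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the store copy carries a different signature (expected);
# the tampered copy additionally ships a different classes.dex.
STORE_APK = make_apk({"classes.dex": b"dex-A", "res/a.xml": b"<x/>",
                      "META-INF/CERT.RSA": b"store", "META-INF/CERT.SF": b"s"})
LOCAL_APK = make_apk({"classes.dex": b"dex-A", "res/a.xml": b"<x/>",
                      "META-INF/CERT.RSA": b"local", "META-INF/CERT.SF": b"l"})
TAMPERED_APK = make_apk({"classes.dex": b"dex-B", "res/a.xml": b"<x/>",
                         "META-INF/CERT.RSA": b"store", "META-INF/CERT.SF": b"s"})

if __name__ == "__main__":
    print("store vs local:", apk_diff(STORE_APK, LOCAL_APK) or "identical")
    print("tampered vs local:", apk_diff(TAMPERED_APK, LOCAL_APK))
```

Modern APK v2/v3 signatures live in a signing block outside the zip entries, so they never show up in this entry list; the v1 signing files under META-INF are the only ones that need to be excluded.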

  • fidibus@lemmy.161.social (3 up) · 4 years ago

    Why is everyone hating on Signal and not on TOR, for example, which has many of the same problems but obv also still is the best solution we have?

    • kitsunekunOP (2 up) · 4 years ago

      I’m not sure that Signal is the best solution as you say, but it is a solution with hopefully more to come.

  • freedomenjoyer@sh.itjust.works (2 up) · 1 year ago

    Signal has not been able to provide the US gov with personal data, as they only store the date of account creation and a Signal ID number. Look at how Signal handles these information requests right now.

    • jet@hackertalks.com (4 up) · 1 year ago

      You’re totally right. Signal has demonstrated it’s foolproof against US courts. But perhaps not against security agencies. Signal stores private keys in the cloud, relying on SGX extensions to keep them from being trivially broken. Signal could be compromised, SGX could be compromised, something we don’t realize in that supply chain could be compromised. So it could just be a long-term honeypot. But if your threat model does not include the US security apparatus, you’re fine.