What's your take? Do you think I'm letting Proton and Signal off the hook here? Leave your opinion here and let's discuss. Then make sure to watch my video on the 12 Privacy & Security tools I use EVERY DAY: th-cam.com/video/XNOAOQktG6U/w-d-xo.html
4:48 yeah, a proponent of censorship, looks bad… Not sure what “apparent” intelligence connections means, but paired with supporting censorship, could be really bad. “Free service” has tended to mean we, (our data) is the product.
@@TrggrWarning Agreed. Sure, the code is the code, but Signal's leadership were the ones who decided that phone number are still required. Signal has a huge trust problem. Also, Durov has a valid point: Signal doesn't have reproducible builds on iOS. Telegram does. And Meredith Whittaker, who worked 10 years for Google before she realized that surveillance capitalism is a problem, lies about this and claims that Apple prevents Signal from having reproducible builds.
I agree that criticism from anyone regarding a widely used e2ee protocol ought to be corroborated by evidence. But then again, much of the criticism on Telegram relies on its protocol, mtproto, being "homebrew", or the company founder being Russian, or its creators not being world-famous cryptographers. A few minor flaws on Telegram have been proven in the past, they were acknowledged and readily patched by Telegram, and bounties paid. It's not as technically secure or private as Signal, to be sure, but I think Telegram has another paradigm and focuses on a different risk profile. It's much more like Discord, and way better in every respect.
The rumours that fly around online about supposedly dodgy applications can sometimes be instigated by the government whenever it decides it doesn't fit in with their agenda for control......no privacy allowed. I think we need to do some research of our own before deciding which applications are safe to use, and not rely too much on hearsay, as well as ensuring that we set up and use our systems with the best possible security and privacy.
There have been multiple* court cases where law enforcement agencies submitted a subpeona to signal. And signal replied "Sorry, we have no data" If it were a front for the US govt the result SHOULD be different. HOWEVER if enough people were made to believe that Signal was insecure, they might abandon an actual secure platform.
And as it's said, the security is only as good as the user. If you're messaging someone on Signal and that person gets arrested and that person gives up their code to get into the app, then all your messages are there if they don't delete them or aren't on a timer. It's the same thing with iMessage; it's end to end encrypted, but once someone has the passcode to your phone, it doesn't really matter anymore.
This is what so many people don't seem to understand, a company HAS to hand over data asked of them by law otherwise they will get shut down and possibly get employees jailed. You have to minimise what data you give to ANY service.
one of the things that can end this is, for example, a law that the EU wants to approve, which prohibits encrypted communication, so services like Proton and the like could have a serious problem :/ of course, there are a lot of other options, but every other option takes away "comfort"
Hello, I studied the protocol behind Signal, and it's ignorant to say that Signal is insecure. It uses edge technology when it comes to cryptography. It will be BIG BIG news if it's broken by someone.
Which company created the encryption libraries? I always trusted Signal because Snowden promoted it as a save communication tool. But once someone replied to me stating this me that the libraries used were not to be trusted.
Personally I still use Proton and have for over a year now. In my case it is because I wanted a service with a good reputation and does not have any notable security issues. I also take into account that the level of security of my account is truly on me not Proton. Proton provides the service and Proton is a Swiss owned company. If you want something secure, it is YOUR job to make it secure over the provider.
@@OH2023-cj9ifBeing headquartered in Switzerland means they are protected by Swiss laws, and Switzerland has some of the most privacy focused consumer protection laws in the world.
@@1AEGISI saw them too and it comes down to growing pains. You have to look at the dates of the reviews, you have to look at things with a more neutral point of view, and you also have to be willing to take a risk. I have been going on 3 years and Iove their services and I am glad I did.
I appreciate you talking about the big picture instead of being emotional and reactive like so many tend to be. I'm still going to use Proton. I'd also like to have people ask themselves one thing. If you're abandoning Proton due to fear of security, who exactly are you switching to? Proton is still the best available without making your own email server and making sure everything is encrypted with nothing overlooked in terms of security. Instead of freaking out and shooting yourself in the foot, think through what you're going to do, be reasonable and rational and then make your decisions.
Well even if you self host a secure service. If the gov asks you to hand over data, you either comply or go to jail and get your servers taken by force. So.... yeah... let's be reasonable here.
I've been using Proton services for a while now and I must say this is the only company which provides both anonymity and convenience at there highest levels.
Great video! Especially the last part where you state the obvious fact - something that most people in this always online world fail to realise - don't share every damn part of your life with the rest of the world.
@@AllThingsSecured I don't remember where I read it but a while back I saw someone posting something like this: "the Internet is down at the moment so I went out into the real world. Here I'm shouting to everyone I see how I'm feeling, what I just did, what I got for breakfast and so on. So far it's going great - I've already got three followers, a doctor from a psych ward and two police officers".
@@henrik2117hilarious and so true but I'm concerned that the US wouldn't be able to care for homeless influencers if the Internet ever really did break
Given the open source nature of Signal I have a feeling that IF somebody's Signal messages were compromised and used against them in court, it wasn't because of a flaw in Signal, but because they made some other mistake with their OPSEC. Perhaps their device, or the device of the person they were talking to, was infected with some sort of malware that could read the messages after they arrived on the device. End-to-end encryption only means from one end to the other, but the messages have to be decrypted once they arrive on a device or else they couldn't be read, so malware running locally on the device could potentially read them. It's also possible, though less likely that they managed to add a device to somebody's Signal account and they didn't notice it because they don't regularly check which devices are authorized to send/receive messages for that account. With how modern encryption works, it's much easier to trick somebody into installing a piece of malware than it is to break the encryption.
It's not as opensource as you think some years back a fork called librasignal appeared which removed a dependency on some Google services components which some folks felt could reveal metadata. The client was banned from the signal servers due to 'load concerns' the authors of the fork offered to run and pay for their own servers if they could federated onto the signal network, federation was expressly denied as it would limit the speed of new features. This is documented in github issues on the signal client. Last time I looked certain backend components are not opensourced (admittedly several years ago) so I do not believe its possible to run a parallel network. I still use signal, as that's certain friends comm tool of choice. I'm just pointing out this wouldn't be the first 'smell' around signal, and as per the video practice opsec. One final thought how do we know the apk from the Google store is built from the public code?
This was Tucker Carlson's issue, they got to his private signal messages through his phone's vulnerabilities (possibly deliberate) not through Signal itself.
I know I'm late to this discussion, but having the contents of your device used against you (and accounting for poor opsec as mentioned in the video) is very common. If they haven't already taken your device, you often have to give it up for discovery purposes (US). They've got your device. They've got access to your data.
Signal is open source and has gone through several law suits. Proton is very similar in that the law suits it is gone though proves that they will only give over what they keep, which is nothing. This is very similar to Private internet access.
This only applies to VPN. Everything on there web servers, mail servers, and database servers is logged. You can access Proton's website through tor. But, you can no longer create a proton account through tor which means the account is linked to you. Personally, the only VPN I trust is Mullvad.
@@imFruzzythis argument holds very little water. The tour project used to get DOD funding but they are very clearly not a Honeypot. There has been plenty of actual court cases that have proved that the US government cannot abuse that Network in fact, the US government uses Tor and I'm pretty certain the same situation exists with the EU and proton. The EU probably pays proton a little bit of money because the EU uses proton. Also saying that proton is funded by the EU is a little bit stupid because proton is not a donation-driven company. They are funded by their users. They may have gotten a few EU grants, but that's very different from being funded by the EU
Proton yeah, but Signal is open source I've looked at the code myself, your data is 100% safe, because Signal by design is made so that the company (even if it wanted) can't access any of your data except for your number (which the person requesting your data already needs) and account creation date.
Github code may be secure but if you take closer look in 0:18, it says Signal doesn't allow researchers to verify the app deployed in iPhone is the same as the code in Github 😅
@@NomadKev it's a claim based on no evidence, I also say the US bank was compromised. People seem to forget Signal is competition to Telegram, he has everything to win by saying that baseless claim.
It amuses me how people seem to be worried that Proton provided an email address in response to a court order and yet didn't seem to care about the subsequent apprehension of a terrorist 🤔 I also saw a TH-camr recently bemoaning the fact that Proton do NOT mine and analyse your emails so that they can serve targetted ads 🤦🏻♂ Thank you Josh for being a voice of reason in an increasingly crazy world!
So Proton only provides email addresses of terrorists & draws the line on “for targeted ads” scanning. Folks pay for some of their products, which helps everyone bypass ads. Also, for a good percentage of users are “free” which tends to mean they, their data, is still the product. So, your phrasing leaves a lot to the imagination, providing email addressees, merely addresses? Sure seems pointless. If they are scanning, but NOT for ad placement, why? To find email addresses of terrorists? Lol wat?
@AllThingsSecured read his comment again more carefully. You're misinterpreting what he said about scanning. He's not claiming that proton scans emails. He was referring to how crazy it was... that he saw somebody complaining about Proton not scanning emails.
If your goal is to hide from government then using any of these services is not enough because they are legally compelled to hand your data over. If your goal is to protect yourself from other kinds of threats then absolutely use these services.
When we know that Google and Apple llisten to every conversation we have within range of a mobile device, and without our consent. , I'd say it's never been more incumbent on the public to be aware and act to protect against handing them too much power.
When will people stop trying to make email private? NEVER send or receive sensitive information over email. If you need to send documents, send links over email that require authentication. You'll notice that any bank ever will not send statements over email: it's not secure. Never was, and never will be.
Thank you for making this video. The message here isn't letting these vendors off the hook; it's a reality check for the digital frontier as a whole. More specifically "due process". It's the only 'real' sense of security we need to focus on, "did an agency use due process?" But also (and more importantly) are software vendors 'only' providing information under circumstances of due process? As a systems administrator, I applaud the message of User responsibilities and as a personal privacy advocate, I salute the message of due process. Fear mongering and baseless accusations run rampant over social media outlets as it is. Thank you for providing a voice of reason and a means of laying a basic framework of the legal challenges.
The reality is this: If you are online, there is no way to be completely secure from online threats. Proton and Signal give you better tools to safeguard your privacy than others, by a significant margin. They are still however online. It took a multi-national government order with proof of terrorism to just get the recovery email address. If that isn't secure, then what is? Well created video, thanks for sharing.
Rather than give up, collectively it's improtant we make it as difficult as possible. They are few we many. They may have the keys to the citadel, (you can tell i am not techie!), but it beocmes a lot harder to get in when virtually everyone is trying to hold them at bay. It's aboujt protecting privacy from big government and big tech collusion. It's not about "I'm alraight, Jack , I have nothing to hide "
Couldn’t agree with you more. There are a lot false information on the internet creating FUD. Be smart, question everything and do the research if you have to!
I keep seeing not only news but messages from friends and other acquaintances in Linux and privacy communities that keep propagating a lot of these conspiracies. I agree most of the time that people are not just doing their jobs in the security field right. Thanks for going over them in such a manner! 🤩
People should always be finding sources and verifying. Seems like if people even see something at all that they just share it without validity as a thought at all even afterthought. I mean its ridiculous. On the other end not everything can be verified so i dont believe only speaking about verified stuff especially with the ACT checkers... People need to look at who would benefit from each thing... Possible motives... Credibility... Then it could be clearly seen when people are being put in a situation to discredit themselves and others in the long term by not considering these things. The long term is more important.
Well reporeted, Josh! I can’t count on my fingers, toes, and other appendages how many people I have to educate that software is not a cure-all. It takes human intervention and understanding for it to work 99.9999% of the time.
One thing that I feel like people never mention is the extensive list of terms and conditions for iOS & Android, considering that’s where proton and signal appear to be used the most. Although signal and proton themselves may never store any information, how are we suppose to feel secure in the fact that the operating system we’re running these apps off of aren’t spying on us equally as bad as people would fear one of these messaging apps would? I’m curious for your take on that
well, that's exactly the point. If your threat model includes big govt/big tech, using a proprietary mainstream OS already invalidates every action you take further - which was more or less confirmed in 2013 by Ed and hasn't changed since, more or less gotten worse. Everything you do in that OS can and is being recorded, the OS can take and does make screenshots for example. Some people don't realize this, but as long as you don't know what the OS underneath is doing, no E2EE, Signal or Protonmail is gonna help. These solutions only make sense if the threat model is 3rd parties and ad companies.
@@PvtAnonymous makes sense, but in that case signal shouldn’t make itself seem “encrypted” because if the operating system can and does use the info you type then it may as well not be encrypted, I personally don’t give a damn about ad traffic or anything along those lines, the entire point of using signal is for encrypted messaging, which if that’s undoable via a normal Android/iphone shouldn’t be available on the App Store/play store
@@WaturDzn for an app to work like that you'd never be able to read anything except the encrypted data and would have to manually run the decryption math by hand to get the message. If you want anything other than a long hash string to appear on your device screen it needs to be decrypted and stored somewhere on your device to do so
Proton might still be able to support recovery email without storing it in plain text - same what's done for passwords, i.e. just to hash it and store the hash. Then when you need to recover, you'd have to provide the same recovery mail address and it would only be allowed if the hashes match.
Your title is borderline clickbait. It comes off as "You should stop using it" not "Should you stop using it". All falls on personal OpSec, as you mentioned.
7:03 Excellent video! I'm glad you included that second part, _don't _*_send_*_ comprising pictures,_ because people shouldn't be shamed for taking compromising pictures of themselves. Don't get me wrong, I advise my friends and family against it, especially women, but I wouldn't shame them for it. On a related note, I have personally always wanted to journal. I've always wanted to have a place where I could write my most intimate thoughts. Preferably on a secure digital journal, because I've had bad experiences as a kid with the security of physical journals. But most journaling apps don't have end-to-end encryption, which is why I have never done it. I don't want to keep everything in my head because writing can be really cathartic. It can help people heal.
You could just write your journal using a local app on your laptop and make sure the drive is encrypted. Or there are ways to create encrypted "files" which can contain multiple files, folders, etc. You decrypt it, update your journal, and re-encrypt it.
@@Ck87JF I hear you, but in terms of UI & UX it's not practical. I want a specific app designed for journaling. And those exist, but they're not end-to-end encrypted (E2EE). I have heard of DayOne, which is a promising E2EE journaling app, but they are not natively E2EE so I have some reservations. That said, the biggest hurdle for this magnificent app is that it's only available for Mac and I use Windows. They said they are working on a Windows app though, but I suspect that will take forever as they seem more dedicated to Mac users.
The same people complaining about companies legally being required to hand over data they have are here in a TH-cam channels comment section… a Google app.
I believe in the case of Signal, it was an OS level zero-day that allowed the attacker to add a hidden member to a chat, turning it into a "group" chat. Encryption wasn't broken or backdoored, the chat key was just shared with a hidden third party.
How many people review the open source code, and then compile it themselves? If not, how do you know the installed code matches the open source version?
Good job on this video! You eliminated all the diagrams or explanations for HOW these 2 companies encrypt your data, reducing or eliminating unnecessary confusion in order to make your larger points. You made the whole video accessible to a consumer level audience, The exact group who do not know how to evaluate the accusatory assaults made by telegram or by privacy advocates objecting to there being any form of legal compliance with the country you're operating in. Good choices, resulting in very easy to understand video about something very important and critical.
Unless I suddenly need to run from the law, these particular things don't really worry me too much. Yes, if Proton was hacked, they could see my recovery email, but I have a strong password and use security keys to sign in to my account. I am still learning how to become better at cyber security (my anxiety suddnely made me hyper aware of it). While I am very concerned about privacy, I would want law enforcement to be able to find a dangerous criminal.
I don't think your privacy has to connect in any way to law enforcement finding a dangerous criminal. It's simply how we handle our own data, not expecting a company to do everything for us.
I don't know about Proton, but as far as I can tell, Signals protocol is sound. I spent some time developing my own XMPP Server and Signal afaik is based on XMPP with an extension that enables encryption. They made that extension themselves and published an extensive paper on it and it was analyzed by experts many times and it seems to hold really well. It's a really nice double ratchet encryption scheme with a chain of keys, so even cracking one key doesn't give you the entire conversation, just one little piece of it before the key got rotated. So unless AES-256 in CBC and #7 padding is actually cracked completely, it's practically impossible to crack any conversation using this mechanism
The thing about them being open source is that while we do have access to a source code, we don’t necessarily know that’s the exact same code that was compiled and is being run on the servers. This is just one of the many flaw that makes people over trust open source for security reasons. Unless they let people do on the spot disassembly of the running process to see if those binaries are a match to the source code you can’t be sure. You may believe they’re running vanilla while they are actually running version b that doesn’t really encrypt stuff.
Great video! I would love to see a video on how we can develop habits for using the internet and social media in a safe and responsible way. It would be really helpful to get some tips on protecting our privacy and avoiding common online risks. Thanks for all your awesome content!
Proton has just disclosed a user's IP address to the Swiss police, which was used to get its identity. Using Proton doesn't give you better privacy or security than any other regular email provider over Tor.
In the video, you brought up the point about being careful of what recovery email you specify. If the recovery email is from iCloud or Microsoft or Google, then I understand the point that the authorities will have to hand any email id to the authorities. What if it was another Proton email account itself?
Simply have two accounts take one message off to the SD card, move it to a different computer and send it on. Just use divide and be secure... What You Mum said just do not put all the eggs in one basket... Signal and proton are easy to use and better also mean more complicated and less useful.
Operational security is what 99.999X% people don't care about. Everyone expects the next person to take care of them, or the next company, but doesn't do anything to make sure they're practising active security.
I forgot this "weak" area and thank you for bringing it up. Assessing Proton via a different IP. I wouldn't think that Proton will disclose this data? I trusted them not to store this data. And this is actually a new good point to keep in mind like many VPNs claiming that even if you do disclose some personal information, it is not stored. Proton could have these policies if they are so Pro privacy, but they do not implement such policies.
Hey Josh, I can't afford a security key, however i have a usb flash drive. Is there's any way I can turn my usb flash drive into a security key? If you can then please make a video on that.
There are 2 majors problem, the error 18 aka between keyboard and chair, and the platform used to access websites or run applications. And in case of anything related to messaging, the same problems on the other counterparts of these exchanges. Put differently one might be the problem, no end-to-end encryption tools.
Hey Josh. I love your videos and have started my own journey online to erase my online identity and public identity in general as much as possible. However, I have been seeing where people are saying that when you file taxes or do anything else that deals with government or some other things that you have to give all aliases used. Is this true even if the fake persona is not used for anything illegal?
Being open source doesn’t mean anything without a guarantee that the code submitted by signal or protonmail to the Apple App Store or Google Play Store is the same exact code that they show the sources code for.
This tends to be because in large drug busts, where smart phones are seized and they are able to get into the Signal account, they can then use those messages in the court cases against the traffickers. This is a example of messages used in court, perfectly legitimate use by the authorities.
Hi I keep getting this message in my Google authenticator "Syncing will continue when your device is online and you refresh your Authenticator codes" I just can't figure out what is the issue. It would be great if you make a video addressing this issue.
Ever since I saw the video from Computerphile about: Elliptic Curve Back Door, I had my doubts about a lot of the encryption we've been using and about how secure they really are.
I really like your channel because most of the time is not time consuming like is always straight to the point but I don’t really like the excessive use of clickbait thumb nails and titles in your recent videos but good video still
I love that you made another great informative video. But what concerns me about 2024 into 2025 is what are we going to about TPU being implemented? I truly hope you have a chance to see these comments and either reply or think about wanting to make a video on this subject. It will absolutely affect E2E. Thanks so much in advance ☺️ 😊
So I have a question: Is there any reason to keep recovery email on if you know you won't lose the password? As in, are there other cases where you could get locked out of your account unless you use a recovery email?
Hi there there first thank you for the amazing content I learn a lot by watching your content I would add that you have to understand the core of the technology you are using. You have to know exactly what happens when you send an email. You have to know how does encryption work. And it’s always evolving so you have to update your knowledge as well. Only there it make sense to choose proton or signal or whatever so it would have been cherry on the cake if you link in the description videos where you talk about the technical aspect of it. I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realises it ?
Well, When you say I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realizes it? open source software has a different code than advertised you could mean let's say the compiled application then yes a compiled version of software could have different code running in the application but you can look at the source code and compiled by source to check what's happening in the application.
About encryption, there are sometimes backdoors built-in, so even if the software itself open-source the choice of some parameters that are supposed to be random on the site where the software is running can heavily jeopardize the encryption strength. So in here we have to trust that Signal and Proton have not allowed external agents to push them to leave some holes that we may not even know about (Crypto AG being the most iconic example, Tetra is another one).
That is correct, but we have to use the tools we are provided, and we have to trust those that are more knowledgeable than us. Simply because building our own secure tools is mostly a braindead idea. No homegrown solution will be as secure and as foolproof as tools created by professionals. I am using both Proton and Signal and I would much rather trust these two companies with minimal (if any) security problems in the past than most other apps that are out there somewhere. And having said that, if there are security problems, they'll most likely stem from my own stupidness or the people I communicate with.
@@stephanhuebner4931 Indeed, I was just reminding that even with open-source software, when it is hosted somewhere there is always uncertainty and one can never be sure 100% of the full confidentiality of the data.
Looks like some people here in the comments think privacy and anonymity are same banana. Unfortunately Josh even with the great clarification you gave there are people that are stubborn with their beliefs where no one can change them
I agree with ya on nearly everything. Except the (Im paraphrasing you here) "its safe cause it's open source". Open source is awesome for that kind of thing. But it means nothing if no one is actually looking at the code in an auditing sense. I am an open source zealot personally, but we need to stop using this point in our arguments unless we can form a security group that is actively doing audits of code. Maybe it could give these projects a "seal of approval" or "security audit passed on..." type of badge of honor.
And also not using encryption by default, giving people a false sense of security because they "have" end-to-end encryption... But the so called "Secret Chat" function only works mobile-to-mobile.
@@blackpurple9163 Besides, isn't Telegram closed source? How can we even verify it's end-to-end? If we try to sniff for the packages sent, they will all be encrypted in transit so it would be very hard to decode to try and find out, especially since they use a proprietary encryption algorithm called MTProto that they won't open source even if they do give a detailed description of how it works (and it was analised by a few people, it has several security flaws too). And the same encryption is used to send regular messages and end-to-end to their servers. We should just assume that they don't have the key to decrypt the secret chats too?
Personally I use Signal - I said as much in the video. Beyond that, it gets really hard to migrate to a new platform AND get all your contacts to do the same.
I have been using signal since 2015. I also use duckduckgo. I never get junk mails nor spam calls. I am very particular about my setting. I don't use yt app but use it through my browser.
Searching for privacy while using third-party networks, devices, or operating systems is essentially wishful thinking. Consider three neighbors living side by side. The first and third neighbors want to have a conversation in their backyards. As they start talking from their respective gardens, the second neighbor, situated in the middle, can always hear their conversation. This analogy illustrates the basic principle: you can build a temporary communication channel (like a pipe) for the neighbors to talk privately, but this pipe must be entirely your own construction, not provided by services like NordVPN or OpenVPN. Once people grasp this concept, the issue becomes clearer. As long as you rely on third-party systems, true privacy is unattainable, which is the case for 99% of users. Genuine privacy is nearly impossible in these scenarios. If you truly desire privacy, consider having face-to-face conversations, perhaps during a walk in nature or while swimming.
The send and deliver info can be encrypted if both accounts work with the same protocols. It probably requires each account to run its own instance of decryptors and receive larger chunks than what's meant for them and process with its own decryption keys then discard what is still cyphered.
No surprise for me, for privacy I have my own ejabberd server and also a matrix server. Both work like a charm if you know how to proper configure them. Cheers!
Just a version of a software is open-source does not imply that the version you are downloading from their website or app-store is the same version, unless you are downloading the open source code and building it from the source, there is always risk.
Dude you're using an Iphone and asking this question? You could ask the same question about IOS don't you know IOS is proprietary? and the bootloader for iPhone is locked? Why are you using an iPhone if you care about privacy.
There are 2 fundamental points on Proton: (1) Even if you use a VPN or TOR whenever you access Proton's website to configure or read emails ... as soon as you run one of their apps, e.g. ProtonVPN or Proton Drive as local app on your machine ... Proton will automatically get your IP address (unless you additionally use TOR or onion service) Isn't it? (2) Most people think, that Proton or Signal have no possibility to get your private key, which is used for their end-to-end encryption, but it could be easily sent encrypted... and whether this actually is done or not... fully relies on how well their Open Source code is audited in this regard, isn't it?
Great video. People now days react with the first thing they hear without looking at all aspects. Is mind boggling how the truth can be misconstructed these days.
Naomi Wu did a very good breakdown of why Signal isn't a secure app, before she got vanned by the Chinese government for talking too much. In fact it was probably her discovering and making public those vulnerabilities that led directly to her vanning.
I love that Telegram tries to shit on Signal but doesn't really support end-to-end encryption apart from maybe direct chats... but even that encryption gets shit on by security research regularly
If you know you are going into nefarious activities, you must already understand your communications pathways are already compromised to various degrees thus you have to practice opsec, comsec and offline encryption one time pads. Nature of the old school operative game, tradecraft.
A one-time pad is an encryption mechanism consisting of combining a stream of key material with the data to encrypt, using a reversible operation; this combination can be very simple, and even doable by hand (without a computer), and still retain security as long as the key material (the "pad") is as long as the data ...Feb 8, 2016
Best security related advice on TH-cam, period. Nothing is black and white, you should build threat models based on what your concerns are and be aware of what you are sharing and who potentially can see it. All this commotion about "proton bad" "telegram bad" "mullvad bad" only has meaning if you understand the weaknesses of each tool and how they apply to your situation. Thank you and have a sub
It seems more likely that signal messages would be revealed by law enforcement getting their hands on a device with Signal on it and then exporting the signal chats, rather than encryption being broken.
Stories like these just let me know what I should avoid, and help me keep in the loop. It also lets me know the lengths authorities have to go if they need your recovery address and and a 3rd party to help them get your data. If anything that's ensuring, and just lets me know that recovery email is flawed to begin with, just like email is flawed and I should use E2EE messaging apps instead of email for sensitive data.
@@AsunaYuukiSAO3 I've been using Linux for months now actually. I made the change because a friend of mine helped me get initially into it, and I started dual booting. Then I stopped dual booting after hearing about Co Pilot and now am an 100% Linux user.
I suggest that the next episode be about the best artificial intelligence services (such as GPT chat and...) that respect user privacy (alternatives to Google Bard)
Does this fact that they give over the data they have also apply for their VPN service? Proton VPN has the encryption keys would they had that over too? i have always praised Proton VPN for being the best free VPN
@@joeking5211 1) They are audited on an annual basis, so it is proven that they don't store data. 2) Swiss law treats email and VPN very differently, no Swiss company is obliged to hand over VPN data, even if they did store them.
It's absolutely silly that people have this notion that private email services will provide you with total anonymity. In my opinion people fear monger when these companies get subpoenaed for information as if Google would not hand over every bit of data they have when asked. If your goal is complete and total anonymity then a subscription based email service clearly isn't going to be a part of your threat model. Or they fundamentally misunderstand what exactly a service like this is supposed to do for you. It's like some of these content creators forget who exactly these products are marketed toward and that's average everyday users who are simply looking for a slightly better alternative to the all seeing eye that is Google and it's web of tech. When you look at these services through that lens Protonmail is fantastic. I appreciate your level headed take about this. Too many fear mongers
when making an email in proton, dont give your real name address and use vpn before creating an email. if something goes wrong, they wouldnt know who you are you are. even choose vpn company wisely
Encryption may be useless with the looming push for client side scanning, MS Recall is a perfect example. Logging keystrokes and taking screenshots being sold as AI, or a convenience utility. I understand it's target on all devices from desktops to mobiles. See Rob Braxman
2 Things: 1. The people who had their "Private Signal Messages" compromised probably had it all on their phone and either the phone was compromised and swiped or the authorities gained physical access to the phone when they arrested the person in question, none of which are signals fault - good OPSEC here would be to not leave signal logged in on your phone. 2. FUD is interesting, I treat FUD as a means and reason to look deeper into claims - false or not, and learn more about the issues they have. FUD has such negative connotations, but really is a great means of criticism and a good reason to improve something - yours or not. Ignoring FUD just proves that a person is both Arrogant and Ignorant.
What's your take? Do you think I'm letting Proton and Signal off the hook here? Leave your opinion here and let's discuss. Then make sure to watch my video on the 12 Privacy & Security tools I use EVERY DAY: th-cam.com/video/XNOAOQktG6U/w-d-xo.html
4:48 yeah, a proponent of censorship, looks bad… Not sure what “apparent” intelligence connections means, but paired with supporting censorship, could be really bad.
“Free service” has tended to mean we, (our data) is the product.
@@TrggrWarning Agreed. Sure, the code is the code, but Signal's leadership were the ones who decided that phone number are still required. Signal has a huge trust problem. Also, Durov has a valid point: Signal doesn't have reproducible builds on iOS. Telegram does. And Meredith Whittaker, who worked 10 years for Google before she realized that surveillance capitalism is a problem, lies about this and claims that Apple prevents Signal from having reproducible builds.
I agree that criticism from anyone regarding a widely used e2ee protocol ought to be corroborated by evidence. But then again, much of the criticism on Telegram relies on its protocol, mtproto, being "homebrew", or the company founder being Russian, or its creators not being world-famous cryptographers.
A few minor flaws on Telegram have been proven in the past, they were acknowledged and readily patched by Telegram, and bounties paid. It's not as technically secure or private as Signal, to be sure, but I think Telegram has another paradigm and focuses on a different risk profile. It's much more like Discord, and way better in every respect.
I'm more concerned about the NSA and Clearview AI, since they've collected the data of almost everyone in the world.
The rumours that fly around online about supposedly dodgy applications can sometimes be instigated by the government whenever it decides it doesn't fit in with their agenda for control......no privacy allowed.
I think we need to do some research of our own before deciding which applications are safe to use, and not rely too much on hearsay, as well as ensuring that we set up and use our systems with the best possible security and privacy.
There have been multiple* court cases where law enforcement agencies submitted a subpeona to signal. And signal replied "Sorry, we have no data" If it were a front for the US govt the result SHOULD be different. HOWEVER if enough people were made to believe that Signal was insecure, they might abandon an actual secure platform.
That makes sense.
@@JohnTurner313 the fact it is open source says otherwise.
Only the client unfortunately
how about Signal handling messages of Tucker Carlson to the alphabet agencies? Signal is broken, they all are. Don't be naive.
And as it's said, the security is only as good as the user. If you're messaging someone on Signal and that person gets arrested and that person gives up their code to get into the app, then all your messages are there if they don't delete them or aren't on a timer. It's the same thing with iMessage; it's end to end encrypted, but once someone has the passcode to your phone, it doesn't really matter anymore.
This is what so many people don't seem to understand, a company HAS to hand over data asked of them by law otherwise they will get shut down and possibly get employees jailed. You have to minimise what data you give to ANY service.
Exactly 👏
one of the things that can end this is, for example, a law that the EU wants to approve, which prohibits encrypted communication, so services like Proton and the like could have a serious problem :/ of course, there are a lot of other options, but every other option takes away "comfort"
Lavabit shut down their company rather than give out information
@@matejkuka797are you serious? They got USB-C & now they want to HTTP all the things? 💀
Not so
Hello,
I studied the protocol behind Signal, and it's ignorant to say that Signal is insecure. It uses edge technology when it comes to cryptography. It will be BIG BIG news if it's broken by someone.
no point in breaking it, when key loggers and app monitors send data out from the device
@@ghostrider-be9ekthen every app is insecure
Which company created the encryption libraries? I always trusted Signal because Snowden promoted it as a save communication tool. But once someone replied to me stating this me that the libraries used were not to be trusted.
isn’t it made by the people that also control the particle accelerator?
Personally I still use Proton and have for over a year now. In my case it is because I wanted a service with a good reputation and does not have any notable security issues.
I also take into account that the level of security of my account is truly on me not Proton. Proton provides the service and Proton is a Swiss owned company.
If you want something secure, it is YOUR job to make it secure over the provider.
💯🙌
Being in Switzerland doesn't make it safe or immune!
The main offices for Eurojust are there and have the power to inspect data and records.
@@OH2023-cj9ifBeing headquartered in Switzerland means they are protected by Swiss laws, and Switzerland has some of the most privacy focused consumer protection laws in the world.
how proton has good reputation?????????? most of their reviews are bad
@@1AEGISI saw them too and it comes down to growing pains.
You have to look at the dates of the reviews, you have to look at things with a more neutral point of view, and you also have to be willing to take a risk.
I have been going on 3 years and Iove their services and I am glad I did.
I appreciate you talking about the big picture instead of being emotional and reactive like so many tend to be. I'm still going to use Proton. I'd also like to have people ask themselves one thing. If you're abandoning Proton due to fear of security, who exactly are you switching to? Proton is still the best available without making your own email server and making sure everything is encrypted with nothing overlooked in terms of security.
Instead of freaking out and shooting yourself in the foot, think through what you're going to do, be reasonable and rational and then make your decisions.
Agreed 👍🏻
I love proton mail and tutanota
Tutanota.
Well even if you self host a secure service. If the gov asks you to hand over data, you either comply or go to jail and get your servers taken by force. So.... yeah... let's be reasonable here.
I've been using Proton services for a while now and I must say this is the only company which provides both anonymity and convenience at there highest levels.
But there's still need for personal OPSEC!
@@AllThingsSecured - Best to delete the recovery email and store the encryption keys locally on an encrypted storage. imo
yes of course, they accept crypto
Whats your view on NPU that bypass E2E encryption? Watch Rob Braxman Tech new video.
get tutanota. Its much better than proton and cleaner.
Great video! Especially the last part where you state the obvious fact - something that most people in this always online world fail to realise - don't share every damn part of your life with the rest of the world.
ha! I know, right?
@@AllThingsSecured I don't remember where I read it but a while back I saw someone posting something like this:
"the Internet is down at the moment so I went out into the real world. Here I'm shouting to everyone I see how I'm feeling, what I just did, what I got for breakfast and so on. So far it's going great - I've already got three followers, a doctor from a psych ward and two police officers".
@@henrik2117hilarious and so true but I'm concerned that the US wouldn't be able to care for homeless influencers if the Internet ever really did break
@@henrik2117the disparity between how internet conversation and human conversation
Given the open source nature of Signal I have a feeling that IF somebody's Signal messages were compromised and used against them in court, it wasn't because of a flaw in Signal, but because they made some other mistake with their OPSEC. Perhaps their device, or the device of the person they were talking to, was infected with some sort of malware that could read the messages after they arrived on the device. End-to-end encryption only means from one end to the other, but the messages have to be decrypted once they arrive on a device or else they couldn't be read, so malware running locally on the device could potentially read them. It's also possible, though less likely that they managed to add a device to somebody's Signal account and they didn't notice it because they don't regularly check which devices are authorized to send/receive messages for that account. With how modern encryption works, it's much easier to trick somebody into installing a piece of malware than it is to break the encryption.
Very true.
It's not as opensource as you think some years back a fork called librasignal appeared which removed a dependency on some Google services components which some folks felt could reveal metadata.
The client was banned from the signal servers due to 'load concerns' the authors of the fork offered to run and pay for their own servers if they could federated onto the signal network, federation was expressly denied as it would limit the speed of new features. This is documented in github issues on the signal client.
Last time I looked certain backend components are not opensourced (admittedly several years ago) so I do not believe its possible to run a parallel network.
I still use signal, as that's certain friends comm tool of choice. I'm just pointing out this wouldn't be the first 'smell' around signal, and as per the video practice opsec.
One final thought how do we know the apk from the Google store is built from the public code?
This was Tucker Carlson's issue, they got to his private signal messages through his phone's vulnerabilities (possibly deliberate) not through Signal itself.
I know I'm late to this discussion, but having the contents of your device used against you (and accounting for poor opsec as mentioned in the video) is very common. If they haven't already taken your device, you often have to give it up for discovery purposes (US). They've got your device. They've got access to your data.
Likely the malware is Pegasus@@Peglegkickboxer
Thank you so much, many people need to hear this and use their minds before making judgements!
Thanks 🙏
That would require actually thinking for themselves and making a personal opinion - not sure the majority of people are ready for that.
Signal is open source and has gone through several law suits. Proton is very similar in that the law suits it is gone though proves that they will only give over what they keep, which is nothing. This is very similar to Private internet access.
True.
This only applies to VPN. Everything on there web servers, mail servers, and database servers is logged. You can access Proton's website through tor. But, you can no longer create a proton account through tor which means the account is linked to you.
Personally, the only VPN I trust is Mullvad.
Maybe, but Proton was funded by the EU and are funding nefarious projects. The company you keep says a lot about you...
@@imFruzzythis argument holds very little water. The tour project used to get DOD funding but they are very clearly not a Honeypot. There has been plenty of actual court cases that have proved that the US government cannot abuse that Network in fact, the US government uses Tor and I'm pretty certain the same situation exists with the EU and proton. The EU probably pays proton a little bit of money because the EU uses proton.
Also saying that proton is funded by the EU is a little bit stupid because proton is not a donation-driven company. They are funded by their users. They may have gotten a few EU grants, but that's very different from being funded by the EU
PIA was purchased buy some mossad bros
Proton yeah, but Signal is open source I've looked at the code myself, your data is 100% safe, because Signal by design is made so that the company (even if it wanted) can't access any of your data except for your number (which the person requesting your data already needs) and account creation date.
Github code may be secure but if you take closer look in 0:18, it says Signal doesn't allow researchers to verify the app deployed in iPhone is the same as the code in Github 😅
Thanks for sharing.
Telegram CEO is referring to Tucker Carlson, TC interviewed Pavel Durov last month, Tucker claims his Signal was compromised
@@NomadKev it's a claim based on no evidence, I also say the US bank was compromised. People seem to forget Signal is competition to Telegram, he has everything to win by saying that baseless claim.
@@NomadKev it's a baseless claim.
It amuses me how people seem to be worried that Proton provided an email address in response to a court order and yet didn't seem to care about the subsequent apprehension of a terrorist 🤔 I also saw a TH-camr recently bemoaning the fact that Proton do NOT mine and analyse your emails so that they can serve targetted ads 🤦🏻♂ Thank you Josh for being a voice of reason in an increasingly crazy world!
Thanks 🙏
So Proton only provides email addresses of terrorists & draws the line on “for targeted ads” scanning. Folks pay for some of their products, which helps everyone bypass ads.
Also, for a good percentage of users are “free” which tends to mean they, their data, is still the product.
So, your phrasing leaves a lot to the imagination, providing email addressees, merely addresses? Sure seems pointless.
If they are scanning, but NOT for ad placement, why? To find email addresses of terrorists? Lol wat?
Confusing comment. Please stay on one topic for goodness sake.
What makes you say that Proton is scanning? Where are you getting this?
@AllThingsSecured read his comment again more carefully. You're misinterpreting what he said about scanning. He's not claiming that proton scans emails. He was referring to how crazy it was... that he saw somebody complaining about Proton not scanning emails.
One groups “terrorist” is another groups freedom fighter. So yeah, privacy is privacy…….
If your goal is to hide from government then using any of these services is not enough because they are legally compelled to hand your data over. If your goal is to protect yourself from other kinds of threats then absolutely use these services.
if u want to hide from gov, become the gov, lol. climb ranks on ladder and rule it, then u delete ur files
When we know that Google and Apple llisten to every conversation we have within range of a mobile device, and without our consent.
, I'd say it's never been more incumbent on the public to be aware and act to protect against handing them too much power.
When will people stop trying to make email private? NEVER send or receive sensitive information over email. If you need to send documents, send links over email that require authentication. You'll notice that any bank ever will not send statements over email: it's not secure. Never was, and never will be.
Links wont work. Company will be made to comply.
Thank you for making this video. The message here isn't letting these vendors off the hook; it's a reality check for the digital frontier as a whole. More specifically "due process". It's the only 'real' sense of security we need to focus on, "did an agency use due process?" But also (and more importantly) are software vendors 'only' providing information under circumstances of due process? As a systems administrator, I applaud the message of User responsibilities and as a personal privacy advocate, I salute the message of due process.
Fear mongering and baseless accusations run rampant over social media outlets as it is. Thank you for providing a voice of reason and a means of laying a basic framework of the legal challenges.
The reality is this: If you are online, there is no way to be completely secure from online threats.
Proton and Signal give you better tools to safeguard your privacy than others, by a significant margin. They are still however online.
It took a multi-national government order with proof of terrorism to just get the recovery email address. If that isn't secure, then what is?
Well created video, thanks for sharing.
Rather than give up, collectively it's improtant we make it as difficult as possible.
They are few we many. They may have the keys to the citadel, (you can tell i am not techie!),
but it beocmes a lot harder to get in when virtually everyone is trying to hold them at bay. It's aboujt protecting privacy from big government and big tech collusion. It's not about "I'm alraight, Jack , I have nothing to hide "
Thanks Josh. I’m glad you speak with a voice of reason!
Thanks! 🙏
Couldn’t agree with you more.
There are a lot false information on the internet creating FUD. Be smart, question everything and do the research if you have to!
Absolutely 👍🏻
there is only one way to solve this, my app
Would using another separate proton email account as the recovery email for your primary proton email account solve this problem?
Yes you are right
Do people not read the TOS and Privacy Policy? I recently read Proton's, and this is not new information to me.
No, most don’t.
Why even pst this comment? Of course, most people dont.
In general, the TOS is full of legal jargon that is difficult for the average user to decipher, and it is also usually as long as the LOTR.
@@Physis_88exactly the TOS can take literally hours to comb through. Who actually has time to read through it?
Ignorance or sarcasm?
I keep seeing not only news but messages from friends and other acquaintances in Linux and privacy communities that keep propagating a lot of these conspiracies. I agree most of the time that people are not just doing their jobs in the security field right.
Thanks for going over them in such a manner! 🤩
Thanks for watching and commenting 🙏
People should always be finding sources and verifying. Seems like if people even see something at all that they just share it without validity as a thought at all even afterthought. I mean its ridiculous. On the other end not everything can be verified so i dont believe only speaking about verified stuff especially with the ACT checkers... People need to look at who would benefit from each thing... Possible motives... Credibility... Then it could be clearly seen when people are being put in a situation to discredit themselves and others in the long term by not considering these things. The long term is more important.
Well reporeted, Josh! I can’t count on my fingers, toes, and other appendages how many people I have to educate that software is not a cure-all. It takes human intervention and understanding for it to work 99.9999% of the time.
Thanks 🙏
One thing that I feel like people never mention is the extensive list of terms and conditions for iOS & Android, considering that’s where proton and signal appear to be used the most. Although signal and proton themselves may never store any information, how are we suppose to feel secure in the fact that the operating system we’re running these apps off of aren’t spying on us equally as bad as people would fear one of these messaging apps would? I’m curious for your take on that
well, that's exactly the point. If your threat model includes big govt/big tech, using a proprietary mainstream OS already invalidates every action you take further - which was more or less confirmed in 2013 by Ed and hasn't changed since, more or less gotten worse. Everything you do in that OS can and is being recorded, the OS can take and does make screenshots for example. Some people don't realize this, but as long as you don't know what the OS underneath is doing, no E2EE, Signal or Protonmail is gonna help. These solutions only make sense if the threat model is 3rd parties and ad companies.
If you are concerned about that you can always use a privacy-respecting fork of Android like GraphineOS or CalyxOS.
@@PvtAnonymous makes sense, but in that case signal shouldn’t make itself seem “encrypted” because if the operating system can and does use the info you type then it may as well not be encrypted, I personally don’t give a damn about ad traffic or anything along those lines, the entire point of using signal is for encrypted messaging, which if that’s undoable via a normal Android/iphone shouldn’t be available on the App Store/play store
@@WaturDzn for an app to work like that you'd never be able to read anything except the encrypted data and would have to manually run the decryption math by hand to get the message. If you want anything other than a long hash string to appear on your device screen it needs to be decrypted and stored somewhere on your device to do so
Proton might still be able to support recovery email without storing it in plain text - same what's done for passwords, i.e. just to hash it and store the hash.
Then when you need to recover, you'd have to provide the same recovery mail address and it would only be allowed if the hashes match.
Your title is borderline clickbait. It comes off as "You should stop using it" not "Should you stop using it". All falls on personal OpSec, as you mentioned.
7:03 Excellent video! I'm glad you included that second part, _don't _*_send_*_ comprising pictures,_ because people shouldn't be shamed for taking compromising pictures of themselves. Don't get me wrong, I advise my friends and family against it, especially women, but I wouldn't shame them for it. On a related note, I have personally always wanted to journal. I've always wanted to have a place where I could write my most intimate thoughts. Preferably on a secure digital journal, because I've had bad experiences as a kid with the security of physical journals. But most journaling apps don't have end-to-end encryption, which is why I have never done it. I don't want to keep everything in my head because writing can be really cathartic. It can help people heal.
Very interesting thought on the journaling. Thanks for sharing.
You could just write your journal using a local app on your laptop and make sure the drive is encrypted. Or there are ways to create encrypted "files" which can contain multiple files, folders, etc. You decrypt it, update your journal, and re-encrypt it.
@@Ck87JF I hear you, but in terms of UI & UX it's not practical. I want a specific app designed for journaling. And those exist, but they're not end-to-end encrypted (E2EE). I have heard of DayOne, which is a promising E2EE journaling app, but they are not natively E2EE so I have some reservations. That said, the biggest hurdle for this magnificent app is that it's only available for Mac and I use Windows. They said they are working on a Windows app though, but I suspect that will take forever as they seem more dedicated to Mac users.
Loved this video. Do you have a video on what are the "doors and windows" that can be left accidently open and how to close them?
The same people complaining about companies legally being required to hand over data they have are here in a TH-cam channels comment section… a Google app.
Feel free to jump over to Odysee for those who don’t want to use a Google app!
Odysee and rumble are good alternatives to this.
I believe in the case of Signal, it was an OS level zero-day that allowed the attacker to add a hidden member to a chat, turning it into a "group" chat. Encryption wasn't broken or backdoored, the chat key was just shared with a hidden third party.
How many people review the open source code, and then compile it themselves? If not, how do you know the installed code matches the open source version?
Most people don't, but you can be sure that it is being reviewed by people who are looking for bug bounties at the very least.
Good job on this video! You eliminated all the diagrams or explanations for HOW these 2 companies encrypt your data, reducing or eliminating unnecessary confusion in order to make your larger points. You made the whole video accessible to a consumer level audience, The exact group who do not know how to evaluate the accusatory assaults made by telegram or by privacy advocates objecting to there being any form of legal compliance with the country you're operating in.
Good choices, resulting in very easy to understand video about something very important and critical.
I think there's a difference between privacy and anonymity....you can use this services for privacy and not for anonymity
Great point 🫡
Exactly my take away. If you are using Protonmail for "anonymity" there is a flaw in your threat model long before email services come into play.
In public wifi, someone can have some sensitive data?
If yes, is a vpn more than enough?
New here, thanks in advance.
VPN will protects you 🤫
Unless I suddenly need to run from the law, these particular things don't really worry me too much. Yes, if Proton was hacked, they could see my recovery email, but I have a strong password and use security keys to sign in to my account. I am still learning how to become better at cyber security (my anxiety suddnely made me hyper aware of it).
While I am very concerned about privacy, I would want law enforcement to be able to find a dangerous criminal.
I don't think your privacy has to connect in any way to law enforcement finding a dangerous criminal. It's simply how we handle our own data, not expecting a company to do everything for us.
@@AllThingsSecured👍🏼
I don't know about Proton, but as far as I can tell, Signals protocol is sound. I spent some time developing my own XMPP Server and Signal afaik is based on XMPP with an extension that enables encryption. They made that extension themselves and published an extensive paper on it and it was analyzed by experts many times and it seems to hold really well. It's a really nice double ratchet encryption scheme with a chain of keys, so even cracking one key doesn't give you the entire conversation, just one little piece of it before the key got rotated.
So unless AES-256 in CBC and #7 padding is actually cracked completely, it's practically impossible to crack any conversation using this mechanism
The thing about them being open source is that while we do have access to a source code, we don’t necessarily know that’s the exact same code that was compiled and is being run on the servers. This is just one of the many flaw that makes people over trust open source for security reasons. Unless they let people do on the spot disassembly of the running process to see if those binaries are a match to the source code you can’t be sure. You may believe they’re running vanilla while they are actually running version b that doesn’t really encrypt stuff.
If you are in Europe and have doubt about the data collected just use your right under GDPR to get a copy of the data a company holds from you.
Great video! I would love to see a video on how we can develop habits for using the internet and social media in a safe and responsible way. It would be really helpful to get some tips on protecting our privacy and avoiding common online risks. Thanks for all your awesome content!
Shoot. So what services to use ? What VPN service use for anonimity and no logs policy ?? Because I am protons user for a while...
Mullvad is a VPN service that helps keep your online activity, identity, and location .
Mullvad
License model
Paid • Open Source
Never have illusions about the tools you use. It's a lesson I've learned (sometimes in hard ways) over the years.
Extremely well presented, discussed and dissected, with zero drama, only reasonable facts well-explained. SUBBED
Proton has just disclosed a user's IP address to the Swiss police, which was used to get its identity. Using Proton doesn't give you better privacy or security than any other regular email provider over Tor.
I've opened this video thinking "another video to scare people and make views" but i was wrong. Really good video. You have a new follower
Thanks 🙏
In the video, you brought up the point about being careful of what recovery email you specify. If the recovery email is from iCloud or Microsoft or Google, then I understand the point that the authorities will have to hand any email id to the authorities. What if it was another Proton email account itself?
Simply have two accounts take one message off to the SD card, move it to a different computer and send it on. Just use divide and be secure... What You Mum said just do not put all the eggs in one basket... Signal and proton are easy to use and better also mean more complicated and less useful.
Operational security is what 99.999X% people don't care about. Everyone expects the next person to take care of them, or the next company, but doesn't do anything to make sure they're practising active security.
Sad but true.
I forgot this "weak" area and thank you for bringing it up. Assessing Proton via a different IP. I wouldn't think that Proton will disclose this data? I trusted them not to store this data. And this is actually a new good point to keep in mind like many VPNs claiming that even if you do disclose some personal information, it is not stored. Proton could have these policies if they are so Pro privacy, but they do not implement such policies.
Hey Josh, I can't afford a security key, however i have a usb flash drive.
Is there's any way I can turn my usb flash drive into a security key? If you can then please make a video on that.
There are 2 majors problem, the error 18 aka between keyboard and chair, and the platform used to access websites or run applications. And in case of anything related to messaging, the same problems on the other counterparts of these exchanges.
Put differently one might be the problem, no end-to-end encryption tools.
Hey Josh. I love your videos and have started my own journey online to erase my online identity and public identity in general as much as possible. However, I have been seeing where people are saying that when you file taxes or do anything else that deals with government or some other things that you have to give all aliases used. Is this true even if the fake persona is not used for anything illegal?
Being open source doesn’t mean anything without a guarantee that the code submitted by signal or protonmail to the Apple App Store or Google Play Store is the same exact code that they show the sources code for.
This tends to be because in large drug busts, where smart phones are seized and they are able to get into the Signal account, they can then use those messages in the court cases against the traffickers. This is a example of messages used in court, perfectly legitimate use by the authorities.
Hi I keep getting this message in my Google authenticator "Syncing will continue when your device is online and you refresh your Authenticator codes"
I just can't figure out what is the issue. It would be great if you make a video addressing this issue.
Thank you for thorough clarification.
Keep up the good work, you just earned a new subscriber for the amazing content!
Awesome, thank you!
Ever since I saw the video from Computerphile about: Elliptic Curve Back Door, I had my doubts about a lot of the encryption we've been using and about how secure they really are.
The primary message you should be taking away from this is if have something private to say, do it face to face, in an appropriate place.
That's one way to look at it.
I really like your channel because most of the time is not time consuming like is always straight to the point but I don’t really like the excessive use of clickbait thumb nails and titles in your recent videos but good video still
I love that you made another great informative video. But what concerns me about 2024 into 2025 is what are we going to about TPU being implemented? I truly hope you have a chance to see these comments and either reply or think about wanting to make a video on this subject. It will absolutely affect E2E.
Thanks so much in advance ☺️ 😊
With what is currently happening in the UK and the EU, I think we *all* should be concerned about our online security
Hi Rob: Do you have a secure phone one can use? I only know of ones like rob braxman has...are there others you could suggest please..much thanks.
So I have a question: Is there any reason to keep recovery email on if you know you won't lose the password? As in, are there other cases where you could get locked out of your account unless you use a recovery email?
WOW you really hit the nail on this. Things I overlooked myself, especially with legal stuff. Hey, great video sir!
Well-done and informative video. Thanks Josh. I agree with you, the weakest link is the user.
Hi there there first thank you for the amazing content I learn a lot by watching your content
I would add that you have to understand the core of the technology you are using.
You have to know exactly what happens when you send an email. You have to know how does encryption work. And it’s always evolving so you have to update your knowledge as well. Only there it make sense to choose proton or signal or whatever so it would have been cherry on the cake if you link in the description videos where you talk about the technical aspect of it.
I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realises it ?
It would be difficult to do that kind of fraud, I believe.
Well, When you say I was wondering though.. is it possible that an open source software has a different code than advertised and nobody realizes it?
open source software has a different code than advertised you could mean let's say the compiled application then yes a compiled version of software could have different code running in the application but you can look at the source code and compiled by source to check what's happening in the application.
About encryption, there are sometimes backdoors built-in, so even if the software itself open-source the choice of some parameters that are supposed to be random on the site where the software is running can heavily jeopardize the encryption strength. So in here we have to trust that Signal and Proton have not allowed external agents to push them to leave some holes that we may not even know about (Crypto AG being the most iconic example, Tetra is another one).
That is correct, but we have to use the tools we are provided, and we have to trust those that are more knowledgeable than us. Simply because building our own secure tools is mostly a braindead idea. No homegrown solution will be as secure and as foolproof as tools created by professionals. I am using both Proton and Signal and I would much rather trust these two companies with minimal (if any) security problems in the past than most other apps that are out there somewhere. And having said that, if there are security problems, they'll most likely stem from my own stupidness or the people I communicate with.
@@stephanhuebner4931 Indeed, I was just reminding that even with open-source software, when it is hosted somewhere there is always uncertainty and one can never be sure 100% of the full confidentiality of the data.
I prefer open-source software over Proprietary software
Looks like some people here in the comments think privacy and anonymity are same banana.
Unfortunately Josh even with the great clarification you gave there are people that are stubborn with their beliefs where no one can change them
As always. Thanks for watching and commenting.
Thank you for this! I was just thinking along those lines, you confirmed them for me!
I’m glad it was helpful!
I agree with ya on nearly everything. Except the (Im paraphrasing you here) "its safe cause it's open source". Open source is awesome for that kind of thing. But it means nothing if no one is actually looking at the code in an auditing sense.
I am an open source zealot personally, but we need to stop using this point in our arguments unless we can form a security group that is actively doing audits of code. Maybe it could give these projects a "seal of approval" or "security audit passed on..." type of badge of honor.
Pavel criticising Signal is pretty ironic when he's turning his own platform into a Facebook-like nightmare
And also not using encryption by default, giving people a false sense of security because they "have" end-to-end encryption... But the so called "Secret Chat" function only works mobile-to-mobile.
@@APIAlchemist and it's not even advertised as much, considering that's the only encrypted chat
@@blackpurple9163 Besides, isn't Telegram closed source? How can we even verify it's end-to-end? If we try to sniff for the packages sent, they will all be encrypted in transit so it would be very hard to decode to try and find out, especially since they use a proprietary encryption algorithm called MTProto that they won't open source even if they do give a detailed description of how it works (and it was analised by a few people, it has several security flaws too).
And the same encryption is used to send regular messages and end-to-end to their servers. We should just assume that they don't have the key to decrypt the secret chats too?
Do you have personal reco? If signal is not safe anymore.
Personally I use Signal - I said as much in the video. Beyond that, it gets really hard to migrate to a new platform AND get all your contacts to do the same.
Threema is the best of the best! But you need to buy a lifetime Threema license first. Luckily it doesn't cost a lot of money. The license is cheap.
I have been using signal since 2015. I also use duckduckgo. I never get junk mails nor spam calls. I am very particular about my setting. I don't use yt app but use it through my browser.
Searching for privacy while using third-party networks, devices, or operating systems is essentially wishful thinking.
Consider three neighbors living side by side. The first and third neighbors want to have a conversation in their backyards. As they start talking from their respective gardens, the second neighbor, situated in the middle, can always hear their conversation. This analogy illustrates the basic principle: you can build a temporary communication channel (like a pipe) for the neighbors to talk privately, but this pipe must be entirely your own construction, not provided by services like NordVPN or OpenVPN.
Once people grasp this concept, the issue becomes clearer. As long as you rely on third-party systems, true privacy is unattainable, which is the case for 99% of users. Genuine privacy is nearly impossible in these scenarios.
If you truly desire privacy, consider having face-to-face conversations, perhaps during a walk in nature or while swimming.
The send and deliver info can be encrypted if both accounts work with the same protocols. It probably requires each account to run its own instance of decryptors and receive larger chunks than what's meant for them and process with its own decryption keys then discard what is still cyphered.
Great video and you bring up a lot of good points. FWIW, Tucker Carlson said the US gov found out about his trip to Russia via Signal...
Interesting
No surprise for me, for privacy I have my own ejabberd server and also a matrix server. Both work like a charm if you know how to proper configure them. Cheers!
That’s impressive, but beyond the ability of most people to set up.
@@AllThingsSecured I agree, indeed....
Just a version of a software is open-source does not imply that the version you are downloading from their website or app-store is the same version, unless you are downloading the open source code and building it from the source, there is always risk.
How do I verify that the Signal application that I downloaded from the apple app store was built from the open source code that is published?
Dude you're using an Iphone and asking this question? You could ask the same question about IOS don't you know IOS is proprietary? and the bootloader for iPhone is locked? Why are you using an iPhone if you care about privacy.
There are 2 fundamental points on Proton: (1) Even if you use a VPN or TOR whenever you access Proton's website to configure or read emails ... as soon as you run one of their apps, e.g. ProtonVPN or Proton Drive as local app on your machine ... Proton will automatically get your IP address (unless you additionally use TOR or onion service) Isn't it? (2) Most people think, that Proton or Signal have no possibility to get your private key, which is used for their end-to-end encryption, but it could be easily sent encrypted... and whether this actually is done or not... fully relies on how well their Open Source code is audited in this regard, isn't it?
Why and How should always be asked. It's just part of critical thinking. Thanks Josh for being a critical thinker!
My pleasure! Thanks for watching and commenting.
Great video. People now days react with the first thing they hear without looking at all aspects. Is mind boggling how the truth can be misconstructed these days.
Naomi Wu did a very good breakdown of why Signal isn't a secure app, before she got vanned by the Chinese government for talking too much. In fact it was probably her discovering and making public those vulnerabilities that led directly to her vanning.
I love that Telegram tries to shit on Signal but doesn't really support end-to-end encryption apart from maybe direct chats... but even that encryption gets shit on by security research regularly
If you know you are going into nefarious activities, you must already understand your communications pathways are already compromised to various degrees thus you have to practice opsec, comsec and offline encryption one time pads. Nature of the old school operative game, tradecraft.
👍🏻👍🏻
A one-time pad is an encryption mechanism consisting of combining a stream of key material with the data to encrypt, using a reversible operation; this combination can be very simple, and even doable by hand (without a computer), and still retain security as long as the key material (the "pad") is as long as the data ...Feb 8, 2016
so the secure communication are still effective by encrypt end to end by build own software and (or) hardware
Well explained. The biggest security vulnerability of all time is the user.
Best security related advice on TH-cam, period. Nothing is black and white, you should build threat models based on what your concerns are and be aware of what you are sharing and who potentially can see it. All this commotion about "proton bad" "telegram bad" "mullvad bad" only has meaning if you understand the weaknesses of each tool and how they apply to your situation. Thank you and have a sub
It seems more likely that signal messages would be revealed by law enforcement getting their hands on a device with Signal on it and then exporting the signal chats, rather than encryption being broken.
Very well said. These are all tools, but the way you wield them is what defines their effectiveness.
I was on the beta version of proton and have been using it ever since!
The title is a bit clickbait, but i think you videos are still very imparcial and informative.
Stories like these just let me know what I should avoid, and help me keep in the loop. It also lets me know the lengths authorities have to go if they need your recovery address and and a 3rd party to help them get your data. If anything that's ensuring, and just lets me know that recovery email is flawed to begin with, just like email is flawed and I should use E2EE messaging apps instead of email for sensitive data.
Will you use Linux Instead of Windows?
@@AsunaYuukiSAO3 I've been using Linux for months now actually. I made the change because a friend of mine helped me get initially into it, and I started dual booting. Then I stopped dual booting after hearing about Co Pilot and now am an 100% Linux user.
Signal does have Phone Numbers of users so if you sign up with your real number that maybe an issue.
Correct, but you can also use a virtual number for that.
I suggest that the next episode be about the best artificial intelligence services (such as GPT chat and...) that respect user privacy (alternatives to Google Bard)
is there an alt to proton. i like it except for one thing. no delete all mail on their email.
Well said, and thank you for your rational explanation
My pleasure!
Does this fact that they give over the data they have also apply for their VPN service? Proton VPN has the encryption keys would they had that over too? i have always praised Proton VPN for being the best free VPN
It’s different because that data isn’t stored.
@@AllThingsSecured Or so they tell you ???.
@@joeking5211 1) They are audited on an annual basis, so it is proven that they don't store data.
2) Swiss law treats email and VPN very differently, no Swiss company is obliged to hand over VPN data, even if they did store them.
It's absolutely silly that people have this notion that private email services will provide you with total anonymity. In my opinion people fear monger when these companies get subpoenaed for information as if Google would not hand over every bit of data they have when asked. If your goal is complete and total anonymity then a subscription based email service clearly isn't going to be a part of your threat model. Or they fundamentally misunderstand what exactly a service like this is supposed to do for you.
It's like some of these content creators forget who exactly these products are marketed toward and that's average everyday users who are simply looking for a slightly better alternative to the all seeing eye that is Google and it's web of tech. When you look at these services through that lens Protonmail is fantastic. I appreciate your level headed take about this. Too many fear mongers
when making an email in proton, dont give your real name address and use vpn before creating an email. if something goes wrong, they wouldnt know who you are you are. even choose vpn company wisely
Encryption may be useless with the looming push for client side scanning, MS Recall is a perfect example. Logging keystrokes and taking screenshots being sold as AI, or a convenience utility. I understand it's target on all devices from desktops to mobiles. See Rob Braxman
2 Things:
1. The people who had their "Private Signal Messages" compromised probably had it all on their phone and either the phone was compromised and swiped or the authorities gained physical access to the phone when they arrested the person in question, none of which are signals fault - good OPSEC here would be to not leave signal logged in on your phone.
2. FUD is interesting, I treat FUD as a means and reason to look deeper into claims - false or not, and learn more about the issues they have. FUD has such negative connotations, but really is a great means of criticism and a good reason to improve something - yours or not. Ignoring FUD just proves that a person is both Arrogant and Ignorant.