Is Signal Still Secure?

The take home message is that nothing is inherently secure except the secrets only you know and that’s true only as long as „they“ don’t habeas corpus (to torture them out of). The baseline assumption when faced with state actors must be that they have the means to defeat any security mechanism given sufficient time and interest.
Lucky for most of us, we don’t have to deal with state actors (with sufficient interest).
Fly Safe, as someone frequently says.

The Israeli company is not a state actor, but a private company that sells its spy software to whoever that wants to pay.
And a lot of people around the world had there phone hacked. In Apple phone cases the victims didn't even have to say yes to have something installed. The just went straight in via bugs in iMessage. 😐

@@SuperElkjer That isn't true. They are a mobile forensic software that sell forensic software. Its not a spy software, hence why you need physical accesses to the phone. Cellebrite is not a private company but traded under CLBT. Most "news" and article written on Cellebrite are misinformation and its just a game of telephone.

@@Revoc Well, you can call it what you like to, but it is used as spy software. It's like when Putin call an invasion a special millitary operstion. You can call it what ever you want, but all knows what it is🙂
It's created and sold by a company that it well aware what it is used fore, but when calling it something else there are no need to have any moral.
They where the one that where out telling that they had broken signal and they had to withdraw that statement because what they had broken was iPhone. And now they are facing lawsuits in big scale as far as I know.

So I should buy a pinephone?

Phone keyboard apps are the most comprehensive, and I believe most-overlooked security invasion on smartphones. They have access to internet usually (Microsoft Swype, Google Keyboard, all the big names), and access to literally everything you type, and they even know the context as well - the OS will inform them 'this is a password field' so the keyboard can switch to password mode and disable the dictionary - but this of course enables very simple keylogging of sensitive account logins. Even without the password concerns, everything you type can be (and most likely is) reported back to Microsoft/Google/etc at their whim. The good news is that (at least on Android) there are already open source secure keyboards. There's the AOSP basic default keyboard, which is open source and doesn't need internet access, and there's the more advanced 'AnySoftKeyboard' which is open source (available on F-Droid) and also doesn't request/need internet access.

The problem is, if someone can install a keylogger on your phone, they could also install spyware that tracks the coordinates of the screen where you touched it, without needing to compromise the keyboard.

@@nikomitk8091 Eh, since a software keyboard takes place at a much higher level than the touch device, it would require more permission for the spyware to track touches.

GraheneOS and it's super annoying but secure keyboard.

@@m0rthaus I've never considered to turn off internet access for Gboard so I just tried it and uhm, I can disable it for mobile data, roaming and background, but not for wi-fi which is usually an option for every other app. And then I saw the data usage. Gboard exchanged data over my wifi in an interval of about one week, each time with around 28 MB. Of course I don't know what is actually being sent there or if it's just harmless stuff but... it's kinda scary.

You dont know.

you should never trust twitter

@@morzinbo yup, twitter is 100% bs garbage nonsense with some virtue signaling on top

@@morzinbo So true, but for too many years, Twitter is used by the MSM as their main source.

@@matldn2697 MSM's primary source is the government itself. Talking points direct from political party operatives. "The White House". "Retired" generals. Intelligence "analysts". The FBI directly.

@by9798 wtf then ure blind

Why not both?

yup there are court papers that prove how that's all they know and can give

GAG ORDER pleaseee!!!

Phone numbers and other metadata?

Princely that is the issue. Why do you think Signal does not let you use the Linux app without first installing the app in your Google or Apple device. It is because they want their users to be available for hacking by Google or Microsoft. If you really care for privacy and you are not an idiot, you should be using IRC, XMPP, or Matrix.

I deleted Signal a month ago and now use Threema@@DelfinaKS

private key means this is a private-public key encryption setup

I love that it uses a phone number because it makes it easy to contact friends and makes it really hard for spam bots to setup accounts.

Well, you can run it from a computer if you allready have it on a phone

@@LAWRENCESYSTEMS Using a phone and requiring its phone number are two different things. I suppose I hang out in a different technical world as I've never once had a spam bot contact me on any encrypted messenger. Again, I'm not saying it's a threat just an undesirable feature. I look for security, not a friend in my contacts being made easy. There just isn't a good financial model to support it though if it's not as you say "easy" to get others to use it and I understand that.

BRIAR was also recommended for Ukraine citizens, in case of Internet access outage. This app can make conversation using BT or Wifi Direct ;)

I don't have any plans to start using Threema so I don't plan on doing a video about it. I am not aware of any issues with it other than none of my friends use it.

@@LAWRENCESYSTEMS Oke I understand, a honest response thanks! On our side (EU) it may be used a little more. 😆

@@RK-ly5qj Berty is an option for iOS.

@@w1z4rd9 one of the recent blog posts on berty says, it isn't war-ready yet

Signal does not offer text messaging anymore.

That's not true, because you can see the source code of the client. You can understand that no one in the middle can see the traffic.

@@LAWRENCESYSTEMS as the server is responsible for pubkey distribution, I still see potential for compromise here. It would be easily detectable by the two users verifying each other's keys, though. Mind you, people should be doing this anyway, but we both know 99% of users won't, as the entire purpose of things like signal, keybase, etc. is NOT needing to worry about such things.
Of course then we're also left with the question of whether the server code they show us is what's really running on the server, and not something else; end of the day, there's always going to be some degree of trust and faith with any system that isn't self-hosted.

You're not understanding how their cryptography works.

@@LAWRENCESYSTEMS Not sure why it keeps nuking the post, but in any case, yes, the server handles key distribution and relays the messages. This means that it can act as a MITM by storing an extra set of keys for each user and giving the fake pubkey to users the first time they communicate. In my previous two attempts to post this, I included a link to source breaking down what the different components in Signal's infrastructure do and it lays this out. Users would be able to detect this, however it would require out-of-band key validation (users would see that the key their device reports doesn't match the other device, but rather the fake one that server handed out).
I do not think Signal has been compromised, only that it is possible that it can be. There's no justification for closing the source code for what they claim, and no one can verify, is simply spam filtering.
If you still think I'm not understanding how their system works, please do explain. Simply saying "you're wrong" is neither an argument nor does it help correct the alleged misunderstanding.

@@sporkwitch So with the right OpSec it still is secure. Right, no problem. The better take on this is to spread the word on what to do. Even though federation and decentralization are good, UI simplicity are very important to a lot of people in general.

Yes signal is still safe to use here in 2023

Can people who have my number on signal get to my personal info?

Signal is still safe

@@LAWRENCESYSTEMS thanks!🤪

Never used it and because the circle of people I engage with do not use it I am not likely to start using it.

@@LAWRENCESYSTEMS hi thanks for the reply, the circle of ppl using a product is what makes these things so difficult to change. if there was no "oh no facebook is buying what's app and stealing your dataz!!" in the public media (outside of nerd media) we wouldn't even know what signal is ;D and that's a shame in my book.
the good thing is that there are youtubers aka influencers like you talking about it - so keep it up long time fan but never commented tbh ;D

As far as we know Threema a) costs b) gives data out to authorities, even to third party countries without any legal circumstance.

I don't use it or know anyone who does.

I'm interested in learning more about Wickr. Would be great if a security minded person looked into it and did a review. 😁

@@_Thoughtful_Aquarius_ Not really worth reviewing something very few people use.

@@LAWRENCESYSTEMS I know a ton of people that use Wickr...

The Russian Intel Services and the Hacker Kids did not compromise anything close to Signal. But Telegram is actually heavily compromised by everyone lmao

act.eff.org/action/stop-the-earn-it-act-to-save-our-privacy

@@LAWRENCESYSTEMS won’t someone think of the children! 🙄😂

Those are phone / device issues, not signal issues.

@@LAWRENCESYSTEMS GayAnalDildo

Now it has story feature

Made in China you stooge

@@Crazy--Clown that is what CCP stands for genius. Go troll your Nana, you cannot defeat this keyboard warrior.

You can find all there here lawrence.video/swag and there are both with and without logo

Session doesn't even have forward secrecy. Signal is not perfect, but it is more secure than Session.

Also using a phone number is a feature not a bug. Having a phone number to identify my friends as much easier and keeps the spammers and scammers away.

They are ending offering to be the text message app on Android.

Requiring a phone number is not about security. It reduces the spam and makes it easier to find my friends and communicate with them securely.

@@LAWRENCESYSTEMS Thank you!

@@LAWRENCESYSTEMS so why do have to give your number why can't they give you a fake number

@@LAWRENCESYSTEMS exactly. The phone number is about privacy. Which is often confused by many.

🤣🤣😭

time to start making fake twitter accounts to post nonsense about telegram too

You should choose better friends, if they say because of someone who is spreading fake news on Twitter, that something is secure or not, instead of checking for themselves. The code is there, try, check, verify, hack the shit out of Signal.

@@marcogenovesi8570 Telegram is (verified by independent media) actually hacked by the FSB and other authorities. They give full access, if they're requested too. Even during the Ukraine conflict. Telegram was a nice idea, that got flawed by the Russian authorities.

I care more about security than features.

@@LAWRENCESYSTEMS true I just need to send normal texts around securely

it's a messaging app, what features do you need

Thanks, finally getting the new studio dialed in.

@@LAWRENCESYSTEMS ITS really nice man !! good work !!

@@drewthor I like that I can turn on a secret chatt.

@@JasonsLabVideos Not on groups though.

Telegram's source code is not public, so no one really knows how secure it is. Also, a while back I read a story about how the NSA had broken Telegram encryption. Signal source code is public

Me too

Thanks!

Signal is still secure here in 2023

@@LAWRENCESYSTEMS Upgrade the term "secure" to "more secure", then we can agree. There's nothing "secure" out there. But "more secure" (compared to others). Or as we cal it over here: securer. Telegram is secure if you want to keep skids away. Signal is secure if you want to keep state actors away, in sense of not reading your messages from the servers. They will hijack your phone or computer and read all messages anyways. BUT they need more time to do so. If they can't use a 0day, they need to exploit a misconfig. If they exploit a misconfig that takes time. Time to annoy them and keep them away.

Minimize spam and I can better trust the person I'm talking to

@@LAWRENCESYSTEMS my friend, the point is real phone == real ID. It can achieve less-spam through anonymous ways (device fingerprint).

I don't like that they don't give you a fake number 😂

@@MichaelsExplorations NSA likes it, though :) "encrypted comms but plz give me your ID first"

@@jackanderson9258 You're heavily confusing "security" (or safety) and "privacy". Privacy is about your phone number or real id. Security is about hard- or software security. In sense of exploitability and encryption. Keep in mind there's the CIA (Confidentiality, Integrity, Authenticity) that can be used to measure "security" in categories. You won't see privacy in that. Of course there's a requirement that Signal has to collect a bit metadata. But it never claimed otherwise. They only say your messages are encrypted - that fact is true.

yup

the US government and other governments in democratic countries are restricted to law. Of course, they can try to circumvent but as long there's the independent media, they will fail over time. So you don't really have to fear your own government in a democratic country. You should be concerned about countries like China or Russia, which are indeed not democratic at all.

By your logic If you did not make chips, design the chips, build the OS, then write it, you can't trust it either..🙄

do you even trust your own self when it's been shown over and over again that people can easily trick themselves? Nah fam

also you do know they have the source code on github lol

If you blindly trust your own stuff, you're not only stupid, you are living dangerous.

In laymans terms why is it not secure to you?

Signal is secure. There's no audit or attack that proves otherwise. Rob Braxman is a nobody.