Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

Administered by:

Server stats:

1.3K
active users

ioc.exchange: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

Public
Delta Chat

#openpgp traditions and #signal both bind a cleartext identifier, phone number or email address, to a cryptographic key. It opens up attack vectors as the servers/orgs controlling this binding can interfere.

#deltachat avoids such cleartext identity bindings by creating random #chatmail addresses, as transport only. The cryptographic key becomes the identifier and we want it hidden from the transport layer. Only people being in end-to-end encrypted chat need to identify each other, after all.

Public
Linux Is Best

@delta@chaos.social You should also add that Signal's development, servers, foundation, and business are all in the United States, and all subject to US Jurisdiction.

#Signal

👊🇺🇸🔥

@Linux @delta Any significance of this is negated because Signal has very little data about users.

signal.org/bigbrother/

The cops have to provide a phone number, and in all cases Signal can only say "yes, this number was registered". They don't know the identity of the number owner, who they talk to, what they've said, where they're located etc. unlike WhatsApp, Telegram, Facebook Messenger etc.

Signal MessengerGovernment CommunicationWhen legally forced to provide information to government or law enforcement agencies, we'll disclose the transcripts of that communication here.
Apr 08, 2025, 06:31 PM·Quiet public
0boosts·0favorites
Quiet public
Linux Is Best

@Avitus@ioc.exchange @delta@chaos.social In the United States, you're responsible and potentially liable for content that transmit over your services. That is how the government in the past were able to shut down sites and services that eventually were overrun with illegal content, for example. Additionally, in the United States, you can receive a court order, ordering you not to reveal the government's involvement with your products or services. Also, how previous people who have used such products or services, still faced justice.

Now, none of this should worry you if you're not breaking the law. However, laws change, and unfortunately, so does freedom of speech. We have a government regime who is picking people off the streets and sending them to jails in other countries. That same government regime is threatening our allies, such as Canada and Greenland.

What you're saying and doing, right now, may be perfectly legal, right now. I am more concerned with the possible unknown tomorrows.

Quiet public
Delta Chat

@Avitus @Linux sure signal is so far the best central messenger when it comes to handling privacy on potentially hostile infrastructure. However any seized phone can reveal phone numbers of group members. Collecting IP addresses are another attack vector. Cloudflare which serves encrypted blob files may be able to identify IP addresses of all signal group members who download an encrypted file. It's not data that the signal organization itself has access to but certainly an attack vector.

Quiet public
feld
@delta @Avitus @Linux all it takes is the IP address of one identified Signal user participating in a group and then send a warrant to CloudFlare for their logs and you can then find the IP addresses of all other members in the group. More warrants to ISPs/mobile providers and now you've identified the humans that were all in contact with the user.
Quiet public
Linux Is Best

@feld@friedcheese.us @delta@chaos.social @Avitus@ioc.exchange CloudFlare is also not secure in the way people imagine it to be. Many people use CloudFlare, thinking it will mask their server. It does not.

This provider here, will show you the real server of every site behind CloudFlare https://search.censys.io/

CensysCensys SearchCensys helps organizations, individuals, and researchers find and monitor every server on the Internet to reduce exposure and improve security.
Quiet public
👊🇺🇸🔥

@Linux @delta @feld We went from talking about if Signal is safe to now talking about serving subpoenas to organizations other than Signal, and gaining physical access to devices. That in itself is a testament to how safe Signal is. Whether a subpoena is served to CloudFlare, or what a given person's threat model is, is irrelevant to what Signal itself does to protect its users.

Quiet public
Linux Is Best

@Avitus@ioc.exchange @delta@chaos.social @feld@friedcheese.us That you know of. -- That is the point.

When in doubt, pick a provider outside US Jurisdiction.

Quiet public
👊🇺🇸🔥

@Linux @delta @feld "That you know of" doesn't apply when Signal reports the subpoenas they receive and their responses with the data they provide:

signal.org/bigbrother/

This is going in circles. No service is Fort Knox. You have to accept some level of risk whether that be the service itself going bad or some outside force prying sensitive information from the service.

Signal, as shown at the link I've now provided three times and has been totally ignored throughout this conversation, mitigates first and third-party risk by collecting as little data as possible so they don't have it to give.

Signal MessengerGovernment CommunicationWhen legally forced to provide information to government or law enforcement agencies, we'll disclose the transcripts of that communication here.
Quiet public
Linux Is Best

@Avitus@ioc.exchange @delta@chaos.social @feld@friedcheese.us I can spit out well crafted public relation statements too, along with convincing marketing of my fight against the government as well. But I am still in the United States, and if I was the President of Signal, you should not trust me either.

The risk assessment is this: There can be no United States for me to trust anything at the present moment. Because the United States Government has gone rogue and is not even obeying court orders at the moment. This is the justice system you're putting your faith in right now. -- Good luck.

Quiet public
feld
@Avitus @Linux Why does Signal try so hard to hide that Moxie's original funding for Textsecure / Open Whisper came from the CIA?
Quiet public
feld
@Avitus @Linux Also did anyone ever conclude why in 2021 it was observed that safety numbers were not changing when uninstalling and reinstalling Signal which should have wiped all Signal data from the device? How is that even possible unless Signal has a copy of the keys?

I genuinely do want to know wtf is going on here:

https://403forbiddenblog.blogspot.com/2021/06/signal-safety-numbers.html
403forbiddenblog.blogspot.comSignal safety number privacy issueskelly kaoudis: application security, hacking, software engineering blog
Quiet public
feld
@Avitus @Linux @delta Several examples over the last few years showed governments gaining access to Signal chats and interrupting illegal activities. How did they do it? Simple device seizure.

It doesn't matter how secure your chat app is or that it has the greatest key exchange algorithm and implements Perfect Forward Secrecy if you don't immediately delete the chat history off your device.

Literally nobody is being attacked by their government with a MITM. Instead, they're coming for your device which nobody properly secures but encryption enthusiasts always stay focused on the network protocols. Even TLS would be sufficient to stop them from snooping, every additional layer is just bragging rights IMO.
ExploreLive feeds
About