Recent comments in /f/technology
hodor137 t1_j9xcga4 wrote
Reply to comment by 1wiseguy in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
I didn't say it was secure, or good. My point was that just because "encryption" is used doesn't mean there can't be a back door that prevents a 3rd party from reading your messages.
EndUserGamer t1_j9xc74a wrote
Reply to comment by taz-nz in Windows 10 users are being offered a Windows 11 upgrade despite not meeting the requirements by GOR098
Yeah, but there is some truth here. Every other OS has nearly always been the way to go.
ComicOzzy t1_j9xc5t1 wrote
Reply to comment by bpastore in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
Can we please just go back to 100% being enough... and also not using "100%" as a complete sentence to indicate agreement? I'm getting too old for this shit.
taz-nz t1_j9xbjec wrote
Reply to comment by astromaddie in Windows 10 users are being offered a Windows 11 upgrade despite not meeting the requirements by GOR098
You're modifying the list to fit your narrative, not reality.
Many of the Windows versions you list as good didn't start out that way. You list Vista as bad when it was actually good if you were running a decent-spec system (I can point you to benchmarks that show it was faster than XP on the same hardware). You ignore a whole Windows release because it doesn't fit your narrative.
It's dishonest.
Smith6612 t1_j9xarnf wrote
Reply to comment by luxtabula in Windows 10 users are being offered a Windows 11 upgrade despite not meeting the requirements by GOR098
It sort-of does, actually. Windows 10 is the transition OS between not having a TPM, and having a TPM. Any computer shipping with Windows 10 is supposed to have TPM Capabilities. It just wasn't mandated to install and run the OS. However, if you did have a TPM enabled and happened to be using a laptop or tablet, and had a Microsoft account signed in, BitLocker would enable for free.
Smith6612 t1_j9xaitb wrote
Reply to comment by 9-11GaveMe5G in After a Decade of Tracking Politicians’ Deleted Tweets, Politwoops Is No More by psychothumbs
Sure. Taking a play book from what tech companies have been doing the last several years in general, and having it with a coincidentally timed motive. The modern thing to do today is to take away all of the APIs. All of them! Useful third party application? Banned. Try to work around it? Account / IP ban. Want to archive the site contents? Banned. Want to view public posts first party or third party? Nope, need an account for that - banned if you do anything which steps out of line.
What are these companies trying to hide? This one is at least, fairly self explanatory.
bookersbooks t1_j9xaf31 wrote
Reply to comment by buttpincher in Ericsson to lay off 8,500 employees by mitousa
Yep. As Americans do. Instead of talking on a forum that is international in a way that acknowledges country (yes I know Reddit is 50% USA), Americans always default to always assuming the rest of the world knows what someone means when they reference home, their country, or their state.
Y’all think you’re the world.
Nik_Tesla t1_j9xadi8 wrote
Reply to comment by Archbound in Microsoft Bing AI ends chat when prompted about 'feelings' by Ssider69
It's just so dumb... it's like asking a screwdriver how it feels, and then using that screwdriver to scratch into the wall "evil" and then telling everyone that your screwdriver is evil.
buttpincher t1_j9xa85v wrote
Reply to comment by bookersbooks in Ericsson to lay off 8,500 employees by mitousa
I see what you mean however Ericsson is the number 1 supplier of RAN equipment throughout the world. I should have specified I was speaking of the US.
astromaddie t1_j9xa6nj wrote
Reply to comment by taz-nz in Windows 10 users are being offered a Windows 11 upgrade despite not meeting the requirements by GOR098
Thanks for the “every reply has to be an argument” reddit treatment. If you ignore the post-release updates to the system, and paint broad strokes because this is just nerd humour and stop taking everything so seriously, you’ve got:
- Win95: good
- Win98: bad
- WinXP (skipping ME because it was a weird mid-cycle release testbed): good
- Win Vista: bad
- Win7: good
- Win8: bad
- Win10: good
- Win11: bad
Microsoft has almost always had good longterm support for their OSes to iron things out, so if you include every major update of course there’s no pattern.
1wiseguy t1_j9x9z7v wrote
Reply to comment by hodor137 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
There's no such thing as a secure back door.
A back door is code for "other people can read your message that you thought was secure".
OcculusSniffed t1_j9x9qv4 wrote
Reply to comment by velifer in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
Using Signal for SMS is like trying to take a train to the corner store. It's not really for that.
drawkbox t1_j9x9o8o wrote
Reply to comment by alsu2launda in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
Being open source does not mean it is secure. If anything it means people will overly trust it.
Open source libraries have been owned right in front of everyone. OpenSSL had the Heartbleed hole for years, everyone owned. Log4j/Log4Shell owned every device with Java on it including all Android phones for over a decade...
Opening up private messages to a third party isn't a good idea. If you are on Apple, use iMessenger. Apple can already get your info. Same on Google. Using an additional third party client, as well as a desktop client, that opens you up to all sorts of attack vectors even if you trust the company, they can be hacked. Trust leads to intrusions.
noorbeast t1_j9x9mlq wrote
Reply to comment by BAXR6TURBSKIFALCON in The Bill C-18 Reality: Everyone Loses When the Government Mandates Payments for Links by The1stCitizenOfTheIn
See my first sentence.
taz-nz t1_j9x9kzb wrote
Reply to comment by astromaddie in Windows 10 users are being offered a Windows 11 upgrade despite not meeting the requirements by GOR098
Actual list of major Windows releases:
Win 95 average
Win 95(B) OSR2 good
Win 95 (C) bad (test bed for 98)
Win 98 bad
Win 98 SE average (livable when running 98lite to remove crashtastic active desktop)
Win ME bad (basically test bed for Win XP features)
Win XP average
Win XP SP1 average-good
Win XP SP2 good
Win XP SP3 great
Win XP 64bit hot garbage.
Win Vista average (bad for old hardware & software and underspec'd machines)
Win Vista 64bit SP1 & SP2 good (5-20% performance bump over Win XP on same hardware)
Win 7 good
Win 7 SP1-onwards great
Win 8 bad
Win 8.1 average
Win 10 good
Win 10 1709-onwards great
Win 11 average-good
Yeah there is totally a good bad cycle, if you just put on the rose-tinted glasses, and ignore 80% of major releases.
noorbeast t1_j9x9e5t wrote
Reply to comment by LiberalFartsMajor in The Bill C-18 Reality: Everyone Loses When the Government Mandates Payments for Links by The1stCitizenOfTheIn
Indexing, and associated ad model revenue, are directly linked, Google search and associated ad revenue would be nothing without the content of others.
I do agree media companies want to have their cake and eat it too, but that is a separate matter from the need to regulate big tech, particularly the profit from harm business model, and the efforts by big tech to manipulate and threaten when it comes to the right of nation states to set whatever laws they deem appropriate for their citizens.
drawkbox t1_j9x9cnn wrote
Reply to comment by duh374 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
Being open source doesn't make it secure. You can just view the code. There are tons of other attack vectors past that, CI/build, dependencies, ghost users, surveillance masquerading as moderation/spam checking and so on.
Open source libraries have been owned right in front of everyone. OpenSSL had the Heartbleed hole for years, everyone owned. Log4j/Log4Shell owned every device with Java on it including all Android phones for over a decade...
BAXR6TURBSKIFALCON t1_j9x98wj wrote
Reply to comment by noorbeast in The Bill C-18 Reality: Everyone Loses When the Government Mandates Payments for Links by The1stCitizenOfTheIn
it wasn’t for us, it was so NewsCorp and Murdoch could scratch up some more money.
OcculusSniffed t1_j9x95v6 wrote
Reply to comment by Raul_77 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
What are you using a work laptop for non-work messaging for?
drawkbox t1_j9x90wo wrote
Reply to comment by hodor137 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
They have the ability to attach ghost users, the reason they say is moderation/spam, but no backdoor needed with that. The ghost user is able to decrypt like a regular user and syphon out the info.
This was proven with WhatsApp not too long ago and Signal also has the ability to attach users.
Any "secure" encrypted messenger that allows more than 1 to 1 connections will always have the potential for the "ghost user" problem.
System level some use additional connections/recipients for spam/moderation and the moment you allow any invisible/visible group users in, there is a massive potential for an exploit.
Additionally you have the potential for forking off messaging to other users at the system level for either oversight or spam/moderation/other. Some of the compromised systems out there use this very well.
A sneaky way some of these "secure" messaging apps are also doing this is ghost participants in the chat that can essentially syphon off the messages even without a compromised client. The ghost participant is always under the guise of moderation or anti-spam or telemetry or some other proprietary shim.
Lots of "secure" messaging apps do this for intel and surveillance and not just the white hats.
Other areas that "secure" messaging apps have holes in is the anti-spam/moderation systems that need to view messages and in the clients themselves who have access to the unencrypted content. This is also taking place in other client apps as well: VPN, password managers, extensions, wallets, even build systems and more. Many like VPNs have logs sent elsewhere but deleted locally -- access to entire machine and all network access. People are way too trusting of "secure" systems/apps that are very common today based on trust.
All of these apps/systems would pass code checks, reviews, security inspections and essentially be encrypted/"secure" though a copy is sent off to another area for review. At runtime the leak is in the direction of the data.
Then you also have governmental oversight that opens up holes that can be exploited.
On Ghost Users and Messaging Backdoors
> to add a “ghost user” (or in some cases, a “ghost device”) to an existing group chat or calling session. In systems where group membership can be modified by the provider infrastructure, this could mostly be done via changes to the server-side components of the provider’s system.
> I say that it could mostly be done server-side, because there’s a wrinkle. Even if you modify the provider infrastructure to add unauthorized users to a conversation, most existing E2E systems do notify users when a new participant (or device) joins a conversation. Generally speaking, having a stranger wander into your conversation is a great way to notify criminals that the game’s afoot or what have you, so you’ll absolutely want to block this warning.
> While the GCHQ proposal doesn’t go into great detail, it seems to follow that any workable proposal will require providers to suppress those warning messages at the target’s device. This means the proposal will also require changes to the client application as well as the server-side infrastructure.
> (Certain apps like Signal are already somewhat hardened against these changes, because group chat setup is handled in an end-to-end encrypted/authenticated fashion by clients. This prevents the server from inserting new users without the collaboration of at least one group participant. At the moment, however, both WhatsApp and iMessage seem vulnerable to GCHQ’s proposed approach.)
Other messengers also have issues.
Signal + Telegram
- Default settings in Telegram aren’t encrypted, same with Signal
- Both sides of a Signal or Telegram conversation have to both have the encryption on
- Anti-spam filter has to check actual content (proprietary and third party in some cases)
- Shrouded spectator connections to your chat that may not be visible to you -- part of moderation/spam proprietary hooks. You could have a perfectly clean secure software platform that can still be exposed via normal usage to get data on client or with someone that has access to your comms unencrypted.
- Connected through your phone number and also your location which narrows it down to exactly you, this is more damning than using ADID, UDID or MAC as this WILL follow you across everything.
- Users have to be identity validated before they use the app beyond ID bridging.
- They might be bought someday by someone more unscrupulous with data, all that history going to a private equity firm.
- Clients have full access to unencrypted data, as well as the server with private keys
- Even if you trust them now they may not be trustable in the future, see LastPass for an example or Auth0 or ad blockers/extensions or VPNs or even password managers that you trust. All of those need a client on your machine that will have access to elevated permissions and your unencrypted data as they are clients.
- Source code is delayed after builds. Open doesn't mean much to the end binary if they are putting in proprietary areas and the hash/checksum will be different all the time. Who knows what is in it.
- Signal gets location, number, identity and more and where you are at. Extreme example: if they know when you shit, they can stage a robbery from third party actors and craigslist style contractors while you’re taking a dump, technically. They know when you’re out for the evening.
- Also if you have location tracking off they still have IP and device identifier as well as geofenced notifications that don't need the location permission always on. Geofenced location can wake up the app at any time.
- Signal is recommended by Edward Snowden, Glenn Greenwald, Jack Dorsey and Elon Musk as well as many other potentially sketchy people. Originally these guys were played nice but the people behind them are sketch (Elon being authoritarian funded for instance). Edward Snowden is in Russia and Glenn Greenwald can't say a bad word about Putin. Sketchy that they are the featured testimonials as well as people connected to them.
- Telegram is funded by Pavel Durov who is essentially Russia's Zuckerberg who is also authoritarian funded. Durov made VK (Russia's Facebook from same MailRU/DST Global funding) and then made their "secure" messenger. Brian Acton ran WhatsApp, bought by Zuckerberg, then made Signal a "secure" messenger. Similar story, same sketchiness even if Signal is less sketchy than Facebook/WhatsApp/Telegram. If someone from Facebook/Meta broke off now and created a "secure" messenger would you believe it and use it now? nah. You think the guys that build social media surveillance aren't just better at it with messengers, a big risk. Alarm bells should be going off if you have good opsec.
There are NO secure messaging apps, none, unless you wrote your own encryption and shared it with the third party and encrypted before sending outside of that system entirely. If you send an email, that had like PGP that would have worked for a while until the backdoor (Phil Zimmermann was in decades long cases related to this). But if you make your own encryption and are sending messages in the clear you will get visits so really only military/intel are allowed that. Spy/intel agencies do that all the time but they shroud the messages in content like in the Illegals Program.
There is a reason why these "secure" messengers all exploded in the 2010s...
If you think that there are any secure messengers, you are naive. There is always a way to get access to the input, side channel or through a temporary/targeted hole like how Russia/Saudis/MBS/Trump did with Bezos and WhatsApp. That is another area where these "secure" messengers are compromised, in targeted attacks or temporary holes which just happened recently where 1900 people were compromised and they were targeting 3 numbers in it. There is also the social hole where any member of that chat would also have copies.
> Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.
xyzone t1_j9x8ows wrote
Reply to comment by klumze in Even Hackers are reportedly getting Laid Off by Organized Crime Groups by TradingAllIn
> Imagine being upset you don’t get a big enough cut of someone else’s stolen money.
Sounds like Wall Street screaming against regulation.
StealyEyedSecMan t1_j9x8jv4 wrote
Reply to comment by StealyEyedSecMan in Amazon closes $3.9 billion deal to acquire One Medical | CNN Business by prehistoric_knight
Why the downvotes? This is directly pulled from economics definition...it's a statement of fact.
accidentallyonpurpo t1_j9x8fu7 wrote
Reply to comment by pucklermuskau in Google making ‘terrible mistake’ in blocking Canadian news: Trudeau by Defiant_Race_7544
Fast might have discovered the internet. Give him time, might also be young.
bpastore t1_j9x83vx wrote
I don't know Signal. I was sort of hoping that you 10,000% won't participate.
Not the level of devotion to privacy that I was hoping for but, I guess it'll do.
FriendlyDespot t1_j9xcpel wrote
Reply to comment by hodor137 in Signal CEO: We “1,000% won’t participate” in UK law to weaken encryption by ActivePersona
> I'm not sure how exactly Signal and these other messaging apps implement their encryption, but they could easily claim end to end encryption while offering governments a "back door" to decrypt and read everyone's messages.
You should have stopped at "I'm not sure how exactly Signal and these other messaging apps implement their encryption," because you go on to say something that's completely wrong. Signal can't decrypt anyone's messages. The devices that are talking to each other across Signal's infrastructure use local public and private keys that Signal as a company doesn't possess.
The most that Signal could do is make the Signal software take the cleartext messages after decryption and send them somewhere, but the Signal applications are open and auditable, and something like that would be discovered, and would mean the death of the company.