@adisonverlice I think that's dangerous disinfo as @torproject actively works against attempts to fingerprint and track #Tor users.

• I do consider Tor more private than any #VPN simply becaise they can neither ban users nor identify them.

In fact, Tor has been designed with the explicit goal to circumvent #Firewalls and #InternetCensorship methods like #DeepApcketInspection.

• Which is why #OnionShare by @micahflee works so great!

As a matter of principle I'd never vouch for any #centralized, #SingleVendor and/or #SingleProvider solution of any kind, including #Session.

• Tor is sufficiently decentralized in that it is not only completely #OpenSource but has proven to not have SPOFs in the form of maintainers and is able to yeet proplematic folks (unlike #WikiLeaks!)…

@adisonverlice it's not just re: #Governments (tho #Project2025 explicitly endorses unsactioned comms to twart attempts at #FIOA or any #accountability for that matter), but individuals or any organization:

• If a system is #centralized as in #SingleVendor and/or #SingleProvider, it's inherently vulnerable.

And if #EncroChat got pwned, who's gonna guarantee @signalapp won't if it's actually secure or isn't an #InsideJob like #ANØM.

After all, both #Signal's Organization and key people like @Mer__edith are known to the authorities by more than just their legal name.

• What's gonna prevent #Trump from doing a "bag&drag" on her or getting his goons to put a gun on,the developers' heads and force them to,#d0x all users and #backdoor everything (if they didn't already got forced to have some "#LafwulInterception" gear in a closet like #Room641A...

After all, Signal can't pull the 5th and refuse to comply!

@bob_zim yeah. Seen it. in the writeup by @micahflee ...

I just hope to find any that ain't #NetLock'd / #SimLock'd to #Verizon and that these support more than #US-#LTE bands...

• Not shure if it needs a valid #SIM or just an #ICCID + #Ki on a #SIM to get going (cuz in #Germany it's hard [imported #SIM] to illegal [domestic SIMs] to get an anonymous SIM since 07/2017.

I just wish @eff wouldn't expect everyone to use #centralized, #SingleVendor & #SingleProvider services like @signalapp in the age of #CloudAct, cuz neither I nor anyone I'd trust would submit #PII to them like a #PhoneNumer as a matter of principle!

@signalapp no it's not.

• Otherwise #OrganizedCrime would choose #Signal so hard, you'd be shutdown within weeks by the #FBI and @Mer__edith would be forced to "pull a #LavaBit" and face jailtime for obstruction of justice or snitch on users!

Being a #centralized, #SingleVendor & #SingleProvider solution subject to #CloudAct makes you inherently vulnerable by your own choice and thus trivial to shutdown compared to real #E2EE with #SelfCustody of all the keys and true #decentralization as well as #SelfHosting (i.e. #PGP/MIME [see @delta / #deltaChat et. al.] and #XMPP+#OMEMO [see @monocles / #monoclesChat et. al.]!)

• Plus neither of those shill #Shitcoin-#Scams like #MobileCoin!

And don't even get me started on you collecting #PII (espechally #PhoneNumbers) for no valid reason, (thus violating #GDPR & #BDSG)...

• Not to mention relying ob #charity and being a #VCmoneyBurningParty isn't sustainable to begin with!

But yeah, I'll be patient to shout "#ToldYaSo" to your annoying cult of fanboys!

@signalapp It's not #disinfo when one points out that you demand #PII aka. #PhoneNumbers from Users and that is literally a architectural vulnerability, alongside your #proprietary & #Centralized #Infrastructure.

• #Signal being a #SingleVendor & #SingleProvider #Solution is literally the reason why I consider it #insecure.

Not to mention the lack of @torproject / #Tor support with an #OnionService or the willingness to fulfill #cyberfacist "Embargoes" or shilling a #Shitcoin #Scam named #MobileCoin!

• #KYC is the illicit activity!!!

And don't get me started on the #cyberfacism that is #CloudAct.

• If you were secure, criminals would've used your platform so hard, it would've been shutdown like #EncroChat and #SkyECC.

I may nit have allvthe.evidence yet, but #Signal stenches like #ANØM: #Honeypot-esque!

@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used.to track users down!

• If #Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...

@ueeu I think crucial parts is looking at it's components, dependencies, size and for apps permissions.

• Also make shure it uses #OpenStandards, because #OpenSource can be just a "smoke grenade" when it's a #centralized, #proprietary, #SingleVendor & #SingleProvider solution.

#ReproduceableBuilds for example are important, so the actually released source code is what people actually get served as basis.

• Both of the latter points are something that @monocles / #monoclesChat does perfectly and that @signalapp completely fails at!

Plus in terms of #security, choose *real #E2EE with #SelfCustody of all the #Keys!

@petersuber except @signalapp is #commervial as in #VVmoneyBurningParty, #centralized, #proprietary, #SingleVendor & #SingleProvider!

• It really is that simple...

@bdf2121cc3334b35b6ecda66e471 @froge @fj maybe but it's better than a #proprietary, #SingleBendor & #SingleProvider solutiom as it just works even on #throttled, sub-#2G speeds over #Tor...

• And you get real #E2EE with #SelfCustody of all the Keys!https://infosec.space/@kkarhan/114223266562515116

@fj I still think @signalapp has fundamental flaws like demanding #PII (#PhoneNumbers can't be obtained anonymously around the globe and are trivial to track down to devices and thus users), being subject to #CloudAct as an unnecessary & 100% avoidable risk as well as #Shitcoin-#Scam shilling (#MobileCoin) and it's #proprietary, #SingleVendor & #SingleProvider nature that makes it inferior to real #E2EE with #SelfCustody like #PGP/MIME & #XMPP+#OMEMO!

@licho @osman provide evidence the code @signalapp released is actually being deployed.

• Whereas @monocles has #ReproducibleBuilds to the point that @fdroidorg literally pulls their git and builds it from source.

Not to mention pushing a #Shitcoin-#Scam (#MobileCoin) disqualifies #Signal per very design!
https://www.youtube.com/watch?v=tJoO2uWrX1M

• Given the collection of #PII like #PhoneNumbers, the ability to restrict functionality based off those and the fact that #Signal is subject to #CloudAct make it inherently not trustworthy.

And don't even get me started on the fact.it's not sustainable to run it as a #VCmoneyBurningParty!

• As soon as Signal becomes a problem, it will be taken offline, and due to the fact that it is #centralized, #proprietary, #SingleVendor & #SingleProvider that's trivial for authorities.

Same as identifying users: They already got a #PhoneNumber which in many juristictions one can't even obtain without #ID legally, thus making it super easy to i.e. find and locate a user. Even tze cheapest LEAs can force their local M(V)NOs to #SS7 a specific number...

• All these are unnecessary risks, that could've been avoided, but explicitly don't even get remediated retroactively!

Again: Signal has a #Honeypot stench, and you better learn proper #E2EE, #SelfCustody and #TechLiteracy because corporations can't pull the 5th [Amendment] on your behalf!

@encthenet granted, I'd be wary given the fact that @signalapp is a #proprietary, #centralized, #SingleVendor & #SingleProvider solution.

• Tho you are correct in that this entire fuckup should not have been possible to begin with, but the "Chief Moron" decided to not obey existing rules!

@Catwoman69y2k @dragonfriend most importantly:

Only with #SelfCustody of all the keys, #SelfHosting of the entire infrastructure and everything being #OpenSource, one can assure (and [let it be] audit[ed] independently) that the #advertised #promises are in fact true.

• All #centralized, #SingleVendor and/or #SingleProvider solutions - and yes that includes @signalapp as well (!!!) - are inherently insecure because they can be forced into "cooperation" - may it be with #Cyberfacism like #CloudAct or listeally a gun to their head...

Cuz not expecting @Mer__edith to break is the same level of "#TrustMeBro!" assurances as #ANØM, #EncroChat, #SkyECC, #WhatsApp etc. do in their #advetising #lies!

• Remember: Corporations/Foundations/non-profits/... don't have a right to be silent , only individuals, and even then there are certain juristictions that have #KeyEscrow laws (i.e. #France, #Russia, #KSA, #China, #India, #UK , ...) in the books!

@ckrypto if@signalapp@mastodon.world wasn't complying with #CloudAct, @Mer__edith would be in jail.

Not to mention even if Signal keeps their "#OpenSource" code updated - which is doubtful, NOONE can actually #verify that it's the code you actually use - regardless if #backend / #Server or #client / #App!

• #Signal is as secure as #ANØM, otherwise it would've been shutdown ages ago.

Also if Signal was designed for #security, it would've been #decentralized as #XMPP+#OMEMO and not demand #PII like #PhoneNumbers which oftentimes cannot be obtained anonymously in many juristictions at all!

• Only #MultiVendor & #MultiProvider standards can be secure, regardless if OMEMO or #PGP/MIME.

By comparison, @delta doesn't require any PII, only an #eMail account, and @monocles isn't a #VCmoneyBurningParty but sustainable due to #subscription and they don't even require any personal details for #payment: #CashByMail and #Monero are accepted.

• Not to mention neither #DeltaChat nor #monoclesChat are pandering #Shitcoin #Scams like #MobileCoin that don't work even for #TechLiterate #CryptoBros!

Again: It's Signal alone who have to evidence they are trustworthy, and all I get are "#TrustMeBro!" replies, which means they are not to be trusted.

• Not to mention, it's just not sustainable to run a #service without #revenue, even if it's run entirely by unpaid volunteers and gets all it's #hosting and #costs donated, someone has to pay for expenses due to #abuse of a service (which is an inevitability come mass adoption)...

Whereas with #XMPP I can completely setup my own server and client, even build my own if I don't trust anyone else and pay someone to audit the code.

• Signal as a #centralized, #SingleVendor & #SingleProvider service is inevitable vulnerable to #RubberhoseCryptoanalysis, and #Meredith will break if not doing so means jail for life until she does!

Whereas with XMPP & PGP/MIME #eMail I can layer @torproject / #Tor over it, make it an #OnionService and keep that thing under my bed with a literal killswitch...

@colinstu except #discord is worse than #IRC in every possible way...

• Simply because it's a shitty #SaaS that is #proprietary, #centralized & #SingleVendor / #SingleProvider!

At least IRC allows for #SelfHosting and way more granular control...

@htwj @Mer__edith yeah, traded one #proproetary, #centralized #SingleVendor & #SingleProvider solution for another.

• Consider #XMPP+#OMEMO (i.e. @monocles / #monoclesChat) and #PGP/MIME (i.e. @delta / #deltaChat) instead...

@pixelschubsi @dalias @puppygirlhornypost2 that doesn't change the inherent issues of @signalapp being #centralized, #SingleVendor & #SingleProvider compared to #XMPP+#OMEMO as in @monocles / #monoclesChat & @gajim / #gajim.

Or des anyone expect #Signal and it's staff to actually resist?

• Cuz I don't!https://infosec.space/@kkarhan/113999563684987571