Post AtnQOwp7E7fafTG5c8 by SpaceLifeForm@infosec.exchange
 (DIR) Post #AtnQFdZDS76mL4NkDw by jwildeboer@social.wildeboer.net
       2025-05-05T15:44:48Z
       
       0 likes, 1 repeats
       
       So now that the TM SGNL #Signal story is out, I do have some questions for the Signal foundation. (a short thread)
       Your app allows users to independently verify the identity of other users with the verification code system.
       - Will you extend this to verifying the app (version)? So that we users can see what version of Signal or a 3rd party app we are exchanging messages with?
       - Were you aware of TM SGNL and their implementation of sending chats and attachments to a 3rd party?
       1/4
       
 (DIR) Post #AtnQFlwCKYFGIfCD9k by jwildeboer@social.wildeboer.net
       2025-05-05T15:47:48Z
       
       0 likes, 1 repeats
       
       - Was there a contract or agreement between you and government authorities on accepting TM SGNL on the network?
       - Was there a contract or agreement between you and TeleMessage on accepting TM SGNL on the network?
       - Are there more such contracts/agreements with governments/companies for other Signal derivatives?
       - What process do you have to certify such 3rd party apps?
       - Can you exclude such apps from the network? If yes, have you done this in the past and now with TeleMessage?
       2/4
       
 (DIR) Post #AtnQFu1SGtChNHiWSe by jwildeboer@social.wildeboer.net
       2025-05-05T15:49:18Z
       
       0 likes, 1 repeats
       
       I ask these tough questions out of my huge respect for Signal and the foundation. I want you to thrive and grow. And that is why I think transparency and honesty is key here. I am looking forward to your public statement that hopefully answers my questions.
       Yours, jan
       cc @Mer__edith @signalapp FYI (For Your Interest) and attention
       3/4
       
 (DIR) Post #AtnQG2On80clLyhGwi by jwildeboer@social.wildeboer.net
       2025-05-05T16:02:59Z
       
       0 likes, 1 repeats
       
       More context:
       - https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
       - https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/
       - https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
       - https://sciop.net/datasets/tm-signal
       And my various posts/threads starting last Friday.
       4/4
       
 (DIR) Post #AtnQKFrB2BPaFaz7vU by maikek@fedifreu.de
       2025-05-05T17:16:45Z
       
       0 likes, 1 repeats
       
       @jwildeboer Are we saying here that Signal should prohibit use of any other than their "official" app to be safe?
       
 (DIR) Post #AtnQKZMiV8vikut5E0 by jwildeboer@social.wildeboer.net
       2025-05-05T17:20:16Z
       
       0 likes, 1 repeats
       
       @maikek No, not at all. But that users should know they are interacting with an app that is not the official app so they can check if they are OK with that.
       
 (DIR) Post #AtnQLDqtyKqIK7JkpM by maikek@fedifreu.de
       2025-05-05T17:37:26Z
       
       0 likes, 1 repeats
       
       @jwildeboer My point is that I would like to have more 3rd party and preferably open source apps. Signal does not support or even allow this as far as I know.
       
 (DIR) Post #AtnQLVmFKNoVutHI4O by jwildeboer@social.wildeboer.net
       2025-05-05T17:38:56Z
       
       0 likes, 1 repeats
       
       @maikek It obviously did with the TM SGNL app, that's my point.
       
 (DIR) Post #AtnQLoISTMH9M0UGmG by maikek@fedifreu.de
       2025-05-05T17:55:07Z
       
       0 likes, 1 repeats
       
       @jwildeboer It does or did with my sailfish app too. Login and verification are on signal server though, that should not depend on the app in use?
       
 (DIR) Post #AtnQMJz4exmfd9fF0S by jwildeboer@social.wildeboer.net
       2025-05-05T18:07:53Z
       
       0 likes, 1 repeats
       
       @maikek I am really not sure what’s so difficult in understanding my simple proposal to Signal to add a feature that tells me that you are using the sailfish version or the TM SGNL version when we chat. So that I can decide if I’m ok with that.
       
 (DIR) Post #AtnQNDPYaCeDXDTfQ8 by maikek@fedifreu.de
       2025-05-05T18:22:48Z
       
       0 likes, 1 repeats
       
       @jwildeboer I just do not understand why this would make a difference in security ...
       
 (DIR) Post #AtnQNcEmHPscX1cuae by der_mit_ph@toot.berlin
       2025-05-05T18:29:51Z
       
       0 likes, 1 repeats
       
       @maikek @jwildeboer Because if your app archives my chats with you in an insecure way, then my security is somewhat compromised. Not saying yours or Telemetric’s signal version does, but …
       
 (DIR) Post #AtnQO0qAo23MpxJ7D6 by jwildeboer@social.wildeboer.net
       2025-05-05T18:33:36Z
       
       0 likes, 1 repeats
       
       @der_mit_ph @maikek If you use TMSGNL, the TeleMessage Signal version copies everything I send to you to a TeleMessage server (which gets my messages unencrypted) and sends them on to a 3rd party like gmail.
       
 (DIR) Post #AtnQOfb1HHIFEpX5ma by SpaceLifeForm@infosec.exchange
       2025-05-05T19:07:48Z
       
       0 likes, 1 repeats
       
       @jwildeboer @der_mit_ph @maikek Security is Hard
       Most people do not understand how difficult it is to do properly. It takes effort, people are lazy, and just want something that 'just works'. They do not realize that it is a false sense of security.
       If you can not trust the endpoint, even if the app says it is secure on the tin, it is still security theatre.
       #Opsec #Encryption
       
 (DIR) Post #AtnQOwp7E7fafTG5c8 by SpaceLifeForm@infosec.exchange
       2025-05-05T18:57:19Z
       
       0 likes, 1 repeats
       
       @maikek @jwildeboer It is about the endpoint security.
       Can you trust the app not to leak?
       
 (DIR) Post #Atp3nOy2KZNSH72hlo by maikek@fedifreu.de
       2025-05-05T18:42:57Z
       
       0 likes, 0 repeats
       
       @der_mit_ph ok, that's something I understand. This does not lie within signal's responsibility any more. So if I follow this through, it has to be the one and only signal app, bc you will never be able to check all apps and their behavior in advance ...
       
 (DIR) Post #Atp3nQ9luQMHxnXahU by tomjennings@tldr.nettime.org
       2025-05-06T16:21:06Z
       
       0 likes, 0 repeats
       
       @maikek The questions are about adding information which you might use in your decision making. It is not about adding certainty. There is no certainty and that is a false goal and impossible. Adding information (e.g. which app is mine talking to) might make you feel less secure since it added ambiguity; but that ambiguity is already there, now! You just are less aware of it! And ignorance is not security. @der_mit_ph