EDIT: To be 1000% clear, they should not be using personal cell phones for this, which they probably did because everyone in this admin is braindead gutter trash. I’m suggesting that self-hosted Signal over government servers is probably fine for security with potentially some tweaks to the app. Something I neglected to think of however is that this sidesteps record keeping, and probably deliberately so. My contention here was solely about security, but this fact makes Signal use unconscionable in my book because it impedes accountability.
Okay, let’s just be clear here: Signal isn’t just another “private app”; the amount of information they have about your communications is zero (0) with the exception that I believe they can see if you have an account and the last time you connected to the server. Governments absolutely do rely on Signal. The Signal protocol is open and highly robust, the app code is FOSS and has eyes from a shitload of security researchers globally due to its importance, its server code is FOSS (although you don’t have to trust this due to the robust E2EE, and you can even self-host IIRC due to the FOSS server code), and it has reproducible builds.
This fuck-up was strictly due to the fact that they’re incompetent morons just randomly inviting people to group chats and shit with no guardrails. If I had to guess, they’d probably want to self-host and fork the Signal app and make it so that you can only invite people with some form of clearance, but this last thing is total speculation on my part. I’m sure there’s some way to sanely do this. The part about Signal being secure is just objectively true; it’s audited like absolute crazy, both the FOSS app and the protocol. I would trust it more than whatever the US government could homebrew, even.
If you, as a citizen, are looking for secure, private messaging, Signal should be at the very top of your list of possible candidates alongside Matrix, SimpleX, and Session (keep in mind that Element and Session do not yet support forward secrecy, although the Matrix protocol does).
Let’s also be clear: Signal, regardless of their encryption standards, is not an approved system for any kind of classified information. Leaks of this nature have the potential to cost people’s lives. Every single person in that group chat would have known this. Many of them have original classification authority.
Further, not only was the platform not approved for the information, the messages were set to disappear after some time. This is a violation of government record keeping laws and FOIA standards. This wasn’t an oopsie.
The mere fact it was possible to invite a random journalist to the chat is ridiculous. That shouldn’t be an option in a secure environment.
I mean we put a Fox News anchor in charge, and if he’s even half as dumb as he looks, well, that’s pretty fucking dumb. I doubt he understands, or if he does, he doesn’t care. Just shameful. But hey, at least the libs are getting owned.
No.
These fuckwits were handling classified and top secret information in the open on their cell phones.
It doesn’t matter what specific app they used. This is not about the technology. You missed the point.
This is the same team of geniuses that kept classified files, some of which were mysteriously emptied of their contents, in the unlocked bedroom and bathroom of a members-only club in Florida, near the swimming pool whose water mysteriously destroyed all the surveillance video just when the FBI were about to look at it.
Not to mention that, in this case, the phone network was known to be hacked and infiltrated by adversaries.
https://en.m.wikipedia.org/wiki/Salt_Typhoon
This hack included the phone of JD Vance, who was part of this chat group.
https://www.nytimes.com/2024/10/25/us/politics/trump-vance-hack.html
These people’s phones shouldn’t be considered any more secure than a public bathroom.
There have been a few articles recently about Session’s authors starting with the Signal protocol and then continuing without a clear understanding of what they were doing, and thus that Session shouldn’t be used.
Matrix is a compromise; it’s not as much about security as it is about just modern FOSS chat.
Pray tell. Granted again that Element doesn’t yet support forward secrecy, but describe what you see as specifically wrong with Matrix, please.
Federated, with a huge load on servers. I’d prefer something like old Skype, with the auth server parts interacting via ActivityPub or something like that.
Do you see anything wrong with it security-wise? The wording of your previous comment has me confused where you fall on this.
Just that I haven’t heard of it being as praised as Signal, and since it appears to be intended for chat rooms more than for privacy, there’s natural suspicion that something is missed there.
The clowns in this administration, sure. But the NSA knows what they’re doing when it comes to cryptography.