

My lab doesn’t have a retro encabulator for that yet, unfortunately. 😮‍💨
Right??? Like oh my actual god, if a journalist could do this (it’s completely, categorically impossible), then every nation-state on Earth would use it to trivially eavesdrop.
It’s crazy how much Adam has grown since he left BuzzFeed.
I knew who this was going to be before I even clicked, and I highly suggest you ignore her. She speaks well outside of fields she has any knowledge about (she’s a physicist but routinely extrapolates that to other fields in ways that aren’t substantiated) and is constantly spreading FUD about academia because it drives clicks. She essentially hyper-amplifies real problems present in academia in a way that basically tells the public not to trust science.
Hot take: this behavior should get you blacklisted from contributing to any peer-reviewed journal for life. That’s repugnant.
I think the description of vulnerability is subjective in this case.
No, it really isn’t. The Signal protocol enables E2EE, meaning you don’t have to worry about the server infra (that is, even if you don’t buy that they’re using the FOSS server code they say they are, it’s irrelevant). The Signal protocol is open and has been examined forwards and backwards over and over by security researchers around the world. I can’t emphasize how many eyes are on this protocol because of how prolifically used it is, including by government officials worldwide. The app is FOSS, and like the protocol, it has a ton of eyes on it for the same reason. The app is a reproducible build, meaning that if Signal baited you with a fake app, it would be found out immediately.
It could be that Signal is inherently more vulnerable than official channels, as Signal is a private corporation that has no motivation to disclose any failures in their security.
They’re a corporation, sure, but in the sense that they’re a 501(c)(3), not a for-profit. Signal would have every incentive to disclose a failure in “their security” (where here that means their app or the protocol; again, what’s happening on the servers literally, provably, mathematically doesn’t matter). For a privacy org like this, it’s in their best interest to immediately report any problems that might compromise privacy.
I don’t think the article is trying to blame Signal in any way, it’s just not the proper communication channel
Agreed. But here, I agree it’s not the proper channel 1) because it’s on their personal devices, which the person you’re responding to clearly stated, and 2) a Signal chat (likely intentionally on their part) bypasses crucial record-keeping laws. A known vuln, for example, is if someone has access to your phone, they can link their own personal device and read your messages as they come up. But again, that requires access to your phone, which becomes problematic if and only if you’re using your own personal device rather than a secure government one.
and thus utilizing it is an inherent vulnerability no matter how secure their encryption may be.
No. Again, that’s not an inherent vulnerability. Using it on their personal devices is, but unless you can come up with a vulnerability in the app itself or the protocol itself, then you’re just agreeing with the person you’re replying to.
Do you see anything wrong with it security-wise? The wording of your previous comment has me confused where you fall on this.
Matrix is a compromise, it’s not as much about security as it is about just modern FOSS chat.
Pray tell. Granted again that Element doesn’t yet support forward secrecy, but describe what you see as specifically wrong with Matrix, please.
EDIT: To be 1000% clear, they should not be using personal cell phones for this, which they probably did because everyone in this admin is braindead gutter trash. I’m suggesting that self-hosted Signal over government servers is probably fine for security with potentially some tweaks to the app. Something I neglected to think of however is that this sidesteps record keeping, and probably deliberately so. My contention here was solely about security, but this fact makes Signal use unconscionable in my book because it impedes accountability.
Okay, let’s just be clear here: Signal isn’t just another “private app”; the amount of information they have about your communications is zero (0) with the exception that I believe they can see if you have an account and the last time you connected to the server. Governments absolutely do rely on Signal. The Signal protocol is open and highly robust, the app code is FOSS and has eyes from a shitload of security researchers globally due to its importance, its server code is FOSS (although you don’t have to trust this due to the robust E2EE, and you can even self-host IIRC due to the FOSS server code), and it has reproducible builds.
This fuck-up was strictly due to the fact that they’re incompetent morons just randomly inviting people to group chats and shit with no guardrails. If I had to guess, they’d probably want to self-host then fork the Signal app and make it so that you can only invite people with some form of clearance, but this last thing is total speculation on my part. I’m sure there’s some way to sanely do this. The part about Signal being secure is just objectively true; it’s audited like absolute crazy, both the FOSS app and the protocol. I would trust it more than whatever the US government could homebrew, even.
If you, as a citizen, are looking for secure, private messaging, Signal should be at the very top of your list of possible candidates alongside Matrix, SimpleX, and Session (keep in mind that Element and Session do not yet support forward secrecy, although the Matrix protocol does).
What role? Clinton works at Columbia now. It’s a matter of fact nonetheless that former officials are often called back to discuss things they have special knowledge of, let alone a Secretary of State of eight years. Would that be used now? No, because Donald Trump is a petulant fucking moron who does whatever braindead, evil, impulsive shit he wants. Would it if we had a competent president? Almost certainly, yes. I’m aware of the principle of least privilege; it does not apply here. It’s especially useful to have in a time of crisis because procedures still need to be followed, and getting clearance takes time. If you need that information right now but their clearance is revoked, you’re screwed.
Donald Trump being an absolute moron and refusing to ever use her expertise isn’t a valid reason to revoke her clearance.
Hillary Clinton was Secretary of State for eight years and has plenty of reason to have a security clearance for her advice. Lumping her in with Trump (let alone saying that Biden and Harris who were just P and VP mere months ago shouldn’t have clearance) is an absolute dogshit take.
Removed by mod