They may be sponsored by the US Government, or by cryptographers with ties to the government.

https://thebaffler.com/salvos/the-crypto-keepers-levine

It’s a long read, but it’s quite good. Here’s a snippet to whet your palate where he describes some of the prominent people behind these projects:

At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.

For context: I have become very interested in the debate amongst app users such as Telegram, Signal, Threema, etc… and I know that many people claim that Signal is the very best amongst all of them but there’s something really sketchy about its location (US based) and the fact that the government can for anyone to comply with their orders and forbid them from telling anyone about it via gag orders (see Durov’s comments on this: https://t.me/durov/59).

Both are fascinating reads, and certainly help me appreciate platforms like Telegram and Threema even more. Regarding Threema, today they posted a comparison between their app and the competition, and found this interesting tidbit regarding Signal:

https://threema.ch/en/blog/posts/messenger-comparison-2021

Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US company, Signal is also subject to the CLOUD Act, which entitles US authorities to access data from IT service providers that are based in the US.

Also: I just learned that FB spends millions of dollars every year on marketing and trying to influence people to not use platforms such as telegram.

  • ☆ Yσɠƚԋσʂ ☆@lemmygrad.ml
    link
    fedilink
    arrow-up
    3
    arrow-down
    2
    ·
    4 years ago

    The thing to remember is that cryptography is very tricky business, and even when an algorithm is sound on paper that does not guarantee that it’s implemented in a secure way. A famous example is when NSA “helped” develop the Diffie-Hellman cryptographic key exchange standard and introduced a vulnerability that nobody noticed for a very long time.

    Any standard that’s been developed in conjunction with US agencies should be considered compromised in my opinion.

  • freedomenjoyer@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Signal has not been able to provide the US gov with personal data as they only store the date of account creation and a signal ID number. Look at how signal handles these information requests right now.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      You’re totally right. Signal has demonstrated its full proof against US courts. But perhaps not against security agencies. Signal stores private keys in the cloud. Relying on SGX extensions to keep them from being trivially broken. Signal could be compromised, SGX could be compromised, something we don’t realize in that supply chain could be compromised. So it could just be a long-term honeypot. But if you’re a threat model does not include US security apparatus, you’re fine