Recent comments in /f/YouCould

devtesla wrote (edited)

I want to clarify that I don't think the government has a way to read Signal messages. What I mean is, for all the reasons you state, mass-adopted E2EE is the start of security and not the end. It can honestly be a little dangerous because it creates a false sense of security, because all the ways to get around E2EE are more common than interception.

2

twovests OP wrote

Yep, this is always true and always possible.

I completely agree with this:

you still probably shouldn't talk about crimes you're gonna do on it because of all those other things that could go wrong


But I do want to contend with this statement:

It's a bit of security theater in the end.

I just disagree with this entirely.

Even if the NSA is sitting on a compromise of the Signal protocol, it probably won't be a complete break of the protocol, and it probably won't be something that can be applied widely.

Cryptographic protocols usually have ridiculous guarantees like "it would take all the computers a trillion years to crack this". I'd have to get into the current iteration of Signal's protocol to talk with concrete numbers here, but we usually start moving away from something when it gets weakened to "it would take all the computers a million years to crack one message".

The key assumption is the data is gathered now, and all the messages are gathered to be cracked with a future weakness. So, maybe in a decade, it would only take one supercomputer one decade to crack every message.

If I were to estimate a total guess of a distribution of scenarios, maybe the 99th percentile worst scenario is "in 10 years, any person's Signal chat logs will be able to be cracked by the NSA, but they can only crack one person's logs per day with their computational power." And if we still have to worry about today's fascist regime in 10 years, then we're just so fucked.

And even in the 99.999th percentile worst case scenario (the NSA today can read every Signal message at will, even without compromising key exchange), they would still need to (1) be collecting them during the short period they're stored (encrypted) on the servers and (2) they would only be able to burn this kind of thing once, ever. We're all paranoid freaks who are looking for whiffs of this shit all the time.

And I want to stress that this is a wild scenario I'm imagining. (And, as described, there are way easier ways to get your messages.) I think it's implausible to get a compromise that breaks Signal in two decades, even if we dedicated every tax dollar to getting people onto a pipeline to become cryptography PhDs. (I sincerely think it's way more likely for the AI bros to create the AI singularity god they keep talking about.)

What this means is, even in the worst case scenario, Signal is still protecting you from everyone who isn't the NSA. The LAPD requesting your chatlogs from Instagram, hackers reading all your SMS messages, or some guy who works at Telegram getting details from a gay furry porn group chat.

tldr: it's not security theater! even in the worst case scenario, e2ee messaging is good, and signal is still the best one.


To repeat, if the US government indeed has a compromise in Signal's E2EE, it's

  • Something so subtle that independent cryptographers have not yet found it in the protocol, and

  • It's something they can burn only once ever.

Generally speaking, the ways to get access to the chats (and the way we see it happening) are to:

  • Physically take the device,

  • Compel the vendor (Apple, Google, etc.) to sign a compromised version of the app (or compromised software update) for specific individuals,

    • (Note: Except for those who download the APK from Signal directly, Signal can't be compelled to do this, because of how the app store works.)
  • Remotely hack the target device itself,

  • Get into a group chat, or get an informant in with the target. (This is what's happening right now with right-wing influencers on X and the FBI),

  • Compromise key exchange. (AFAIK we've not seen this happen, but it's plausible. This is something impossible to solve for, short of either having quantum computers in our phones, or requiring every Signal user to meet in person first), or

  • Learn scary new facts about the laws of physics

2

devtesla wrote

Another benefit of Signal is that it's extremely pleasant to use, while every other app is increasingly a pain in the ass. That counts for a lot.

But yeah...

I'm a bit more suspect of Signal and E2EE in general. The initial funding for Signal, like Tor, came from the Open Technology Fund. At the time, communication that couldn't be intercepted by other governments aligned with American foreign policy interests. I think it's also true that when something is E2EE people will say things that they wouldn't on other lines, which means it can be intercepted in all the other ways that E2EE can break down. This gave advantage to America, which has the capability to hack devices and a history of spooks.

That doesn't mean I don't use Signal, it's super useful. But like, you still probably shouldn't talk about crimes you're gonna do on it because of all those other things that could go wrong. It's a bit of security theater in the end.

2

oolong OP wrote (edited)

think really hard about something you have no control over as it spirals into oblivion. consider all the possibilities you have no power over, especially as you do nothing to combat those thoughts. make a frowny face like :c while doing so. do not take an antacid once you start tasting stomach acid

edit: upon further research, you could actually be giving yourself heartburn. a stomach ulcer may require more steps

6