@janet_catcus #XMPP+#PGP may be a good option if you don't want to deal with half a dozen #OMEMO keys...

@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.

If #Signal was secure it would be the #1 comms tool of organized crime...

• Yet I've only seen #TechIlliterates shill it.

Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.

• Again: Demanding #PII like #PhoneNumbers and shilling a #Shitcoin-#Scam (#MobileCoin) makes Signal literally untrustworthy and if it doesn't for you then maybe your standards are just too low...

It's just me reading the room: Cuz #ComSec isn't done woth "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.

• The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.

Fortunatelty, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.

• So rather than vomiting insults against my intellect in my mentions, go to the next @cryptoparty@mastodon.earth / #Cryptoparty / @cryptoparty@chaos.social and lend a hand.

@crazy_pony when @signalapp isn't being run as a #VCMoneyBurningParty and they take #InfoSec, #OpSec, #ComSec & #ITsec serious and stop shilling the #Shitcoin #Scams that is #MobileCoin!

For everyone else, there's #XMPP+#OMEMO (see @monocles / #monoclesChat) & #PGO/MIME (see @delta / #deltaChat)…

@walkinglampshade @jrredho @fj It's basic #InfoSec, really:

• @signalapp has no "#LegitimateInterest" to demand #PII like a #PhoneNumber and they use and abuse that to restrict functionality of their App (it doesn't matter that they merely claim "comply with #sanctions" [their #MobileCoin #Shitcoin #Scam disqalifies them even more!] because they have the tech to distinguish and discriminate users)...

Thus #Signal fails at protevting #Journalists and theor sources because they do have that data and can be #subopena'd for it if they don't already provide #BulkSurveillance & #LawfulInterception #API|s to comply with #CloudAct. (Or are you guys so naive and believe @Mer__edith will risk dying of old age in jail for non-paying users?)

• This entire "thread vector" just doesn't exist with #XMPP+#OMEMO nor #PGP/MIME!

And if you believe "this won't ne used/abused me because I'm from 'Murica!" and point at #ANØM as an example, then you really ignored all tze #Cyberfacism since 9/11…

@froge @fj I'm not replacing @signalapp with "random tools" but good options.

Like @delta & @thunderbird as well as @monocles / #monoclesChat & @gajim which work flawlessly over @torproject / #Tor using @tails / @tails_live / #Tails and @guardianproject / #Orbot respectably.

• Also these allow not only #SelfHosting but just work and I'd highly recommend #monocles as a hoster which finances iself by users paying and allows #anonymous accoubts & payments including not just #Monero but also #CashByMail!

Considering the costs of even acquiring and upkeeping an #anonymous #SIM, I'd rather pay €2 p.m. for #XMPP+#OMEMO and #PGP/MIME-supported #eMail with the option of self-custody than $2,50+ p.m. just to keep a phone number.

• Plus I don't run around with a #tracking device that could be used to #deanonymize me any second...

Or is anyone here expecting @Mer__edith to risk jail for life amd not comply with #CloudAct?

• If #Signal was as secure as advertised, it would've been shutdown like #EncroChat and #SkyECC!

It stenches like #ANØM, because NOTHING IS FOR FREE and running a #VCmoneyBurningParty is expensive...

@fj I still think @signalapp has fundamental flaws like demanding #PII (#PhoneNumbers can't be obtained anonymously around the globe and are trivial to track down to devices and thus users), being subject to #CloudAct as an unnecessary & 100% avoidable risk as well as #Shitcoin-#Scam shilling (#MobileCoin) and it's #proprietary, #SingleVendor & #SingleProvider nature that makes it inferior to real #E2EE with #SelfCustody like #PGP/MIME & #XMPP+#OMEMO!

@nemo #XMPP+#OMEMO w/ self-custody of all the keys.

@osman If your #OpSec, #InfoSec, #ComSec and/or #ITsec relies on @signalapp and/or @Mer__edith risking jail or worse, you fucked up!

• If #Signal was secure, it would've been shutdown like #EncroChat & #SkyECC.

Seriously, to me #Signal stenches #Honeypot like #ANØM & #CryptoAG.

• All Signal fans do is #FUD #PGP/MIME and#XMPP+#OMEMO which are truly #decentralized and allow real #SelfHosting as well as #SelfCustody for complete control of all the data and keys...

That's why I get people setup with it!

@700Sachen @Bingenberger @groso dann doch lieber auf #XMPP+#OMEMO über #Tor migrieren, weil da funzen Sprachnachrichten nicht statt #NSAbook mit extea #Stimmdaten zu füttern.die dank #CloudAct US-Regierungseigentum werden und/oder dann für #Deepfakes genutzt werden können.

• Glaubste nicht? Lies die AGBs!

https://infosec.space/@kkarhan/114212474481198096

@ip6li @heiseonline @briar und natürlich #XMPP+#OMEMO sowie #PGP/MIME.

IMHO ist @signalapp eh nen #Honeypot!

@ckrypto if@signalapp@mastodon.world wasn't complying with #CloudAct, @Mer__edith would be in jail.

Not to mention even if Signal keeps their "#OpenSource" code updated - which is doubtful, NOONE can actually #verify that it's the code you actually use - regardless if #backend / #Server or #client / #App!

• #Signal is as secure as #ANØM, otherwise it would've been shutdown ages ago.

Also if Signal was designed for #security, it would've been #decentralized as #XMPP+#OMEMO and not demand #PII like #PhoneNumbers which oftentimes cannot be obtained anonymously in many juristictions at all!

• Only #MultiVendor & #MultiProvider standards can be secure, regardless if OMEMO or #PGP/MIME.

By comparison, @delta doesn't require any PII, only an #eMail account, and @monocles isn't a #VCmoneyBurningParty but sustainable due to #subscription and they don't even require any personal details for #payment: #CashByMail and #Monero are accepted.

• Not to mention neither #DeltaChat nor #monoclesChat are pandering #Shitcoin #Scams like #MobileCoin that don't work even for #TechLiterate #CryptoBros!

Again: It's Signal alone who have to evidence they are trustworthy, and all I get are "#TrustMeBro!" replies, which means they are not to be trusted.

• Not to mention, it's just not sustainable to run a #service without #revenue, even if it's run entirely by unpaid volunteers and gets all it's #hosting and #costs donated, someone has to pay for expenses due to #abuse of a service (which is an inevitability come mass adoption)...

Whereas with #XMPP I can completely setup my own server and client, even build my own if I don't trust anyone else and pay someone to audit the code.

• Signal as a #centralized, #SingleVendor & #SingleProvider service is inevitable vulnerable to #RubberhoseCryptoanalysis, and #Meredith will break if not doing so means jail for life until she does!

Whereas with XMPP & PGP/MIME #eMail I can layer @torproject / #Tor over it, make it an #OnionService and keep that thing under my bed with a literal killswitch...

@FediThing @nicoco @fabiscafe @vkc nodds in agreement

"Perfect" would be #OneTimePad, but that's just not in the cards - period!

#XMPP+#OMEMO & #PGP/MIME are the next-best options that are documented, multi-vendor & multi-provider standardsband offer #SelfCustody of all the keys.

https://infosec.space/@kkarhan/114177752291377549

@Sturmflut @fabiscafe @vkc

Or to put it more on the nose: You can be certain that i.e. @Mer__edith of @signalapp will talk cuz she can't pull the 5th on behalf of a user and won't go to jail for any of them.

Whereas if i.e. @monocles (or any #XMPP provider) got sent an order (and just like #Signal they'd comply if done so duely through legal channels, which is way harder in #Germany than the #USA cuz #GDPR & #BDSG & #LawfulInterception being way stricter than #CloudAct), if users used #OMEMO or #PGP/MIME, they (or any other provider) literally can't decrypt even when held at gunpoint, because asymetric public-private cryptography was literally designed to not be breakable unless someone managed to MITM comms from the first contact and any verification.

• Which is unlikely to impossible unless one's able to literally isolate and manipulate all comms and means to communicate of at least one party, at which point they'd already have warrants to search everything and don't even bother to try MITMing comms but instead kick in doors.

But that's a totally different subject of #OpSec & #InfoSec, not #ComSec & #ITsec on it's own...

@vkc nodds in agreement

The only safe comms are real #E2EE as in #XMPP+#OMEMO or #PGP/MIME with #SelfCustody of all the keys!

@aei @nicoco personally, I just stick with native #XMPP+#OMEMO because like public #eMail #relay servers most of these #gateways do get blocked once russian skiddies abude them to spam their garbage around.

• Ask me how I know!

@aei I only have one: @monocles / #monoclesChat (okay, two: @gajim / #Gajim on #Desktop) for #XMPP+#OMEMO!