undefined | Better HN

0 pointskuschku9y ago0 comments

Well, either the threat is a private group, then WhatsApp or even Google Hangouts is secure enough.

Or the threat is a government, then Signal is not secure enough either, because the US govt can just force Google and OWS to ship modified APKs.

0 comments

ajamesm9y ago

conflating the specific binary instantiation with the general cryptosystem. Regardless, depending on your threat model, you can take increasingly { reasonable | paranoid } precautions like manually compiling and loading Signal, as it's OSS.

edit: "private group" can encompass a lot, especially in other ecosystems like Google and FB. If said "private group" adversary is, say, a prominent and wealthy Silicon Valley businessman and enterprising vampire who collaborates with fascists, then you can see the potential of compromising someone's security by coercing Google or Facebook engineers to run you a Hadoop query or conditionally inject malicious JS.

kuschkuOP9y ago

> like manually compiling and loading Signal, as it's OSS.

Except, I’d have to modify the code, as the current version depends on Google’s proprietary libs, which I can’t inspect. And I lose half of the functionality, as RedPhone is also proprietary.

> by coercing Google or Facebook engineers to run you a Hadoop query or conditionally inject malicious JS.

The same can be done by coercing OWS engineers to backdoor their services.

And in any case, Signal can start collecting metadata any minute now, and there’s nothing we could do against it.

temprature9y ago

> And I lose half of the functionality, as RedPhone is also proprietary.

The source code for the Redphone client is here: https://github.com/WhisperSystems/Signal-Android/tree/master...

The source code the redphone-audio library is here: https://github.com/WhisperSystems/Signal-Android/tree/master...

Stop spreading misinformation.

1 more reply

j / k navigate · click thread line to collapse