> Is that trust in Signal justified? It suggests members at the highest security clearances believe Signal is not compromised. Are they correct? In any case, clearly there are more ways to fail opsec than backdoors.
Once upon a time, I was visited very forcefully by the FBI at 0600. They used a battering ram to gain access to my domicile.
During the "interview" that took place later that morning, they requested some information from me. I told them that the information was contained in Signal conversations between two recipients, and the messages in question have "disappearing messages" turned on. tldr; the messages are no longer available.
Relevant parts of conversation that followed:
me: "Do you have signal?"
agent: "I have it on my phone if that's what you mean."
me: "No, do you HAVE it - as in, do you have access to messages sent between other parties?"
agent: "If we do, I am unaware of it, and we certainly don't 'have it' with regard to this matter."
Take that for what it's worth.... my takeaway was that they(the FBI at least) have not compromised Signal. This was late in 2019 for context.
The other takeaway...be careful who you trust. That all happened because I trusted someone I shouldn't have.
I think there is likely a difference between what the FBI does to someone they want info pretty badly from vs what <insert state actor> does to someone that they have determined is a keystone to one of their national adversaries.
If they did have some kind of collection capability around Signal, they likely would not have risked burning it on you.
> If they did have some kind of collection capability around Signal, they likely would not have risked burning it on you.
I've always thought the exact same thing. The harm was ~800m USD to a private company. Sounds big, but it's nothing compared to actual state sponsored anything.
Just to add some more (possibly useful) context from the encounter....
The FBI was not able to unlock many LUKS secured devices - at all. They had zero success over approx 30 days, and had to explore alternative methods to obtain key material.
The FBI was not able to decrypt blowfish2 (ie vim -x).
The FBI was not able to decrypt ccrypt secured files (ie aes256).
I'm a nobody, but I imagine the feds or spooks would never use anything like that on someone they have physical access on. If the target is in their jurisdiction or a blacksite and it's that important, a lead pipe is easier.
IF they can decrypt stuff, they'll only use it when it's has an actual benefit beyond a conviction and the keys are truly inaccessible. (e.g., person is dead, the keys are in an enemy state HSM, etc.)
Once upon a time, I was visited very forcefully by the FBI at 0600. They used a battering ram to gain access to my domicile.
During the "interview" that took place later that morning, they requested some information from me. I told them that the information was contained in Signal conversations between two recipients, and the messages in question have "disappearing messages" turned on. tldr; the messages are no longer available.
Relevant parts of conversation that followed:
me: "Do you have signal?"
agent: "I have it on my phone if that's what you mean."
me: "No, do you HAVE it - as in, do you have access to messages sent between other parties?"
agent: "If we do, I am unaware of it, and we certainly don't 'have it' with regard to this matter."
Take that for what it's worth.... my takeaway was that they(the FBI at least) have not compromised Signal. This was late in 2019 for context.
The other takeaway...be careful who you trust. That all happened because I trusted someone I shouldn't have.