Hi Techlore forum users!
just had a casual chat with my colleague from work who came from far east (ex USSR member country) and on that meeting, they said Signal was hacked and had data breached numerous times, it’s proprietary and they’ll share the sources.
Their messenger of choice is Telegram which according to them was never hacked/breached, government officials use itm is open source and the most secure all around.
How should I break the news to them?
With articles from the headlines and not with your personal arguments.
This sounds like a person who got the information exactly backw
ards. Telegram has been repeatedly hacked.
And here, for comparison, data from Signal
Also, if Signal is so insecure, why Russians offers 1.5mil USD to break it?
Thank you very much!
Well they are using Google servers, and that’s a red flag to me. You can’t call yourself privacy focused and then host your data on the servers of the company whose sole mission is to know everything about everyone. And don’t tell me about “encrypted” data. Nothing is impossible when you are using experimental technology that will not be released to the public for another 10 years. If they want to know, they will know. Period.
I assume you are talking about Signal. If so, there is very little data on their servers, as proven by man court cases; therefore who has access to the data is less of a concern.
Your colleague is obviously ill-informed. You might begin by asking him/her how he/she knows for sure that “Signal was hacked and had data breached numerous times…” and where you can read more about that. Your colleague will not be able to provide any authoritative sources documenting these beliefs.
Google’s “sole mission” is not “to know everything about everyone.” Google has numerous corporate missions. Among them is providing reliable cloud computing services at competitive prices.
If you’re concerned that encrypted data sent today may be vulnerable to as-yet-undisclosed decryption techniques, I suppose that’s a fair concern, although there is no evidence to suggest that such technology currently exists. But it’s worth bearing in mind that security agencies such as the NSA and GCHQ are relying on the same encryption techniques used by Signal to protect their own communications.
I highly recommend Zuboff’s The Age of Surveillance Capitalism to understand how, from its very inception, Google built its mission on knowing everything about everyone.
Why do you think Google sells the vast majority of its services for 0 dollars? Why do you think Google spent hundreds of millions/billions developing Google Classroom, if not to build a database on the youth’s interaction with technology, the customers of tomorrow? Do you really think they do this out of altruism? Cloud computing services is just another way for Google to capture data, period. Just like Google maps was a "gift from Google, until they were caught red-handed scanning the home wifi and retrieving non-protected networking information from European households in 2010. Knowing everything about everyone. Anything else is naive.
Again, the experimental technology used by the NSA and Google is not known to the public. You keep this under wrap as long as possible, because this is the window of opportunity to gain an edge against competitors, at home or abroad.
Yes, and very small data is sufficient for correlation attacks. Remember, you are dealing with the most quantitative advanced company in the world. Our “impossible” is just another challenge to solve for them. I think Signal would be better served using non-Google servers.
They used Amazon servers last I checked.
Signal Protocol isn’t experimental. It combines a lot of battle-tested protocols. They have been thoroughly audited within the years by a lot of cryptographers. It’s the de-facto standard for E2EE.
They cannot. Period.
Storage.signal.org is hosted on Google cloud computers. Check online, multiple folks have raised this issue.
Who said that Signal is experimental? I was talking about Google’s technology. When your company is worth 1 trillon + dollars, trust me, you can hire the smartest people in the world and build the kind of technology that a random collection of part-timers working on Signal cannot hope to achieve. In short, unless you work for the NSA or Google, you have zero idea about the technological capabilities of these organizations. None. You are naive to assume that your understanding of technological capabilities matches the reality of technological advancement behind closed doors. We know what they want us to know.
Signal is the best we have, but I am realistic
I don’t think the time you signed up and the time you last logged in is enough.
Even the “smartest” people in the world can’t break Signal Protocol’s comprehensive encryption without pouring several man hours to break one message with Quantum computers. And all of that, for one message(thanks to PFS). It’s unlikely that FBI will want to go down that route. They are better off doing standard old school espionage techniques.
Signal Protocol doesn’t rely on the server to do the encryption, they are done client-side. The servers don’t really matter here. they are just there to handle all the fully encrypted web-traffic.
Quite a lot of distinguished developers work full time on Signal. Signal gets a lot of funds from volunteers and organizations which makes it possible for developers to work full time and also receive funds to eat.
Oh and also Snowden and many other journalists uses Signal.
Yes, as I said, Signal is the best that we have. But the collective brainpower and financial firepower of the other side is orders of magnitude higher than on Signal’s side. Remember that publicly known advances in AI and quantuum computing are just that…publicly known. Early in WW2, Britain cracked the German Enigma code, which allowed it to defeat German submarines and troops across Europe. Did Britain publicly boast that they had in fact broken the code? Of course not. They were very careful in not overusing the intelligence from Enigma, otherwise the Germans would have become suspicious. This is the window of opportunity, this is the time when you gain the edge over your unsuspecting opponent. In fact, Britain only revealed in 1974 that they had cracked the German code…30 years earlier.
Likewise, we won’t know when encryption is defeated. Like Britain, the other side will be very careful in using the intelligence gained from that intel. And when we are finally told that encrypted is no longer encrypted, it will be years after the fact. That’s how such critical secrets are always revealed.
I’m cognizant of history, I realize that the odds are significantly stacked against privacy conscious folks.
I think that rubber-hose cryptanalysis still applies as @anon73850698 suggests. It’s infinitely much cheaper to just compromise the device, to install the surveillance device, to use laser microphone, infiltrate groups, try to find vulnerabilities in the software or to just use phishing to gain access and “compromise” the encryption this way than to invest billions of dollars to try to break the encryption itself.
We’re clearly in the territory of pure speculations here. There is not a single evidence to support these claims. The same way I can say that they don’t need to break the encryption, because they’re reading our minds already. 
Another thing is that world became much more complicated and technological advancement are not done by individuals in a underground bunker anymore. There are collaboration of universities, companies, international teams, different kind of fundings etc. Moreover most of it happens in the private sector. This level of fragmentation and hunderds, sometimes thousands of people involved would be impossible to keep secret in my opinion. Personally I think that break of the encryption is still decades away.
So, to be careful - yes. To be paranoid - no.
No, AES/RSA/ECC encrypted data is unbreakable (by normal computers), as in normal computers lack the ability to factor out the large primes chosen. There is simply no way of doing it without using Quantum Computers.