
·
Monkey with a Football
Joined
·
19,237 Posts
Yep, been using it for years.
It's great to have truly free speech again.
I know a lot of people use Signal but I prefer to avoid the mainstream products assuming the non-mainstream products are verified secure and don't attract as much attention from those who would try to circumvent it.
Just remember, to be truly secure, BOTH ends should delete message history after controversial chats.
 

·
Junior Member
Joined
·
103 Posts
Yep, been using it for years.
It's great to have truly free speech again.
I know a lot of people use Signal but I prefer to avoid the mainstream products assuming the non-mainstream products are verified secure and don't attract as much attention from those who would try to circumvent it.
Just remember, to be truly secure, BOTH ends should delete message history after controversial chats.


Yeah that sounds good.



I hear "WhatsApp" and possibly Signal are bad, or at least apps that use Signal the wrong way. Here are excerpts from Steve Gibson...


We did a podcast on the Signal app, whereas I have said a number of times, as I was reading through the detailed protocol spec, I remember thinking initially, boy, this thing is overdesigned. And then, as I got into the details more, I realized why the bullet point features that were mentioned at the beginning were there, and I came away with a lot of respect for the Signal protocol. The problem is it's still up to the implementer to deal with some of the details. And at least WhatsApp has failed in one way to handle some of this.




This came to light on the 10th, which was, what, last Thursday. An Amazon employee, Abby Fuller, tweeted: "Logged into WhatsApp with a new phone number today and the message history from the previous number's owner was right there. This doesn't seem right." And apparently there was - I don't know how many people followed her. The news got out. It drew some attention to her tweets. She followed up with additional tweets. She said: "Now I'm wondering how many other times it's happened. Like does whoever has my old number now have my WhatsApp history?" And she also tweeted in response to others: "Yes, it was a new device. No, it wasn't second-hand. It was not a second-hand SIM. Yes, I'm sure they weren't my messages or groups that I was added to. Yes, they were in plaintext. I'm sure it's my new phone number. It was not restored from a backup."
Okay. So we know what happened. The apparent leakage of someone else's WhatsApp messaging stream into Abby's phone should raise privacy concerns. As we know, WhatsApp uses our phone number as our authentication in lieu of username and password. The argument has been that WhatsApp only sends to that number, and so our phone is our authenticating device. So the fact that it just uses our phone and our phone number is not a vulnerability. But what exactly happens when phone numbers change hands? It's clear from an online FAQ that WhatsApp is aware of this issue. The problem is that its users aren't aware, and WhatsApp has made everything so simple and automatic that it's difficult to then ask users to pay attention to something that's far from obvious because its security implications have been deliberately hidden in order to make this system easy to use.
On their FAQ, I've got a link to it in the show notes for anyone who's interested, they have a subject, "Changing phone numbers and/or phones," and then the subhead "Changing your WhatsApp phone number. Before you stop using a particular phone number, you should migrate your WhatsApp account to the new number. For a simple way to do this, use our Change Number feature. By using this feature, you'll be able to migrate your account information, including your profile information, as well as your groups."
They say: "Make sure your contacts delete your old number from their phone's address book and input your new number, as it is a common practice for mobile providers to recycle numbers. You should expect that your former number will be reassigned." In other words, this is a complete failure of the privacy guarantees that WhatsApp is promoting as a consequence of the fact that it's phone number tied, yet people are not necessarily tied to their phone numbers when they change. So Abby's tweets indicated that the chat history she received on her new phone was "not full, but definitely actual threads/DM conversations," she said elsewhere.
So we know that WhatsApp doesn't archive messaging on their servers, but we also know that - and really WhatsApp is Signal because it's the Signal protocol. And this is something that we explained and covered when I talked about the Signal protocol on our podcast of that name. We know that undelivered messages will persist in encrypted form for up to 45 days. The other problem is that once a device's SIM and phone number have been used to establish the local device's encryption keys, the SIM can be removed. Yet that device, now absent any cellular telephony, can continue to use the encryption keys it still has, until such time as the phone number associated with its absent SIM becomes assigned to some other WhatsApp user.
So that means the binding, the real-time binding between the phone number and WhatsApp encryption is weak. I mean, there is no real-time binding. It's a first-use establishment.

So this is the way WhatsApp operates. Oh, it also trusts new encryption keys broadcasted by a contact and uses them to automatically reencrypt undelivered messages and send them to the recipient without informing or leaving an opportunity for the sender to verify the recipient. Again, it's doing a lot of things behind the scenes so that it just works. Unfortunately, we're seeing a perfect example of how this could be broken. And of course this brings us back to my number one complaint about ease of use versus security and privacy tradeoffs, which we inevitably encounter anytime someone else manages our keys for us.

This made me go back and visit Threema. I haven't looked at the Threema website for a while. And I've always liked them because they keep this in the hands of their users. Yes, there's a little more setup in the beginning. You are asked to do - you remember that Threema's the one that has the green, yellow, and red sort of stoplight signal for the level of authentication of the other person's keys that you have achieved. So, yes, a little more setup. Also it's not free. It's a few dollars in order to purchase this.
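
The key-change behaviour described in the excerpt above, as an added example that is not part of the original post, the podcast, or WhatsApp's code: a constructed Python model of a sender's outbox that either releases undelivered messages to any newly announced key for a number, or holds them until the new key's fingerprint is confirmed out of band. The class, method names, keys and phone number are hypothetical, and no real encryption is performed.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest two users could compare over another channel (constructed format)."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    block_on_key_change: bool
    pinned: dict = field(default_factory=dict)  # number -> fingerprint pinned on first use
    outbox: dict = field(default_factory=dict)  # number -> undelivered message texts
    held: dict = field(default_factory=dict)    # number -> new fingerprint awaiting verification

    def queue(self, number: str, key: bytes, text: str) -> None:
        # First use establishes trust in whatever key the number has right now.
        self.pinned.setdefault(number, fingerprint(key))
        self.outbox.setdefault(number, []).append(text)

    def on_key_announced(self, number: str, new_key: bytes) -> list:
        """A key is announced for `number`; return the messages released to it."""
        fp = fingerprint(new_key)
        changed = self.pinned.get(number) not in (None, fp)
        if changed and self.block_on_key_change:
            self.held[number] = fp          # hold the queue, ask the user to verify
            return []
        self.pinned[number] = fp            # automatic trust: re-pin silently
        return self.outbox.pop(number, [])

    def verify(self, number: str, fp_from_contact: str) -> list:
        """User confirmed a fingerprint with the contact; release only on a match."""
        if self.held.get(number) != fp_from_contact:
            return []
        self.pinned[number] = self.held.pop(number)
        return self.outbox.pop(number, [])

def demo(block_on_key_change: bool) -> list:
    """Number is reassigned while one message is still undelivered (constructed data)."""
    old_owner_key, new_owner_key = b"constructed-key-A", b"constructed-key-B"
    s = Sender(block_on_key_change)
    s.queue("+15550100", old_owner_key, "see you at 6")
    return s.on_key_announced("+15550100", new_owner_key)

if __name__ == "__main__":
    print("auto-trust releases:", demo(False))
    print("blocking releases:  ", demo(True))
```

With automatic trust the queued message goes to whoever now holds the number; with blocking it stays in the outbox until `verify` is called with the matching fingerprint.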

 

·
Junior Member
Joined
·
103 Posts
From the Threema website, finally I think I have an analogy to share with friends.


Why you should care about privacy even if you have “nothing to hide”

You’re sitting in a coffee shop, talking to a friend. Suddenly, the waiter shows up, asks for your phone numbers, and wants to know who else you’re friends with and what you’re talking about.



Do you provide the requested information? Would you provide the information if, in turn, you wouldn’t have to pay the bill? Is it safe to assume that you have something to hide if you don’t enter into this deal?
Internet users who disclose their privacy in order to access free online services often do so on the grounds of having “nothing to hide”. However, as closer inspection reveals, this position is untenable. Having nothing to hide might be a desirable state of affairs, but it doesn’t entail that it’s safe to disclose one’s privacy.

If you don’t feel comfortable providing the requested information to the waiter, that doesn’t mean you have something to hide. It simply means you wish to preserve the privacy you rightfully deserve. Maybe you’re discussing something mundane, like the weather, but you think it’s none of the waiter’s business. Also, you don’t know what the waiter might do with the obtained information and why he’s keen on acquiring it in the first place.


If you do not carelessly disclose personal information to strangers in real life, you probably shouldn’t provide the same information to online services, either. By combining several data points, it’s easy to draw a detailed picture of you; one which reveals far more than each data point would on its own – and one that could reveal more about you than you would imagine.


Basically when I talk privacy to folks they look at me as if I was one of those prepper types.

And in reality I have nothing against preppers, but a little on that note I feel if it gets to that it's no use going on.


But Threema lays this out perfectly. My challenge is getting folks to use it. I can see myself handing out Google Play cards with $$ tokens.
 

·
Monkey with a Football
Joined
·
19,237 Posts
And remember kids... don't forget to use full time VPN, at home and while travelling. On all your devices.
It can be really cheap but avoid any of the free VPNs out there. VPN hosting is about trust and you can't trust the free ones.
I have gotten monthly at under $3/mo and Lifetime Premium subscriptions from between $29 to $79 one time forever depending on the host and grabbing short term offers.
Once you use a VPN, turning it off will make you feel like you are driving without a seatbelt and, essentially, you are.
 

·
Monkey with a Football
Joined
·
19,237 Posts
My challenge is getting folks to use it. I can see myself handing out Google Play cards with $$ tokens.
The goal is not to get everyone on it for me. The goal is to have an alternative method to communicate with a few friends and trusted types.

It's like having a secure phone. You don't use it for all calls. Just those where you feel privacy might be helpful.

I hear ya though. I tried to get family on it and some installed it and never use it. Others use it occasionally. But it's nice to be discussing something and being able to say, let's continue this conversation on Threema. No reason to share everything you say with your ISP and every switch on the internet.

Like posting here for example... ;)
 