Mastodon 🐘

Calamitous ORTBO :mstdn:I only have my <a href="https://mstdn.ca/tags/Instagram" class="mention hashtag" rel="nofollow noopener" target="_blank">#Instagram</a> account to lurk at other ppl's dogs & share post memes in DMs with friends & family. I don't post on there hardly anymore. It's true what they're saying now that the "<a href="https://mstdn.ca/tags/socialmedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#socialmedia</a>" part of these platforms has moved to <a href="https://mstdn.ca/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a> &/or the <a href="https://mstdn.ca/tags/messaging" class="mention hashtag" rel="nofollow noopener" target="_blank">#messaging</a> tool of those platforms. It's only really influencers & parents really keeping up with the daily posts & sharing.

Kyiv Independent Daily HeadlinesMonday, July 21, 2025 Our goals are clear; Kremlin unwilling to compromise on demands ahead of proposed 3rd round of peace talks — Russian attacks against Ukraine kill 7, injure at least 28 over past day — Ukrainian drones attack Russia as Moscow hit for 5th night in a row, train station burns in Rostov Oblast — This is what Ukraine could do with US Tomahawk missiles … and more <a href="https://activitypub.writeworks.uk/2025/07/monday-july-21-2025/" rel="nofollow noopener" translate="no" target="_blank">https://activitypub.writeworks.uk/2025/07/monday-july-21-2025/</a>

The-14WhatsApp introducing advertising is a potentially lucrative but risky move <a href="https://mastodon.world/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tech</a> <a href="https://mastodon.world/tags/Business" class="mention hashtag" rel="nofollow noopener" target="_blank">#Business</a> <a href="https://mastodon.world/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> <a href="https://mastodon.world/tags/Meta" class="mention hashtag" rel="nofollow noopener" target="_blank">#Meta</a> <a href="https://mastodon.world/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.world/tags/DigitalTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#DigitalTrust</a> <a href="https://mastodon.world/tags/TechNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechNews</a> <a href="https://mastodon.world/tags/OnlinePrivacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#OnlinePrivacy</a> <a href="https://mastodon.world/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocialMedia</a> <a href="https://mastodon.world/tags/Advertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#Advertising</a> <a href="https://mastodon.world/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://mastodon.world/tags/DataSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataSecurity</a> <a href="https://mastodon.world/tags/AdTech" class="mention hashtag" rel="nofollow noopener" target="_blank">#AdTech</a> <a href="https://mastodon.world/tags/DigitalCulture" class="mention hashtag" rel="nofollow noopener" target="_blank">#DigitalCulture</a> <a href="https://mastodon.world/tags/BigTech" class="mention hashtag" rel="nofollow noopener" target="_blank">#BigTech</a> <a href="https://mastodon.world/tags/UserTrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#UserTrust</a> <a href="https://the-14.com/whatsapp-introducing-advertising-is-a-potentially-lucrative-but-risky-move/" rel="nofollow noopener" translate="no" target="_blank">https://the-14.com/whatsapp-introducing-advertising-is-a-potentially-lucrative-but-risky-move/</a>

Blaze TrendsSignal Rejects AI and Ads, Distinguishing Itself from WhatsApp<a href="https://mastodon.social/tags/Advertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#Advertising</a> <a href="https://mastodon.social/tags/artificialintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#artificialintelligence</a> <a href="https://mastodon.social/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a> <a href="https://mastodon.social/tags/signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#signal</a> <a href="https://mastodon.social/tags/whatsapp" class="mention hashtag" rel="nofollow noopener" target="_blank">#whatsapp</a> <a href="https://blazetrends.com/signal-rejects-ai-and-ads-distinguishing-itself-from-whatsapp/?fsp_sid=53086" rel="nofollow noopener" translate="no" target="_blank">https://blazetrends.com/signal-rejects-ai-and-ads-distinguishing-itself-from-whatsapp/?fsp_sid=53086</a>

Priceless Planet<a href="https://todon.eu/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> has introduced channels, music in status etc. and has made WhatsApp into another social media and less of a mainstream <a href="https://todon.eu/tags/messenger" class="mention hashtag" rel="nofollow noopener" target="_blank">#messenger</a>.👿 The bad:• It is targeting people who are not on social media to be hooked.• I feel there's a possibility of WhatsApp removing encryption in future , now that its even less serious form of messenger.😈 The good:• It seems to be so distractive and cluttered that it makes <a href="https://todon.eu/tags/signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#signal</a> , <a href="https://todon.eu/tags/simplex" class="mention hashtag" rel="nofollow noopener" target="_blank">#simplex</a> and other <a href="https://todon.eu/tags/floss" class="mention hashtag" rel="nofollow noopener" target="_blank">#floss</a> options more attractive.<a href="https://todon.eu/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a> <a href="https://todon.eu/tags/briar" class="mention hashtag" rel="nofollow noopener" target="_blank">#briar</a> <a href="https://todon.eu/tags/foss" class="mention hashtag" rel="nofollow noopener" target="_blank">#foss</a> <a href="https://todon.eu/tags/switchtosignal" class="mention hashtag" rel="nofollow noopener" target="_blank">#switchtosignal</a> <a href="https://todon.eu/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener" target="_blank">@signalapp</a> <a href="https://mastodon.social/@simplex" class="u-url mention" rel="nofollow noopener" target="_blank">@simplex</a>

Blaze TrendsWhatsApp Introduces AI-Powered Message Summaries Feature<a href="https://mastodon.social/tags/AIinnovation" class="mention hashtag" rel="nofollow noopener" target="_blank">#AIinnovation</a> <a href="https://mastodon.social/tags/artificialintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#artificialintelligence</a> <a href="https://mastodon.social/tags/chatsummaries" class="mention hashtag" rel="nofollow noopener" target="_blank">#chatsummaries</a> <a href="https://mastodon.social/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a> <a href="https://mastodon.social/tags/whatsapp" class="mention hashtag" rel="nofollow noopener" target="_blank">#whatsapp</a> <a href="https://blazetrends.com/whatsapp-introduces-ai-powered-message-summaries-feature/?fsp_sid=49920" rel="nofollow noopener" translate="no" target="_blank">https://blazetrends.com/whatsapp-introduces-ai-powered-message-summaries-feature/?fsp_sid=49920</a>

Brian Greenberg :verified:⚠️ App security alert: TM SGNL — a custom Signal fork used by high-level U.S. officials — was reportedly hacked 📱🔓Key findings via researchers: 🛠️ Hardcoded credentials found in the app’s source code 📥 Hacker claims to have breached TeleMessage (creator of TM SGNL) in minutes 📁 Archive server may store unencrypted copies of sensitive messages 📇 Leaked data includes government contacts, messages, and backend access🚨 Why it matters: 🔐 TM SGNL modifies Signal to support message archiving — possibly before encryption ⚠️ That’s a potential plaintext vulnerability — even if E2EE is in place 💬 Raises urgent questions about how U.S. officials handle sensitive digital comms🛡️ Security leaders should: 📱 Vet third-party forks of secure messaging apps rigorously 🚫 Avoid using unofficial tools for sensitive communication 🧾 Align secure messaging practices with compliance and cybersecurityThis incident isn’t just a breach — it’s a wake-up call about assuming encryption = security.<a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://infosec.exchange/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#Signal</a> <a href="https://infosec.exchange/tags/DataBreach" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataBreach</a> <a href="https://infosec.exchange/tags/GovernmentSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#GovernmentSecurity</a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#ThreatIntel</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#cloud</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://www.csoonline.com/article/3977385/company-behind-modified-signal-app-used-by-mike-walz-allegedly-hacked.html" rel="nofollow noopener" translate="no" target="_blank">https://www.csoonline.com/article/3977385/company-behind-modified-signal-app-used-by-mike-walz-allegedly-hacked.html</a>

PUPUWEB BlogWhatsApp is rolling out cloud-based AI features like message summarization and composition, powered by Private Processing to keep your chats secure and private. AI tools, privacy-first. <a href="https://mastodon.social/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> <a href="https://mastodon.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/DataSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataSecurity</a> <a href="https://mastodon.social/tags/CloudAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudAI</a> <a href="https://mastodon.social/tags/TechNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechNews</a> <a href="https://mastodon.social/tags/EndToEndEncryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#EndToEndEncryption</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a>

TrueTech Technology MagazineWant more privacy for your WhatsApp conversations? 🔒 A new built-in security feature lets you lock specific chats with biometrics or a secret code. Learn how to secure your private messages and keep them hidden from prying eyes 👀 Read our step-by-step guide to enhance your chat privacy.<a href="https://mastodon.social/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/ChatSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#ChatSecurity</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://mastodon.social/tags/MetaPlatforms" class="mention hashtag" rel="nofollow noopener" target="_blank">#MetaPlatforms</a><a href="https://true-tech.net/how-to-lock-whatsapp-chats-guide/" rel="nofollow noopener" translate="no" target="_blank">https://true-tech.net/how-to-lock-whatsapp-chats-guide/</a>

TrueTech Technology MagazineKeep your WhatsApp conversations private with new Chat Lock feature 🔒 Now you can secure specific chats using biometrics or a secret code for enhanced privacy 🔐 Read our step-by-step guide to learn how to protect your private conversations.<a href="https://mastodon.social/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/ChatLock" class="mention hashtag" rel="nofollow noopener" target="_blank">#ChatLock</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://mastodon.social/tags/DigitalSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#DigitalSecurity</a><a href="https://true-tech.net/how-to-lock-whatsapp-chats-guide/" rel="nofollow noopener" translate="no" target="_blank">https://true-tech.net/how-to-lock-whatsapp-chats-guide/</a>

WinbuzzerGoogle Messages Activates AI Powered Nudity Blurring with On-Device Warnings<a href="https://mastodon.social/tags/GoogleMessages" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoogleMessages</a> <a href="https://mastodon.social/tags/Android" class="mention hashtag" rel="nofollow noopener" target="_blank">#Android</a> <a href="https://mastodon.social/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#AI</a> <a href="https://mastodon.social/tags/ContentWarning" class="mention hashtag" rel="nofollow noopener" target="_blank">#ContentWarning</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/SafetyCore" class="mention hashtag" rel="nofollow noopener" target="_blank">#SafetyCore</a> <a href="https://mastodon.social/tags/NudityDetection" class="mention hashtag" rel="nofollow noopener" target="_blank">#NudityDetection</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://mastodon.social/tags/Mobile" class="mention hashtag" rel="nofollow noopener" target="_blank">#Mobile</a> <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> <a href="https://mastodon.social/tags/Alphabet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Alphabet</a> <a href="https://mastodon.social/tags/CyberSafety" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSafety</a> <a href="https://mastodon.social/tags/OnDeviceAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#OnDeviceAI</a> <a href="https://mastodon.social/tags/RCS" class="mention hashtag" rel="nofollow noopener" target="_blank">#RCS</a> <a href="https://winbuzzer.com/2025/04/22/google-messages-activates-ai-powered-nudity-blurring-with-on-device-warnings-xcxwbn/" rel="nofollow noopener" translate="no" target="_blank">https://winbuzzer.com/2025/04/22/google-messages-activates-ai-powered-nudity-blurring-with-on-device-warnings-xcxwbn/</a>

The Internet is CrackA conversation with Prof. Alberto Segre, Chair of CS at University of Iowa.This clip dives into encrypted messaging — how tools like WhatsApp protect your privacy (or don’t), and why understanding the tech matters more than ever.We also talk AI, quantum computing, and internet history. It’s deep, but accessible.🎧 Listen wherever you get your podcasts. <a href="https://youtu.be/RqSkKahvlPA" rel="nofollow noopener" translate="no" target="_blank">https://youtu.be/RqSkKahvlPA</a> <a href="https://mastodon.social/tags/theinternetiscrack" class="mention hashtag" rel="nofollow noopener" target="_blank">#theinternetiscrack</a> <a href="https://mastodon.social/tags/podcast" class="mention hashtag" rel="nofollow noopener" target="_blank">#podcast</a> <a href="https://mastodon.social/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#Encryption</a> <a href="https://mastodon.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://mastodon.social/tags/TechPodcast" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechPodcast</a> <a href="https://mastodon.social/tags/InternetEthics" class="mention hashtag" rel="nofollow noopener" target="_blank">#InternetEthics</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a>

nemo™ 🇺🇦Experts say Signal is as secure as messaging gets, but is it safe for national security? 🤔🔒 Read more about why it's not recommended for sensitive government communications: <a href="https://www.abc.net.au/news/2025-03-26/signal-safe-as-messaging-gets-but-not-for-national-security/105093006" rel="nofollow noopener" translate="no" target="_blank">https://www.abc.net.au/news/2025-03-26/signal-safe-as-messaging-gets-but-not-for-national-security/105093006</a> <a href="https://mas.to/tags/SignalSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#SignalSecurity</a> <a href="https://mas.to/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://mas.to/tags/NationalSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#NationalSecurity</a> <a href="https://mas.to/tags/newz" class="mention hashtag" rel="nofollow noopener" target="_blank">#newz</a>

Linux G. Fossman<a href="https://mastodon.world/@Mer__edith" class="u-url mention" rel="nofollow noopener" target="_blank">@Mer__edith</a> <a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener" target="_blank">@signalapp</a> <a href="https://social.librem.one/@purism" class="u-url mention" rel="nofollow noopener" target="_blank">@purism</a> <a href="https://fosstodon.org/@PINE64" class="u-url mention" rel="nofollow noopener" target="_blank">@PINE64</a> <a href="https://fosstodon.org/@furilabs" class="u-url mention" rel="nofollow noopener" target="_blank">@furilabs</a> <a href="https://fosstodon.org/@postmarketOS" class="u-url mention" rel="nofollow noopener" target="_blank">@postmarketOS</a> <a href="https://mastodon.social/@volla" class="u-url mention" rel="nofollow noopener" target="_blank">@volla</a> <a href="https://mastodon.social/@ubports" class="u-url mention" rel="nofollow noopener" target="_blank">@ubports</a> <a href="https://fosstodon.org/@mobian" class="u-url mention" rel="nofollow noopener" target="_blank">@mobian</a> I understand that addition of linked desktop devices can be a security concern from Signal's point of view. However, please allow us the option (after registering/activating on Signal Android) to completely move to the <a href="https://social.vivaldi.net/tags/SignalDesktop" class="mention hashtag" rel="nofollow noopener" target="_blank">#SignalDesktop</a> and deactivate/deregister the mobile version altogether. You can even make this dependent on the mobile user granting permission.Thank you for the great work you all are doing for <a href="https://social.vivaldi.net/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> and secure communication. Although we do not like the phone number requirement, we still consider Signal one of the best communication apps and have on-boarded countless numbers of users.(2/2)<a href="https://social.vivaldi.net/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FOSS</a> <a href="https://social.vivaldi.net/tags/FLOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FLOSS</a> <a href="https://social.vivaldi.net/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenSource</a> <a href="https://social.vivaldi.net/tags/dataprivacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#dataprivacy</a> <a href="https://social.vivaldi.net/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a>

Stephen Hayes<a href="https://mastodon.africa/@GrahamDowns" class="u-url mention" rel="nofollow noopener" target="_blank">@GrahamDowns</a> <a href="https://mastodon.world/@signalapp" class="u-url mention" rel="nofollow noopener" target="_blank">@signalapp</a> Yes, Signal is the messaging app of choice for government people who want to hide what they're doing. They know the other apps are insecure because they themselves can spy on people using them. And they won't use official secure channels because they want to avoid accountability<a href="https://www.theguardian.com/australia-news/2025/mar/27/stephanie-foster-signal-australian-home-affairs-secretary-trump-scandal?CMP=share_btn_url" rel="nofollow noopener" translate="no" target="_blank">https://www.theguardian.com/australia-news/2025/mar/27/stephanie-foster-signal-australian-home-affairs-secretary-trump-scandal?CMP=share_btn_url</a><a href="https://c.im/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#Signal</a> <a href="https://c.im/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a>

techiAutomattic’s Beeper Unveils Redesigned Desktop and iOS Messaging Apps Post-Merger<a href="https://mstdn.social/tags/Automattic" class="mention hashtag" rel="tag">#Automattic</a> <a href="https://mstdn.social/tags/Beeper" class="mention hashtag" rel="tag">#Beeper</a> <a href="https://mstdn.social/tags/TextsCom" class="mention hashtag" rel="tag">#TextsCom</a> <a href="https://mstdn.social/tags/MessagingApps" class="mention hashtag" rel="tag">#MessagingApps</a> <a href="https://mstdn.social/tags/TechNews" class="mention hashtag" rel="tag">#TechNews</a> <a href="https://mstdn.social/tags/iOS" class="mention hashtag" rel="tag">#iOS</a> <a href="https://www.techi.com/automattic-beeper-redesigned-desktop-ios-apps-launch/" target="_blank" rel="nofollow noopener" translate="no">https://www.techi.com/automattic-beeper-redesigned-desktop-ios-apps-launch/</a>

Adrian MoralesI have stopped using SMS. I stopped about a decade ago. It's only centralised banks and online shopping sites still using this technology that dates back to the 70s. Yeesh!<a href="https://ieji.de/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tech</a> <a href="https://ieji.de/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a> <a href="https://ieji.de/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#SocialMedia</a> <a href="https://ieji.de/tags/Texting" class="mention hashtag" rel="nofollow noopener" target="_blank">#Texting</a> <a href="https://ieji.de/tags/Thursday" class="mention hashtag" rel="nofollow noopener" target="_blank">#Thursday</a> <a href="https://ieji.de/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#SMS</a> <a href="https://ieji.de/tags/Signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#Signal</a> <a href="https://www.makeuseof.com/still-using-sms-stop/" rel="nofollow noopener" translate="no" target="_blank">https://www.makeuseof.com/still-using-sms-stop/</a>

Alan K. MartinezThere's a saying that if something is <a href="https://infosec.exchange/tags/free" class="mention hashtag" rel="nofollow noopener" target="_blank">#free</a> then you're the commodity...If <a href="https://infosec.exchange/tags/signal" class="mention hashtag" rel="nofollow noopener" target="_blank">#signal</a> is free to use, what are they gaining or using you for? What is it about the customer they're gathering for their benefit to offer their messaging app for free?Serious question... I'd like to know...<a href="https://infosec.exchange/tags/cybersecurty" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurty</a> <a href="https://infosec.exchange/tags/messaging" class="mention hashtag" rel="nofollow noopener" target="_blank">#messaging</a> <a href="https://infosec.exchange/tags/messagingapps" class="mention hashtag" rel="nofollow noopener" target="_blank">#messagingapps</a>

TrueTech Technology MagazineiPhone users, a game-changing WhatsApp update is in the works 📱 Meta is finally bringing multi-account support to iOS, catching up with Android. Want to know when this feature arrives and how it'll change your messaging experience? Read the full article ⬇️<a href="https://mastodon.social/tags/WhatsApp" class="mention hashtag" rel="nofollow noopener" target="_blank">#WhatsApp</a> <a href="https://mastodon.social/tags/iOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#iOS</a> <a href="https://mastodon.social/tags/iPhone" class="mention hashtag" rel="nofollow noopener" target="_blank">#iPhone</a> <a href="https://mastodon.social/tags/Meta" class="mention hashtag" rel="nofollow noopener" target="_blank">#Meta</a> <a href="https://mastodon.social/tags/MessagingApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#MessagingApps</a><a href="https://true-tech.net/whatsapp-multi-account-support-iphone-spotted-beta/" rel="nofollow noopener" translate="no" target="_blank">https://true-tech.net/whatsapp-multi-account-support-iphone-spotted-beta/</a>

SoatokDon’t Use Session (Signal Fork)Last year, I outlined the specific requirements that an app needs to have in order for me to <a href="https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-signal-competitor/" rel="nofollow noopener" target="_blank">consider it a Signal competitor</a>.Afterwards, I had several people ask me what I think of a Signal fork called Session. My answer then is the same thing I’ll say today: Don’t use Session.The main reason I said to avoid Session, all those months ago, was simply due to <a href="https://web.archive.org/web/20241225131654/https://getsession.org/session-protocol-explained" rel="nofollow noopener" target="_blank">their decision to remove forward secrecy</a> (which is an important security protocol they inherited for free when they forked libsignal).Lack of forward secrecy puts you in the scope of <a href="https://www.cryptologie.net/article/372/key-compromise-impersonation-attacks-kci/" rel="nofollow noopener" target="_blank">Key Compromise Impersonation (KCI) attacks</a>, which serious end-to-end encryption apps should prevent if they want to sit at the adults table. This is <a href="https://github.com/TokTok/c-toxcore/issues/426" rel="nofollow noopener" target="_blank">why I don’t recommend Tox</a>.And that observation alone should have been enough for anyone to run, screaming, in the other direction from Session. After all, removing important security properties from a cryptographic security protocol is exactly the sort of thing a malicious government would do (especially if the cover story for such a change involves the introduction of swarms and “onion routing”–which computer criminals might think sounds attractive due to their familiarity with the Tor network).Unfortunately, some people love to dig their heels in about messaging apps. So let’s take a closer look at Session.<blockquote>I did not disclose this blog post privately to the Session developers before pressing publish.I do not feel that cryptographic issues always require coordinated disclosure with the software vendor. <a href="https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html" rel="nofollow noopener" target="_blank">As Bruce Schneier argues</a>, full disclosure of security vulnerabilities is a “damned good idea”.</blockquote>I have separated this blog post into two sections: Security Issues and Gripes.Security Issues<ol><li>Insufficient Entropy in Ed25519 Keys</li><li>In-Band Negotiation for Message Signatures</li><li>Using Public Keys as AES-GCM Keys</li></ol>Insufficient Entropy in Ed25519 KeysOne of the departures of Session from Signal is the use of Ed25519 rather than X25519 for everything.Ed25519 Keypairs generated from their <code>KeyPairUtilities</code> object <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/app/src/main/java/org/thoughtcrime/securesms/crypto/KeyPairUtilities.kt#L15-L28" rel="nofollow noopener" target="_blank">only have 128 bits of entropy</a>, rather than the ~253 bits (after clamping) you’d expect from an Ed25519 seed. <pre>fun generate(): KeyPairGenerationResult { val seed = sodium.randomBytesBuf(16) try { return generate(seed) } catch (exception: Exception) { return generate() }}fun generate(seed: ByteArray): KeyPairGenerationResult { val padding = ByteArray(16) { 0 } val ed25519KeyPair = sodium.cryptoSignSeedKeypair(seed + padding)</pre> As an implementation detail, they encode a recovery key as a “mnemonic” (see also: a gripe about their mnemonic decoding).Does This Matter?You might think that clearing the highest 127 or so bits of the Ed25519 seed is fine for one of the following reasons:<ol><li>It’s hashed with SHA512 before clamping.</li><li>Ed25519 only offers 128 bits of security.</li><li>Some secret third (and possibly unreasonable) argument.</li></ol>It’s true that Ed25519 targets the 128-bit security level, if you’re focused on the security of the Elliptic Curve Discrete Logarithm Problem. Achieving 128 bits of security in this model requires 256-bit secrets. Having 256-bit secrets makes the multi-user security of the scheme easy to reason about.When your secret only has possible values, your multi-user security is no longer as secure as Ed25519 expects.Additionally, you can shove the SHA512 + clamping in your attack script (thus negating the first objection) and find the corresponding secret key in queries if you know the top 128 bits were initialized to 0, using a modified version of Pollard’s rho for discrete logarithms.This means that Session’s <code>KeyPairUtilities</code> class only provides 64 bits of ECDLP security. <a href="https://cmykat.carrd.co/" rel="nofollow noopener" target="_blank">CMYKat</a> What does 64 bits of ECDLP Security actually mean?I provided a technical definition already (ECDLP stands for “Elliptic Curve Discrete Logarithm Problem”), but that’s probably not meaningful to most people outside computer security.What this means is that a distributed computing effort can find the secret key for a given Ed25519 public key generated from this algorithm in only queries.For flavor, queries is approximately the attack cost to find a SHA1 collision, <a href="https://shattered.io/" rel="nofollow noopener" target="_blank">which we know is possible and economical</a>.<blockquote>Based on this attack, the authors projected that a collision attack on SHA-1 may cost between US$75K and US$120K by renting GPU computing time on Amazon EC2 using spot-instances, which is significantly lower than Schneier’s 2012 estimates.— from the <a href="https://shattered.io/static/shattered.pdf" rel="nofollow noopener" target="_blank">Shattered paper</a>, page 2.</blockquote>I don’t know if this was mere stupidity or an intentional NOBUS backdoor that only well-resourced adversaries can crack. (I also don’t have hundreds of thousands of dollars lying around to test this myself.)In-Band Negotiation for Message SignaturesIf you thought the previous issue was mitigated by the use of Ed25519 signatures on each message, don’t worry, <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/messaging/sending_receiving/MessageDecrypter.kt#L44-L56" rel="nofollow noopener" target="_blank">the Session developers screwed this up too</a>! <pre>// 2. ) Get the message partsval signature = plaintextWithMetadata.sliceArray(plaintextWithMetadata.size - signatureSize until plaintextWithMetadata.size)val senderED25519PublicKey = plaintextWithMetadata.sliceArray(plaintextWithMetadata.size - (signatureSize + ed25519PublicKeySize) until plaintextWithMetadata.size - signatureSize)val plaintext = plaintextWithMetadata.sliceArray(0 until plaintextWithMetadata.size - (signatureSize + ed25519PublicKeySize))// 3. ) Verify the signatureval verificationData = (plaintext + senderED25519PublicKey + recipientX25519PublicKey)try { val isValid = sodium.cryptoSignVerifyDetached(signature, verificationData, verificationData.size, senderED25519PublicKey) if (!isValid) { throw Error.InvalidSignature }} catch (exception: Exception) { Log.d("Loki", "Couldn't verify message signature due to error: $exception.") throw Error.InvalidSignature}</pre> What this code is doing (after decryption):<ol><li>Grab the public key from the payload.</li><li>Grab the signature from the payload.</li><li>Verify that the signature on the rest of the payload is valid… for the public key that was included in the payload.</li></ol>Congratulations, Session, you successfully reduced the utility of Ed25519 to that of a CRC32! Art: <a href="https://bsky.app/profile/ajlovesdinos.bsky.social" rel="nofollow noopener" target="_blank">AJ</a> Using Public Keys As AES-GCM KeysI wasn’t entirely sure whether this belongs in the “gripes” section or not, because it’s so blatantly stupid that there’s basically no way <a href="https://web.archive.org/web/20250115034416/https://blog.quarkslab.com/resources/2021-05-04_audit-of-session-secure-messaging-application/20-08-Oxen-REP-v1.4.pdf" rel="nofollow noopener" target="_blank">Quarkslab would miss it if it mattered</a>.When encrypting payloads <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/snode/OnionRequestEncryption.kt#L56-L57" rel="nofollow noopener" target="_blank">for onion routing</a>, it uses the X25519 public key… as a symmetric key, for AES-GCM. See, <code>encryptPayloadForDestination()</code>. <pre>val result = AESGCM.encrypt(plaintext, x25519PublicKey)deferred.resolve(result)</pre> Session<a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/snode/OnionRequestEncryption.kt#L95-L96" rel="nofollow noopener" target="_blank"> also does</a> this inside of <code>encryptHop()</code>. <pre>val plaintext = encode(previousEncryptionResult.ciphertext, payload)val result = AESGCM.encrypt(plaintext, x25519PublicKey)</pre> In case you thought, maybe, that this is just a poorly named HPKE wrapper… <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/utilities/AESGCM.kt#L48-L58" rel="nofollow noopener" target="_blank">nope</a>! <pre> /** * Sync. Don't call from the main thread. */internal fun encrypt(plaintext: ByteArray, symmetricKey: ByteArray): ByteArray { val iv = Util.getSecretBytes(ivSize) synchronized(CIPHER_LOCK) { val cipher = Cipher.getInstance("AES/GCM/NoPadding") cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(symmetricKey, "AES"), GCMParameterSpec(gcmTagSize, iv)) return ByteUtil.combine(iv, cipher.doFinal(plaintext)) }}</pre> This obviously doesn’t encrypt it such that only the recipient (that owns the secret key corresponding to the public key) can decrypt the message. It makes it to where anyone that knows the public key can decrypt it.I wonder if this impacts their onion routing assumptions?<blockquote>Why should I trust session?(…)When using Session, your messages are sent to their destinations through a decentralised onion routing network similar to Tor (with a few key differences) (…)<a href="https://web.archive.org/web/20250102225433/https://getsession.org/faq#trust-session" rel="nofollow noopener" target="_blank">Session FAQs</a></blockquote>GripesSome of these aren’t really security issues, but are things I found annoying as a security engineer that specializes in applied cryptography.<ol><li>Mnemonic Decoding Isn’t Constant-Time</li><li>Unsafe Use of SecureRandom on Android</li></ol>Mnemonic Decoding Isn’t Constant-Time<a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsignal/src/main/java/org/session/libsignal/crypto/MnemonicCodec.kt#L107-L112" rel="nofollow noopener" target="_blank">The way mnemonics are decoded involves the modulo operator</a>, which implicitly uses integer division (which neither Java nor Kotlin nor Swift implement in constant-time). <pre>return wordIndexes.windowed(3, 3) { (w1, w2, w3) -> val x = w1 + n * ((n - w1 + w2) % n) + n * n * ((n - w2 + w3) % n) if (x % n != w1.toLong()) throw DecodingError.Generic val string = "0000000" + x.toString(16) swap(string.substring(string.length - 8 until string.length))}.joinToString(separator = "") { it }</pre> This isn’t a real security problem, but I did find it <a href="https://soatok.blog/2020/08/27/soatoks-guide-to-side-channel-attacks/#integer-division" rel="nofollow noopener" target="_blank">annoying to see</a> in an app <a href="https://old.reddit.com/r/privacy/comments/jy3hjo/signal_vs_session_private_messenger/hgzef3y/" rel="nofollow noopener" target="_blank">evangelized as “better than Signal”</a> on privacy forums.Unsafe Use of SecureRandom on Android<a href="https://stackoverflow.com/questions/27622625/securerandom-with-nativeprng-vs-sha1prng/27638413#27638413" rel="nofollow noopener" target="_blank">The recommended way to get secure random numbers on Android</a> (or any Java or Kotlin software, really) is simply <code>new SecureRandom()</code>. If you’re running a service in a high-demand environment, you can take extra care to make a <a href="https://stackoverflow.com/a/34340717" rel="nofollow noopener" target="_blank">thread-local instance of SecureRandom</a>. But a local RNG for a single user isn’t that.What does Session do? <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsignal/src/main/java/org/session/libsignal/utilities/Util.java#L71-L79" rel="nofollow noopener" target="_blank">They use SHA1PRNG</a>, of course. <pre>public static byte[] getSecretBytes(int size) { try { byte[] secret = new byte[size]; SecureRandom.getInstance("SHA1PRNG").nextBytes(secret); return secret; } catch (NoSuchAlgorithmException e) { throw new AssertionError(e); }}</pre> And again <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsignal/src/main/java/org/session/libsignal/utilities/KeyHelper.java#L32" rel="nofollow noopener" target="_blank">here</a>. <pre>SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");</pre> Why would anyone care about this?On modern Android devices, this isn’t a major concern, but the use of SHA1PRNG <a href="https://web.archive.org/web/20240601000000*/https://blog.k3170makan.com/2013/08/more-details-on-android-jca-prng-flaw.html" rel="nofollow noopener" target="_blank">used to be a source of vulnerabilities in Android apps</a>. (See also:<a href="https://web.archive.org/web/20240301002810/https://www-fourier.ujf-grenoble.fr/JC2/exposes/ruhault.pdf" rel="nofollow noopener" target="_blank"> this slide deck</a>.)Closing ThoughtsThere are a lot of Signal that is poorly specified in their Whitepaper and I didn’t look at. For example, how group messaging keys are managed.When I did try to skim that part of the code, I did find a component where you can coerce Android clients into running a moderately expensive Argon2 KDF <a href="https://github.com/session-foundation/session-android/blob/75e2b87278cc378e21b77b27fa1a2aa773d25520/libsession/src/main/java/org/session/libsession/snode/SnodeAPI.kt#L237-L264" rel="nofollow noopener" target="_blank">by simply deleting the <code>nonce</code> from the message</a>. <pre>val isArgon2Based = (intermediate["nonce"] == null)if (isArgon2Based) { // Handle old Argon2-based encryption used before HF16</pre> That’s hilarious.Cryptography nerds should NOT be finding the software that activists trust with their privacy hilarious. <a href="https://cmykat.carrd.co/" rel="nofollow noopener" target="_blank">CMYKat</a> So if you were wondering what my opinion on Session is, now you know: Don’t use Session. Don’t let your friends use Session.<a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/aes-gcm/" target="_blank">#AESGCM</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/android/" target="_blank">#Android</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/asymmetric-cryptography/" target="_blank">#asymmetricCryptography</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/cryptography/" target="_blank">#cryptography</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/e2ee/" target="_blank">#E2EE</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/ed25519/" target="_blank">#Ed25519</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/java/" target="_blank">#Java</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/kotlin/" target="_blank">#Kotlin</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/messaging-apps/" target="_blank">#messagingApps</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/online-privacy/" target="_blank">#OnlinePrivacy</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/private-messaging/" target="_blank">#privateMessaging</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/session/" target="_blank">#Session</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/signal/" target="_blank">#Signal</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/signal-alternatives/" target="_blank">#SignalAlternatives</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://soatok.blog/tag/vulnerability/" target="_blank">#vuln</a>

Recent searches

Search options

Administered by:

Server stats:

#messagingapps