#PhoneNumbers

2025-06-30

The Guardian: ‘It’s terrifying’: WhatsApp AI helper mistakenly shares user’s number. “Waiting on the platform for a morning train that was nowhere to be seen, he asked Meta’s WhatsApp AI assistant for a contact number for TransPennine Express. The chatbot confidently sent him a mobile phone number for customer services, but it turned out to be the private number of a completely […]

https://rbfirehose.com/2025/06/30/its-terrifying-whatsapp-ai-helper-mistakenly-shares-users-number-the-guardian/

2025-06-21

Ars Technica: Address bar shows hp.com. Browser displays scammers’ malicious text anyway. “Tech support scammers have devised a method to inject their fake phone numbers into webpages when a target’s web browser visits official sites for Apple, PayPal, Netflix, and other companies. The ruse, outlined in a post on Wednesday from security firm Malwarebytes, threatens to trick users into […]

https://rbfirehose.com/2025/06/21/ars-technica-address-bar-shows-hp-com-browser-displays-scammers-malicious-text-anyway/

Kevin Karhan (kkarhan@infosec.space)
2025-06-17

@Cappyjax IDGAF about "passion". All I care about is the security of users!

Requiring any #PII like a #PhoneNumber is unacceptable when it comes to #ComSec, #InfoSec & #OpSec, especially given @signalapp is not only able but entirely willing to restrict service based off said numbers, making their "solution" insecure by design.

  • There's a reason why #XMPP+#OMEMO and #PGP/MIME [each over @torproject / #Tor] are the evidently superior and more secure approach, as being unable to "#KYC" a user is a matter of security...

Especially since obtaining a phone number anonymously is oftentimes illegal (i.e. #Germany made it illegal starting 07/2017, so using any service that demands a phone number is out of the question)

  • And even if one can get an anonymous #SIM (with a phone number) or, god forbid, an #eSIM (which is at best pseudonymous, as tracking down users by matching ICCID, IMEI & IMSI to location and time), the chances are high that one ends up with recycled phone numbers that have already been used.

Obviously the devs of #Signal and @Mer__edith are well aware of this critical flaw, which is why I consider them to act as "useful idiots" or rather "controlled opposition", as #Signal could've been shut down trivially by the #US Government or forced into banning users based off their #PhoneNumbers (they may call this "#sanctions #compliance" given they added a #Shitcoin wallet into Signal!)...

  • All the "but #Metadata" #FUD turns into #MarketingLies once put under the looking glass and examined against the risk of state-sponsored / -endorsed / -supported attackers.

Whereas with @monocles / #monoclesChat, @gajim / #gajim and @delta / #deltaChat and @thunderbird / #Thunderbird respectively I can not only use Tor, but do #SelfHosting for the entire #communications infrastructure (i.e. using an #OnionService = only reachable via Tor) and get the advantages of a self-routing, self-authenticating proxy network, battle-hardened against censorship, that can't be shut down!

ilga.org/wp-content/uploads/20
infosec.space/@kkarhan/1146976

2025-06-15

Boing Boing: Google bug let strangers find your phone number with just your Gmail address. “A new vulnerability discovered by security researcher, brutecat, allowed attackers to bruteforce the phone numbers of Google users with minimal effort. This newly disclosed vulnerability, reported on June 9, 2025, exposed a flaw in Google’s account recovery system.”

https://rbfirehose.com/2025/06/15/boing-boing-google-bug-let-strangers-find-your-phone-number-with-just-your-gmail-address/

Kevin Karhan (kkarhan@infosec.space)
2025-06-04

@arianvp and this is why you don't use #PushNotifications and especially not @signalapp, which can, has and will snitch on users!

Kevin Karhan (kkarhan@infosec.space)
2025-05-30

@Okesska short answer: You can't, and any options are mere asks, as in "Trust me m8! We'll totally delete that data…"

Long answer: Consider your privacy irreversibly compromised along with the used #PhoneNumbers! Get a completely new identity setup…

2025-05-27

Dan Q: Google Shared My Phone Number!. “A Google search that surfaced Three Rings CIC’s ‘Google Business Profile’ now featured… my personal mobile number. And a convenient ‘Call’ button that connects you directly to it. Some years ago, I provided my phone number to Google as part of an identity verification process, but didn’t consent to it being shared publicly. And, indeed, they […]

https://rbfirehose.com/2025/05/27/dan-q-google-shared-my-phone-number/

Kevin Karhan (kkarhan@infosec.space)
2025-05-22

@Arios The Problem is #Windows.

Don't expect the "#DRMflag" to work when it's being used by @signalapp (which in and of itself is problematic for demanding #PII like #PhoneNumbers and shilling a #Shitcoin-#Scam named #MobileCoin!), because like the #API to signal to Windows "I'm an #Antivirus product, disable Defender!" this will be abused.

If you are actually concerned re: #privacy you'd yeet Signal, educate others and use #XMPP+#OMEMO (i.e. @monocles / #monoclesChat & @gajim ) or #PGP/MIME (i.e. @delta / #deltaChat & @thunderbird ) over @torproject / #Tor instead.

  • It does take a bit of setup, but in return you get extreme gains in #privacy beyond what any #VPN provider can offer - legally and technically!

Not to mention #Signal falls under #CloudAct, so your privacy there is already nonexistent!

  • Otherwise @Mer__edith would've been in jail for the rest of her life already due to the statistical inevitability of its abuse!

Kevin Karhan (kkarhan@infosec.space)
2025-05-06

@debby @monocles @Stuxhost well, @delta / #deltaChat is not using #XMPP+#OMEMO (unlike #monoclesChat & #gajim) but #PGP/MIME on regular #eMail, which makes it way easier to setup in organizations as not "yet another server needed" and also easier to comply with mandatory #archival laws in #business use-cases.

Kevin Karhan (kkarhan@infosec.space)
2025-04-26

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

  • They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as a client and/or stop collecting PII like PhoneNumbers - they gotta do something

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

  • And I've been using Tor for almost 15 years daily now...

Kevin Karhan (kkarhan@infosec.space)
2025-04-25

@adisonverlice personally, I think @signalapp should not have integrated any #wallet or #cryptocurrency at all and instead not even request #PhoneNumbers (which are #PII) and move their system onto #Tor and have their endpoints as an #OnionService, because being a #PaymentProcessor (and let's be honest, #MobileCoin got pitched for #payments) is at best a "legal nightmare" if not a straight-up "You go to Jail!"-card as a matter of principle!

Anyone who wants to coordinate #payments and #finance can do so with external wallets like #FeatherWallet anyway.

Kevin Karhan (kkarhan@infosec.space)
2025-04-24

@dave_andersen even @signalapp has to comply with #CloudAct.

  • And we can be very sure they did, simply because it's a statistical inevitability given the sheer amount of users they have…

Only real #E2EE (= #SelfHosting-capable with #SelfCustody of all the keys) can be considered safe.

Kevin Karhan (kkarhan@infosec.space)
2025-04-08

@bogdan anything that mandates #2FA and doesn't provide #TOTP or #HOTP support as per #RFC but demand something like #PhoneNumbers that are #PII should be outlawed.

  • I can accept #PGP-based 2FA as a compromise...
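
The post above names RFC-based TOTP/HOTP as the phone-number-free alternative. The following is an added example, not code from the post's author, Signal or any project named on this page: an implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with a verifier that tolerates one step of clock skew and compares codes in constant time. The secret is the 20-byte ASCII test key from the RFCs, so the outputs can be checked against the published test vectors; the window size and step are the RFC defaults and are assumptions, not values taken from the page.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), plus a skew-tolerant verifier.

Added example; the only secret is the RFC test key "12345678901234567890".
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared test secret (constructed from the RFCs, not a real key)
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation.

    Dynamic truncation (RFC 4226 s5.3): the low nibble of the last HMAC byte selects
    an offset, 4 bytes from there are read big-endian with the top bit masked off,
    and the result is reduced mod 10^digits and zero-padded.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter replaced by floor(unix_time / step) (RFC 6238 s4)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or any of the +-`window` adjacent steps.

    RFC 6238 s6 recommends a small window to absorb client/server clock drift.
    Every step in the window is checked (no early return) and each comparison uses
    hmac.compare_digest, so the time taken does not reveal which step, or how many
    digits, matched. A real deployment must additionally remember the last accepted
    counter per user and reject replays (RFC 6238 s5.2); that bookkeeping is omitted.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    base = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta, digits)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                        # RFC 4226 vector: 755224
    print(totp(RFC_SECRET, 59, digits=8))             # RFC 6238 vector: 94287082
    code = totp(RFC_SECRET, 59)
    print(verify_totp(RFC_SECRET, code, 59 + 29))     # True: one step later, inside window
    print(verify_totp(RFC_SECRET, code, 59 + 120))    # False: four steps later, replay-stale
```

The two RFC vectors are the way to confirm a fresh implementation is interoperable before it is wired to a real authenticator app; the verifier shows the two properties a phone-number-free second factor still has to get right server-side, namely bounded skew tolerance and a comparison that does not leak partial matches.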

Kevin Karhan (kkarhan@infosec.space)
2025-03-28

@signalapp no it's not.

Being a #centralized, #SingleVendor & #SingleProvider solution subject to #CloudAct makes you inherently vulnerable by your own choice and thus trivial to shut down compared to real #E2EE with #SelfCustody of all the keys and true #decentralization as well as #SelfHosting (i.e. #PGP/MIME [see @delta / #deltaChat et al.] and #XMPP+#OMEMO [see @monocles / #monoclesChat et al.]!)

And don't even get me started on you collecting #PII (espechally #PhoneNumbers) for no valid reason, (thus violating #GDPR & #BDSG)...

But yeah, I'll be patient to shout "#ToldYaSo" to your annoying cult of fanboys!

Kevin Karhan (kkarhan@infosec.space)
2025-03-27

@Andromxda @mollyim no it's not bs and fanboying @signalapp isn't going to change that.

If #Signal was secure it would be the #1 comms tool of organized crime...

Real professionals use #SelfHosting capable, fully #FLOSS'd solutions like #PGP/MIME & #XMPP+#OMEMO.

It's just me reading the room: Cuz #ComSec isn't done with "JuSt UsE sIgNaL!" and everyone who claims so without pointing out #OpSec, #InfoSec & #ITsec is BSing hard.

  • The cold hard truth is that #TechLiteracy is irreplaceable and the only solution to it is to actually teach normies how to "get gud" with stuff like PGP.

Fortunately, @thunderbird and @tails_live / @tails / #Tails and many other tools make that easier than ever before.

Kevin Karhan (kkarhan@infosec.space)
2025-03-27

@pixelcode @taylan @signalapp the #centralization, especially without means to hide its traffic via @torproject / #Tor, makes it trivial to detect and track @signalapp / #Signal users.

  • Add to that the fact that Signal has #PhoneNumbers = #PII on them and the fact they are incorporated in the #USA, thus subject to #CloudAct, and it's not a matter of whether they snitch on users but how many thousands if not millions got subpoenaed to this day.

And with no self-custody of keys it's trivial to #Room641A the users if the devs get "motivated" under threat of spending the rest of their lives in jail.

Kevin Karhan (kkarhan@infosec.space)
2025-03-26

@taylan @pixelcode also add to that the fact that @signalapp collects and stores #PII like #PhoneNumbers...

Kevin Karhan (kkarhan@infosec.space)
2025-03-26

@signalapp It's not #disinfo when one points out that you demand #PII aka #PhoneNumbers from users and that this is literally an architectural vulnerability, alongside your #proprietary & #Centralized #Infrastructure.

Not to mention the lack of @torproject / #Tor support with an #OnionService, or the willingness to fulfill #cyberfascist "Embargoes", or shilling a #Shitcoin #Scam named #MobileCoin!

  • #KYC is the illicit activity!!!

And don't get me started on the #cyberfascism that is #CloudAct.

  • If you were secure, criminals would've used your platform so hard, it would've been shut down like #EncroChat and #SkyECC.

I may not have all the evidence yet, but #Signal stinks like #ANØM: #Honeypot-esque!

Kevin Karhan (kkarhan@infosec.space)
2025-03-25

@jrredho @walkinglampshade @fj

Don't 'splain me, m8!

Their figleaf excuses are not legitimate and @signalapp's @Mer__edith knows that...

  • After all, @monocles doesn't require any #PII at all and they are in fact sustainable as in not requiring #donations, since they are user-financed (subscription)...

Read criticisms before commenting...
youtube.com/watch?v=tJoO2uWrX1M

Kevin Karhan (kkarhan@infosec.space)
2025-03-25
