@Cappyjax IDGAF about "passion". All I care about is the security of users!

Requiring any #PII like a #PhoneNumber is inacceptable when it comes to #ComSec, #InfoSec & #OpSec, espechally given @signalapp is not only able but entirely willing to restrict service based off said numbers, making their "solution" insecure by design.

• There's a reason why #XMPP+#OMEMO and #PGP/MIME [both each over @torproject / #Tor] is the evidently superior and more secure approach, as being unable to "#KYC" a user is a matter of security...

Espechally since obtaining a phone number anonymously is oftentimes illegal (i.e. #Germany made it illegal starting 07/2017, so using any service that demands a phone numner is out of question)

• And even if one can get an anonymous #SIM (with a phone number) or god forbid #eSIM, (which is at best pseudonymous as tracking down users by virtue of matching ICCID, IMEI & IMSI to location and time) the chances are high that one ends up with recycled phone numbers that have already been used.

Obviously the devs of #Signal and @Mer__edith are well aware of this critical flaw, which is why I consider them to act as "useful idiots" or rather "controlled opposition" as #Signal could've been shutdown trivially by the #US Government or forced into banning users based off their #PhoneNumbers (they may call this "#sanctions #compliance" given they added a #Shitcoin - Wallet into Signal!)...

• All the "but #Metadata" #FUD turns into #MarketingLies once put under the looking glass and examined against the risk of state-sponsored / -endordsed / -supported attackers.

Whereas with @monocles / #monoclesChat, @gajim / #gajim and @delta / #deltaChat and @thunderbird / #Thunderbird respectably I can not only use Tor, but do #SelfHosting for the entire #communications infrastructure (i.e. using an #OnionService = only reachable via Tor) and get the advantages of a self-routing, self-authenticating & battle-hardened against censorship proxy network that can't be shutdown!

• And if you think this is too tinfoilhatted, then consider yourself privilegued enough of having your mere existance not being criminalized by the government under threat of public execution!

https://ilga.org/wp-content/uploads/2024/02/ILGA_World_map_sexual_orientation_laws_December2019.pdf
https://infosec.space/@kkarhan/114697690127511140

@derekmorr

Let it go, already. No one uses MobileCoin. You can’t even find an exchange to buy it.

Then why does @signalapp still have that shit in it? @Mer__edith could've pulled that #Shitcoin yet refuses to do do!

The Cloud Act is a non-issue. Signal doesn’t have data on users, so they can’t be forced to disclose it.

That's literally wrong!

• #Signal not only collects #PII in the form of a #PhoneNumher but explicitly is able and willing to use that to dsicriminate against users and restrict app functionality based off their presumed juristiction. There is no "legitimate interest" for.doing so nor any legal mandate to do so (unless we excuse the ehole #MobileCoin-#Scam!)

It’s been 30 years, and no one uses xmpp. Let it go.

Wrong again. Otherwise there wouldn't be thriving ecosystems and Apps to this day. It's just that corporate shills refuse to acknowledge that Signal - like all centralized, proprietary, #SingleVendor and/or #SingleProvider kessengers before and after - will inevitably die as their business model is not sustainable. Sake with #ICQ really. The only exceptions are those that abolish #privacy for #profit, integrate actually working payments or sellout to a #cyberfacist #government (all those apply to #WeChat!)

It’s shocking that people who claim to care about security and privacy push niche apps with terrible UX and no PFS like Delta or XMPP instead of the only private messenger with any real market share, Signal.

You know what's shocking to me: People who are unable or rather unwilling.to acknowledge that Signal is garbage and it's requirement for a #PhoneNumber kills any #privacy benefits it may have on paper by virtue of being at best pseudonymous (assuming the userd don't live in a juristiction that demands "#KYC" for even prepaid #SIM cards (ime. #Germany) or god forbid even #IMEI|s (i.e. #Turkey has a literal allowlist that'll kick any device off it's MNOs after 90 days within 365 days.

• The #UScentric approach to #privacy and #threats makes Signal absolutely useless in many cases, and I do speak here from experience.

I'd rather help people onboard #XMPP+#OMEMO like @monocles and/or @gajim or #PGP/MIME like @delta & @thunderbird (incl. setting them up with #Orbot / #TorBrowserBundle / @tails_live so their traffic gets through @torproject and doesn't provide any useable IP addresses.

• I've literally been there and done that!

As for #Sustainability, providers like https://monocles.eu finance themselves by subscriptions (starting at €2 p.m.) which people can pay fully anonymous using #CashByMail and #Monero on top of common payment methods (i.e. SEPA wire transfer)...

• So even if you think "#monocles is a #honeypot" that is mitigateable ciz unlike with Signal you can choose your own client, choose a different provider & exervise self-custody of all tue keys!

@cryptgoat @signalapp @Mer__edith I sincerely doubt that.

• Just like #Signal doesn't ditch #MobileCoin or the demand for a #PhoneNumber for good...

A Researcher Figured Out How to Reveal Any #PhoneNumber Linked to a #GoogleAccount

https://www.wired.com/story/a-researcher-figured-out-how-to-reveal-any-phone-number-linked-to-a-google-account/

A Researcher Figured Out How to Reveal Any #PhoneNumber Linked to a #Google Account

Phone numbers are a goldmine for #SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.
#privacy

https://www.wired.com/story/a-researcher-figured-out-how-to-reveal-any-phone-number-linked-to-a-google-account/

Interesting set of developments that someone was able to figure out how to extract your mobile numbers from Google accounts

If this White Hat had found it and told Google to Plug The Leak it may have meant black hats found it a long time ago and exploited it in the Wild

Warning paywall

#Android #infosec #GSM #google #Alphabet #phonenumber

https://www.404media.co/a-researcher-figured-out-how-to-reveal-any-phone-number-linked-to-a-google-account/

Google Shared My Phone Number

https://danq.me/2025/05/21/google-shared-my-phone-number/

#HackerNews #Google #Privacy #PhoneNumber #DataBreach #Security

@silhouette @richi @signalapp @torproject

1. You completely miss the points! There is no "#TechnicalNecessity" to demand #PII like a #PhoneNumber - espechally for a "#privacy"-focussed messenger!

2. & 3. #Signal is able and willing to comply with #Cyberfacism and pushing a #Shitcoin (#MobileCoin) makes it trivial to criminalize the App for "illegal & unregilated banking". If #Moxie or @Mer__edith cared they'd yeet that thing (or didn't even integrate it to begin with!) to avoid the attention. And yes Signal does restrict the App functionality when using a phone number from #Russia & #Iran (among other nations), thus affecting not only those in need of safe comms but by sending a verification code to them, earmarking them for police & intelligence. Which bings.me to the 1st agrument.

4. #Tor has a stellar record in terms of stability, integrity and censorship circumvention. DIY'ing something instead if following almost two decades of solid progress is absurd and violates "don't roll your own crypto" as a rule!

5. Only with #SelfCustody can you protect your own data. Or do you really expect Staff from Signal to not talk when facing lifetime in jail? If they have the keys, they can decrypt it, thus their #E2EE is just a "#TrustMeBro!" concept. I mean, what prevents them from being forced into backdooring all comms to @icij as per #NSL? Any "guarantee" without self-custody is worthless by virtue of being unenforceable!

Signal pushing #TechPopulism instead of teaching folks that their #ComSec is worth diddly-piss wothout.#OpSec, #InfoSec & #ITsec is dangerous!

• And yes claiming "JuSt UsE sIgNaL!" is dangerous in the era of #Trump's #cyberfacist regime acting as it does (like with the #ICC)!

Not to mention there are better options that don't do that shite (i.e. demand PII) and just work. @monocles / #monoclesChat & @delta / #deltaChat for example can adapt way better to said risks and ain't run by a #VCmoneyBurningParty!

@richi Except @signalapp is not "#Privacy-first" cuz if #Signal did, they'd not.demand #PII (#PhoneNumber) nor remain in the #USA (#CloudAct) nor peddle #Shitcoin-#Scams (#MobileCoin) and put their tech on @torproject / #Tor and fully #decentralized.with 100% #SelfCustody of all the keys!

@GossiTheDog @signalapp it merely prevents #Screenshots by claiming it's #DRM'd content.

• It's a mere ask and #Microsoft could specifically close that #API and make it subject to contractual agreements (as they did with their #Antivirus API calls to disable #WindowsDefender!) if they decide this is against their wishes.

• It also doesn't prevent the #Keylogger nor works against the known #CryptoAPI #backdoor affecting all #Browsers (except #Firefox and @torproject / #TorBrowser) which can be triggered by a single #HTTPS request.

The correct solution for #Signal would be to alert all their users and specifically block #Windows in general or at least #Windows11 simply because it is a #Govware and empirically cannot be made private or secure.

But that would require them to actually give a shit, which thed don't, cuz otherwise they would've stopped demanding #PII like a #PhoneNumber and moved out of juristiction of #CloudAct.

• I mean, what's gonna prevent the #Trump-Regime from threatening @Mer__edith et. al. with lifetime in jail for not kicking the #ICC (or anyone else he and his fans dislike) from #Signal's infrastructure?

Since they are highly centralized.they certainly are capable to comply with "#Sanctions" (or whatever bs he'll claim!)...

[image removed by user]

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

• They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as client and/or stop collecting PII like PhoneNumbers - they gotta have to do something…

• As for #InfoSec, #OpSec & #ComSec, I'd say #XMPP+#OMEMO remains the gold standard alongside #PGP/MIME...

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

• And I've been using Tor for almost 15 years daily now...

Your mistakes makes no difference to us. But it’s our mission to educate you

Thanks @oliora for the picture

#Facebook #PhoneNumber #Validation

@lastquake a #XMPP-#Bot would be even better, as #Telegram demands #PII in the form of a #PhoneNumber!

@dzwiedziu @fj @signalapp not really, as the #Metadata #FUD cited by #Signal is mitigateable with proper measures.

• You can't even run Signal over @torproject and even if that point is moot when you're forced to quasi-#KYC by virtue of a #PhoneNumber aka. #PII they have neither legitimate interest nor technical reason to demand in the first place!

Every claim that things like #ITsec, #InfoSec, #OpSec & #ComSec can be solved with "Just use Signal!" is "#TechPopulism" at best if not being a "#UsefulIdiot"!

• All #centralized, #SingleVendor & #SingleProbider systems are inherently insecure!

#EOD #thxbye #next

@pixelcode @taylan Your nonchalant "So what?" gets people publicly murdered by the state in many juristictions...

• Which is why there is no substitute to teaching proper #TechLiteracy ffs!

If things were so easy as in "JuSt UsE sIgNaL!" then @signalapp would be shut down.

• Or do you really think that in a world where multi-year long sting ops like #ANØM / #OperationIronside / #OperationTrøjanShield get greenlit that @Mer__edith would risk dying of old age in jail for non-paying users?

If you do think so then you should really get some professional help, cuz you seem rather lost...

• #Signal doesn't even bother to have an #OnionService, much less to provide means to use their service without self-doxxing with a #PhoneNumber, which at best is pseudonymous and requires money to attain and maintain...

It's #centralization is an absolute nightmare and mist be deemed as criminally neglectful!

@Andromxda @pixelcode How can you claim something you can't evidence?

• Pretty shure if it's not @signalapp themselves, then their centralized architecture and unwillingness to even have an #OnionService on @torproject makes it trivial to pull a #Room641A on them.

It makes you look like one of those folks shilling #VPN|s that ain't logless after all...

• I don't believe in #marketing #lies and #Signal can't (and won't) be able to evidence that they don't log shit.

At least they should be honest about things and not claim bs, cuz demanding a #PhoneNumber is just #KYC with extra steps like demanding any #SSN or other #PII. Makes them look like chinese MMORPGs that demand ID card numbers for account signups, thus #paywalling the ability to use their service anonymously...

@signalapp I disagree because your platform is #proprietary, #SingleVendor, #SingleProvider and doesn't allow for #SelfHosting, #SelfCustody of all the Keys and you demand #PII in the form of a #PhoneNumber which can be used.to track users down!

• If #Signal was as secure as claimed, it would've been shut down like #EncroChat, #SkyECC & others...

@walkinglampshade @jrredho @fj It's basic #InfoSec, really:

• @signalapp has no "#LegitimateInterest" to demand #PII like a #PhoneNumber and they use and abuse that to restrict functionality of their App (it doesn't matter that they merely claim "comply with #sanctions" [their #MobileCoin #Shitcoin #Scam disqalifies them even more!] because they have the tech to distinguish and discriminate users)...

Thus #Signal fails at protevting #Journalists and theor sources because they do have that data and can be #subopena'd for it if they don't already provide #BulkSurveillance & #LawfulInterception #API|s to comply with #CloudAct. (Or are you guys so naive and believe @Mer__edith will risk dying of old age in jail for non-paying users?)

• This entire "thread vector" just doesn't exist with #XMPP+#OMEMO nor #PGP/MIME!

And if you believe "this won't ne used/abused me because I'm from 'Murica!" and point at #ANØM as an example, then you really ignored all tze #Cyberfacism since 9/11…

@nemo Except #Signal demanding #PII like a #PhoneNumber, being subject to #CloudAct an shilling #MobileCoin, a blatant #Shitcoin #Scam disqualifies them!