No, they are not. I’m in two groups. None of them are in the groups. I only use Signal for Real life friends from my Country. I never joined any random group. These people are from all over the world.
Interesting. Are there any other accounts on your phone that provide contacts? Maybe social media or other chat platforms? On Android you can see accounts in Settings > Passwords & Accounts (or somewhere similar; it varies a little between brands). You can also check inside your Contacts app by expanding the sidebar (again, varies by brand).
Just a thought. I don’t have any other contact providers on my phone so I can’t test it myself.
Please keep us posted if you get any official response or learn anything new!
Nope. And I maybe had to add (did it now) that this only appears to be a problem with Signal Desktop. My signal app on android doesn’t even show other contacts from strangers. I will update this if I get a response, of course.
Yup either official and through an Ubuntu/Debian container, or mess up your local system with the Opensuse Repo, or just use the Flatpak that just works
This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?
I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:
I advise you stop using Signal Desktop immediately, they keep the database key in plaintext. Exposed over 5 years ago and still not fixed. Frankly I find this pretty pathetic. Making this safer could be as simple as encrypting such files with something like age and perhaps regenerate the keys on a frequent basis (yes I know full disk encryption is somehow a viable solution against unwanted physical access. But instead, they’d rather focus on security by network effect by adding shiny UX features instead of fixing infrastructural stuff, like improving trust by decentralization, not requiring phone numbers to join, or adding support for app pasphrase (which is available in case of Molly, along with regular wiping of RAM data which makes things like cold boot or memory corruption attacks harder)
maybe try setting up a matrix bridge if you feel confident you can secure that properly. On one hand it might increase attack surface (use only servers and bridges with End to Bridge Encryption) but what’s an attack surface on software that is so ridiculously compromised. Also you can try using an alternative client such as Flare. Though YMMV, for me the last time I’ve used it it was quite rough around the edges but I’m happy to see it’s actively maintained so might be worth checking out.
Also no, flatpak doesn’t fix this issue. Yeah it provides some isolation which can be further improved with flatseal, and other defense-in-depth methods. But unless you are willing to face the trade-offs of using Qubes, you won’t compartmentalize your entire system. The key file in question is stored in ~/.local/share. I’m not denying vulnerabilities in userland applications, but thanks to it’s wide reach, often massive codebases and use of unsafe languages like C, it’s the core system or networked software that is the most common attack vector. And that doesn’t ship and will never ship via flatpak.
The most obvious way this is exploitable is directory traversal. But not only that. Just look up “Electron $VULNERABILITY”, be it CSRF, XSS or RCE. Sandbox escape is much easier with this crap than any major browser, since contextIsolation is often intentionally disabled to access nodejs primitives instead of electron’s safer replacements. Btw Signal Desktop is also an electron app.
Also, Signal’s centralization, sussy shenanigans with mobilecoin and not updating their server app repo for over a year (latter they ceased afterwards iirc but still very detrimental to trust, especially since git reflog manipulation is ridiculously easy) and dependence on proprietary libraries and network services (in case of libraries there are thankfully at least a couple forks without such dependencies). Plus most of their servers that aren’t necessarily CDN being located in glowieland…
The huge red flag to me is that Signal is no longer decried as the devil of western intelligence anymore.
Frank Figliuzzi (former FBI cointel) and Chuck Rosenberg (former DEA admin) used to rail on about all of the dangers posed by Signal, but I haven’t heard an unkind word in over a couple years now.
French authorities consider it a “terrorist app”. Louis Rossmann made a video about it. It was in some court case but at this point I don’t remember whether it was a local court or higher and frankly don’t care enough to check.
We each make a choice according to our level of comfort in concern to privacy, or lack thereof, in how we choose to conduct ourselves afforded by the solutions we utilize and the rituals we observe.
Remember, privacy can never be enforced or guaranteed, only encouraged. Best practices, as available, as it were.
No worries, it seems like you understand perfectly - I was just reflecting on the downvotes above.
I like it here because the people often seem real, and the voting generally seems (to me, anyway) to follow more of a meritocratic pattern than whatever the fuck has been going on at the other place for the last ten or more years.
We should probably try to really understand these differences so we might get better at designing communities that are actually sustainable. Maybe I am just getting old - I’m tired of starting over, I’m tired of watching great communities self-destruct.
Likely because while simplex looks great and is very promising, it doesn’t add much to the conversation here. Signal is primarily a replacement for SMS/MMS, this means people generally would want their contacts readily available and discoverable to minimize the friction of securely messaging friends/family. Additionally it’s dangerous to be recommending a service that hasn’t been audited nor proven itself secure over time.
You can only do so much to secure your account. Everything else is in the hands of the developers. I’m not really understanding.
Can you specifically say what your end goal is and what you want to avoid?
You mention privacy concerns, then population problems, but then ask about security - just looking for something more concrete ig would help me help you
Unless you can get the majority of your customer base on decentralized social media platforms, you’ll have to live with having to maintain a presence on both sides. Now if you’re asking how to run your business more securely on centralized platforms, general advice would be:
Use a separate account to manage your business page. Don’t use your personal account or email.
Logon to your business account on a desktop browser with uBO in a container tab. Know that you will be limited on some features (i.e. no reels/shorts on desktop).
I have some small amount of experience with this, but based on the little I know, here’s what I can say. First question is what is your goal? To get customers, or to create a community? Below is general advice but it’s hard to say just talking about it in the abstract.
If you want a community, I would probably advise to just treat it as one more channel, have separate pages in Meta / X / Fediverse / Pinterest or whatever as separate communities, since in a lot of cases there won’t be overlap between them. I wouldn’t recommend abandoning your existing Meta or X pages to set up a Fediverse page instead, although making a contingency plan for the slow motion demise of Meta as a platform for the long term seems like a good idea.
If you want to drive sales, then for me Google Ads always worked better than buying advertising on Meta or X or etc anyway. Have you measured conversion numbers from Meta? They make it easy to spend money definitely, but I always found the ROI in terms of pure paid sales to be pretty bad from them.
Thank you for your reply. My goal is actually a combination, as our association organizes gaming conventions and we need customers, but at the same time, the main focus before the event is to have a community.
Hm, yeah, I would just start up a Mastodon page in parallel with the Meta page. Pick the right “home” server to join; that’s critically important for Mastodon in a way that it’s not for Meta. Put in charge of the page someone who’s genuinely excited about participating in Mastodon, and would be engaged with the gaming community there whether or not they were in charge of the page. I don’t think I would recommend spending anything on ad promotion of the Mastodon page, but like I say I’m not convinced of the utility of spending money on Meta promotion either. YMMV
Anyway like I say my level of knowledge about it is pretty minimal but I’m happy to talk more in depth on details of my experience also if you like.
privacy
Oldest
This magazine is from a federated server and may be incomplete. Browse more on the original instance.