So we know the UK, France, Sweden and Australia all have “pondered out loud” about getting platforms like Signal to allow backdoors into encrypted calls and messages.
This creates a sense of safety about these platforms being secure, because governments want to come after them.
Here’s a tinfoil hat take: Five Eyes is significantly reducing inter cooperation. The non-fascist parts of the alliance don’t want to share with the obvious authoritarian, but the authoritarian one used to share the fruits of their established backdoors with them, and now they don’t.
Note that the US isn’t asking signal for a backdoor. Why? Back in 2015-2016 (last years of Obama), Apple had a loud and visible feud with the FBI. Since the authoritarian came to power, this all disappeared from the media. Interestingly, 10 years have gone by since that moment, every single aspect of our lives has become more surveilled, and somehow the US govt has stopped trying to get into phones? *While the CEO is making hand deliveries of 24 karat gold bars to the Oval Office?
TLDR; I think a safe assumption that they are in our devices by now. Fundamentally people misunderstand encryption. Encryption is only as strong as the weakest link. If your signal chats are unencrypted for consumption on your device, then that’s when the unencrypted content can be captured.
For the longest time, Apple stored your iCloud backups encrypted. Looked good in marketing materials, until they casually admitted the decryption key is stored in the same cloud.
Combine this with ICE capturing citizens without due process. If you have a vanilla smart device, you’re doing the surveillance for them. /tinfoilhat
~this is OG content created by me, a Lemmy user. Please don’t go too .ml on me in the comments.~
The part of the patriot act giving the cia etc warrantless phone search powers on Americans expired and wasn’t renewed. It’s why the CIA and NSA fight really hard every time Congress renews the part that allows them to surveil foreign/international phone calls.
Additionally, governments want security and privacy too. The navy invented TOR, for example.
On linux you can access your Signal messages in db.sqlite.
once you delete a message from signal, either through disappearing messages or manually, all those messages are deleted from the db.sqlite.
They are stored in an encrypted db.sqlite here:
/home/user/.config/Signal/sql/db.sqlite
you can also extract it from you phone:
only the messages that you can see when you open the Signal app are visible there.
to access the messages:
install:
signal-bakcup-tools-git
https://github.com/bepaald/signalbackup-tools
and
DB browser for sqlite
++++++++++++++++++++++++++++++
The most straight forward way is to create an output file to html.
copy the db.sqlite to a new directory
open a terminal and run
signalbackup-tools --exportdesktophtml signal.html
this will create folders of all your contacts and messages and media.
easily acessible. open the signal.html files in your browser
=+++++++++++++++++++++++++++++++++++++++
To open db.sqlite as a Sqlite database;
first you need to get the key:
copy the db.sqlite to a new directory
then run in terminal:
signalbackup-tools db.sqlite --showdesktopkey
OpenSSL 3.3.2 3 Sep 2024)
Signal Desktop key (hex):
58bfa167bb66b2b13b2ca6eadc33f4bf7275c254006d17ae5e3de5356c60f0b7
copy the key to a text editor
===========================
you must now add 0x to the beginning of that line:
0x58bfa167bb66b2b13b2ca6eadc33f4bf7275c254006d17ae5e3de5356c60f0b7
then open db.sqlite with the sqlitebrowser
right click db.sqlite, select open with DB Browser for sqlite
select RAW from the dropdown menu
input the passphrase from above. make sure you added the 0x to the beginning.
The entire database opens.
you can view all the information that signal collects. phone numbers, messages, images, media etc
+++++++++++++++++++++++++++++++++++++++
this is the difference between Molly and signal.
In Molly you can password protect db.sqlite, Signal removed this a while ago
Very interesting, thanks for sharing. I beginning to see why tariffs are being slapped on aluminium now!
Lets be real the US govt effectively controls the certificate authority that almost everyone uses and therefore could mitm most connections anyway
Not sure that’s how it works. The certification and the encryption are two different things. Though encryption certification does require the private keys to be uploaded to the CA, a bunch of internal encryption for these type of apps would not necessarily be certified by that or a CA in order for the encryption to be effective.
That’s also the lovely thing with AI assistants like Gemini and Recall. Instead of having to deal with the PR fallout of client-side scanning, they just let the AI hoover up your data while it’s in plain view on your phone or computer.
Signal is open source, right? Though that wouldn’t stop a bugdoor, it might at least make one harder. As you say, I think getting in through the OS itself is much more likely. Signal would put up much more of an ideological fight than Google, I imagine.
I think what op is saying is that your OS can spy on signal since you input plaintext into signal to be encrypted, or when you receive messages they get decrypted on your device.
Exactly, even is Signal is secure across the wire, if you have a kit like Pegasus on your phone then it can just capture keyboard input, and screen output, entirely bypassing Signal itself.
Correct
IIRC Signal has issues as far as being classified as open source. It includes proprietary code. Molly is a fully open source version. Both use the same servers, but they also have issues.
I used session for years, but I wouldn’t anymore. Doesn’t simpleX have a Nazi problem? There’s also briar, which I have installed but have never used because nobody else uses it 🤣.
but have never used because nobody else uses it
The network problem is a huge issue with messengers, yeah.
Dunno about any nazi problem, you mean the devs? Kinda weird. People using it? That’s what you get if you democratize a tool - anyone can use it.
I thought the server side isn’t?
It was always open source, but they didn’t update the repo. They started updating it a few years ago after complaints from users. https://github.com/signalapp/Signal-Server
Anyways, it’s impossible to know if that’s the code they’re actually running on their servers. You just have to trust them the same way you trust “no logs” VPNs aren’t actually logging your activity.
