Here’s what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

  • PotatoesFall@discuss.tchncs.deEnglish
    0·
    4 months ago

    Okay first things first Jack Dorsey is a tool

    The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

    But the protocol itself is open source, and you can use it without any affiliation with the US government.

    The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

    Not having reproducible builds is definitely weird though. Does anybody have more information on that?

    • Steamymoomilk@sh.itjust.worksEnglish
      0·
      4 months ago

      My theory is that apple wont let the developer share there code for IOS because of “security”

      I remember an emulator (retro arch i think?) Got on ios at one point and was later removed because it showed apples file system layout. Which apples reason was “because it could be used to make malware for IOS”

      I feel like there is some similar thing with signal IOS

    • bamboo@lemmy.blahaj.zoneEnglish
      0·
      4 months ago

      Not having reproducible builds is definitely weird though. Does anybody have more information on that?

      They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits “As things stand now, you’ll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process”. Browsing the steps, it’s extremely complex, and doesn’t seem like something that is very user friendly and that you’d do weekly or monthly when a new version is released.

      On the GitHub issue linked to in the body, it’s disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there’s no way to confirm that non-jailbroken iPhones aren’t receiving a version with a backdoor.

      And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you’d have other issues with not receiving timely security updates. This same issue applies to Telegram also.

  • 乇ㄥ乇¢ㄒ尺ㄖ@infosec.pub
    0·
    4 months ago

    Yeah, he needs to fix his broken secret chat feature first… I think it’s broken on purpose…

    After seeing his interview with Tucker Carlson, I’m 100% sure the guy has some really dark agenda…

  • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
    0·
    4 months ago

    I find it weird how any discussion about Signal will inevitably have a bunch of people piling on dismissing any criticisms of it. Believing that Signal is perfect has become like a religion at this point. Whatever people might think of Telegram is completely irrelevant when it comes to the question of whether Signal is actually a secure tool or not.

    The fact that people working on Signal have direct ties to US intelligence agencies cannot be ignored. No can the fact that Signal is a centralized system based in US. These two things alone should make everybody very concerned.

  • AFF@beehaw.org
    0·
    4 months ago

    The article about Maher is written by a conservative who can’t accept that we can limit individual freedom to reach true collective freedom.

    Also he wrote for FoxNews lol

    Stop spreading propaganda please, it’s just a CEO trying to shill its product

  • NotMyOldRedditName@lemmy.world
    0·
    4 months ago

    You don’t need a backdoor in signal to bypass its encryption.

    All you need is to exploit the phone and wait for them to open or use signal.

    If you think your phone is safe from the NSA or similar services, I got some bad news for you.

    • emergencyfood@sh.itjust.works
      0·
      4 months ago

      All you need is to exploit the phone and wait for them to open or use signal.

      Physical access is root access. But just because you can’t make something NSA-proof dosen’t mean you can’t make it bloody difficult to break into.

      • NotMyOldRedditName@lemmy.world
        0·
        4 months ago

        There’s been enough zero day remote exploits that there’s bound to be more.

        Pretty sure there’s more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.

        Something about a malicious image also rooting a phone.

        It goes on and on and phones don’t always get security updates.

        You can do your best, but then longer you use a given phone the higher the risk. That’s why people switch out phones frequently when doing shady or important shit

    • anon5621@lemmy.ml
      0·
      4 months ago

      Cannot agree about this.telegram have at least open clientsource code,and a lot pirated stuff u cN find in telegram channels. So if choosing between telegram and WhatsApp.Definitely Telegram.

  • winterayars@sh.itjust.works
    0·
    4 months ago

    I don’t think i care what Jack Dorsey says that isn’t backed up independently. Even if he’s right i just don’t trust him.

    • Dessalines@lemmy.ml
      0·
      4 months ago

      You shouldn’t need to trust open source, it should be independently verifiable. Unfortunately that’s not possible with either signal or telegram, as there’s no way to tell what server code they’re running.

      • delirious_owl@discuss.online
        0·
        4 months ago

        If encryption happens client side then it doesn’t matter.

        Its where the server is open but the client is closed that we need to worry, as is the case with Beeper

        • ForgotAboutDre@lemmy.world
          0·
          4 months ago

          Closed sources server (even open source with no verification of the code running on the server) means it’s possible the server records who you talk to, when, where and the size of the messages. This can be useful to sell to advertisers.

          • Dark Arc@social.packetloss.ggEnglish
            0·
            4 months ago

            Cloud source server or open source server, you can’t know what server their running.

            Pavel’s whole argument here is basically the same thing for the client; “you can’t verify the build in the app store matches what’s in the source code, so you have no way of knowing it’s actually what you’re auditing.”

  • swooosh@lemmy.world
    0·
    4 months ago

    You can verify builds on android. That’s just an iphone problem.

    Use Grapheneos if you need good security and privacy

  • The Doctor@beehaw.orgEnglish
    0·
    4 months ago

    Points 0 and 1: None of this is new. This goes back to 2011 or 2012.

    Point 2: If someone gets hold of your phone and unlocks it (meaning, they can interact with it), they have access to your Signal messages on-board. This is why additional security measures (not using biometrics, encrypting your phone natively) are recommended. If your phone is off and someone dumps the data from it, they get encrypted data.

  • dolle@feddit.dk
    0·
    4 months ago

    Yes, sorry, but I can’t take something seriously if every paragraph begins and ends with an emoji. I know it’s dismissive, but all my Facebook lunatic conspiracy theory alarm bells are blaring.

    • rottingleaf@lemmy.zip
      0·
      4 months ago

      It’s more normal in Russian-speaking Web.

      Shouldn’t trust this guy anyway, it’s VK’s founder talking.