Yeah, if a nation-state thinks you are a bad enough actor, they might use a high power way to get at you. See Pegasus, for instance
But those exploits are rare, expensive and can be blown.
No one has ever said Signal is perfect security.
But it is damn good. Your SMSes aren't sitting in plaintext on your mobile ISP's network. You aren't going to have them intercepted by a fake mobile tower. And if you and your recipients use disappearing messages, good luck to any prosecutor trying to get them off a device.
And as for Apple sending a fake update? Might could happen but 1) Apple fought this once and 2) it'd be hard to do in any widespread way without being detected
Saying Signal protects you from fuck all is not just wrong, it's irresponsible AF.
It's like saying that locks, firewalls, alarm systems, curtains and network monitoring don't work because some people know how to defeat them.
Signal is a great security upgrade for almost anyone. I love seeing more people use it.
The amount of one-off work this would take is quite high, so the amount of motivation for a company like Apple to say “No, you can’t legally compel us to allocate engineering resources to this” is also quite high.
My point is that they (and other tech companies) would be highly incentivized against implementing something like a malicious update targeting a single device/user based purely on capitalistic motivations, rather than philosophical/ethical ones.
I wish I could agree with you but the real world doesn't work this way. Companies that don't play ball get broken up with anti-trust. Or what happened to the CEO (former CEO) of Qwest happens.
The "infrastructure" for the targeted updates is implemented by compartmentalized teams, who will be comprised of the clearance community, and the "external" people who work with them are a part of the clearance community.
>I wish I could agree with you but the real world doesn't work this way.
The real world does work this way. Businesses make business decisions based on bottom-line impact, and businesses generally push back very strongly against governments whenever a government asks them to do things that will cause them to make less money and/or waste money.
>The "infrastructure" for the targeted updates is implemented by compartmentalized teams, who will be comprised of the clearance community, and the "external" people who work with them are a part of the clearance community.
I agree that would be how it would work if it actually happened, but I think you overestimate the appetite (and even ability) of big tech to have any desire to do this kind of thing.
If you are implying that there are teams within big tech companies who secretly do this kind of thing, even against the wishes of other engineering teams (including security engineering teams) within the company... well that seems like a recipe for getting some of the company's most talented and highly paid security engineers incredibly pissed off if they ever find out — and it's very likely they would eventually find out, because it would be extremely difficult to hide this kind of thing over time.
How about you tell the former CEO of Qwest, or William Binney, or Jacob Appelbaum how it is you are so sure you think the world works. I implore you, respectfully, to consider what they have told the world and give some time, on top of the time you have probably already given this topic -- give some extra time to this topic, after seeing what they have shared with us.
> and businesses generally push back very strongly against governments whenever a government asks them to do things that will cause them to make less money and/or waste money.
Did Facebook and Twitter do this when the federal government told them to censor?
What did Mike Benz' interview with Tucker (whether you dislike or like Tucker is neither here nor there so let's not get distracted by that) in February of this year (2024) reveal to all of us?
> of big tech to have any desire to do this kind of thing.
Apple is and always will be subservient to NSA, CIA, and the State Department. If you believe today -- after taking a moment to really, truly, seriously think about it -- that it is the other way around, you have a very special kind of stunted personal development.
> (including security engineering teams) within the company...
I respectfully implore you to look into the publicly available information about how many people at Facebook, Google, Twitter (pre-Musk), and Apple have NSA or other "glowie" backgrounds.
> well that seems like a recipe for getting some of the company's most talented and highly paid security engineers incredibly pissed off
You are correct here.
> if they ever find out
They won't, not unless they already have the appropriate clearance, and once they do they will take those secrets to the grave, or else -- unless they can make it to Moscow instead of a black site operated on foreign soil.
> and it's very likely they would eventually find out
Provided they can get into parts of buildings, buildings that aren't even on the same campus, that they aren't authorized to get into, which will never happen. So..
Normalizing encryption is great.