12-12-2020, 07:53 PM
(12-10-2020, 03:42 PM)ryo Wrote: (12-10-2020, 08:50 AM)displacefish Wrote: That's a very good point. (12-10-2020, 06:41 AM)ryo Wrote: Mind you, I'm using 2 chat apps (3 if you count the Jabber server at work), neither of them are considered secure. And therefore, the logical thing to do is employ techniques like app isolation.
They're both closed source even.
But because of that, I keep the risks in mind, and not simply assume that they will keep me safe.
My point is that being careful is great, and no security system can't be improved by using it carefully. The most hardened, airgapped system in the world can be defeated by a privileged human logging in and manually running malware with root access out of carelessness. However, the opposite is true as well: you can be as careful as you want, but there's always both the possibility of slipping up (we're all human after all), or that it turns out you weren't careful enough.
That's what defense in depth is. More layers of defense, rather than trusting any single one to be infallible. Being careful is a layer of defense like any other - a perfectly good one, but best used in complement with others.
(12-10-2020, 08:50 AM)displacefish Wrote: While I'm all for being paranoid, the fact is Signal is open source, and has received plenty of scrutiny. They're using established crypto protocols (Telegram, looking at you here) and no significant issues have come up yet. I've heard plenty of criticism about requiring a phone number to sign up, which was a privacy issue, but I believe that has been relaxed some time ago.
I don't necessarily consider myself paranoid, rather I question everything regardless of security.
In the end, one thing is true: if all your acquaintances use Facebook Messenger, and you download The Perfect Secure Chat App, your conversations are all still gonna be as secure as Facebook Messenger. If Signal is what you can convince your family, friends, etc. to use, because things like Matrix or Jami aren't polished enough or suffer from issues due to their federated and p2p nature (respectively), then it's far, far better to talk to everyone over Signal, than to have all your favourite chat software installed but still talk to people over WhatsApp and the like because nobody else is using it.
Of course you can say "my app is fully open source, therefore you can see for yourself that no spyware is available" as much as you want, it takes 1 OTA update to sneak in spyware in a way (or even pre-install it) to completely destroy the entire point you made.
The most obvious example of that is Android.
Android is open source, private, secure, etc as long as Google remains entirely absent.
"I can't install anything, so I'll install the Play Store and login to my Gmail account" → privacy is gone.
So when someone installs Anbox on a Linux phone to use a couple apps not available on Linux, privacy is gone?