#Signal: Keep your phone number private with Signal usernames
https://signal.org/blog/phone-number-privacy-usernames/
Signal
Keep your phone number private with Signal usernames
Signal’s mission and sole focus is private communication. For years, Signal has kept your messages private, your profile information (like your name and profile photo) private, your contacts private, and your groups private – among much else. Now we’re taking…
NoGoolag
Quiet
Encrypted p2p team chat with no servers, just Tor.
https://tryquiet.org/index.html
https://github.com/TryQuiet/quiet
Currently in development stage, so be cautious with your data
Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In Quiet, all data syncs directly between a team's devices over Tor with no server required.
- No email or phone number required: Unlike #Slack, #Discord, #WhatsApp, #Telegram, and #Signal, no email or phone number is required to create or join a #community.
- End-to-end encryption: All data is #encrypted end-to-end between member devices, using Tor.
- Channels: Organize chats in Slack-like channels, so conversations don't get messy.
- Images: Send and receive images, with copy/paste, drag & drop, and image previews.
- Files: Send and receive files of unlimited size!
- Notifications, Invite links, Keyboard controls, Desktop apps
- Android: Quiet works on Android, and F-Droid support is on the way.
#E2E #Chat #Quiet #Tor
tryquiet.org
Quiet - Private messaging. No servers.
#WhatsApp, #Signal and #Telegram among apps cut from #iPhone app store to comply with censorship demand
#China ordered #Apple to remove some of the world’s most popular chat messaging apps from its app store in the country, the latest example of censorship demands on the iPhone seller in the company’s second-biggest market.
https://www.wsj.com/tech/apple-removes-whatsapp-threads-from-china-app-store-on-government-orders-a0c02100
The Wall Street Journal
Exclusive | China Orders Apple to Remove Popular Messaging Apps
WhatsApp, Signal and Telegram among apps cut from iPhone app store to comply with censorship demand.
The encrypted-messaging service #Signal is the application of choice for dissenters around the world. The app has been downloaded by more than 100 million users and boasts high-profile endorsements from NSA leaker Edward Snowden and serial entrepreneur Elon Musk. Signal has created the perception that its users, including political dissidents, can communicate with one another without fear of government interception or persecution.
But the insider history of Signal raises questions about the app’s origins and its relationship with government—in particular, with the American intelligence apparatus. Such a relationship would be troubling, given how much we have learned, in recent years, about extensive efforts to control and censor information undertaken by technology companies, sometimes in tandem with American government officials...
So what does all this mean for American users—including conservative dissidents—who believe that Signal is a secure application for communication? It means that they should be cautious. “Maher’s presence on the board of Signal is alarming,” says national security analyst J. Michael Waller. “It makes sense that a Color Revolutionary like Maher would have interest in Signal as a secure means of communicating,” he says, but her past support for censorship and apparent intelligence connections raise doubts about Signal’s trustworthiness. https://www.city-journal.org/article/signals-katherine-maher-problem
City Journal
Signal’s Katherine Maher Problem
Is the integrity of the encrypted-messaging application compromised by its chairman of the board?
Don't install #signal app for #macOS, it is not secure.
I carried out this small experiment:
- I wrote a simple Python script that copies the directory of Signal's local storage to another location (to mimic a malicious script or app)
- I ran the script in the Terminal and got a copy of my Signal data on my Mac
- I booted a fresh macOS installation in a virtual machine
- I transferred the copy of Signal's data to the VM and placed it where Signal expects it: ~/Library/Application\ Support/Signal
- I installed Signal and started it
- Signal started and restored my session with all the chat histories 😳
- I exchanged a couple messages with a contact from the VM and it worked 😳
- Then, I started Signal on the Mac
- I got three sessions running in unison: Mac, iPhone, and VM 😳
Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn't warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session.
Perhaps this flaw is what makes some users think that Signal has a "backdoor" as it is easy for sophisticated attackers to target a victim who's using the Mac app and see their chats. (The same may be also true for the Windows app)
https://x.com/mysk_co/status/1809287118235070662
#Signal under fire for storing encryption keys in plaintext
https://stackdiary.com/signal-under-fire-for-storing-encryption-keys-in-plaintext/
Stack Diary
Signal under fire for storing encryption keys in plaintext
Popular encrypted messaging app Signal is facing criticism over a security issue in its desktop application. Researchers and app users are raising concerns
Signal downplays encryption key flaw, fixes it after X drama | Bleeping Computer
Signal is finally tightening its desktop client’s security by changing how it stores plain text encryption keys for the data store after downplaying the issue since 2018.
As reported by BleepingComputer in 2018, when Signal Desktop for Windows or Mac is installed, it creates an encrypted SQLite database to store a user's messages. This database is encrypted using a key generated by the program and without input from the user.
#Signal
Don't Use #Session (#Signal Fork)
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
#im
Dhole Moments
Don’t Use Session (Signal Fork) - Dhole Moments
Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork c…
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
"Signal instantly dismissed my report, saying it wasn't their responsibility and it was up to users to hide their identity"
#im #signal #cloudflare
Gist
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md
Forwarded from Pegasus NSO & other spyware
Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
#Signal #QRCode
Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts.
"The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently," the Google Threat Intelligence Group (GTIG) said in a report.
In the attacks spotted by the tech giant's threat intelligence teams, the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. Once compromised, threat actors gain real-time access to victim messages, enabling persistent surveillance.
Deep dive into the #Signal arbitrary deletion #vulnerability I discovered in Signal Desktop:
In Signal Desktop, attachments are stored in a designated folder (typically “attachments.noindex”). The deletion logic resolves this folder’s absolute path using fs.realpathSync, which inherently follows symbolic links.
https://nitter.poast.org/jipisback/status/1894682205500088793
https://x.com/jipisback/status/1894682205500088793
https://fixupx.com/jipisback/status/1894682205500088793
#signal
https://xcancel.com/kaepora/status/1810989285148971162
If you look at leading scientific publications such as those from PETS, you’ll see that:
- Signal’s “sealed sender security” is broken and bogus (Martiny et al, 2021: https://cs-people.bu.edu/kaptchuk/publications/ndss21.pdf)
- Signal has regressed in terms of deniability: eprint.iacr.org/2024/741 (+upcoming work)
- Signal’s group chat benefits from lesser security guarantees: eprint.iacr.org/2017/713.pdf
- Signal’s tying of usernames to phone numbers is a slap in the face for those expecting real pseudonymity from the Signal service and continues to be unaddressed,
- Signal’s desktop client does not detect when a state has been cloned and allows for two independent devices to masquerade and authenticate as the same device,
- Signal’s use of SGX is more opaque than it could be,
But of course, all of the above and more are not something that can be brought up in polite conversation, because Signal’s own leadership has poisoned the discourse with politics and by encouraging an in-group thinking dynamic with regards to Signal.
IACR Cryptology ePrint Archive
A Deniability Analysis of Signal's Initial Handshake PQXDH
Many use messaging apps such as Signal to exercise their right to private communication. To cope with the advent of quantum computing, Signal employs a new initial handshake protocol called PQXDH for post-quantum confidentiality, yet keeps guarantees of authenticity…
#Atlantic editor Jeffrey Goldberg accidentally added to #Signal chat with TOP #Trump officials, sees top-secret #Yemen attack plans
JD VANCE: ‘Let’s go. I just hate bailing Europe out again’
HEGSETH: ‘I fully share your loathing of…’
RATCLIFFE: ‘good start’
https://www.theatlantic.com/politics/archive/2025/03/trump-administration-accidentally-texted-me-its-war-plans/682151/
SignalGate Is Driving the Most US Downloads of Signal Ever | WIRED
Since the news broke on Monday that senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a group chat on the Signal encrypted messaging platform where the officials were making secret plans to bomb Yemen, the ensuing news cycle and the constant mentions of Signal have led to the encrypted messaging platform doubling its usual rate of new downloads, the nonprofit organization that runs Signal tells WIRED.
Reminders :
How CIA created Signal app
Signal was funded by #glowies all along https://kitklarenberg.substack.com/p/signal-facing-collapse-after-cia
Sidenote on the so called "SignalGate":
If this was a genuine accident, it means the US is run by low IQ, emoji-using men-children who are as basic in their understanding of the world as they are incompetent with opsec..
#SignalGate #Signal #Opsec
Former National Security Advisor Mike Waltz was caught using TM SGNL, an Israeli-modified version of #Signal with archiving features, to receive and relay potentially classified info.
first report:
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
Basically they use a signal fork that saves messages unencrypted for backup.
https://techcrunch.com/2025/05/05/telemessage-a-modified-signal-clone-used-by-us-govt-officials-has-been-hacked/
https://x.com/AFpost/status/1918484795790684633
Trump fires Israeli MOLE inside the Trump administration
https://www.youtube.com/watch?v=VEIjzSUNjIU
#signal
#Signal’s privacy claims exposed! Mark37 dives into “#SignalGate,” revealing cracks in the app’s “gold standard” narrative. From closed-source anti-spam systems to leadership ties with Big Tech and government, plus vulnerabilities flagged by the Pentagon, is Signal truly secure? Learn the truth and explore safer alternatives.
https://mark37.com/signal/
#TeleMessage customers include DC Police, Andreessen Horowitz, JP Morgan, and hundreds more
#signal
I've been digging through the 410 GB of Java heap dumps from TeleMessage's archive server, provided by DDoSecrets. Here's a description of the dataset, some of my initial findings, details about an upcoming open source research tool I'm going to release, and a huge list of potential TeleMessage customers.
I found a WhatsApp group called "MPD Command Staff" with 46 users in it. There are many messages in this group, but they're all encrypted. (As I described in my earlier analysis, some of the individual messages are encrypted.) I looked up some of the phone numbers from this group on OSINT Industries and quickly discovered that these people all work for the Metropolitan Police Department in Washington, DC.
I also found a message sent to a Signal group called "US / China AI Race." The Signal group had 100 people in it. I looked some of them up: many of the group members hold prominent positions at major universities, the defense industry, and the military, and all seem to do AI-related work. The message says, "The biggest crime was USG ignored these fabs for two years." That's it. The dataset doesn't include any other messages from this Signal group.
That said, here's what I've found:
- 60,012 messages.
  - 36,388 of the messages are plaintext, and 23,624 are encrypted.
  - 1,079 of the messages include full attachments (like images, videos, PDFs, contact files, etc.) that are actually part of the dataset. But of those, only 50 of the messages are in plaintext. I can, however, actually open and view those plaintext attachments.
  - Most messages have a subject field that's something like, "WhatsApp message from X to Y." Based on these subjects:
    - 37,753 are WhatsApp messages.
    - 2,549 are Telegram messages.
    - 455 are SMS messages.
    - 141 are Signal messages.
    - 95 are something called "App Messages."
    - 26 are MMS messages.
    - 26 are WeChat messages.
    - 16 are voice call logs.
    - 11,254 are missing subject fields.
- 3,501 group chats, the vast majority of which are WhatsApp.
  - At least 2,034 are WhatsApp groups.
  - At least 578 are SMS groups.
  - At least 256 are Telegram groups.
  - At least 26 are Signal groups.
  - At least 10 are WeChat groups.
  - I'm not sure about the other ~600 groups, though it's possible to determine by manually looking at the messages associated with them.
  - There are also plenty of individual messages that are clearly part of a group chat, but that didn't include JSON metadata related to it, so they're not categorized as groups, even though they are.
- 44,503 users. These are either senders or recipients of messages.
  - At least 25,792 of them use phone numbers as the identifier.
  - At least 31 of them use email addresses, and at least 391 look like they use usernames.
  - I'm not sure about another 18,289 of them, but I think most of them are also phone numbers.
  - 17,377 of them include first and/or last names, too.
https://micahflee.com/telemessage-customers-include-dc-police-andreesen-horowitz-jp-morgan-and-hundreds-more/
https://micahflee.com/telemessage-explorer-a-new-open-source-research-tool/
Why #Signal’s post-quantum makeover is an amazing engineering achievement
New design sets a high standard for post-quantum readiness.
https://arstechnica.com/security/2025/10/why-signals-post-quantum-makeover-is-an-amazing-engineering-achievement/
Ars Technica
Why Signal’s post-quantum makeover is an amazing engineering achievement
New design sets a high standard for post-quantum readiness.