I posted about the Signal messaging application versus Telegram a while ago, and I received a lot of answers about different applications as alternatives. So I'd like to write a thread giving an overview about my perspective on the security of different applications. 1/53

It's very important to remember that this thread is only about messaging applications for mobile phones, and the evaluations are based on my own perspectives and needs. In some cases they will be subjective, and you should investigate before applying the advice to yourself. 2/53
As I've mentioned previously, when talking about secure messaging applications, it's extremely important to remember that if an application is secure enough, the limitation will not be the security of the application itself; the limitation is the security of the device. 3/53
When talking about security, the weakest link in a chain will be the one an attacker will go after. There are some applications in this thread that are very secure and have great protocols. But if the device is compromised, that will simply not matter. 4/53
So, if you have something very sensitive to discuss, my strong advice is to not trust that information to a mobile device - there are simply too many ways it could be compromised. So, from that perspective, the security of the protocol is not relevant. 5/53
Of course, a messaging application can _fail_ by not having good enough security, but once you reach a certain level, the security of the protocol or the application is not a factor anymore. As always, figure out a threat model for your situation before deciding. 6/53
This list will not be in any particular order. I will try to keep the summaries fairly concise to make this thread smaller than a hundred tweets. In general, you might have to dig deeper for further information, or ask for clarifications. So, let's jump in! 7/53
First, Confide. Confide has been around since 2013 and was an early adopter of disappearing messages. Confide is not open source, which disqualifies it for me. Security audits have also found many issues over the years, so although it's end-to-end encrypted, it's not for me. 8/53
OK, Facebook Messenger. I basically consider the mobile applications for FB Messenger spyware. They've had a long history of asking for many more permissions than necessary, and of using questionable methods for collecting all kinds of user information. 9/53
The application is obviously also closed source, making it impossible to inspect. These days, the application does support end-to-end encryption, but it's optional. It does use the Signal protocol for this feature, which is good. That said, I wouldn't recommend it. 10/53
What about the different Google messaging products? Things like Allo, Duo, Hangouts and all the others? You might see the trend by now - these are all closed source. Some of them support end-to-end encryption at some level, but usually as an optional mode. 11/53
When it comes to Google's messaging products, given the opaqueness of their implementation, the lack of clarity about product evolution and their uncertain security properties, I would recommend simply staying away from them. 12/53
OK, so what about Apple's iMessage? Any better? Just like the others we've just looked at, it's a proprietary, closed source tool. What's more, it's only available on Apple products. On the other hand, Apple has been quite open about how certain parts of it work. 13/53
Independent analysis of the security properties of iMessage has been done. What are the results? My summary would be "meh". The end-to-end encryption seems to work well enough, but there are certainly ways around it if Apple took an interest in a certain customer. 14/53
This might be a good place to pause and talk about backups. If you do any kind of cloud backups for a mobile messaging application, it's often the case that your messages will _not_ be protected the same way (or at all) they are in the application. 15/53
For this reason, this evaluation doesn't really look at what happens if you have backups turned on. It's the same kind of situation as if an adversary has their hands on your unlocked phone - in general you lose. 16/53
The same thing is completely true if an adversary has managed to infect your phone with malware - especially if that malware has succeeded in countering the security mitigations on your phone and achieved kernel access. In this situation, you lose. 17/53
It's important to remember this. We talked about the security of mobile phones in the beginning of the thread, but I want to remind you. There are many types of attacks that an application simply can't protect you against. Don't put too sensitive information on your device. 18/53
What about Session? This is a very new messenger application at the moment. It is open source and doesn't require real-world identifiers (such as a phone number) to register. It tries very hard to be decentralized and to remove as much metadata as possible in the design. 19/53
To be honest, Session looks quite interesting. It's pushing forward in directions that other messenger solutions are not. However, it is also very new, has not been audited yet, and it's unclear how well it scales in practice. It's also built on new protocols. 20/53
For all of these reasons, I would not recommend using Session for anything critical at the moment. It's a project worth keeping an eye on, and in a while it might be something I would recommend. But security also has to be conservative, and Session is too new. 21/53
Time to look at Signal. First, the good parts. It has a very good end-to-end encrypted protocol. Encryption also covers groups, although not with the same security properties as one-on-one. In general, there's a lot of functionality, and adoption is high. 22/53
Signal is completely open source, both the clients and the server. Their security choices are generally conservative in a positive way, while still evaluating new technology to solve problems such as backups and private contact discovery. 23/53
Buuuuuuuut. Signal still requires phone numbers for registration, and will automatically notify you when someone in your contact list signs up. There are still bugs here and there - and the app still crashes often, at least for some users. 24/53
Just a few days ago, Signal was completely down for roughly 12 hours, because of a huge surge in new users. This could happen to anyone, of course, but it still must have given a bad impression to all those new people, fleeing WhatsApp. 25/53
What about security? In general, it's pretty good, for running on a phone. There are persistent discussions about information leaks through Google's Android keyboard, or through third party installed keyboards. But honestly, I think Signal is doing the right thing here. 26/53
If a user installs a custom keyboard, they expect to be able to use it everywhere. Taking away that choice would be actively hostile to a good user experience. And when it comes to GBoard, it seems to me that if Google is your adversary, you shouldn't use a Google OS. 27/53
The same thing is true for iOS and Apple, of course. If your threat model is such that you can't trust the basic services of the phone, you should not put anything sensitive on that phone. It's not just keyboards; these providers have a million ways to backdoor you. 28/53
So from my perspective, being worried about the keyboard doesn't really make sense. It comes from an inconsistent threat model. 29/53
Since we are talking about messaging applications, let's just look at regular text messages - SMS. Not encrypted, transmitted over the air and with no real delivery control of any kind, it's really the worst of all options. 30/53
Now Telegram... As I mentioned in an earlier tweet, Telegram should _not_ be considered a secure messaging application. Yes, it supports end-to-end encryption, but it's not turned on by default, and the design is such that cryptographers go "hmmmm". And not in the good way. 31/53
Telegram groups are also very popular, but they are not end-to-end encrypted at all. Further, the Telegram clients are open source, which is good, but the servers are not. Overall, I would recommend that you stay away from Telegram, especially if you have any security needs. 32/53
OK, what about Threema? There are things to like about this application. They have good documentation about their security, the focus on privacy is strong, and their group design hides most information even from the servers. No phone number is needed for registration. 33/53
However, there are also some issues. First, and most importantly, it's not open source. And while they have received several audits, that's not nearly the same thing. Their marketing material is also quite misleading at times, most importantly regarding forward secrecy. 34/53
Specifically, they claim that Threema is forward secret, but looking at the protocol documentation it turns out that it's only the _transport layer_ which has forward secrecy, not the actual end-to-end encryption. 35/53
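To make the distinction in the previous tweet concrete, here is an added toy script (not code from Threema, Signal or any other project in this thread) contrasting end-to-end encryption keyed from long-term keys only with end-to-end encryption that mixes a per-session ephemeral Diffie-Hellman into the key. The DH group, the hash-based stream cipher, the key names and the sample messages are all assumptions chosen so it runs with the standard library; it also skips authentication of the ephemeral keys, which a real protocol must provide.

```python
"""Toy demonstration of why transport-layer forward secrecy is not the same
thing as forward secrecy of the end-to-end encryption.  Constructed for this
thread; it is not code from Threema, Signal or any other project discussed.
The DH group and the hash-based stream cipher are toys chosen so the script
runs with the standard library only.  Do not reuse them for anything real."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption): a 127-bit Mersenne prime and
# generator 5.  Small enough to run instantly, far too small for real use.
P = 2**127 - 1
G = 5


def keygen():
    """Return a (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, peer_pub):
    """Shared secret; symmetric, so both sides reach the same value."""
    return pow(peer_pub, priv, P)


def kdf(*shared_secrets):
    """Derive a 32-byte key from one or more DH outputs."""
    h = hashlib.sha256()
    for s in shared_secrets:
        h.update(s.to_bytes(16, "big"))
    return h.digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- Mode 1: key derived from the two long-term keys only ---------------

def encrypt_static(sender_lt_priv, receiver_lt_pub, messages):
    key = kdf(dh(sender_lt_priv, receiver_lt_pub))
    return {"ciphertexts": [xor_stream(key, m) for m in messages]}


# ---- Mode 2: a fresh ephemeral DH is mixed into every session ----------

def encrypt_ephemeral(sender_lt_priv, receiver_lt_pub, receiver_eph_pub, messages):
    """receiver_eph_pub is a one-time public key the receiver published for
    this session (a 'prekey').  The sender's own ephemeral private key lives
    only for the duration of this call."""
    eph_priv, eph_pub = keygen()
    key = kdf(dh(sender_lt_priv, receiver_lt_pub), dh(eph_priv, receiver_eph_pub))
    ciphertexts = [xor_stream(key, m) for m in messages]
    return {"sender_eph_pub": eph_pub, "ciphertexts": ciphertexts}


def decrypt_ephemeral(receiver_lt_priv, sender_lt_pub, receiver_eph_priv, transcript):
    key = kdf(dh(receiver_lt_priv, sender_lt_pub),
              dh(receiver_eph_priv, transcript["sender_eph_pub"]))
    return [xor_stream(key, c) for c in transcript["ciphertexts"]]


# ---- Adversary who recorded traffic and later steals the long-term key --

def attacker_decrypt(sender_lt_priv, receiver_lt_pub, transcript):
    """The attacker holds the recorded transcript plus the sender's long-term
    private key.  The only secret it can derive is the static DH value; in
    the ephemeral mode the per-session DH private keys were discarded, so the
    key it computes is wrong and the output is noise."""
    key = kdf(dh(sender_lt_priv, receiver_lt_pub))
    return [xor_stream(key, c) for c in transcript["ciphertexts"]]


def run_demo():
    alice_priv, alice_pub = keygen()      # long-term identity keys
    bob_priv, bob_pub = keygen()
    messages = [b"meet at 10", b"bring the documents"]   # constructed sample

    static_tx = encrypt_static(alice_priv, bob_pub, messages)

    bob_eph_priv, bob_eph_pub = keygen()   # Bob's one-time prekey
    eph_tx = encrypt_ephemeral(alice_priv, bob_pub, bob_eph_pub, messages)
    bob_reads = decrypt_ephemeral(bob_priv, alice_pub, bob_eph_priv, eph_tx)
    del bob_eph_priv                        # forward secrecy depends on this

    # Time passes; Alice's phone is seized and her long-term key extracted.
    return {
        "receiver_decrypts": bob_reads == messages,
        "static_recovered": attacker_decrypt(alice_priv, bob_pub, static_tx) == messages,
        "ephemeral_recovered": attacker_decrypt(alice_priv, bob_pub, eph_tx) == messages,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the comparison: TLS between the phone and the server protects the recording adversary on the wire only as long as the end-to-end layer also discards key material. If the end-to-end key depends only on long-term keys, a later device seizure unlocks every recorded message regardless of how good the transport encryption was. Signal's protocol goes further than this toy by ratcheting the ephemeral DH on every message and authenticating the ephemeral keys.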
I guess now is a good time to discuss the issue of jurisdiction. Many people talk about the benefits of messenger applications being based in Switzerland, because of the strong privacy laws found there. My personal opinion is that jurisdiction doesn't actually help. 36/53
There are simply too many ways around jurisdiction from a legal protection standpoint. I prefer technology and cryptography to protect me. If jurisdiction is something you think you can depend on, any one of the messenger applications in this thread should work for you. 37/53
And then we come to the elephant in the room: WhatsApp. First, WhatsApp is not really a choice in many parts of the world. Most people in Latin America rely on WhatsApp to such a large degree that you almost have to have it installed, if you live here. 38/53
Now, WhatsApp has a huge market penetration. They do have end-to-end encryption, based on the Signal protocol. Usability is pretty good as well, and there are many features, including things like business accounts and so on. 39/53
However, WhatsApp is not open source, and it's owned by Facebook. It's clear that they collect a large amount of metadata and traffic information, and that this is very valuable to them. The recent fracas about changed terms and conditions doesn't actually change anything. 40/53
Instead, these new terms and conditions only clarify things that WhatsApp was _already_ doing. While having WhatsApp installed is sadly something you might not get away from, I recommend using other alternatives as much as possible, and certainly for sensitive things. 41/53
OK, on to Wickr. This was a very early adopter of "disappearing messages". You can see how cool it is if you've ever seen Mr Robot. However, while disappearing messages are useful, they are not the strong security measure you might imagine. 42/53
Wickr has decent cryptography, as far as we can tell - but this goes to the core of the problem again: we can't verify this, since Wickr is not open source. This reason is enough for me to feel uncomfortable recommending Wickr. 43/53
Our final entry in this list is Wire. Of all the messenger applications, I think Wire is the one most people name as what you should use instead of Signal. A lot of this support comes from the fact that Wire doesn't require phone numbers for registration. 44/53
Another common argument for Wire is the legal residence, since Wire was created in Switzerland. But you have already seen my thoughts on that above. And that's also less relevant now, since in 2019 the company that owns Wire was bought by a US corporation... 45/53
What about crypto? Wire is based on the Signal protocol, using libsodium for their implementation. Nothing complicated or problematic here. Wire has also open sourced both their client and server software, which makes it easier to verify the system. 46/53
However, there are other security considerations that continue to be concerning. Audits have uncovered problems and some of those have been fixed, while others remain - such as sending of passwords over a simple TLS connection. 47/53
But the most problematic aspect of Wire in my opinion has to do with their policies around data retention. Their servers store much more information than necessary, and a lot of metadata about users is stored completely unencrypted. 48/53
Finally, Wire does not support group messaging at all (in the Wire Personal version). Taking all of these things together, especially data retention and change of ownership, makes me feel quite uncomfortable using Wire for anything sensitive. 49/53
We have reached the end. The truth is, none of these options are fantastic. All have issues and I can't recommend any single one without caveats. I personally do use Signal as my main messenger application, since on balance, it suits my threat model best. 50/53
But I need to reiterate: you don't put anything sensitive on a mobile device in the first place. If you do, it doesn't really matter which secure messenger you use, since all of them run on a device that has security limitations. 51/53
One final point, which might be obvious: all of these evaluations are based on some assumptions. One of them is that you actually install the real application. In some cases there have been reports about people downloading a messenger and being attacked by it. 52/53
These things can always be traced back to a situation where the download happened from a place that wasn't official. Of course, in sensitive enough situations, backdoored applications can conceivably be served by app stores as well. Once again: don't trust mobile devices. 53/53
