And now you know why he’s donating to the Trump campaign.
Because with the shift of power with project 2025 he can actually do this.
Yes, but it pushes it to an operating system level and that means everyone wins as the operating system solutions improve as vulnerabilities are found and resolved.
You also don’t need RCE access to exfiltrate data. If decrypted keys are held in memory, that mitigates an entire class of vulnerabilities from other applications causing your private chats to leak.
Full disk encryption is not a solution here. Any application that’s already running which can provide read only file system access to an attacker is not going to be affected by your full disk encryption.
They don’t necessarily need RCE access.
Also this isn’t how security works. Please refer to the Swiss cheese model.
Unless you can guarantee that every application ever installed on every computer will always be secure under every circumstance then you’re already breaking your security model.
An application may expose a vulnerable web server which may allow read only file system access without exposing the user to any direct control of their computer from an attacker. Now your lack of security posture for your application (Signal) now has a shared fate to any other application anyone else built.
This is just one of many easy examples that are counter to your argument here.
Having Signal fill in gaps for what the OS should be protecting is just going to stretch Signal more than it already does. I would agree that if Signal can properly support that kind of protection on EVERY OS that it’s built for, go for it. But this should be an OS level protection that can be offered to Signal as an app, not the other way around.
Damn reading literacy has gone downhill these days.
Please reread my post.
But this should be an OS level protection that can be offered to Signal as an app, not the other way around.
C’mon, you can do better than this, this is just embarrassing.
That’s not how this works.
This sort of “dismissive security through ignorance” is how we get so many damn security breaches these days.
I see this every day with software engineers, a group that you would think would be above the bar on security. Unfortunately a little bit of knowledge results in a mountain of confidence (see Dunning-Kruger effect). They are just confident in bad choices instead.
“We don’t need to use encryption at rest because if the database is compromised we have bigger problems” really did a lot to protect the last few thousand companies from preventable data exfiltration that was in fact the largest problem they had.
Turns out that having read access to the underlying storage for the database doesn’t necessarily mean that the database and all of your internal systems are more compromised. It just means that the decision makers were making poor decisions based on a lack of risk modeling knowledge.
That said the real question I have for you here is:
Are you confident in your omniscience in that you can enumerate all risks and attack factors that can result in data being exfiltrated from a device?
If not, then why comment as if you are?
And there are ways to mitigate this attack (essentially the same as an AiTM or pass-the-cookie attacks, so look those up). Thus rendering your argument invalid.
Just because “something else might be insecure”, doesn’t in any way imply “everything else should also be insecure as well”.
That’s not how this works.
If the stored data from Signal is encrypted and the keys are not protected then that is the security risk that can be mitigated using common tools that every operating system provides.
You’re defending Signal from a point of ignorance. This is a textbook risk just waiting for a series of latent failures to allow leaks or access to your “private” messages.
There are many ways attackers can dump files without actually having privileged access to write to or read from memory. However, that’s a moot point as neither you nor I are capable of enumerating all potential attack vectors and risks. So instead of waiting for a known failure to happen because you are personally “confident” in your level of technological omnipotence, we should instead not be so blatantly arrogant and fill the hole waiting to be used.
Also this is a common problem with framework provided solutions:
https://www.electronjs.org/docs/latest/api/safe-storage
This is such a common problem that it has been abstracted into APIs for most major desktop frameworks. And every major operating system provides a keyring-like service for this purpose.
Because this is a common hole in your security model.
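
The storage layout argued about in the comments above, as an added example that is not part of the original comments and is not Signal's or Electron's code: a database key written in plaintext next to the encrypted database, compared with the same key wrapped by a secret the OS keyring holds. `osKeyringSecret` is a stand-in for that keyring (in an Electron app the linked safeStorage API fills this role); all function names and sample data are hypothetical.

```javascript
// Added illustration; runs on plain Node.js with no Electron runtime.
const crypto = require('node:crypto');

// AES-256-GCM helpers: output is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Stand-in for the OS keyring secret (assumption). It lives outside the
// profile directory, so a file-read bug in another app never returns it.
const osKeyringSecret = crypto.randomBytes(32);

// Build the files an app profile would contain (constructed sample data).
function buildProfile(wrapKey) {
  const dbKey = crypto.randomBytes(32);
  const stored = wrapKey ? seal(osKeyringSecret, dbKey) : dbKey;
  return {
    'config.json': JSON.stringify({ wrapped: wrapKey, key: stored.toString('hex') }),
    'db.bin': seal(dbKey, Buffer.from('constructed private message')),
  };
}

// What a party holding only the profile files can recover.
function readWithFilesOnly(files) {
  const cfg = JSON.parse(files['config.json']);
  try {
    return open(Buffer.from(cfg.key, 'hex'), files['db.bin']).toString();
  } catch {
    return null; // the stored value is not usable as the database key
  }
}

// What the app itself recovers after the keyring unwraps the key.
function readAsApp(files) {
  const cfg = JSON.parse(files['config.json']);
  const raw = Buffer.from(cfg.key, 'hex');
  const dbKey = cfg.wrapped ? open(osKeyringSecret, raw) : raw;
  return open(dbKey, files['db.bin']).toString();
}
```

With `buildProfile(false)` the files alone are enough to read the message; with `buildProfile(true)` only the process that can reach the keyring secret can.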
That’s the joke.
Damn near every tech company and major utility provider has no way of growing aside from squeezing.
No matter where you turn you will be getting squeezed, and it’ll just get worse every year that regulations don’t catch up.
And if the U.S. has its way, institutional regulation will be a thing of the past as a new wave of unchecked corporate oligarchy begins. And since the U.S.’s biggest export is crazy, it’ll just spread…
Making the future more grim.
Remember, this is likely going to be the next POTUS.
The guy who is following someone else’s plan to get rid of and cripple regulatory bodies like the FAA.
Work for the FAA and disagree? That’s a secret policing for you, or maybe a public service announcement from the POTUS that he wants you gone. And his rabid followers will do the rest to you and anyone near you.
And as an official act, that’s okay.
Build it, don’t turn it on, watch all the residents complain about new ailments and conditions caused by the 5G.
Reveal that it’s never even been powered to really hammer home their ignorant bullshit.
The cognitively impaired should not be able to do this sort of shit.
And depending on the results of the upcoming election the FTC may no longer exist afterwards anyways.
Now we just need accessibility tools for the cognitively impaired that can’t seem to read the damn article.
Typical security negligence of startups.
Your data is essentially never secure if it’s sitting with a startup. It’s an atrocious world for security out there.
Literally the first thing you do on NoStupidQuestions is attack the person asking the question.
And then go on a rant that doesn’t actually address the question. I honestly don’t even know if you read the same OP that I did here…
C’mon, that’s not acceptable behavior here.
Give it time.
Is it really that difficult to think of equally or worse failures in American politics?
Just because it’s not marketed doesn’t mean it’s not offered