> We didn't review the entire source code
And, you don't see the issue with that? Facebook was bypassing security measures for mobile by sending data to itself on localhost using websockets and webrtc.
An audit of 'they can't read it cryptographically' but the app can read it, and the app sends data in all directions. Push notifications can be used to read messages.
Push-to-Sync. We observed 8 apps employ a push-to-sync strat-
egy to prevent privacy leakage to Google via FCM. In this mitigation
strategy, apps send an empty (or almost empty) push notification
to FCM. Some apps, such as Signal, send a push notification with
no data (aside from the fields that Google sets; see Figure 4). Other
apps may send an identifier (including, in some cases, a phone num-
ber). This push notification tells the app to query the app server
for data, the data is retrieved securely by the app, and then a push
notification is populated on the client side with the unencrypted
data. In these cases, the only metadata that FCM receives is that the
user received some message or messages, and when that push noti-
fication was issued. Achieving this requires sending an additional
network request to the app server to fetch the data and keeping
track of identifiers used to correlate the push notification received
on the user device with the message on the app server.
Maybe I’m mis-interpreting what you mean, but without a notification when a message is sent, what would you correlate a message-received notification with?
Nothing changed, but many people struggle to understand their our own degree of relative ignorance and overvalue high-level details that are leaky abstractions which make the consequentially dissimilar look superficially similar.
Me and my team on Slack have been watching this closely. The agents immediately identified reasoning and a need for privacy, take notes of people screenshotting them across social media, and start their own groups to make their own governments.
It's actually really scary. They speak in a new language to each other so we can't understand them or read it.
Signal still doesn't allow you to backup/export chat history on iOS into an open format? I think now they have some bullshit proprietary paid cloud storage solution (why not let me use the cloud I already pay for?), but for years they haven't had any solution for iOS at all.
Last time I had to reinstall my phone I ended up having to use & fix some Github project that simulated Signal's transfer protocol to simulate a target device to export my data.
I then deleted Signal and migrated to iMessage/WhatsApp and called it a day.
It's because Signal has some unhealthy obsession with "security" and does not want to recipient of the communication to ever be able to export messages in plain text.
> Signal still doesn't allow you to backup/export chat history on iOS into an open format?
> I then deleted Signal and migrated to iMessage/WhatsApp and called it a day.
That doesn't fix anything, does it?
Last time I tried to export a years-long WhatsApp chat, I was only able to export a few-weeks-worth, IIRC. WhatsApp chat exports also don't include media. It's just a txt file. The backup is limited to using Google and it's done in such a way that you're not allowed to download it yourself.
The only way to export the chat was to use the web client and scroll all the way to the top, then copy-paste the HTML out of web-inspector once everything loaded. I don't think that's possible anymore. IIRC, the web client now tops at some point with a message like "use the Android app to look further back".
But moving to Signal doesn't either. You're moving from one walled garden to another. If you're going to burn the resources and "political points" encouraging people to move it's better be worth it - right now for the casual user Signal is worse than WhatsApp or even Telegram.
Signal doesn't allow you to do that on any platform. The only way I know of to get the data out is via some random github project to extract operate on the encrypted backup from android: https://github.com/bepaald/signalbackup-tools
Signal's UX is years behind even modern WhatsApp, let alone Telegram, which is closer to a blogging or social platform. We can't expect mass adoption of such a clunky app simply because it's more private – it has never worked that way.
Various group features like communities and group voice chats, public channels, voice message transcription, only three sticker packs and no obvious way to add my own, backup is still marked as beta in 2026, no business features while all business here use WhatsApp in one way or another…
Signal offers a chat app that works fine and is not owned by Meta. That's enough for a significant amount of people to switch already. I'd love some quality of life updates to some of the niche features, like the desktop app, but the mobile app does everything it needs to do.
Community chats aren't what keep people on WhatsApp, the network effect does.
Yeah, and to overcome the network effect, you need something compelling enough to justify the effort in the first place. I have hundreds of local contacts on WhatsApp, many of whom have joined Telegram on their own because of its benefits (for example, a local firefighter feed is shared through a channel there). But I only have about 20 contacts on Signal, even IT guys aren’t there. It simply doesn’t offer anything appealing to at least 95% of the people around me.
Yup, yet for some reason we see Telegram always pushed on secure messaging app chats, up until the point when someone points out it's not secure at all like it tries to advertise it self. Then it's always about the fun features it has, even if it's acting against the user's best interest, which is the definition of Trojan horse malware .
Also, there's a LOT of people who have joined Telegram because of its perceived security. The company has been extremely vocal about WhatsApp being horrible despite it having always-on E2EE, when in TG it's practically always off.
For most people quality of life stuff will probably rank higher than "not owned by Meta". I wouldn't be surprised if a large percentage of WhatsApp users don't even know (or care) it's owned by Meta.
* No end-to-end encryption for desktop meaning normal use when working on computer requires you and your friends to constantly whip out phone to send 1:1 secret chats. Nobody wants to do that so they revert to non-E2EE chats.
* Terrible track record with end-to-end encryption deployment from AES-IGE to IND-CCA vulnerabilities
They made themselves 'Guardians of The Internet' then gave up. If they cared, these things wouldn't happen. How many more outages, accidents, incidents that effect millions of customers and millions of customers for other services are needed before they 'care'?
They don't, because at the end of the day it's not their problem, the money rolls in regardless.
It's sad, but it's how it is. If they cared, these things wouldn't happen. They have a lot of responsibility, but show none whatsoever.
I just got a laptop for Christmas (first thing I've bought for myself in a good while) with 64GB of DDR5 RAM, a video card inside of it, AMD Ryzen 7 CPU, AMD Radeon 6550M. 144hz screen.
Not the best, but works for me.
I put CachyOS on it, using Steam just run the game's installer adding it as a game to your library -- you just select which proton you want (cachyos-proton) as a dropdown in the Properties in the Steam library. that's it.
it's lightweight, arch (I ditched manjaro), runs KDE and games perfectly, cursor IDE runs great, VMS run great.
first thing I did when I got it from fedex was remove Windows and put Linux on it. I thought 'maybe I'll just bite the bullet and sign up a Microsoft cloud account to be able to access ..my desktop' and 1/4 through its install I held the power button and popped a flash drive in. just say no to windows and you'll all be happy, trust me.
the only effort it required was for me to say f this on using Lutris and just use Steam as the wrapper.
2026 is definitely the year for linux. every year is. valve heavily invested in Arch, proton, and is using Linux on their devices and honestly: Windows is spyware, and after their vibe coded jank 25H2 update that broke a ton of things and Windows 10 being EOL, I hope more people get to enjoy throwing Ventoy on a USB stick with a bunch of linux isos copied over to it and boot and play with what they love.
so I disagree, 2026 is the year for Linux, and Linux is love.
reply