Teleguard: Swiss Made Safe Messaging (teleguard.com)
57 points by 0x10c0fe11ce on Jan 23, 2021 | hide | past | favorite | 77 comments



I think the Swiss Made Safe Messaging is suspect to those who know about backdoors. In fact the Swiss sold “encrypted” crypto phones with backdoors baked in as a business model. You paid to get spied on:

https://en.wikipedia.org/wiki/Crypto_AG


A peeve of mine: pretty much all "made outside the US" messaging is sketchy, because one of the most important differences between stuff run in the US and stuff run outside the US is that NSA doesn't need special permission to hack stuff run outside the US --- in fact, hacking stuff outside of the US is basically their whole charter.

I'm not saying you should purposefully select US technology in order to avoid surveillance, just that "hosted or made in Switzerland" messaging in privacy tools isn't very meaningful, and takes advantage of an emotional reaction in prospective customers, not a rational one.


I think you're missing a bigger issue: if the data is in America, nothing needs to be hacked. Your data can be obtained through legal means.

Plus, if you're not an American citizen, you have no rights so far as three-letter agencies are concerned, whether your data is stored in the US or elsewhere.

The choice is between data stored in the US, where data can be obtained through legal means or hacking, and data stored elsewhere, where it can only be obtained through hacking.


That's true. You do have to make a decision about which protection you feel is stronger: the American legal system, or the current commercial state of the art in computer security lined up against the world's largest consumer of offensive security technology.


That could be true but only applies to people subject to the American legal system, i.e. those with American citizenship or living on American soil.

For the other 96% of us, the American legal system offers no protection whatsoever, as far as I'm aware.

This deficiency is not true of all jurisdictions. As far as I can tell from reading articles 1-3 GDPR, the GDPR applies to all processing that takes place within the EU or on behalf of an EU entity, regardless of whether the subject of the data is a citizen or resident of the EU. Same goes for the Swiss data protection act [0].

So as a non-American, I have a choice between services located in a country where I have no legal rights and services located in countries where I do.

This is also all from a security point of view. From a privacy point of view, I know that American companies have essentially free rein over the data I give them. They can monetize it, sell it, train machine learning models with it or do whatever else they please, regardless of whether they have my explicit consent.

Other jurisdictions have privacy protections, so I know I have some basic level of privacy if I choose say a German email provider, while I know I have essentially none if I choose an American one.

Really, as a non-American, I see no reason why I should treat American services as being any better than say Russian or Chinese services. I'm happy to listen if you have any compelling arguments though.

[0]: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en


I agree with most of what you're saying, and again, I don't want to be taken to have said "you should go out of your way to use US companies". Also, there are other important concerns! If you don't trust how a US company is going to handle your data --- cough Facebook --- you shouldn't use them, no matter what you think NSA is going to do.

But: the protections I'm talking about aren't rights accorded to non-US persons abroad. I agree, you have very few legal protections against the US as a non-US person in (say) Europe. But the US company itself does have protections. It is not lawful for NSA (or the DOJ or CIA or whatever) to hack into Google's servers; on the flip side, it is probably lawful for NSA to have pre-hacked every major information provider and telecom in Europe, if they really wanted to. My point is, if you're overseas, the largest SIGINT agency in the world doesn't even have to ask to get access.

(Obviously, they don't have to ask in the US if they simply ignore the law, but then, if you ignore the law, none of this matters, and everything is up for grabs).


That's fair, I just wanted to explain why "made outside the US" could be a valid selling point.

Regarding hacking Google and ignoring the law, isn't that essentially what PRISM was? Do we have any reason to believe US intelligence will obey the law now?

I do understand your argument but I think we place different levels of confidence in the US legal system. I have zero confidence, so assign it zero value.


I'm not really well-versed on US law, but wouldn't that hacked data not be admissible in court?


Parallel construction.

Also, NSA investigations are more likely to be resolved with a drone than with prosecution.


That might be true if you are a US person. If you're not, like 95% of mankind, using non-US hosted services lowers the threat. Nobody knows how much since the answer lies in NSA capabilities.

But as a smart approach, for folks i.e. in Europe, the US is a big no-no if security is a concern.


I don't see how it does; if you're a non-US person using a non-US service, you have essentially no formal legal protections whatsoever from NSA surveillance. A non-US person using a US service at least inherits whatever procedural protections US companies have. I'm not saying it's a meaningful barrier, just that going overseas logically can't gain you protection (unless you're more worried about the Swiss or EU's sigint agencies than you are the NSA).


As a non-US person I'm not concerned about the NSA, it doesn't have a material impact on me, it's not like the NSA orders a black helicopter to snatch me from Germany. I'm worried about corporate use of my data because that stuff can actually realistically leak or be used for ads or whatever else and in this case I have probably better default protections with a Swiss company than with a US based one. (with some exceptions of course, Signal and so on seem trustworthy).


Sure, this makes sense to me.


Though it was a CIA op. That doesn’t make everything “Swiss made” suspect (but it clearly impacted the “Swiss made” brand and Zug’s reputation).

Switzerland has strict data protection laws, that’s why some companies are established there and pushing that branding (also, low taxes).


If your intelligence service let the biggest bank of Switzerland (UBS) buy those products, there is no excuse, and later being proud of the whole thing (as a neutral country) is a shame and a shit stain on our integrity (which is/was more or less the only real quality of Swiss services)


CIA and BND (Bundesnachrichtendienst, the German intelligence service). They actually owned the CryptoAG company. It's become a big political scandal there, with accusations that the Swiss intelligence services knew and deliberately misled their parliament.


Of course some of them knew.


You seem to associate two completely separate things only because they are both incorporated in Switzerland.

Crypto AG (founded in 1952) was part of a secret US/West German government project.

Are you claiming that Andreas Wiebe, Hulbee AG, Swisscows AG are also working for the US government?


Well if they are leaning on the reputation the Swiss as being neutral or otherwise more trustworthy, then it's relevant.


They are neutral and trustworthy. Significantly so.

Nobody is absolutely neutral or always trustworthy. It's an argumentation error to move from "is not completely neutral and has had some issues" to saying "it's all bullshit".


Didn't mean to dismiss them outright. Rather that banking on 'Swiss' as a shortcut isn't wise. Obviously if one does the work to audit those involved or the product/service itself then they can trust it regardless of the marketing.


What does banking have to do with secure messaging? That's a pretty basic strawman argument. For example the US does Blackwater and did MK Ultra on its own citizens, so what?

Banking en Suisse adheres to Swiss laws, which are heavily influenced by EU and US laws these days. If some private company decides to break the law, they will be handled accordingly.


Banking as in "depending upon", not financial services.


I think his association is not far fetched, did you read the post and the narrative?

Are they not using the “Swiss” brand as a pretext to convey safety and imply security?

OP is pointing out a clear and recent example that the “Hey this is Swiss” therefore must be “safe, secure, reliable” is no longer the truth.


The Swiss Government was (at the latter part of the operation) aware and complicit.

https://www.swissinfo.ch/eng/business/no-official-outcry-in-...

Given this precedent, there's good reason to believe it would happen again. There is no reason to believe that the people behind Teleguard today would be in favor, but there is good reason not to become wedded to the service given the risk that it may change hands or be operated similarly to Crypto AG down the road.


There is no indication that Swiss Government at the high level was aware. Intelligence agencies were aware.

It's important to understand that this was a violation of Swiss neutrality law, and it was not started by the Swiss government or a government agency.


> There is no indication that Swiss Government at the high level was aware. Intelligence agencies were aware.

I'm not seeing how

1. Swiss intelligence is somehow distinct from the Swiss government.

2. this mitigates the risk I described.


Crypto was founded by a Swede and moved to Switzerland because of taxes. Hardly the Swiss would think of it as a Swiss company. It's quite easy to set up a company in Switzerland. Few questions are asked. Swiss intelligence knew from 1993 that it is owned by the CIA and BND and did not rely on their machine. It was suspected for a long time that they are not safe. In addition, there are indications that the Military knew already in the 70s it is owned by the CIA through employees working there. The policy seemed to be observing, rather than investigating, so they wouldn't have to stop it. But true, the Swiss should have blocked the whole operation.


I think people underestimate how much of a blow this is for Switzerland


That and the fact that they sold "banking secrecy" to the whole of Europe for the better part of a century only to betray all those promises in the 21st century.


Banking secrecy was removed due to peer pressure from the EU and US, which together form a majority of exports for Switzerland. They just made keeping the secrecy extremely costly in the form of import tariffs on Swiss goods.

Originally intended as a fine example of government actually caring about the privacy of its own citizens, then heavily misused by local and international banks, it just stopped making sense at one point. It's still somewhat valid for its own citizens and AFAIK residents.

Banking together is circa 12% of the Swiss economy, so the fantasy of some folks who read let's say alternative news about Switzerland ruining itself by losing banking secrecy didn't pan out. The Swiss economy is much more reliant on tons of small/medium high quality manufacturing companies, or tourism, rather than banking.


There is also this: https://en.wikipedia.org/wiki/Onyx_(interception_system)

> The goal of the system is to monitor both civil and military communications, such as telephone, fax or Internet traffic, carried by satellite.


We all know Swiss products are full of holes.


Only the cheese.


"The" Swiss made secure messaging app (which already has brand recognition and some meaningful adoption within Switzerland) is Threema (no affiliation, and I'm using Signal - just comparing to Threema because "Swiss made" seems to be what this app is trying to make their main selling point).

This app has "1,000+" installs on the Play store (Threema: "1,000,000+"), and doesn't use phone numbers as IDs, i.e. it's only useful if you for some reason want to migrate all your friends to a brand new chat app that nobody else has heard about, and that has no really unique selling points, and thus little chance of building meaningful network effect (which is critical for chat apps, because a chat app without people to talk to is useless). As a result, it seems unlikely to be successful and thus unlikely to be supported (or exist) long term.

It seems to be a poorly thought out attempt to jump onto the wagon train far too late and get users trying to flee WhatsApp. Due to the network effect, adding choice is likely to help only the incumbent (WhatsApp) by making it harder for any of the alternatives to reach critical mass.

The crypto design is also highly questionable: They say they're using "SALSA 20", which is a low level primitive (comparable to e.g. AES), not a complete protocol. Advertising primitives shows little understanding of the actual problems in cryptographic practice, and thus a significant risk that not enough work went into designing the protocol around it, resulting in something that is insecure overall.


Raises the more interesting question of what is sufficient collateral for a developer to make a secure messenger.

Before Snowden/Poitras/Greenwald, we trusted Moxie Marlinspike mostly because of his dreadlocks and some conference appearances. Very, very few people understood what a ratchet was, let alone read the code. We trusted founders Jan and Brian of WhatsApp I think because they wrote t-filez. Security is in many ways as much cultural and aesthetic as it is technical. SILC was a thing for people legitimately being spied on by their governments in the pre-occupy anti-globalization movement - and then suddenly it wasn't.

I want a product like this to succeed, so why snark about these perfectly nice seeming people's new tool? Because security has serious consequences. We don't need to tell anyone what we need privacy for, but I think we're still lacking a clear "for what," to evaluate privacy technologies against.

The threat we need to build privacy tools against is essentially suburban-bourgeois and mob governance. When you look at old "alternative" culture, or why people still go to things like burning man today, it's to engage in what are essentially aesthetic communities of desire and to be free of political oversight and surveillance. The criteria I would propose for a secure messenger is that it can create a private perimeter to facilitate the freedom of something like burning man for a community of users. If it isn't designed to create that kind of growth, it's a reaction with a limited horizon and just bargaining with the inevitable.

Personally I think a privacy product that is for everyone is necessarily for no one. Maybe this is the one that gets used by the next burner-level community to emerge, but the conversation about what-for will be the thing that drives the adoption of it.


> “The threat we need to build privacy tools against is essentially suburban-bourgeois and mob governance”

no, that’s exactly wrong in ways that really matter, distracting us from real threats to free and fair living, which are exertions of power by large organizations (including governments) and wealthy (influential) people (including politicians).

the focus on the capitol disturbance is exactly this kind of distraction as well, trying to vilify the relatively powerless while the real ‘villains’ (to satirize) ratchet up their hold on power and insulate themselves further from consequences and answerability to their constituent stakeholders.

we should not be looking askance at each other, but rather askance at anyone trying to garner power and influence. the balance of power has no lasting stable mode so we as citizens must keep tabs on power. the last 50+ years has been a slow neglect of that duty, allowing ourselves to be distracted by all the new shinies.


> we trusted Moxie Marlinspike mostly because of his dreadlocks and some conference appearances.

Not because experts had reviewed the design and found it good? (Serious question, I don't know what the exact timeline looked like, i.e. when people were trusting the apps vs. when reviews became public)


People from Switzerland are probably the most patriotic in the world after those from the USA. If it's made in Switzerland, you can be sure "Swiss-made" is prominent and there's a white-on-red cross somewhere visible.

But, honest question, is there such thing as the "Swiss guarantee" in tech?

What have the Swiss ever done for us, in computer science, to demand such respect just by mentioning the place of origin as certificate of trust?


It's only partially patriotism. More importantly, I suspect, just a brand that sells well, no matter what you are selling. That said, EPFL/ETH and CERN have done some important things in computer science.


CERN is an international laboratory which happens to be located on the border between Switzerland and France. I wouldn't call it Swiss.


CERN is made possible by shared European funding, hardly 'Swiss'.


True. And much of the work at ETH is conducted by foreigners, but the marketing association is still there.


And much of the work in the USA is done by foreigners or even outsourced to other countries.;)


> What have the Swiss ever done for us, in computer science

https://en.wikipedia.org/wiki/Niklaus_Wirth


There's definitely more Swiss-made signage and emphasis in Switzerland than anywhere in the US I've been, having lived in both countries. You'd have a hard time finding broccoli, dish soap, or wheat flour labeled with a made-in-US or made-in-[state] insignia in the US, for instance.

In general flag-bearing, however, the US might just beat out Switzerland but I doubt either are at the top of that list.


It also depends on which cantons in Switzerland. You're hardly going to see flag bearers in Zurich canton for example.

There are parts of Switzerland that are extremely conservative - think deep American south but more. Women's rights issues are far more backward than in the deepest of the US south. Women gained the right to vote in federal elections in 1971 in Switzerland.

Switzerland is also small, the size of SF Bay Area (~ 7 million people). Most people don't realize how small Switzerland is - not in land area, but in many other aspects.

There is also some friction with Germany when it comes to culture and customs. The Swiss pride themselves to speak Swiss-German. Never suggest buying a German watch or you're going to get nasty reactions :-)

Last but not least, Switzerland has declined to be part of the EU and the majority of the people are against joining it. There are more parallels than differences between Brexit philosophy and Swiss sovereignty.


The Pascal programming language. Whether this is a feature or a bug is left to the reader...


The trust is supposed to be in their legal system and politics.


This website is awfully light on details. Is it open source? Is there a whitepaper on the encryption used? Does it have e.g. forward secrecy? At the moment there's no reason why you might want to use this over e.g. Signal or Wire, both of which use well-studied encryption schemes.

Also -- "Complex encryption system for all transmitted data" does not seem like a particularly good thing.


So... why not contribute to Matrix? Or why would anyone get this instead of Swiss-made Threema? Which was audited, has a web version (even if it's super crappy), has contact discovery, and is open source. I can not find a single advantage of Teleguard (even the name, it just reminds me of Telegram) over either Matrix or Threema. Or perhaps Wire if you don't care about Amazon handling your data.

The FAQ for "why use this" says it uses the best crypto ever: Salsa20. That isn't better or worse than AES in terms of security and it's also missing a few components (surely they haven't reinvented digital signatures using a stream cipher). And they say it complies with the law, like okay yeah that sounds pretty standard.

Frankly, it looks shady. No profit model, inconsistent text styles, weird reasons given for why it should be better, a brand name whose abbreviation conflicts with an established competitor (seems like a throwaway name), no source code / f-droid release, handful of downloads on Google Play Store, and claiming with a straight face that literally no user data is stored - what, does it not store incoming chat messages until my device comes online? It just isn't true.

Don't know if this is a Show HN (it's not labeled as such) or just someone who randomly found it, but I'd be curious to hear from the developers what the thought process is here.

Edit: checking out the company behind it, they have paid privacy products. I guess it's not as shady as it first seemed, but it's also not quite ready for launch given the competition's state of maturity. It's a hard market to get into I think, it might make more sense to fork Signal and make it use usernames and European servers to at least have something to work off of.
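The comment above comparing TeleGuard to Threema and the comment just above about the FAQ's "salsa20" claim make the same point: Salsa20 is a primitive, not a protocol. The following is an added example, not TeleGuard's code and not code posted by anyone in this thread. It implements Salsa20/20 in pure Python and shows what the primitive alone does not provide: a flipped ciphertext bit silently becomes a flipped plaintext bit, whereas an encrypt-then-MAC wrapper (HMAC-SHA256, an assumed design choice; key agreement, identity verification and forward secrecy are still absent) rejects the modified message. All keys, the nonce and the plaintext are constructed sample values.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _quarter(s, a, b, c, d):
    # Salsa20 quarter-round, applied in place to four words of the state.
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)

def salsa20_block(key, nonce, counter):
    """One 64-byte keystream block (Salsa20/20, 32-byte key, 8-byte nonce)."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    sigma = struct.unpack("<4I", b"expand 32-byte k")
    init = [sigma[0], k[0], k[1], k[2], k[3], sigma[1], n[0], n[1],
            c[0], c[1], sigma[2], k[4], k[5], k[6], k[7], sigma[3]]
    s = list(init)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter(s, 0, 4, 8, 12); _quarter(s, 5, 9, 13, 1)      # column round
        _quarter(s, 10, 14, 2, 6); _quarter(s, 15, 3, 7, 11)
        _quarter(s, 0, 1, 2, 3); _quarter(s, 5, 6, 7, 4)        # row round
        _quarter(s, 10, 11, 8, 9); _quarter(s, 15, 12, 13, 14)
    return struct.pack("<16I", *[(s[i] + init[i]) & MASK for i in range(16)])

def salsa20_xor(key, nonce, data):
    """Raw stream cipher: XOR data with the keystream. Gives no integrity at all."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = salsa20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(enc_key, mac_key, message):
    """Verify the tag before touching the ciphertext; None means 'reject'."""
    if len(message) < 8 + 32:
        return None
    nonce, ct, tag = message[:8], message[8:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return salsa20_xor(enc_key, nonce, ct)

def flip_first_bit(data):
    """Simulate a one-bit modification of ciphertext in transit."""
    b = bytearray(data)
    b[0] ^= 0x01
    return bytes(b)

# Constructed sample keys/nonce. In a real protocol these come from a key
# agreement and a per-message nonce, which this example does not model.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 8
PLAINTEXT = b"Lunch at 12:00 on Thursday?"

def demo():
    """Returns (raw-cipher plaintext after tampering, sealed result after tampering)."""
    raw = salsa20_xor(ENC_KEY, NONCE, PLAINTEXT)
    # Primitive only: the modified bit silently lands in the decrypted text.
    raw_tampered = salsa20_xor(ENC_KEY, NONCE, flip_first_bit(raw))
    sealed = seal(ENC_KEY, MAC_KEY, NONCE, PLAINTEXT)
    # The same modification on the ciphertext inside the sealed message.
    tampered = sealed[:8] + flip_first_bit(sealed[8:-32]) + sealed[-32:]
    sealed_tampered = open_sealed(ENC_KEY, MAC_KEY, tampered)
    return raw_tampered, sealed_tampered
```

demo() returns b"Munch at 12:00 on Thursday?" for the raw cipher (the first letter changed and nothing noticed) and None for the sealed message, which is the difference between advertising a primitive and having a protocol.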


After Crypto AG [1], does 'Swiss made' really still have the same positive connotations it used to?

I'm so over any sort of branding that proclaims the superiority of one nation over others. [2]

If we really wanna give credit, why not list the actual names of the engineers that came up with the encryption mechanisms?

Same goes for Apple's 'Designed in California' etc.

[1] https://news.ycombinator.com/item?id=22297963

[2] https://www.youtube.com/watch?v=VRh925Is_1U


No links to source code, no mention of open source, even in the FAQ.

Did I miss it, or is this a wholly proprietary thing?


Seems proprietary, and simply name-dropping a low level symmetric primitive (SALSA 20) to explain how their encryption works is a serious red flag.


Switzerland is neutral. You should trust them. You must trust them. /s

https://www.washingtonpost.com/graphics/2020/world/national-...


To achieve effective end to end encryption, you need:

1. All cryptographic keys controlled by the users.

2. Some way to confirm you are actually connected to who you think you are connected to.

3. A way to confirm that the code you are running is not leaking keys/content.

I could not find a claim for any of these. But TeleGuard still claims end to end encryption as a feature. They could have just left things with how trustworthy they are and called it a day but they just had to check all the marketing boxes.


A bit like @newscracker, I'm on the lookout for a messaging app that works for me. @motohagiography addresses the privacy claims by asking good privacy for what.

I've discussed nothing on a conf/video call or exchanged messages that are so sensitive as to absolutely require encryption. There are no absolutes in security anyway. Sorry, but I'm sublimely unparanoid at my national government reading my emails. While I could probably be accused of being a member of the metropolitan elite (c.f. suburban-bourgeois), I've never said in real life or written online anything to threaten anyone.

Instead, @Barrin92 argues that the concern is leakage to allow corporate use of that data. I agree with the concern, but contend that regulation is the answer. I don't believe I've received targeted ads based on the content of my inbox, yet my inbox arrives over unencrypted SMTP. A special case can't be claimed for messaging. The problem isn't weak regulation, the problem is that messaging apps are largely in the hands of few -- and not interoperable.

Jabber and SIP aren't in the hands of a single company and for me, the direction of travel has to be federated across autonomous providers along the lines of interoperability.

I haven't tackled any of my acquaintances about it but suspect that the remainers from the defection from WhatsApp that Facebook provoked include a fair number that take an "out of the frying-pan and into the fire" or "better the devil you know" stance more so than inertia.

There isn't money in it in the sense of the unwelcome TeleGuard HN spam. But, rather than banging on about encryption, espionage, and elites, what those with the resources need to do is to use them to help democratise messaging.


I'm constantly on the lookout for newer and/or different messaging applications. This one is good because it doesn't rely on a phone number. But it's still yet another centralized system. There isn't enough information on how this service doesn't store user data (or metadata) and still manages to connect them (in contrast, Signal has many blog posts and documentation about how it minimizes data collection).

In the FAQ, there's this:

> Which operating systems are supported?

> TeleGuard supports all Android devices with version OS 5.0.3+ and all iPhone devices with at least iOS 9.0+.

It's good to support a few older versions of operating systems, but I don't think a messenger can promise security or privacy if it supports operating systems that are quite old by mobile standards and aren't getting security updates for a long time. Wikipedia says that Android 5's latest release was nearly six years ago (April 21, 2015) and that of iOS 9 as 17 months ago (July 22, 2019). Supporting iOS seems kinda ok, but supporting that Android version looks quite bad.

I also judge websites by what they say and how they say it. In the FAQ, after the answer for "07. Edit Profile", there's a list of bullet points that looks like a to do list for additional FAQs that haven't been completed:

• Send media

• Forgot password?

• How is TeleGuard financed?

• Registration

• Add contacts from the phone list

• What kind of encryption does TeleGuard use?

I don't think this is ready for prime time yet.


Let's throw this in the mix! https://www.secuwine.com/ Under Norwegian and European laws and regulations


Closed source, unclear what protocol is used. They mention SALSA 20 which is good, but that's probably just channel encryption. No details on how session keys are derived.


Took me a minute to realize this wasn't related to the Telegard BBS. I didn't see the "u" in the name at first, and I was wondering what the Swiss had to do with old BBS software.

https://en.wikipedia.org/wiki/Telegard

https://en.wikipedia.org/wiki/OpenTG


Same here, though my brain may have been primed in that direction due to reading the Associated Press Tandy Model 100 article right before this. Telengard, a Rogue-like game for many 8-bit computers, also came to mind.


This is the first thought that I had too. Lots of good memories, although I was on the latter end of the era and mostly played around with heavily-modded Renegade and Iniquity boards.


Thank God. I had 39 messaging systems on my phone, I didn't like the odd number. Now we're good. Until next week.


Can someone give me a TL;DR 30,000ft view of why Teleguard is better than what are arguably the "market leading" Swiss alternatives, namely Threema and Wire ?


Does this app have any USP?


Wow those people completely missed Crypto AG and open source.

DON'T trust Swiss enc. products

BTW: I'm Swiss



That famous Swiss encryption...


Surely lots of holes in it then?


oh come on! Switzerland is neutral!


Especially if you are German and need banking during a world war.


https://teleguard.com/en#faq

> we are not subject to the data protection laws of the EU / USA and do not have to pass on any data, but GDPR-compliant.

Wat.

If they're not subject to EU laws, they're not subject to GDPR. Is this a joke?


This looks good. Just sent you my resume.


Why is Swiss Made better for ethics?

These are the same folks that looked the other way on Hitler (and in fact were his preferred banking location) and recently sold a phone with a backdoor while claiming it was private.

The Swiss are extremely systematic, which makes them great at banking, but ethical? Not sure about that.


I think the "swiss made" plays onto two ideas in this context: on the one side, Switzerland having a very advanced industry when it comes to precision technology / on the other side Switzerland being a neutral country of high diplomatic esteem.

But both of those tropes might very well be a little stuck in the last century imho.


It's just about a messenger, not saving humanity.



