The Dim-Post

September 9, 2015

Technical question – Is it safe?

Filed under: Uncategorized — danylmc @ 8:20 am

When I want to send someone a private message I use a couple of different formats:

  • SMS Text
  • Gmail
  • Google Hangouts
  • Twitter DM
  • Facebook message

I already have two-step verification activated for everything (except SMS). So which of these is the most secure? I don’t need, like, a secure OS booted from a USB or anything. I’m mostly just chatting and gossiping with friends. It’d be nice to know if one of these is safer or way less safe. Or, is semi-randomly using a bunch of different media safer?


  1. Is it SMS or iMessage?

    My take:
    – SMS – unencrypted/clear text. It’s hard to intercept as it’s on a private network mostly, but not hard for a govt agency to intercept
    – iMessage – encrypted and pretty hard for anyone to intercept outside really serious govt agencies (aka NSA). If they’re watching you you’re screwed anyway, pretty much anyone else would find it hard to read. The main threat is someone compromises your apple id
    – Gmail – your mailbox is reasonably secure (google read it to target ads to you, but otherwise it’s hard to get into). But when the mail goes to the person you’re e-mailing it’s plain text on the internet, which isn’t overly hard to intercept. Unless it’s Gmail to Gmail, which might be harder because it wouldn’t ever go out onto the internet – probably again means serious govt agencies who can demand access from Google
    – Google hangouts. I suspect similar to iMessage, but don’t know for sure
    – Twitter DM. No idea, but doesn’t feel very secure to me. Not sure Twitter are very focused on privacy
    – Facebook message. Similar to Twitter DM to me – doesn’t feel very secure. Not sure Facebook are very focused on privacy

    Comment by PaulL — September 9, 2015 @ 8:25 am

  2. iMessage security: Summary – good enough unless you’re hiding from agencies with three letter acronyms. It’s also clear that SMS is insecure.

    And this one lists some common and some obscure technologies. iMessage does surprisingly well on their ratings:

    Comment by PaulL — September 9, 2015 @ 8:32 am

  3. It depends on who or what you want to be safe from, Danyl.
    Any context? Is it just a basic privacy concern?

    Comment by Gregor W — September 9, 2015 @ 8:41 am

  4. Ashley Madison related question? ….

    Comment by Richard Williams — September 9, 2015 @ 8:43 am

  5. Thanks Paul

    @Gregor – it is just a basic privacy concern. I’m not really worried about intelligence agencies. More, I guess, Ashley Madison style hack-and-dumps.

    Comment by danylmc — September 9, 2015 @ 8:49 am

  6. OK – if that’s the case then SMS.
    Minus the 2FA concern, it’s effectively a point-to-point transaction (minus all the network and IP smarts in the background). Also, the likelihood of cracking your provider’s SMS Gateway is pretty low, plus as subscriber identifiers aren’t generally held there is a useable form (i.e. phone number) a bunch of other systems would need to be cracked open to correlate your details.

    Non-SMS – as per Paul, go for iMessage.

    Comment by Gregor W — September 9, 2015 @ 9:02 am

  7. *in a useable form

    Comment by Gregor W — September 9, 2015 @ 9:05 am

  8. A much bigger risk than an Ashley Madison-style hack is that your individual account, or the account of someone you’re communicating with, will be compromised, in which case none of the web-based methods will be secure at all. (Do the telecoms store all SMS messages for 6 months after they’re sent or something like that? I have a vague recollection that that might be true. In which case, group it with all the others.)

    The only way to prevent a malicious hacker who obtains site-wide access to gmail or Facebook or Twitter servers from reading your messages would be to encrypt them all, which would be a measure on par with the encrypted hard drive. And even that wouldn’t stop them from seeing the metadata. (If you do want to go that route, there are existing solutions that implement it for email, but to be properly effective it would require that everyone you email has their own encryption key pair and be capable of using it.)

    If that’s too paranoid for your tastes, then the very best you can do, which mitigates the vast majority of risk, is to use unique, randomly generated passwords for every website that you use, and encourage others that they do the same.

    It’s really important that people not reuse passwords on different websites. The Ashley Madison hackers probably have access to the password hashes of every account on that site, which makes it substantially easier to find the account passwords, which, if any of them are the same as the password for that person’s Facebook account, gives the hackers access to that Facebook account.

    Comment by Finn — September 9, 2015 @ 9:13 am

  9. Signal [iOS] / TextSecure [Android] is supposed to be pretty good, although it requires both parties to use their app.

    Comment by Alan — September 9, 2015 @ 9:34 am

  10. Yeah, agreed, if you want to use cleartext and don’t care so much about NSA (I know I don’t), then SMS is probably “the best”, but for most comms it’s fairly similar. 2FA stops people getting onto those cloud-hosted whizbang services, but the T&Cs of those services pretty much guarantee that metadata and content gets shared between advertising agencies etc. There’s also much less impact if you ever do have to change a mobile number (compared to a gmail address for instance).
    If you were really hardcore, and all the people you communicate were equally hardcore, then PGP (well, GPG) + gmail (done properly) would be about as safe as anything on your local PC.

    The only downside to SMS not mentioned by others is the smart phone it likely runs on: just be wary of 3rd party apps (not sure about iPhone, but I hear the security/permissions model is a bit better than Android) requesting message data. That’s technically a way for your stuff to get into some flaky app developer’s hackable cloud-hosted data (or worse, if they’re dodgy), without SMS as a messaging method itself being at fault.

    Comment by Kim S — September 9, 2015 @ 9:34 am

  11. “Do the telecoms store all SMS messages for 6 months after they’re sent or something like that? I have a vague recollection that that might be true. In which case, group it with all the others.”

    It depends on the provider. There is no specific requirement to archive or hold subscriber generated data.
    From a legal perspective the regulation of SMS pricing falls under MTAS in the Telecommunications Act and intercept falls under TICSA.

    Also as I noted above, the SMS content tends to be divorced from meaningful subscriber details – this is to protect consumers from the notion of a telco employee being able to read specific texts – so some degree of correlation with additional systems would be required.

    Comment by Gregor W — September 9, 2015 @ 9:36 am

  12. Another risk worth considering is how secure is your device if it were to get stolen (and the security of any backups of the device kept at another location). Even if someone can’t intercept your SMS messages, they could read any local copies if they got hold of your phone. You might want to ensure your device is encrypted.

    Comment by wtl — September 9, 2015 @ 9:38 am

  13. Talk to them or send a letter?

    Comment by unaha-closp — September 9, 2015 @ 10:24 am

  14. Use of an email (even gmail) address other than your generic one without your real name associated with it. (e.g. means that even if someone reads your mails, they will have trouble (without manual detective work) associating it back with your government name. Always accessing that email from a browser in pr0n mode and via a VPN (paid for with a Pressy card) builds in a bit more anonymity and safety from caching.

    Comment by richdrich — September 9, 2015 @ 10:34 am

  15. Alternatively, and this is pretty low bandwidth, take a trusted slave (you have grad students, right?), shave their head and tattoo the message, possibly as a QR code, onto their scalp. Wait for their hair to grow back and send them to the recipient, who can shave the hair and read the message. Worked for the Romans.

    Comment by richdrich — September 9, 2015 @ 10:38 am

  16. All the security in the world doesn’t help you if you’re dealing with a provider you can’t trust. Google Hangouts and Facebook Messenger may be TECHNICALLY secure but I assume that anything I say via those channels is being permanently recorded and could be used by Google or Facebook for whatever purpose they desire, or be handed over to some other entities without my knowledge or permission.

    Comment by @simongarlick — September 9, 2015 @ 10:51 am

  17. “Summary – good enough unless you’re hiding from agencies with three letter acronyms.”

    GCSB has sad 😦

    Comment by Fooman — September 9, 2015 @ 10:53 am

  18. “The only downside to SMS not mentioned by others is the smart phone it likely runs on…”

    This is a good point, Kim S.
    Edge device security is an important element.

    Basically if you are really worried about comms security and want to use SMS, get another pre-paid non-smartphone and only dish out the number to your equally paranoid interlocutors.
    Also, security PIN the device – just make sure it’s different from your EFTPOS one!

    Comment by Gregor W — September 9, 2015 @ 11:15 am

  19. It also depends on what you mean by safe.

    Comment by Bill Bennett — September 9, 2015 @ 12:15 pm

  20. If you’re not using end to end encryption none of them are safe or secure in any real way (and if you are you’re still open to errors in your and your correspondents’ security). If you don’t care about true safety and security then there’s little reason to be picky about any of them and SMS txting is the one probably most secure because it’s the one least open to interception on-line and outside of New Zealand. Not that that means anything because your likely eavesdropping enemies are either corporates, corporates conspiring with governments or governments and ours is in deep with the spying-ist spies of them all.

    Comment by Fentex — September 9, 2015 @ 12:16 pm

  21. You’ve got nothing to worry about if you’ve got nothing to hide 😊 (and don’t leave your phone in a crowded bar or go home with lipstick on your collar)

    PS look out behind you

    Comment by insider — September 9, 2015 @ 12:36 pm

  22. I can recommend Wickr as a private message service (of course both correspondents need it installed).

    Messages are decrypted at the end points, so transmitted and stored on servers in encrypted state, and deleted 24 hours after reading.

    Comment by nommopilot — September 9, 2015 @ 12:37 pm

  23. Cyber dust is another self deleting messaging system. Messages disappear after 30 secs

    Comment by insider — September 9, 2015 @ 1:05 pm

  24. Thinking about this a bit more, I’m thinking gmail is probably my best bet, because even if it is hacked, somehow, the size of the data is so vast it couldn’t be shared or dumped. A big archive of twitter DMs, on the other hand, could be torrented just as easily as the Ashley Madison dumps. Same, probably with Facebook.

    Comment by danylmc — September 9, 2015 @ 2:53 pm

  25. I’m sure whale oil thought the same Danyl

    Comment by insider — September 9, 2015 @ 3:11 pm

  26. Not sure I agree with the “size of data is so vast…” argument. I’ve been using gmail a while, and don’t delete much, and it’s still only 3.75GB. That’s a few minutes after your malicious credential thief decides to visit or connect to your gmail with IMAP or POP3 and grab the whole lot.
    Even if you’re close to the 15GB “free” limit, I’d still call that easy to dump.

    If this is something you’re really concerned about, it’s hard to do much beyond encryption – you can be as secure as you want with 2FA etc, but remember: emails have one or more recipients. You’re only as secure as the weakest of your most frequent email recipients. If they get hacked, a bunch of your data will be in their archives, too.
    I suppose that even with encrypted mail, you don’t know if someone is sharing cleartext copies elsewhere, but ideally, only your unreadable stuff stays in gmail and the decrypted cleartext lives – temporarily – on your and your contacts’ (also probably insecure) computers.

    Comment by Kim S — September 9, 2015 @ 3:21 pm

  27. Your gmail is your most important password for most people. Use 2FA and be paranoid. Be aware that (assuming you register using your gmail) compromise of your gmail account allows them to password reset any other service you’re registered to, and therefore exposes your entire life to gaze.

    For everything else, random passwords on the site, and use a password safe like LastPass so that you don’t have to remember them all. In general don’t do stuff you’d be embarrassed for your mother to know about, because sooner or later she will. Luckily my mother isn’t very sensitive.

    Comment by PaulL — September 9, 2015 @ 3:24 pm

  28. Interesting case study from a journalist. He was interviewed on radio NZ in 2012, but I can’t find the link

    Comment by insider — September 9, 2015 @ 3:38 pm

  29. There is no safety if you want to do good work. Put your cellphone on a train if you really want to talk to someone in person somewhere else. Otherwise carry on as per usual but lie almost all the time.

    Comment by the White Rabbit — September 9, 2015 @ 4:35 pm

  30. Actually iOS Facetime is surprisingly safe even from lawful intercept, at least according to speakers at Kiwicon last year, owing to Apple’s design choices around encryption.

    SMS and anything you use via an app on your handset is weak here in the sense that someone who has your phone can impersonate you just like that, and read messages you haven’t deleted. Same goes for browser sessions where you stay logged in. Your biggest risks with the services you name are around losing the device (for SMS) or leaving yourself logged in or reusing passwords or having easily guessable passwords or not using 2FA. Google are the only one of the services named who claim to have a policy of requiring legal compulsion before handing over data.

    Remember you’re always depending on the person at the other end to do the right thing too.

    Apart from that — what does “safe” mean here? Safe from whom?

    Comment by Stephen J — September 9, 2015 @ 5:13 pm

  31. “Whom” is a very interesting question in a small country like New Zealand.

    What if a very ambitious young Nat is close friends with people in the corporate IT industry, and they have a close friend with the same ambitions in one of the agencies, and that young Nat is working in a National MP’s office…

    Comment by the White Rabbit — September 9, 2015 @ 5:24 pm

  32. Oh, and imagine that they are all friends with David Farrar. Perhaps they even met at a princess party and have done very well for themselves since?

    We should consider such thought experiments.

    Comment by the White Rabbit — September 9, 2015 @ 5:28 pm

  33. Use a password manager! Just do it, they are great and actually increase convenience rather than most security measures decreasing it (looking at you 2FA).

    I use LastPass myself, but there are many others.

    As for privacy I think this is basically impossible unless both parties agree to use a service designed for it. Good luck with trying to convince anyone else to switch what they are using. That said Whatsapp has a billion users and is fairly private so that might be your best bet. Try TextSecure if you really want government level encryption.

    Comment by Korakys — September 9, 2015 @ 6:40 pm

  34. OTR (off the record messaging) is something to consider using on top of whatever messaging app is convenient.

    As for the concerns about data breaches, Quinn Norton pretty much summed it up for all time recently: “Over time, all data approaches deleted, or public.”

    Comment by Mark Rickerby (@maetl) — September 9, 2015 @ 8:26 pm

  35. Snapchat

    Comment by ropata — September 9, 2015 @ 8:59 pm

  36. Most passwords can be extracted with a big or sharp enough stick.

    Comment by Michael — September 10, 2015 @ 1:15 am

  37. I don’t want people to know who I am when I post here, so I layer my pronouncements under several layers of coded signifiers and dogwhistles. I hope that helps.

    Comment by Lee Clark — September 10, 2015 @ 7:27 am

  38. The Portable cone of silence is the only way to be 100% sure –

    Comment by Exclamation Mark — September 10, 2015 @ 3:46 pm

  39. Or you could use Viber and let Shin Bet take care of your security for you…

    Comment by dots — September 10, 2015 @ 8:14 pm

  40. Danyl the thing you should worry about is the weakest link, the devices you are accessing any of those services from. No matter how good the security or design of the service you’re using, you’ll undo it all accessing it from a compromised device.

    Comment by rsmsingers — September 14, 2015 @ 11:47 am

  41. Nothing is safe. Any text can be copy/pasted or a screenshot captures it. The only really ‘safe’ (disputable) comms is face to face speech with no recorders running.

    Comment by Steve W — September 14, 2015 @ 11:48 pm
