> don't rely on others to encrypt your comms. Either go with classic PGP or make your own layers

You're saying "don't rely on others to encrypt your comms" and then the very next sentence says "use something someone else has made". Those two are conflicting. "Making your own" is even worse, because cryptographers don't usually have to resort to crime.

There is making encryption tools and then there is using them. "don't rely on others to encrypt your comms" means don't let others use encryption on your behalf, it means encrypt it yourself. It also does not mean to make your own encryption tool.

So your comment parent meant use a reputable tool yourself. And I would agree with that.

I'm not sure what you mean. They were using a tool that encrypted their communications, it just wasn't good. What's the difference between using Signal and using what they were using, or using GPG and what they were using?

I get the feeling you don't want to understand at this point, but ok, I'll byte:

The difference is the action of encryption and decryption is completely transparent to the user in the case of Signal or this thing they used. You don't encrypt anything, you input plain text and then the system takes over and you have to trust it. If the rumors are true the authorities compromised the servers, pushed an update to the app and the encryption no longer happened.

Just one example on how to do it yourself: using PGP you can use any hardware (not a phone marketed to criminals) and keep it completely offline. And use a phone (worst option but whatever) in which you input the encrypted thing directly. So you don't have to trust the network device. Bonus: neither do you have to use something that makes you stand out to authorities.

Okay, but unless you implement the encryption yourself, PGP can push an update and use weak RNG input so that your message is decryptable, and you'd never know.

"Don't rely on others" makes no sense for encryption, you have to rely on others because it's too hard otherwise. You just have to pick trustworthy others.

PGP can not push an update in the example I offered. And I already explained what was meant with "Don't rely on others" - btw now I see you cut the quote to fit your straw-man argument.

If the attack was that the NCA compromised a server and then pushed an update, then using Signal would buy you that you have people of the calibre, reputation and public platform size of the Signal developers in charge of protecting the servers.

Moxie going on twitter to say the cops have broken into Signal would be headline news, at least in the tech world.

But how do you reconcile that with "don't rely on others"?

You accept that, unless you're the NSA, GRU or whatever the Chinese counterpart is called, you will have to.

Do you really have the talent in your organisation to develop a better cipher than AES or ChaCha? If not, go with something that exists. According to Snowden, even the NSA can't just break PGP if you use it properly.

Do you have better coders than OpenWhisperSystems? You're going to have to trade off relying on someone else's software versus the chance your own coders make a mistake. I'd say the latter risk is usually the bigger one - even the Sony PS developers messed up on the "don't reuse nonces" bit.

Do you have your own chip fab? If not, you're going to have to hope whatever you're using doesn't have too many backdoors.

There is huge difference between relying on libraries or independent implementations of software in a form of source code that may or may not have bugs, and relying on an organization that sends binary blobs to you, that has to keep their development process secure, infrastructure secure, physical security, developers not compromised, backdoors not forced through laws, state agencies not threatening and forcing to implement backdoors, etc. OpenWhisperSystems essentially asks you to trust they can do all of that, but of course they can't, while an open source PGP implementation doesn't ask you to trust them and rely on their competence on running highly secure infrastructure. So, don't be fooled by propaganda organizations put out, there is a huge difference in what you can rely on and Signal here is exactly as weak as EncroChat.

Yeah, agreed. So you just have to pick carefully who you rely on.

They weren't does the encryption themselves. If you encrypt something yourself, that is different than relying on some apps endtoend.

>But criminals are usually just dumb in regards to this

I'm reminded of the film Sneakers:

Marty: Organised Crime?

Cosmo: Don't kid yourself, its not that organised.

Not even street smart in this example. You don't have to work in IT security to understand you should not trust a product based on the vendor description. In this case you don't even know who the vendor is ffs. Could actually be the authorities.