Focus on the issue, not the person (Tucker), you might not trust a person which is fair, but you are still trusting Signal’s server, you can NEVER know if they have a memory injection backdoor running in there, you can audit the code as much as you want and it still passes, yet, the messages are compromised.

There are ways of getting messages without breaking Signal or using a backdoor. One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host. Something else that might happen is you ending up with your phone hacked because you're talking with someone close to Putin.

The only way to know for sure is for you to create an alternative service, write all code yourself, and host everything without ever leaving your server alone. And even then you can't be sure you haven't been hacked.

On a side note, if we're getting information from someone that lies a lot and often leaves out details that don't fit the narrative, then perhaps we should also look at the person, not just the issue.

> One of them is getting the messages from the other party(ies) involved. You can't protect yourself from this even if you self host.

You certainly can, the self destruction messages are one of the ways, sure, it is not the only solution as you need to make sure the OS is secure itself too, but definitely helps in that case, no messages stored at rest and all are encrypted in transit.

> Something else that might happen is you ending up with your phone hacked

Which is essential to have a messaging platform that allows multi-client/cross platform, say running that app on a hardened OS is an option and possible compared to only iOS with a phone a number for example.

> write all code yourself, and host everything without ever leaving your server alone.

You don’t need to write it yourself, as long as you can read it, and host it knowing no other services are spying on that server, should be miles ahead of other apps like signal, sure, you can still have that server breached, but first you need to know where’s that server, or even you are using this messaging app in the first place, contrary to Signal for example, all I need is checking if you use it by the phone number. Not to mention it will make it harder for whoever is trying to spy on you, if most people ran their instances, but that’s a little bit more of a dream as the average person won’t, but at least the option should be provided.

Signal makes the app open source and you can build it yourself and use it. The messages are E2EE so we don't need to trust the server in the same way because they aren't being decrypted there. They can't have the key. They could be logging the messages and metadata, but that's a different argument. And it really would come down to the NSA being able to hack AES with a quantum encryption (though I don't think this was out at that time). So I have pretty good reason to trust signal despite there still being some gray areas that I could still want more light on. It's just that we're the shadows are I'm unconvinced it could undermine the whole system. You can't fit an elephant in the shadow of a mouse.

On the other hand Tucker isn't even being consistent in his telling of the story. He says that he hasn't told anyone and makes a big deal to even mention his wife, so we think even his closest confidants. But then what message did he send over signal that was extracted? The personal notes? There's also much more reasonable pathways for the NSA to get that information. If he's researching and just storing notes on signal he's still leaving breadcrumbs somewhere. He's a popular news host so I'd be surprised if the NSA hasn't tried to compromise his whole phone, and signal only protects your messages in transit. The only evidence we have is his word that someone from the NSA told him. Which itself would be really weird because it'd completely undermine that capability or imo a more likely explanation is someone is lying. Gov does disinformation all the time and convincing people a secure channel isn't seems pretty useful since they'll turn to easier methods.

So I don't have to rely on my distrust of Tucker or his history of misinformation. If this was my only and first encounter there's more than enough for me to be suspicious in just his telling.