Regarding qualifications: I spent years building secure technology (publication platforms, websites) for whistleblowers including Ed Snowden himself (I built his official website (https://edwardsnowden.com) for the Courage Foundation (his official defence fund) plus the tech behind it that supports it. This allows our editors to submit anonymously to the site through the Tor network.

I used cryptographic software as an end-user for many years, like GPG for instance, and agree that it's hard, and we need to train people to use correct security habits (infosec and opsec), to minimise exposure to hostile elements.

I've tought at cryptoparties and other events, I have spoken to many intelligence whistleblowers, some of which I consider to be close friends, and they've told me about some of the techniques used on the national intelligence agency level and how wrong use of crypto and general bad operational security practices can expose you. So while I'm not a trained cryptographer, and do not claim to be, I have extensive experience not only building secure software, but also, thanks to whistleblowers know about some of the ins and outs of the intelligence industry re crypto and surveillance.

I see I haven't replied yet to your first point: here goes. Of course clearly an alternative has to be at least cryptographically secure. I fully agree with you on that. I'm not recommending something that isn't, and certainly am not recommending Telegram or Cryptocat.

An alternative needs to be as a bare minimum cryptographically secure. And then on top of that it would be very nice if there was federation, not tied to phone numbers and all the components being open source. Those last 3 points is where Signal fails currently. Federation is something that moxie tried, didn't work out, now he's basically not in favour of that, the phone number issue is of course well known, and the redphone server component is not open source.

One of the problems I face when somebody comes along and tells me that they're now on Telegram, Cryptocat, Wire, or whathaveyou is that I might recall an issue but there doesn't seem to be a good up-to-date overview that answers the questions (1) should I trust these people (how bad was it; was it in their code or a dependency?) and (2) is it known to be far less secure than it advertises? (still?)

I recall e.g. that Moxie reviewed Telegram's security, found that none of it made any sense and that its authors didn't know what they were doing. https://tobtu.com/decryptocat.php looks like the cryptocat analogue of that. Have the two projects improved somehow? Have some people joined or others left?

Could you please also provide links for the claim that CryptoCat and Telegram are being used by governments to hunt down activists?