Users of the Signal messaging app got hit by a hacker attack. We analyze what happened and why the attack demonstrates that Signal is reliable.
so… a bunch of Twilio employees had (and still have) exactly the capability that the attackers gained with this phishing attack. As do employees of Signal, Amazon, and various telecom companies, not to mention governments.
“Secure messenger” and “requires a telephone number” are not compatible concepts.
“Secure messenger” and “requires a telephone number” are not compatible concepts.
Wrong. Anonymity from your contacts or phone carrier or government is different from security of messages and metadata.
Signal’s “sealed sender” metadata protection is a farce.
Their use of phone number identifiers is a gift to police and other violent adversaries around the world, including those that Amazon doesn’t cooperate with. When one person’s phone gets seized or otherwise compromised, that adversary gets a list of the phone numbers - aka strong selectors in intelligence lingo - of all of the victim’s contacts.
Signal’s initial growth was funded with millions of USD from the US government, ostensibly for use by dissidents in places like China and Iran. The former requires ID to obtain a phone number, and the latter requires fingerprints. Even people who support the US’s soft power efforts to aid dissidents in those countries should be disturbed by the promotion of the use of phone numbers for “secure communication” in those contexts.
I have not said anything about metadata, but contested your claims of conflating security with the phone number identifier causing a lack of anonymity.
Geopolitical game, metadata and phone number identifier can be a different aspect of its own, compared to security.
I would like to contest your claim of the geopolitical aspect here as well. You may have suspicion about Signal, but do you think organisations like Riseup are also backdoored?
I have not said anything about metadata, but contested your claims of conflating security with the phone number identifier causing a lack of anonymity.
Huh? My first comment in this thread did not say anything about metadata or anonymity; it was (like the linked blog post) discussing the attack surface that comes with using phone numbers for authentication.
It was you that brought up both metadata and anonymity when you said this:
Wrong. Anonymity from your contacts or phone carrier or government is different from security of messages and metadata.
(emphasis added). Phone numbers are also terrible for those issues, of course.
do you think organisations like Riseup are also backdoored
I did not say signal is “backdoored”. I think their client and server software is most likely doing what they say it is, and Signal employees can probably honestly say they don’t retain any data that they could give to governments. The backdoors, if you want to call them such, are in the phone number based design and the choice of company (Amazon) that they rely on to keep the promises that Signal makes to their users.
My understanding of Riseup is that they own their own hardware, which puts them in a better category than Signal already. They also don’t require phone numbers. They do however use an invite code system to prevent spam/abuse, which they say they don’t retain a social graph from… but it isn’t clear to me how that system is actually useful to them if they don’t. Unlike Signal, Riseup is explicitly for activists, which makes me reluctant to recommend it. I don’t think it is intentionally backdoored and I think the people behind it mean well, but I think having a system explicitly for activists seems wrong as (1) it is a very attractive target and (2) merely using it can make you seem suspicious. The use of riseup has actually been cited as evidence of wrongdoing in an arrest warrant in Spain.
Guess I will ban Spain from my life then.
My Dog, “hackers hacking a hack”.
Can we please stop using the word “hacker” when we mean “cybercriminals”, “attackers”, “malicious agents”? We have plenty better terms. Like… “cybercriminals”, “attackers”, “malicious agents”: https://rys.io/en/155.html
I mean, I get the need for clickbaity titles and all, but surely we can do better.
First, I did not make the title, I just linked an article.
Second, I get that you wish people did not use the word “hacker” the way they do, but… isn’t that how natural languages work? Words mean what people use them for. I wish “crypto” did not mean “cryptocurrencies”, but in many contexts it does. That’s life.
Talking about clickbaits, what about linking to your blog everywhere you can? It’s completely off topic (the link is about Signal, your blog is about how people misuse a word according to you), but nobody complains, because apparently you thought it was relevant, just like the author thought that calling them “hackers” was fine.
Complaining about use of the word hacker is the tech nerd’s equivalent of complaining about clips vs magazines. It doesn’t matter and everyone understands it anyway, there is absolutely no reason to be bent out of shape by it except in situations where being specific and clear instead of generalising actually matters.
Gun nerds deserve being laughed at for getting upset over it and so do tech nerds.
Gun nerds deserve being laughed at for getting upset over it and so do tech nerds.
People are allowed to ridicule me for nerding out my passion pompously, or any sort of perceived sincerity, for that matter.
I’ve always held that sincerity alone shouldn’t implicitly justify immunity from ridicule, but the ridicule tends to work if it isn’t sincere in its own right.
What’s better is using it as a handy way to temper my own zealotry.
Complaining about people complaining does get old fast, however.
I disagree. The nuance between the words “hacker” and “cybercriminal” is so different that it should not even be contested. If you are a socialist, be critical and consistent. These nuances matter a lot. A hacker is not necessarily a criminal. And a criminal is not necessarily a hacker.
There is nobody reading an article from Kaspersky that does not already know the meaning.
Fair enough.