But: There's a pretty glaring error in here. Google Threat Analysis Group did not warn that Signal encryption had been compromised but that the Russians had developed techniques to trick users into linking their Signal accounts to attacker-controlled devices. - ThreadSky

moltke.bsky.social • 59 days ago

But: There's a pretty glaring error in here. Google Threat Analysis Group did not warn that Signal encryption had been compromised but that the Russians had developed techniques to trick users into linking their Signal accounts to attacker-controlled devices.

Reposted from Henrik Moltke

The gift that keeps giving. www.cbsnews.com/news/trump-e...

Comments

moltke.bsky.social•59 days ago

This allows them to receive copies of all messages in real-time without actually breaking Signal's encryption. The attackers use fake group invites, security alerts, and even battlefield capture of devices to exploit Signal's legitimate "linked devices" feature that enables multiple device use.

moltke.bsky.social•59 days ago

@joannestocker.bsky.social @emmetlyonscbsnews.bsky.social sorry to be that guy :)

joannestocker.bsky.social•59 days ago

Thanks for the note! What we’ve said is they “were increasingly attempting to compromise the Signal accounts”, and
“One method … is redirecting group chat invite links to malicious pages that trick a user into linking their account”. Not suggesting they’ve succeeded.

moltke.bsky.social•59 days ago

I get that, but you also write “The Signal app offers end-to-end encryption, meaning messages sent on the platform cannot be read by anyone but the senders and receivers. That encryption is not impenetrable, however, and the Google Threat Intelligence Group …” suggesting that the TAG had identified

moltke.bsky.social•59 days ago

.. ways to break the encryption. I’m probably being pedantic but I’m sure people will take this to mean that the encryption might be compromised.

moltke.bsky.social•59 days ago

How about:
"While Signal employs end-to-end encryption, no security system is completely immune to attacks”

- Removes the ambiguous "not impenetrable" phrasing
- Clarifies the relationship between the warning and the specific threat
- Uses more precise language

joannestocker.bsky.social•59 days ago

As a fellow pedant I do appreciate it.

exotraveller.bsky.social•59 days ago

However, one should expect any commercial grade phone used on the Russian mobile network to be compromised. My understanding is that Signal cannot be installed on secure government phones ...

Comments

Posting Rules

Reply