The primary vulnerability with Signal is the belief it alone assures security. That's not true of anything. If, for example, you're a high-ranking US official, your phone itself is a prime target for zero-day exploits that can see whatever you see. Another reason why this breach was so egregious. - ThreadSky

maxkennerly.bsky.social • 91 days ago

The primary vulnerability with Signal is the belief it alone assures security. That's not true of anything.

If, for example, you're a high-ranking US official, your phone itself is a prime target for zero-day exploits that can see whatever you see.

Another reason why this breach was so egregious.

Reposted from Meredith Whittaker

This is inaccurate. There is no known vulnerability with Signal's core tech. The memo was discussing phishing attempts, which Signal has worked to mitigate. And it was hastily reported.

It's important not to spread misinfo that can confuse people into moving away from meaningfully private comms.

Comments

bobblakley.bsky.social•90 days ago

Security folks (like me!) mean something specific by "vulnerability"; it means a design or implementation weakness in an information system that could be exploited by an adversary. The issue in this instance didn't arise because of what we call a vulnerability.

1/

bobblakley.bsky.social•90 days ago

The issue arose because of a combination of poor operational security (OPSEC) and an incorrect threat model.

OPSEC is critical because no system will be secure if it's used incorrectly (that is, in violation of its explicit design goals and assumptions).

2/

bobblakley.bsky.social•90 days ago

One of the design goals of Signal is that it doesn't try to protect you against attacks by the people who are actually in the conversation. In support of this design goal, a design assumption is that you'll be careful who you invite to the conversation.

3/

bobblakley.bsky.social•90 days ago

And Signal provides a control to help you with this; it makes you confirm that you really want to add a new participant, and it notifies ALL existing participants when anyone's added. In this case, no one checked when Goldberg was added. Didn't understand the threat model or use the controls

/FIN

rawkergrrrl.bsky.social•91 days ago

‘This is how they tell me the world ends’ by Nicole Pertroth should be required reading for all these idiots. Also applies to anyone okay with DOGE accessing every f*cking thing.

thelordgod.bsky.social•91 days ago

The vulnerability with signal seems to be that if you let assholes who are fucking morons use it for classified discussions they'll invite any rando in their contact list to it.

There's no secure app on Earth that can stop unbridled stupidity.

bfgilme.bsky.social•90 days ago

The one government they know will not have access to the Signal Group Chat is the USG. Law prevents the USG from collecting on people without a warrant.

aaronblackshear.bsky.social•91 days ago

All of these people are going to be targeted with Pegasus if they haven't already

zscottyg.bsky.social•90 days ago

I do not love the fact that the CEO of Signal is out there trying to mitigate this like it’s their problem and not the administration’s. Stop carrying their water, dumbass. This is not on you. It’s on them.

this-guy.bsky.social•90 days ago

It’s only as secure as the least secure device on the app.

hopeislikethesun.bsky.social•91 days ago

Also bypasses document retention required by federal law

drakechristensen.bsky.social•91 days ago

Plus the whole, you know, preserving records thing

liztufte.bsky.social•91 days ago

Detailed info about their phones & communications
https://www.cbsnews.com/news/trump-envoy-steve-witkoff-signal-text-group-chat-russia-putin/

akdweller.bsky.social•90 days ago

Whatever. They use it so they can delete things and not be subpoenaed for them later.

boggywitch.bsky.social•90 days ago

🎯

maverick72.bsky.social•90 days ago

It was to be expected when looks and fealty over expertise were the primary attributes in 🤡🍊’s selecting them.

amunicipalfox.bsky.social•91 days ago

Hell, Apple deals with this exact situation often enough that they built a feature into every iPhone specifically to try to make it more difficult for state actors to attempt this! The complete and total contempt that this administration has towards basic opsec is gonna get people killed.

murray104.bsky.social•91 days ago

Although someone eavesdropping on grandma’s surprise party planning session is not very consequential. But top security intel? That is outrageous with potentially grave consequences. If my child was in the Military with this clown show? Unforgivable consequences.

murray104.bsky.social•91 days ago

Does Signal clarify their product is not intended for high level security meetings?

clarissasorenson.bsky.social•90 days ago

Signal usually clarifies that although their software and encryption are very secure, it's no guarantee against a highly motivated actor, it's only as safe as the device or people using it- and these personal devices likely hacked and someone just invited a journalist in

clarissasorenson.bsky.social•90 days ago

I think if you are compromised and it's because someone hacked or broke into the Signal code and not a device or human failing, you were a high value target with immaculate security habits

murray104.bsky.social•90 days ago

Signal Core is not to be blamed. The group texters made choices.

reedermt.bsky.social•91 days ago

They used Signal to skirt the Presidential Records Act. That’s where the investigation should focus. What else are they hiding? Why are they acting as if the law doesn’t apply to them?

bfgilme.bsky.social•90 days ago

The one government that can't access the Signal Group Chat is the USG. Those people investigating the 'leak' legally don't have a way to get the information if the people in the group don't cooperate.

drbb1955.bsky.social•91 days ago

"I strongly object to all these references to cannibalism in the Royal Navy. It's well known we have the problem relatively well in hand."

brianmorales.bsky.social•91 days ago

Which is why Witkoff being in Russia completely compromised that chat.

moderatejerk.bsky.social•91 days ago

kristinemarie67.bsky.social•91 days ago

Thank you..I had questions!

Comments

Posting Rules

Reply