It's really crucial to understand how badly framed this is. There is no Signal vulnerability. The Pentagon email did a bad job explaining a Google report from a month ago and NPR repeated it. This is like saying because you got a phishing email at your Gmail address, there's a Google vulnerability. - ThreadSky

kevincollier.bsky.social • 5 days ago

It's really crucial to understand how badly framed this is. There is no Signal vulnerability. The Pentagon email did a bad job explaining a Google report from a month ago and NPR repeated it.

This is like saying because you got a phishing email at your Gmail address, there's a Google vulnerability.

Reposted from David Folkenflik

News: NPR’s Tom Bowman reports of a Pentagon-wide warning about Signal’s security vulnerability - one week ago 👇🏼

Comments

massixone.bsky.social•4 days ago

We shoud be very careful with such a pentagon guys.
I'd only add that whoever uses signal knows the Truth.

littlenomad.bsky.social•5 days ago

Thing is, there are secure, government-approved ways of having these conversations that follow legal guidelines for records retention. Signal ain’t that. If they were using Signal for this, they’ve been using Signal for all kinds of other things, probably to avoid recordkeeping. For obvious reasons.

418-im-a-teapot.bsky.social•5 days ago

This was my first thought. Seems like nobody else has mentioned it. They are definitely violating record retention laws.

woollahra.bsky.social•5 days ago

PEBKAC is a vulnerability. But really, beyond advising you on good secure practices, they're not obliged to fix or prevent it.

deeddoer.bsky.social•5 days ago

The bulletin is pretty clear about the issue.

rorfle.bsky.social•5 days ago

It's so funny that the 'vulnerability' is just the user - skill issue i guess! If you get goofy and invite someone you shouldn't have, not sure what you'd expect signal to do about that!

rorfle.bsky.social•5 days ago

Misunderstood the context of the report -oppsie. That's what I get for responding without reading firsta

psketti.ca•4 days ago

“Reportable” is such an apt term to use here, as in “I’m sure I can craft this non-news into something portable!”

d3v1ls7h3r4p157.bsky.social•5 days ago

Exactly.

I'm pretty sure I heard about this simple signal layer8 phishing attack before.

Probably sometime last year or early this year, but I can't quite pinpoint or find it.

This is just embarrassing. Zero OpSec. The US is fucked.
In case you don't hear it, the whole world is laughing. 🫣😔

kevincollier.bsky.social•5 days ago

This is the Google report in question, which
A. Signal helped with, and
B. Literally doesn't find a vulnerability in how Signal works. It's about how users can be tricked, as Signal is now used enough in Ukraine, securely, that Russia is poking for workarounds.

alanpdx23.bsky.social•5 days ago

Fear Uncertainty and Doubt.

lastthird.bsky.social•5 days ago

100%. Exactly what I told some friends earlier today (on Signal no less):

jorge314.bsky.social•4 days ago

Signal should not be used for this type of communications, period.

joshdsw.bsky.social•5 days ago

How about a very senior US official taking any call / connection on any device that includes highly sensitive information while sitting in an unsecured location in Moscow, possibly the Kremlin itself - - where intercepts are the norm for Russian intelligence operations. Russia ❤️ Iran. Iran ❤️ Houthi

alxfed.bsky.social•5 days ago

It looks like Signal hired this particular person here to do the 'laundering' of the story, and this little shaved headed punk will pretend in front of us that the personal phones which are _all_ compromised by definition (PRISM and the rest) can be used if they have Signal messengers on them.

joshdsw.bsky.social•5 days ago

Thank You.

valoisdubins.bsky.social•5 days ago

The way the media and too many Democrats are finding ways of avoiding saying bluntly “Pete Hegseth committed a serious crime against the United States” is doing my head in.

thatac.bsky.social•5 days ago

*waves hi*
Resident Immortal Sociopath here, I have insight to offer.

Rule 1 - Humans are fscking stupid.

Rule not yet numbered - Humans will do completely horrible things to protect the "image" of something, even if what they do completely betrays that image.

See also: Churches, Cops, SCOTUS

jimj.bsky.social•5 days ago

Nothing is ever their fault.

vartec.bsky.social•5 days ago

An open, public service *is* a vulnerability compared to high-security air-gapped system where you can't be phished, because the attacker would have to gain physical access to a secure device at a secure location. You can't accidentally invite a wrong person to a SCIF.

tomsebald.bsky.social•3 days ago

This seems like a distinction without a difference.
User error is a confirmed Signal vulnerability.
Kinda like how an apartment building is secure until somebody props the door with a brick for a delivery.
Nothing wrong with the lock, but the system still allows for that vulnerability.

tomsebald.bsky.social•3 days ago

The relevant discussion isn't how good Signal is, it's whether or not it is appropriate for this use....which it clearly isn't.
Any security feature has vulnerabilities that can be exploited. Parsing how the vulnerability is framed is one thing, but pretending it isn't still a vulnerability is wrong

Comments

Posting Rules

Reply