Users of the Signal messaging app got hit by a hacker attack. We analyze what happened and why the attack demonstrates that Signal is reliable.

My Dog, “hackers hacking a hack”.

Can we please stop using the word “hacker” when we mean “cybercriminals”, “attackers”, “malicious agents”? We have plenty better terms. Like… “cybercriminals”, “attackers”, “malicious agents”: https://rys.io/en/155.html

I mean, I get the need for clickbaity titles and all, but surely we can do better.

Jones (creator)

First, I did not make the title, I just linked an article.

Second, I get that you wish people did not use the word “hacker” the way they do, but… isn’t it how natural languages work? Words mean what people use them for. I wish “crypto” did not mean “cryptocurrencies”, but in many contexts it does. That’s life.

Talking about clickbaits, what about linking to your blog everywhere you can? It’s completely off topic (the link is about Signal, your blog is about how people misuse a word according to you), but nobody complains, because apparently you thought it was relevant, just like the author thought that calling them “hackers” was fine.

Lenins2ndCat

Complaining about use of the word hacker is the tech nerd’s equivalent of complaining about clips vs magazines. It doesn’t matter and everyone understands it anyway, there is absolutely no reason to be bent out of shape by it except in situations where being specific and clear instead of generalising actually matters.

Gun nerds deserve being laughed at for getting upset over it and so do tech nerds.

I disagree. The nuance between the words “hacker” and “cybercriminal” is so different that it should not even be contested. If you are a socialist, be critical and consistent. These nuances matter a lot. A hacker is not necessarily a criminal. And a criminal is not necessarily a hacker.

Lenins2ndCat

There is nobody reading an article from Kaspersky that does not already know the meaning.

Fair enough.

Jones (creator)

But probably those who made this attack were hackers, right? So “hit by a hacker attack” does not say that hackers are malicious, it’s just a way of saying that it was an attack made with computers (and not with, say, fighter jets).

I don’t think it’s inaccurate or generalizing (hackers are not necessarily cybercriminals, and cybercriminals are not necessarily hackers, but cybercriminals who attack a computer system with a hack are indeed hackers). It’s just a shortcut for “hit by an attack by cybercriminals who happen to be hackers, and used a skillset commonly attributed to hackers to execute their attack”.

If that makes sense :)

@rysiek@szmer.info

First, I did not make the title, I just linked an article.

Great. No need to take stuff personally. But since you did: one thing you could have done is to replace “hackers” with “[malicious actors]” (yes, in square brackets, to signify modification).

Second, I get that you wish people did not use the word “hacker” the way they do, but… isn’t it how natural languages work? Words mean what people use them for. I wish “crypto” did not mean “cryptocurrencies”, but in many contexts it does. That’s life.

I linked to the specific entry on my blog, because I expected that exact type of response. I give pretty specific arguments why I find the abuse of the word “hacker” problematic. And not just from the perspective of hackers (i.e. tinkerers, techies, etc) themselves, but also from the broader perspective of being able to have informed public debate about information security.

You are using the same argument that has been used against Black activists trying to reclaim the N-word, and against LGBTQ+ activists who tried to reclaim the F-word. And you know what? They both succeeded.

So there’s that.

Jones (creator)

So you’re saying that a “black hat hacker” cannot exist, because by definition a hacker is not a malicious actor. So everyone who is using the word “blackhat” is disrespectful towards those who identify as “hackers”, as much as using the N-word or F-word is disrespectful towards the respective communities. Am I getting that right?

So you’re saying that a “black hat hacker” cannot exist, because by definition a hacker is not a malicious actor.

I never said that. I said:

Can we please stop using the word “hacker” when we mean “cybercriminals”, “attackers”, “malicious agents”?

Many of these cybercriminals, attackers, and malicious agents are, in fact, hackers. They are also techies. Would it make sense to say “Signal got hit by a techies’ attack”? No, obviously not — one chooses the most specific term that fits in the context. But “hacker” is not that in this particular case.

If a bank is robbed and it just so happens that every single member of the robbers’ team happens to be a driver, would you write “Bank robbed by drivers”? Or, to be even closer to the absurdity in that article, “Bank driven by drivers”? No, that would be silly. You would write instead: “Bank robbed by robbers”.

So instead of writing “Signal hacked by hackers” it really makes way more sense (and happens to also be more informative) to write “Signal attacked by state-sponsored attackers”, or whatever the specific case might be.

So everyone who is using the word “blackhat” is disrespectful towards those who identify as “hackers”, as much as using the N-word or F-word is disrespectful towards the respective communities.

No, but I would agree that people who knowingly misuse the word “hacker” when they mean “attacker”, etc., are disrespectful to the amazing, creative, inventive and inspiring people who often identify themselves as “hackers”. Come to a hacker con or camp one day and maybe you’ll get it.

Am I getting that right?

No, you are clearly arguing in bad faith, trying to put in my mouth something I did not say. And you know it very well.

Jones (creator)

So instead of writing “Signal hacked by hackers”

Pretty sure it was “Signal attacked by hackers”, but I get your point about “Signal hacked by hackers”, though I don’t think this would be worth an entire blog post :-).

trying to put in my mouth something I did not say.

On the contrary, I am trying to reformulate what I understood, so that you can confirm (or not) that I got your point. Don’t assume that people who disagree with you are in bad faith, and you’ll generally have a better experience communicating.

Anyway, that’s not constructive, let’s stop here.

so… a bunch of Twilio employees had (and still have) exactly the capability that the attackers gained with this phishing attack. As do employees of Signal, Amazon, and various telecom companies, not to mention governments.

“Secure messenger” and “requires a telephone number” are not compatible concepts.

Jones (creator)

“Secure messenger” and “requires a telephone number” are not compatible concepts.

Following that logic, could we say that “secure messenger” and “requires a computer” are not compatible concepts, because the computer could be compromised? I mean, in the Twilio situation above, users got informed that the conversation key had changed (suggesting that they should verify the keys again if it matters to them). Now if your phone is compromised, you’re screwed, whether or not your secure messenger requires a telephone number.

“Secure messenger” and “requires a telephone number” are not compatible concepts.

Wrong. Anonymity from your contacts or phone carrier or government is different from security of messages and metadata.

Arthur Besse

Signal’s “sealed sender” metadata protection is a farce.

Their use of phone number identifiers is a gift to police and other violent adversaries around the world, including those that Amazon doesn’t cooperate with. When one person’s phone gets seized or otherwise compromised, that adversary gets a list of the phone numbers - aka strong selectors in intelligence lingo - of all of the victim’s contacts.

Signal’s initial growth was funded with millions of USD from the US government, ostensibly for use by dissidents in places like China and Iran. The former requires ID to obtain a phone number, and the latter requires fingerprints. Even people who support the US’s soft power efforts to aid dissidents in those countries should be disturbed by the promotion of the use of phone numbers for “secure communication” in those contexts.

I have not said about metadata, but contested your claims of conflating security with phone number identifier causing lack of anonymity.

Geopolitical game, metadata and phone number identifier can be a different aspect of its own, compared to security.

I would like to contest your claim of the geopolitical aspect here as well. You may have suspicion about Signal, but do you think organisations like Riseup are also backdoored?

Arthur Besse

I have not said about metadata, but contested your claims of conflating security with phone number identifier causing lack of anonymity.

Huh? My first comment in this thread did not say anything about metadata or anonymity; it was (like the linked blog post) discussing the attack surface that comes with using phone numbers for authentication.

It was you that brought up both metadata and anonymity when you said this:

Wrong. Anonymity from your contacts or phone carrier or government is different from security of messages and metadata.

(emphasis added). Phone numbers are also terrible for those issues, of course.

do you think organisations like Riseup are also backdoored

I did not say signal is “backdoored”. I think their client and server software is most likely doing what they say it is, and Signal employees can probably honestly say they don’t retain any data that they could give to governments. The backdoors, if you want to call them such, are in the phone number based design and the choice of company (Amazon) that they rely on to keep the promises that Signal makes to their users.

My understanding of Riseup is that they own their own hardware, which puts them in a better category than Signal already. They also don’t require phone numbers. They do however use an invite code system to prevent spam/abuse, which they say they don’t retain a social graph from… but it isn’t clear to me how that system is actually useful to them if they don’t. Unlike Signal, Riseup is explicitly for activists, which makes me reluctant to recommend it. I don’t think it is intentionally backdoored and I think the people behind it mean well, but I think having a system explicitly for activists seems wrong as (1) it is a very attractive target and (2) merely using it can make you seem suspicious. The use of riseup has actually been cited as evidence of wrongdoing in an arrest warrant in Spain.

Guess I will ban Spain from my life then.

Albert

Why change the title? This is extremely misleading. The article states “We analyze what happened and why the attack demonstrates that Signal is reliable.”

Jones (creator)

Extremely confusing how? I copied the first sentence in the “title” box, then the first two sentences in the “description” box, and the article again starts with those two…

Also the attack demonstrates that they could not do much, but still they got access to some accounts, which I believe qualifies for “some people were victims of an attack”. Or does it need to end badly for the title to be allowed to say that there was an attack?

EDIT: sorry, I actually had missed the title and copied the first sentence. Fixed!

Sponsored by …?

bkrl

deleted by creator

Signal is pretty awesome! Best general messenger for non-techies as well!

bkrl

One may have all the encryption you want, but if the 2FA SMS whispers entry to the hackers, it’s clear that they’re not coming in through the security door but through the broken window…

Jones (creator)

To be fair, even though they bypassed the 2FA, they did not get access to previous conversations and contact list. That’s the point of the article, right?

bkrl

Even if the encryption does not collapse, it is still an app full of identifiers. That makes metadata available. An attacker could figure out who contacted whom.

Jones (creator)

Whenever someone says “Signal is not good enough”, my answer is “what’s your threat model”? For me it’s a pretty damn good compromise given that all my friends and family are on it (as opposed to e.g. using WhatsApp or Telegram 99% of the time and a perfect alternative with one contact). The day I can realistically think about making my contacts move to a better alternative, I’ll do it. In the meantime, that’s the best I’ve got. And it’s not too bad, to be fair.

bkrl

Uh, I forgot to tell you that the “account” is safely saved locally (something) like jones.zip. That’s it!

bkrl

In the meantime, that’s the best I’ve got. And it’s not too bad, to be fair.

Are you quite certain? Have you looked hard and concluded that Signal is the best alternative available today?

I can tell you that my messenger doesn’t use identifiers, it doesn’t track me, it doesn’t care who my contacts are, it doesn’t ask for my email, phone number, and importantly it does everything Signal does.

Jones (creator)

Yes, I have been following Signal and alternatives since… well since TextSecure was only for SMS. And I find that many times people critical about Signal don’t really know much about it except for the fact that it uses the phone number (not the email).

Again, not saying it’s perfect. Just that for my threat model (which arguably is a valid threat model for billions of people), it’s a very good solution.

bkrl

You cannot know what kind of government we will have in ten years, nor is it said that your good behavior will be enough to keep you out of trouble. Millions of Jews had done nothing wrong, yet they were persecuted. Moreover, the fact that you have nothing to hide does not fully express what you could do if you had instead: sort of like giving up your right to speak because you have nothing to say.

Jones (creator)

This seems completely off-topic to me. I never said I have nothing to hide. The Signal client app (i.e. the part that you can audit, compile and run, not the server) provides a lot of privacy already: e2e encryption via the excellent Signal protocol, private profile, private groups, sealed sender. So in terms of metadata, the Signal server never knows what you write, who is in which group, and to whom you are writing. Again, from the client code that you can audit yourself before you run it.

On top of that, leveraging the secure enclaves, the Signal server (tries to) guarantee(s) the private contact discovery (based on the hashes of your contact list). Which means that if you trust the SGX enclave, all that the Signal server knows is your phone number. If you don’t trust the enclave, then you can assume that the server got access to your contacts when you did the discovery (i.e. when you installed the app).

That’s very, very, very far from saying I have nothing to hide.
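The post above describes contact discovery as the server matching hashes of your contact list, and says that without a trusted enclave you should assume the server learned your contacts. The following Python is an added example, not code from the thread or from Signal, that makes that reasoning concrete: the client uploads only hashes, the service is supposed to return just the registered matches, and yet an untrusted server can recover the full address book because the space of phone numbers is small enough to hash exhaustively. All numbers are constructed sample data, and the `prefix`/`digits` search range is a hypothetical choice that fits that sample.

```python
import hashlib

# Constructed sample data (not real numbers, not Signal's real hashing scheme):
# one user's address book and the service's set of registered users.
ADDRESS_BOOK = ["+15550001234", "+15550005678", "+15550009999"]
REGISTERED = ["+15550005678", "+15550009999", "+15550000042"]


def hash_number(number: str) -> str:
    """Hash a phone number the way a naive 'private' discovery scheme would."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def client_upload(address_book):
    """What the client sends: only hashes, never the plaintext numbers."""
    return [hash_number(n) for n in address_book]


def discover(uploaded_hashes, registered_numbers):
    """What the service is supposed to compute and return: which of the
    uploaded contacts are registered users. Nothing else is needed."""
    registered = {hash_number(n): n for n in registered_numbers}
    return sorted(registered[h] for h in uploaded_hashes if h in registered)


def server_reverse(uploaded_hashes, prefix="+1555000", digits=4):
    """What an untrusted server can additionally learn: the whole address book.

    Phone numbers form a tiny input space, so the server can precompute the
    hash of every number in a block and look the uploaded hashes up. The
    prefix/digits arguments are a hypothetical search range sized for the
    constructed sample; a real number space is larger but still enumerable.
    """
    table = {}
    for i in range(10 ** digits):
        number = f"{prefix}{i:0{digits}d}"
        table[hash_number(number)] = number
    return [table.get(h) for h in uploaded_hashes]


if __name__ == "__main__":
    upload = client_upload(ADDRESS_BOOK)
    print("registered contacts:", discover(upload, REGISTERED))
    print("untrusted server recovered:", server_reverse(upload))
```

The gap between `discover` and `server_reverse` is exactly what the post's “if you trust the SGX enclave” hinges on: hashing alone gives the server no less information than the plaintext would, so the privacy guarantee has to come from where the matching runs and what that code is attested to retain, not from the hash.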

Signal introduced closed-source server side code last November. The founder and CEO stepped down from his position this January… End of story to me about Signal

Source for this claim?

bkrl

Oh yeah bro. You have my thumbnail up. Seems only a detail but freedom defenders (Signal) have their backs sitted in California…

Jones (creator)

Signal introduced closed-source server side code last November.

What? I’m not aware of that. Source?

What’s your messenger then?

bkrl

It is the sole messenger that doesn’t use identificators. You cannot get wrong.

No identificators at all? Lol sure, who else is using it with you?

bkrl

At the moment I think more than 3000 people. Young app. Needs it to spread.

If it needs to spread, don’t make a secret of it lol. Briar, SimpleX, something else?

bkrl

Jones (creator)

Oh, yet another messenger that pretends that it’s the only one that can prevent MITM. Abusive marketing, or plain misunderstanding of what e2ee means? Anyway I wouldn’t trust them just for that.

bkrl

The code is open. You can check your own doubts.

Jones (creator)

Not my point. Their webpage says that others (Signal included) are not protected against MITM (in the case of Signal, there is a note saying “if the server is compromised”). Which is plain wrong.

bkrl

Are you aware that, just to start somewhere, Signal asks (and needs) your phone number to make the service work? If you write “go to hell” to a person and two minutes later you regret it that person can accuse you with absolutely legal evidence in his or her favor. Is everything normal?

Jones (creator)

First, that’s completely unrelated to the very concept of MITM. Second, it also shows that you have no clue about how such protocols work (in Signal, in SimpleX, or anywhere else). I really don’t understand why people who are really into secure messengers often don’t really care about how they actually work… I mean it is damn interesting!

bkrl

deleted by creator
