@mattblaze @briankrebs @ai6yr So now they know
- your phone number,
- your dad's phone number,
- your voice,
- your dad's voice,
- your phone or phone OS,
- the location you're calling from,
- the approximate location of your dad's house,
- that you live with your dad or are visiting him,
- that your dad has a house with a driveway,
- and that there is a garage there.
This is metadata that, when combined with other metadata, can paint an alarmingly accurate picture of you.
@ron_olafsson @mattblaze @briankrebs @ai6yr
...multiplied by millions of people, in every corner of the country. All the data extrapolation waiting there,
- population densities
- family size averages
- local and regional events
- almost any financial transaction
There's too much value to count it all.
Because local-first data principles aren't the law, we have this bullshit closed cellular network (apt name, btw), that's totally exploitable like this. Might as well pee with the door open.
-
@mattblaze @briankrebs @ai6yr @mousey Calls made via messenger apps such as Signal are end-to-end encrypted, offering greater privacy from mobile providers and potential eavesdroppers.
-
@ron_olafsson @mattblaze @briankrebs @ai6yr
I am nobody, and still my voicemail recording doesn't have my voice on it. And I don't pick up on unknown numbers; if it's important, they will leave a voicemail.
Signal FTW
-
@ron_olafsson @mattblaze @briankrebs @mousey That said (having not analyzed it), how much relationship / traffic analysis can you do on Signal?
i.e. if your drunk buddy Pete keeps on texting you hot tips about things going down overseas, can you look at addressing/trace network traffic, even if you can't read the messages? i.e. he keeps on texting your OTHER friend, Marc, about him needing to find a girlfriend in his new job running the overseas branch of your franchise, but he's got to learn Spanish first? And suddenly they're exchanging traffic at 2am on Signal?
-
@ron_olafsson @mattblaze @briankrebs @ai6yr
Still metadata to be reaped. Is your keyboard autocompleting your words while you type into Signal?
Every (read: both, it's a duopoly) mobile OS, on most phones, is a house built on sand.
Every carrier is Security without Privacy.
Every stupid backdoor, like the CALEA law, is another camera in your toilet.
-
@mousey @ron_olafsson @mattblaze @briankrebs "I'm totally secure! Look at this cool app, Grammarly AI Keyboard! Now I never make typos!" 🤪
-
@mattblaze @briankrebs @mousey @ai6yr Fair point: Signal also collects metadata to a small extent (when messages are sent allows conclusions to be drawn about lifestyle habits). Even more problematic is that Google can also evaluate this metadata, as Signal messages are delivered via Google Play Service FCM (at least on Android). A better option for Android is the more privacy-friendly Signal client Molly, which supports UnifiedPush and thus completely bypasses Google.
-
ICYMI, from Reuters:
"Democratic Senator Maria Cantwell on Tuesday said Verizon and AT&T are blocking release of key documents about an alleged massive Chinese spying operation that infiltrated U.S. telecommunications networks known as Salt Typhoon and wants their CEOs to appear before Congress to answer questions."
"Cantwell asked both companies to turn over security assessments conducted by Alphabet cybersecurity unit Mandiant. She said Mandiant refused to provide the requested network security assessments, apparently at the direction of AT&T and Verizon."
"In some cases, hackers are alleged to have intercepted conversations, including between prominent U.S. politicians and government officials. Several lawmakers have described them as the worst telecom hacks in U.S. history."
"Cantwell said Salt Typhoon allowed the Chinese government to "geolocate millions of individuals" and "record phone calls at will," and that the incident targeted almost every American."
@briankrebs this is exactly why out of 9 business entities i have participated in forming 0 of them are anything more than a side hustle.
i cannot afford to go all-in without an extremely generous investor.
-
@mattblaze @briankrebs @ai6yr @mousey There are ways to regain control of your own data. For Android, @GrapheneOS is recommended, for example. For a private keyboard, you can find several options on F-Droid, such as FlorisBoard, which does not send any data to the internet. You can check this (and restrict all other apps as you wish) with @rdns. Once everything is configured, it works great. But sure, there's no 100%.
-
@mousey @ron_olafsson @mattblaze @briankrebs @ai6yr
You can get information on things like population density and average family size from census.gov; it's out there for the taking by anyone who wants to know. Similarly, you can find out about local and regional events by looking at public advertisements. I'm not saying the breach isn't catastrophic, but a lot of the information you're talking about is already public knowledge.
-
@briankrebs I feel like it happens enough, with great precision, this effect should have a name.
1. Telecommunications breach occurs
2. Someone mentions Signal
3. Nuanced hypotheticals are exchanged
4. Argument over metadata takes place
5. There's a Molly vs. Signal comparison
5b. Something about Matrix
6. GrapheneOS
7. Someone knows too much about keyboards
It feels like a Godwin's law type event where it's just a matter of when, not if.