We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists.
-
@lackthereof no, it's not because unlike #Phones and #PhoneNumbers, #eMail is not necessarily traceable by circumstances.
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
- Even if it's just some App/PBX/… to connect to the provider and constantly state "I am on the network and able to recieve calls!" (with PSTN networks, there a physical line that gets assumed to have a phone connected)…
Whereas with eMail (and any #asynchronous #communication) you don't have that requirement.
- So unless the provider is being taken over or otherwise "cooperative" there's no means for a sender to know where, when and how a message was retrieved unless the recipient wants the sender to know of it!
- Besides, even if you don't have an eMail provider like
cock.liwhich natively supports @torproject / #Tor useage with an #OnionService, unless said provider explicitly prevents you from doing so, you can use not just Tor but also other techniques to make it extremely hard (not necessarily impossible, but at least unfeasible at scale!) to get tracked down. - In fact, you could even use #Sneakernet - Style distribution through "#MeatProxies" and #DeadDrops (aka. #dr0p) to further twart tracing attempts.
- Besides, even if you don't have an eMail provider like
Or to put it simple:
- You can ring up someone and thus circumstantially verify the chain of #PhoneNumber -> #IMSI -> #ICCID -> #SIM -> #IMEI -> Device -> Location -> Owner quite quickly.
So either way a phone number is just a horrible means of doing that.
- And don't even get me started on the fact that legally speaking noone truly owns their number.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
OnionServicewhich can only be shutdown effectively by sabotage aka. (more or less figurately) "unplugging" it.
- Because even if you got some spechal case number (like UPT was) you still depend on neither regulators nor telcos to not block or otherwise interfere with it. Which is in contrast to say an
I mean, it's not as if I didn't gave @signalapp a fair chance.
- I wanted #Signal to be good - honestly...
- But I'm old enough that things rarely are that simple as #TechPopulism & #Propaganda claim it to be.
- Just like 5th grade #SexEd is not a substitute for Endocrinology, Gynecology and Andrology and actually licensed, medical professionals.
So any #Messenger service that requires a #Phone Number for signup and/or useage is truly not a real replacement and inherently makes PROVEN WRONG assumptions [i.e. that it is legal and possible to obtain a phone number anonymously at someone's juristiction] about it's customers' ability to shield their privacy…
- Cuz all the "#Metadata" claims of Signal are complete #MarketingLies by virtue of them storing a Phone Number and not just being (as per admission by @Mer__edith) 'hard locked-in' with #aws but also subject to #CloudAct.
- They certainly are not deploying real #E2EE cuz you neither get #SelfCustody nor #SelfHosting and have to blindly trust them (aka. "#TrustMeBro!") that what they release as #SourceCode is actually what they deploy.
- It's like all those "#VPN" shillings which one cannot verify to be true or false!
THIS is why I am going fucking ballistic on #TechPopulism aiming at #TechIlliterates because it's spreading a "false sense of #security" whilst completely disregarding absolute fundamentals when it comes to the underlying systems.
- And I don't mean shit like #Govware of the #SS7 kind, but absolute basics in #ITsec, #InfoSec, #OpSec & #ComSec that every @cryptoparty@chaos.social / @cryptoparty@mastodon.earth / #CryptoParty worth it's name touches on.
- Signal can't and won't save peoples' asses and the sooner we realize that "complex problems are hard to fix" the less we waste Resources on #HoneyPots that stench like #CrytpoAG & #ANØM!
Your threat model is totally incoherent here and you talk like a cheap LLM
- Because a Phone "Line" (regardless of whether it's POTS, ISDN, VoIP, GSM, VoLTE, …) and #telephony in general are designed for realtime communication, they inherently necessitate an active, ongoing connection.
-
Your threat model is totally incoherent here and you talk like a cheap LLM
@lackthereof no it's not (because things are in fact intertwined) and I expect you to apologize for that!
- Go outside, #TouchGrass and in a week you can come back…
-
To protect people from such phishing, Signal actively warns users against sharing their SMS code and PIN.
We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal related code, it is a scam. We make this clear when users receive their SMS code during initial signup.
@signalapp maybe write:
"If you are currently installing signal, use this code. If some chat website or phonecall asks for it, it is an attack trying to steal your account." -
@unaegeli @signalapp One is an in-app prompt. The other is a message, text or email. They don't look anything alike.
@distrowatch @unaegeli @signalapp
It's a prompt on the phone.
They "are the same".
People don't make the difference. -
@distrowatch @unaegeli @signalapp
It's a prompt on the phone.
They "are the same".
People don't make the difference.@gunstick @unaegeli @signalapp Messages that come in are not a prompt and don't look or act like any popup or prompt.
-
You should add the ability to sign up with email. I'm not sure that Russian users can log in with a code from SMS.
@izby @signalapp Email registration would turn Signal into a spam and bot cesspool like Twitter, Facebook, Instagram etc.
-
@kkarhan@infosec.space since i've started hosting services for people, i came to the conclusion that the only thing you will need is an email, and only when there is no other option to reach out to the user.
let's make it clear to everyone: phone numbers should only be shared to people you trust and nobody else
@gettie @kkarhan Or hide your phone number, and create and share a username. Signal's had usernames for a couple years: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames
-
@leoschuldiner23 @gettie @kkarhan It depends. I have 5 phone numbers all used for different purposes.
-
@signalapp Why not change the message to "To setup Signal on your new phone, please enter code ..." to make it absolutely clear what the code is for and create additional friction for scammers as they'll have to come up with an excuse as to why it says new phone.
@rbairwell @signalapp It's not always a new phone. Just a few months ago I purged Signal from my phone before going through CBP on my way back from an international trip, then put it back on the same phone.
-
-
@signalapp nobody should use Signal
@Lizette603_23 @signalapp Will you offer any proof for a reason why or just leave it ambiguous to sew distrust in the most secure and private app available?
-
@scathach @signalapp You can just turn off discovery by phone number and never get a spam message again: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#pnp
-
@signalapp You know how you could solve that? Stop taking users' phone numbers, and especially stop using it for verification. EZPZ.
@DekOfTheYautja @signalapp Or just turn off phone number discoverability and never get a spam message again: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#pnp
-
@signalapp
Thank you for explanations.1. When will mere users be able to detach Signal session from the mobile device?
This single functionality (doable for versed hackers but not for the general public) would stop such scams for high value targets like journalists, who would simply use a single-purpose wifi only desktop/tablet.
@ohir @signalapp No need to detach from a phone number. Just turn off discoverability by phone number: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#pnp
-
@signalapp phone number required! fine.
but can't you add an option at the bottom of the screen to skip that and use a randomized ID like @session does
Also, to migrate to a new phone one needs to enable every sensor on their phone (including GPS), can't we just generate and scan a QR code and use our secret PIN as a 2FA?!!
@levi @signalapp @session You can disable discoverability by phone number and create a username since 2 years ago: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#pnp
-
@starraven @signalapp They can't get contacts without also phishing your Signal PIN. And they can't get message history without also phishing your cloud backup key.
-
@rbairwell @signalapp It's not always a new phone. Just a few months ago I purged Signal from my phone before going through CBP on my way back from an international trip, then put it back on the same phone.
@Avitus @signalapp True, but at least you would be expecting it and the prompt would make some sense: if it was someone malicious saying "We r Signal, plz confirm the security codez" and the message said "To install on a new phone" I hope most people would question the message.
-
@kkarhan
This has always struck me as the strangest complaint about Signal.You don't need to distribute your phone number to actually communicate with other signal users.
Presumably you want some form of 2fa, because losing your account would be bad.
And you don't want to be tied to some cloud based email provider.
And it's literally a phone app so every single user has the dependency.
@lackthereof @kkarhan My kids have mobile devices with data only eSim cards. No phone number. I can't use Signal on their device to talk to them. Not everyone with a phone has a phone number.
-
@izby @signalapp Email registration would turn Signal into a spam and bot cesspool like Twitter, Facebook, Instagram etc.
OK. What about WhatsApp or Telegram?
-
@ohir @signalapp No need to detach from a phone number. Just turn off discoverability by phone number: https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames#pnp
@Avitus @signalapp
> No need to detach from a phone numberI am talking about detaching mobile device used to setup from the desktop you want to use to talk with your informants. This very setup Signal devs fight claws and teeth – you can use desktop as long as you periodically make your chat content reach your ah-so-trusted Android or iOS phone, decrypted and written in plaintext on it, and only then you can continue to use your desktop till the next dump of plaintext to the phone.
I.e. while all is perfectly encrypted on the way, all Signal communication is as much confidential as Android and iOS are themselves. Ie. close to none.
At least for Jane Journalist is none.
You John Hacker can hack around and have long-living desktop instance. But for the communication channel to be confidential it must be that on the BOTH sides.
Hope this helps.
