A response to recent reporting in Germany, in service of clarity and accountability:
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb
*Anyone* can be tricked. If your'e caught at a bad time, distracted, stressed, you *will* fall for it.
@davep @signalapp -
@signalapp I wonder what the motivation behind this attack is. There's no money to be made from stealing Signal accounts, except maybe by extortion.
@jackemled @signalapp Gaining access to classified information from highest government officials, and being able to pose as these officials when contacting their colleagues, feels like something worth your time if you're interested in that sort of information.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp we are talking about german politicians here, being daft is a job requirement
-
@stagerabbit @ahltorp @davep @signalapp ok maybe, but banks are saying all the time not to give out pin even to bank staff.
@jtb @stagerabbit @ahltorp @davep @signalapp Banks and others regularly call me up and ask me to identify myself to them, ie give the unknown caller my credentials. And cannot see the problem in training their customers to comply.
-
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
@jtb @davep @signalapp Well well. We speak of the president of the german parliament. No one would ever suspect her to be seriously daft.
-
@jtb Watch what you call the President of the German Parliament! /s
@guenther @jtb @davep @signalapp she is, actually, and has long been known to be
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp I am trying to work out why Registration Lock is not on by default. In particular, why would you be able to set a PIN and not set Registration Lock? I can imagine a use case where someone didn't want a PIN at all, though that shouldn't be the default in a secure messaging app. But why PIN and no lock?
-
@nuk3 @signalapp I wonder what issue they have with Matrix?! They could just spin up their own sever.
As far as I know, the Bundeswehr already uses matrix
-
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
-
-
As far as I know, the Bundeswehr already uses matrix
@nuk3 @stairjoke yes the BwMessenger and then there is also the BundesMessenger which is based on that.
-
@energisch_ @signalapp with e2ee?
@yetzt rather automatically Block any accountname with Signal & Support in it?
@signalapp -
@jtb @stagerabbit @ahltorp @davep @signalapp Banks and others regularly call me up and ask me to identify myself to them, ie give the unknown caller my credentials. And cannot see the problem in training their customers to comply.
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
-
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@EarthOrgUK @jtb @ahltorp @davep @signalapp And they've locked my account for KYC reasons until I do it. Damned if you do, damned if you don't.
-
@MFennVT @signalapp uncheck pin reminder in setting accounts.
@GOKUSHRM @MFennVT @signalapp why would you want to do that?
-
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock). 8/
@signalapp what about a "government mode" which needs a second account to be involved to do these things.
Of course it needs to be set up, which is then not done by politicians because too cumbersome. -
@GOKUSHRM @MFennVT @signalapp why would you want to do that?
@chisop @MFennVT @signalapp to avoid pop-up box
-
@stagerabbit @ahltorp @davep @signalapp ok i withdraw my remark as I didn't see the dialog. If it said "verify pin" someone might have done that without thinking
@jtb @stagerabbit @ahltorp @davep @signalapp You still get those bona fide people on the phone who ask 'can you confirm your ...' (dob, account number, whatever), who then expect you to *give* them the detail for them to check. So it's not surprising that people can be tricked into 'confirming' online.
-
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@stagerabbit @EarthOrgUK @jtb @ahltorp @signalapp
That is awful practice.
