14 comments

[ 3.8 ms ] story [ 51.8 ms ] thread
I blame Apple for forcing users to backup iMessage messages to iCloud if they keep iCloud itself enabled.
There's nothing in this article on the "How". Misleading title to a fairly vacuous piece.
There is a recommendation though: use message expiry.
Agree that it is fairly vacuous, however the article does say that the content of the communications were backed up to Apple's cloud leading to it getting compromised.
That was talking about Manafort, not Cohen. See

[About Cohen] > It’s unclear if the FBI actually broke through any layers of encryption to get the data

[About Manafort] > Paul Manafort, himself found ... Those messages appeared to have been found through Manafort’s Apple iCloud account.

Security is only as good as its weakest link.

Case in point, all of my messages in Signal are locked behind a password phrase, which I have to re-enter every time the phone restarts or the app gets updated. I figured it was iron-clad. Until I discovered that the whole password-protected message vault is entirely optional (must've been one of those things I toggled years ago and never looked back). My girlfriend, of course, uses Signal but does not have that turned on, so if they really wanted a record of our communications, all they'd have to do is subpoena her phone instead of mine.

This is not a problem unique to Signal. Any communication can be compromised via any participant regardless of medium or protocol.
Not a big surprise. Being secure against the FBI (not to mention NSA) is really hard, even for a technical person.

If you want to be secure against a possible prosecution you really need to hire an expert to setup your devices and teach you how to use them securely. And you also need to think about physical security.

Indeed mostly we encrypt phones, laptops, disks, etc. to protect in case of theft.
(comment deleted)
Article does not follow from headline.

"It’s unclear if the FBI actually broke through any layers of encryption to get the data. It’s possible that Cohen, who apparently at times taped conversations, stored the conversation logs in a less-than-secure way."

I wanted to post that exact quote as a TL;DR for the article.

We can consider the article a reminder that secure communication tools are not enough for full privacy. One also needs a privacy aware behavior to take advantage of such tools: don't record/backup these conversations, delete the history from your app, have strong passwords, etc.

Of course it follows.

"Secure communications app" != "Secure communications"

Protecting data in transit vs data at rest. Classic.

Reminds me of.. « Yes your database was encrypted but the key was stored in a file on the server adjacent. »