Since Anom, we need a new word than “honeypot”. The next secure messenger will not be created by these types. But many will be incrementally marketed, and each campaign will succeed in reaching a new batch of near-hit recruits.
This is why signal’s encrypted phone number lookup system is so cool. The server uses a bitwise xor when querying for numbers using hardware encrypted ram. The result is that even if you’re examining the machine at the most basic levels you can’t tell the difference between a negative or positive hit for the phone number unless you’re the phone requesting the api.
Obviously ratelimiting is a separate and important issue in api management.
The thing about building secure systems is that there are a lot of edges to cover.
Such a nice design on server-side.. and yet on the client side, it uses system address book - something that Google backs up on the server, and many carriers back up too, and many apps (like Whatsapp) save it too.
"Hey, _we_ don't store your contacts, we are good! Instead you have to manage them yourself, and in process share your presumably "secure" Signal contact list with Apple, Google, Facebook phone carriers and everyone else. But it's not on our servers, so we don't care"
Feels a little like clickbait "MAGA-themed", never heard of Converso.
That said, the analysis itself is interesting and worth a look, if nothing else it's a general pattern you can follow for many chat applications to see how secure it is.
When something is "super secure" you know it's full of holes. It's right up there with "impossible to hack" and "military grade" aka lowest cost bidder.
Yup. As the guy who put together the most secure FOSS messaging system*, it's not "impossible to hack". It's a caveat ridden, inconvenient to use, tedious to setup, hardware-isolated, multinode application, with long must-read documentation, and that requires experience with electronics and soldering.
I stumbled upon a GOP jobs board a year ago that stored submitted job applications in the same search index as the job listings themselves, so all you had to do was search "bob" and find a bunch of resumes and application answers for people who had applied, I couldn't believe it.
It's crazy how many security vulnerabilities are just people pinging http endpoints in ways they didn't expect. You would think in order to "hack" a system in 2025 you would need to be doing some crazy computer science wizardry but it really is just lazy engineers. Like how do you ship an API and have no rate-limiting. It literally takes a line to implement in Nginx.
I once went to a B-Sides talk of a person that paid off their mortgage via API related bounties - you wouldve confused their presentation with a Postman 101 video if you were only half listening.
Why in the world would any sane person utilize such an app, knowing what kind of people will be "at the other end" of communication, and what topics would be discussed, even if the most secure piece of software ever developed?
It appears that one of the most central aspects of MAGA is a postmodernist rejection of the very existence of expertise- except, ironically, in the art of grifting itself because they see “recognized experts” in any field as just very successful grifters. Hence replacing competent government employees at every level with incompetent employees. It would track that technology developed for and by the MAGA community is developed with the same philosophy. Anyone planning to buy the Trump phone?
This is the same thing that sent weev to jail when he and JB did it against AT&T to determine the email addresses (instead of PINs) of every iPad 3G user.
I'm curious why a Canadian is so hell bent on causing more division in America by embedding his political views in an otherwise decent vulnerability analysis.
He makes it sound he's on some sort of a mission...like the users of the messaging app ( which I have never heard of before until today ) should face some sort of backlash for their own political views opposite of him....which is amusing to say the least as Canadians seem to have permanently marked conservatives, not just in their own country but all over the world as "MAGA".
also I'd appreciate if we can keep politics out which just detracts focus on technical end of things
This is an app specifically built for a specific political group, a group that is wreaking havoc on our science and technology. "MAGA" has become the go-to term for a global movement, because there is a global alt-right movement to undo progress and dominate others into their world view.
It's going to be a part of HN like it was the first go around. Being apolitical is how political groups like this come to power.
49 comments
[ 2.9 ms ] story [ 67.8 ms ] threadA sentence clipped from a point a little past the introduction, but catchy nevertheless.
I suspect there will be more than "tens of readers" shortly.
Obviously ratelimiting is a separate and important issue in api management.
The thing about building secure systems is that there are a lot of edges to cover.
"Hey, _we_ don't store your contacts, we are good! Instead you have to manage them yourself, and in process share your presumably "secure" Signal contact list with Apple, Google, Facebook phone carriers and everyone else. But it's not on our servers, so we don't care"
> Neither of us had prior experience developing mobile apps, but we thought, “Hey, we’re both smart. This shouldn’t be too difficult.”
I think, 40 years from now when we're writing about this last decade or so of software development, this quote is going to sum it all up.
Have they?
I'd only have 20 cents, which I guess is good. But I'm sure there's more I'm forgetting.
Related:
[1] https://news.ycombinator.com/item?id=44684373
[2] https://news.ycombinator.com/item?id=43964937
[3] https://news.ycombinator.com/item?id=45985036
That said, the analysis itself is interesting and worth a look, if nothing else it's a general pattern you can follow for many chat applications to see how secure it is.
* github.com/maqp/tfc
It may not be pertinent to the subject, but clearly I have found a kindred spirit in this author.
The website doesn't really spark any confidence.
Never heard of it and I'd be surprised if they have more than 100 users.
Never heard of the wrench technique? It's always gonna work out great. Way cheaper and easier than "wizardy" too.
He makes it sound he's on some sort of a mission...like the users of the messaging app ( which I have never heard of before until today ) should face some sort of backlash for their own political views opposite of him....which is amusing to say the least as Canadians seem to have permanently marked conservatives, not just in their own country but all over the world as "MAGA".
also I'd appreciate if we can keep politics out which just detracts focus on technical end of things
This is an app specifically built for a specific political group, a group that is wreaking havoc on our science and technology. "MAGA" has become the go-to term for a global movement, because there is a global alt-right movement to undo progress and dominate others into their world view.
It's going to be a part of HN like it was the first go around. Being apolitical is how political groups like this come to power.