inor0gu
No user record in our sample, but inor0gu has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
No user record in our sample, but inor0gu has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
> government actor can intercept the text message Signal and others use for verification and set up the victims account on a new device Yes, but if they only control the phone number, you they will register a new…
Revocation of trust is always a tricky issue, you can look at TLS certificates to see what a can of worms that is. The Signal server does not forward messages to your devices, and the list of devices someone has…
About the paper: if someone has gotten access to your identity (private) key, you are compromised, either with their attack (adding a linked device) or just getting MitM'ed and all messages decrypted. The attacker won.…
> latest and shittiest marketing lingo It exists since Android 6: https://developer.android.com/reference/com/google/android/m... Informative banner that does not require user interaction to dismiss.
I don't think they are insane, they are quite useful when designing security mechanisms, while at the same time being utter noise for the end-user benefiting from that system. > If you're building a chip to generate…
You will always have to root your trust in something, assuming you cannot control the entire pipeline from the sand that becomes the CPU silicone, through the OS and all the way to how packets are forwarded from you to…
Probably not, in any normal case a secondary device shouldn't have that kind of authority to dictate. It is more concerning if the toggle is on by default and then you carelessly press next (on this or some other kind…
Would probably lead to notification fatigue. Showing a big snackbar when a new device is added is probably enough, especially if the app can detect there was no "action" on your phone that triggered it. Key…
Unrelated most likely, signal.me is a legitimate domain used by Signal. Doubt twitter is so on top of Threat Analysis when they fumbled their own redirects from twitter.com to x.com for a while.
Signal doesn't collect that data, but you have no reason to trust me on it. Look at what data they can provide to governments when compelled by law: https://signal.org/bigbrother/
you also send them your contacts in plaintext so you can find who's also on WhatsApp; signal doesn't
Unrelated most likely, signal.me is a legitimate domain used by Signal. Doubt twitter is so on top of Threat Analysis when they fumbled their own redirects from twitter.com to x.com for a while.
I would also read it from another perspective. Attackers, especially at the level of nation states, will always try to get as many avenues for achieving their goals as possible. If you have compromised a service, it…
Your phone (primary device) and the linked ones have to share the IK since that is the "root of trust" for you account: with that you generate new device keys, renew them and so on. Those keys are backed by Keystore on…
That's not what the attack does tho - they have access to your private key so they can complete the linking protocol without your phone and add as many devices as they want (up to the allowed limit). If you add a bad…
The attack in that paper assumes you have compromised the user's long term private identity key (IK) which is used to derive all the other keys in the signal protocol. Outside of lab settings, the only way to do that…