That encryption is not impenetrable, however, and the Google Threat Intelligence Group warned just last month of “increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia’s intelligence services.”
This is somewhat disingenuous. Signal can’t be directly cracked. Only access to the phone directly or via mirroring can expose it. The article somewhat explains this.
I am in no way whatsoever excusing the actions of these douche-chalupas. I prefer accuracy in my reporting, though. That said, Witkoff in Russia may as well have been a direct line to Putin.
This seems a bit too nitpicky tbh.
The author is correct, Signal is not “perfect”, because the weakest link is always the endpoint device and the end user. Which is kind of the whole point of this article; The issue is not that Signal was used, as it’s reasonably secure, it’s that the people using it are not secure at all.
Oh, I’m definitely picking nits. I agree and said as much in my last comment. But the way the article presented it made it feel like there is a clear and present danger from Chinese and Russian threat actors against the protocol.
Right, those shouldn’t be conflated (the protocols vs the phone/persons security properties).I think anyone actively targeted by a major govt power is probably fucked though. Pegasus has taught us that, so while signal is probably a pretty secure protocol, phones definitely have a lot of vulnerabilities.
OK, my time to pick nits: There is a clear and present threat. China, Russia and certainly the US as well have teams of cryptographers looking at software such as Signal and analysing every update and change made in order to spot potential openings. The threat towards Signal however is comparatively small because there are tens if not hundreds of times as many people checking the code as well and reporting back to Signal because of its Open-source nature.
That’s exactly my point. I work in security, specifically versus threat actors. I don’t typically deal with State actors, but on occasion I do. Those are the real problem.
You’re writing the concerns, suggestions, and warnings I would give.
As far as I’m aware the encryption can’t really be broken given the current amount of compute. Is anyone aware of what potential vulnerabilities there could be to the Signal protocol outside of brute forcing? How hard is it to crack a private public key exchange?
One of the biggest issues is they can be recorded and potentially decrypted in the future once quantum computing attacks become feasible. At the moment, the cryptography in Signal (or similar) has no known vulnerabilities that would make it vulnerable to practical attacks given reasonable assumptions about the technology that exists in the world at the moment.
And this is very much not limited just to signal. No matter what software, protocol or any other way you use to communicate, both you and the receiving entity/entities are the weakest link by a long shot. I don’t expect even my closest friends to hold our everyday conversations secret if for whatever reason their wellbeing was threated in any way. And even if I did there’s always other options, like targeted social engineering, to get trough pretty much any reasonable safety concerns on digital communication.
Of course in everyday life if our chat histories were publicly available it would not be too big of an issue, but it’s still something worth keeping on mind when interacting over any digital or any other written medium.
Given the rest of their behavior I’m seeing that chat member leaning across the lunch table towards Putin’s secretary, holding out his phone: “hey look, we’re just about to bomb Yemen!”
But it isn’t that hard to create a signal account with the name of someone high in the US ranks and send a request to these people. They are too dumb to actually validate the key of the person.
Encryption can’t handle when the encrypt with a foe’s key and send that for the message.
This is somewhat disingenuous. Signal can’t be directly cracked. Only access to the phone directly or via mirroring can expose it. The article somewhat explains this.
I am in no way whatsoever excusing the actions of these douche-chalupas. I prefer accuracy in my reporting, though. That said, Witkoff in Russia may as well have been a direct line to Putin.
The most uncrackable encryption can be defeated by Steven Witkoff sitting on Putin’s lap while reading the messages.
Bingo, comrade.
I think it’s disingenuous to try to suggest that communists have anything to do with it. It’s purely an oligarchical shithole.
Putin was KGB. The fact that the sleeper argent Krasnov awoke 38 years after his recruitment is testament to the Soviet program’s effectiveness.
This seems a bit too nitpicky tbh.
The author is correct, Signal is not “perfect”, because the weakest link is always the endpoint device and the end user. Which is kind of the whole point of this article; The issue is not that Signal was used, as it’s reasonably secure, it’s that the people using it are not secure at all.
Oh, I’m definitely picking nits. I agree and said as much in my last comment. But the way the article presented it made it feel like there is a clear and present danger from Chinese and Russian threat actors against the protocol.
Right, those shouldn’t be conflated (the protocols vs the phone/persons security properties).I think anyone actively targeted by a major govt power is probably fucked though. Pegasus has taught us that, so while signal is probably a pretty secure protocol, phones definitely have a lot of vulnerabilities.
Indeed. So are digital hygiene practices.
OK, my time to pick nits: There is a clear and present threat. China, Russia and certainly the US as well have teams of cryptographers looking at software such as Signal and analysing every update and change made in order to spot potential openings. The threat towards Signal however is comparatively small because there are tens if not hundreds of times as many people checking the code as well and reporting back to Signal because of its Open-source nature.
That’s exactly my point. I work in security, specifically versus threat actors. I don’t typically deal with State actors, but on occasion I do. Those are the real problem.
You’re writing the concerns, suggestions, and warnings I would give.
As far as I’m aware the encryption can’t really be broken given the current amount of compute. Is anyone aware of what potential vulnerabilities there could be to the Signal protocol outside of brute forcing? How hard is it to crack a private public key exchange?
One of the biggest issues is they can be recorded and potentially decrypted in the future once quantum computing attacks become feasible. At the moment, the cryptography in Signal (or similar) has no known vulnerabilities that would make it vulnerable to practical attacks given reasonable assumptions about the technology that exists in the world at the moment.
And this is very much not limited just to signal. No matter what software, protocol or any other way you use to communicate, both you and the receiving entity/entities are the weakest link by a long shot. I don’t expect even my closest friends to hold our everyday conversations secret if for whatever reason their wellbeing was threated in any way. And even if I did there’s always other options, like targeted social engineering, to get trough pretty much any reasonable safety concerns on digital communication.
Of course in everyday life if our chat histories were publicly available it would not be too big of an issue, but it’s still something worth keeping on mind when interacting over any digital or any other written medium.
Given the rest of their behavior I’m seeing that chat member leaning across the lunch table towards Putin’s secretary, holding out his phone: “hey look, we’re just about to bomb Yemen!”
Was Mr Putin over his shoulder at the crucial moment, or just a state-run high-def camera?
почему не оба?
But it isn’t that hard to create a signal account with the name of someone high in the US ranks and send a request to these people. They are too dumb to actually validate the key of the person.
Encryption can’t handle when the encrypt with a foe’s key and send that for the message.