zlacker

[return to "Signal app downloads spike as US protesters seek message encryption"]
1. AnonC+ul[view] [source] 2020-06-05 06:17:12
>>pera+(OP)
The biggest drawback with Signal for protesters is that it exposes the user's phone number to everyone else in groups (just like WhatsApp does). There is no way to even hide the fact that you have an account on Signal. I can add phone numbers by enumeration into my contacts and Signal will show who among my contacts is on it. If the authorities don't use tactics like they did in Hong Kong, the protesters may be safe from being spied on (or worse).
◧◩
2. goneho+gn[view] [source] 2020-06-05 06:36:45
>>AnonC+ul
This tradeoff is arguably a good thing.

By using phone numbers as IDs signal can rely on your phone's local contacts (meaning they don't have to send your social graph to their servers). This way they can keep very little metadata on you.

There's pretty much nothing for them to turn over except the fact that your phone number has the signal app.

Most of the other secure apps could turn over your entire contact list (which could be damaging for people in a protest that are being targeted).

Confirming a single phone number has the app is not nearly as big of a deal (I'd argue it doesn't matter at all).

◧◩◪
3. Legogr+vo[view] [source] 2020-06-05 06:50:42
>>goneho+gn
I've lost track of the number of times I've had this conversation but here we go:

There's nothing inherent in phone numbers here. Both iOS and Android also allows you to add e-mail addresses (and other identifiers) to your local contacts. I'm yet to hear an argument as to why e-mail addresses or other identifiers can't be used in addition to phone numbers, or why it would be a complicating factor.

◧◩◪◨
4. goneho+rp[view] [source] 2020-06-05 06:59:49
>>Legogr+vo
My guess would be that phone numbers are guaranteed to be unique IDs that (almost) every phone will have which simplifies things and reduces the risk of someone impersonating someone else.

I think they are working on non-phone number IDs though (Moxie was in an earlier signal thread on HN recently and mentioned it).

◧◩◪◨⬒
5. HenryB+Uq[view] [source] 2020-06-05 07:22:34
>>goneho+rp
In that spirit, emails (when discovered on a device) are also unique IDs. Even if someone's email is The-Dog@someprovider_dot_com authorities can still track that this mailbox was accessed by IP x.x.x.x and this IP is provided to phone number 555-12345 which belongs to Henry Bemis.

It will take the authorities a bit more time (i.e. someone throws away their burner phone and authorities hack it)(with the assumption that phone numbers/SIM activations are provided using valid ID as it happens in many countries).

◧◩◪◨⬒⬓
6. fsflov+Vy[view] [source] 2020-06-05 08:54:16
>>HenryB+Uq
You can access email only through Tor and they will never know your real IP.
◧◩◪◨⬒⬓⬔
7. nix23+4U[view] [source] 2020-06-05 12:30:02
>>fsflov+Vy
Wrong...they probably don't know your IP..but a agency that has global surveillance in place, can find your source IP quite easy.
◧◩◪◨⬒⬓⬔⧯
8. fsflov+h21[view] [source] 2020-06-05 13:27:57
>>nix23+4U
All typical attacks on Tor are known for many years already. If you follow the advises from the Tor website, it will be very hard (nearly impossible) to find you. What do you mean by "quite easy"?
◧◩◪◨⬒⬓⬔⧯▣
9. nix23+E31[view] [source] 2020-06-05 13:35:00
>>fsflov+h21
By quite easy i mean, when you have global surveillance in place. All tor-nodes are public all tor-exits are public, if your system can track connections from one node to another node and then the exit-node everything is clear.

https://en.wikipedia.org/wiki/Global_surveillance#Infiltrati...

Edit: And that from netzpolitik (highly trusted german source) under 'A global passive adversary' that's the interesting part: https://netzpolitik.org/2017/secret-documents-reveal-german-...

◧◩◪◨⬒⬓⬔⧯▣▦
10. fsflov+nd1[view] [source] 2020-06-05 14:25:58
>>nix23+E31
It is enough to have at least a few independent relays to cover the trace. Everyone who can should be running a relay node at home I guess. Also we generally need more participants in Tor of course.

There is also I2P network, which is even harder to break (unless someone owns practically all nodes there).

◧◩◪◨⬒⬓⬔⧯▣▦▧
11. nix23+ai1[view] [source] 2020-06-05 14:52:18
>>fsflov+nd1
Well i run a node (not exit) and yes it's better then nothing, but to fully trust Tor is a big nono, i said nothing else. Protections from private company or country's yes..but protection from GCHQ/NSA probably not.

And no you can trace it thru the ISP's, the problem is the latency, Connection from here to there in that millisecond trace one...and so on.

◧◩◪◨⬒⬓⬔⧯▣▦▧▨
12. fsflov+Ri1[view] [source] 2020-06-05 14:56:01
>>nix23+ai1
If you are speaking about the timing attack, then you should consider I2P. It makes them significantly harder. In general, I agree that if your enemy is NSA, you can do very little. But you can make their life harder, and you should.
[go to top]