Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Alternative link (to web archive):

2 Likes

Here’s a non-GOOGLE source: https://www.securityweek.com/how-russian-hackers-are-exploiting-signals-linked-devices-for-real-time-spying/

1 Like

I don’t put much faith in anything any govt says about any govt that that govt is estranged with. How does France get its spied upon material, or Britain, or…

And how can it be “secretly” if the world knows about it? What, the Russians won’t find out the rest of the world knows their “secret”?

There are THREE sides to every story. For example, there is Russia’s side of the story, there is the U.S. side and somewhere in the middle is the truth.

And, how long has America known this secret? And if they know how the Russians are operating, then it shouldn’t be very hard for the West’s best of MIT to deal with Russia’s ‘them’. I’m confident the US is much better at quietly and surreptitiously sniffing out other nations’ ‘secrets’.

The tale does throw a crimp in my faith in encryption. But then again, I don’t click to invite myself to give away my identity.

I think if “bad actors” want to do things on the QT, using snail mail - well, who looks at that any more? :rofl: And, hide it in plain sight.

Just postulating s’all,
~s
The Girl: It’s not that I have something to hide. I have nothing I want you to see.

2 Likes

This is good to know. Signal’s cooperation with GTIG in investigating this matter as well as the extent to which the attacks are tailored to their targets gives me confidence that Signal handles security issues in a responsible manner, increasing my trust in the software. This does nothing to diminish my responsibility as a user to treat incoming information with skepticism and take care when using my device.

3 Likes

I guess the Kremlin resents being locked out of the honeypot :joy:

1 Like

By looking at the examples of spoofed graphical interfaces in the post, I am not sure whether natural caution would save me in a real world situation. QR codes and URLs are convenient, but they tend to be opaque. On the one hand, signal.org is not the only domain on which Signal services operate. On the other hand, keeping everything under a single domain is a bad idea as we know. So, one needs to keep track of the domains somehow and to check QR code contents.

Software design may help users to avoid some scenarios of social engineering. I guess that some subtle changes to how the links are processed by the application will help to improve the situation, but I do not know. The project’s collaboration with the researchers is definitely a good sign!

2 Likes

The word “secretly” in this report was used in the context of researchers analysing fraud activities. So, I interpret the word to mean that the user of Signal failed or was supposed to fail to realise that he was authorising another phone (or some other “device” used as a phone substitute) to use his Signal account, including reading his Signal chat history. It looks like the SecurityWeek journalists were trying too hard in their word choice to simplify the report for the general audience.

1 Like

I don’t know if there are any real “journalists” left, but I see too much tabloid style journalism, and it irks my ire to read ‘best kept secret’ or ‘secrets no one knew about (insert crying celebrity here)’.

Interesting story though.
~s

2 Likes

I agree completely. As another example, the fact that QR codes can do so many different things makes social engineering attacks easier; if they were restricted to a subset of actions that are “safer”, or adding something like a second factor for more dangerous actions, the attacks would be less effective.

I felt the need to explicitly make that remark because I have seen too many cases where someone has unreasonable expectations about their software, expecting it to make it impossible for them to make a mistake while still being functional. I wanted to distance myself from that archetype.

It’s similar to the frustration I have when people discuss carbon output: consumers want to say that all of the problems are supply side, producers want to say that all of the problems are demand side. Consumers and producers are in a relationship with each other; both are responsible for the outcomes of that relationship even though neither has full control over those outcomes.

2 Likes