If you are using Signal, and you are doing something the government considers illegal, the way they are going to read your messages about it is they will arrest the person you sent the messages *to*, and make your counterparty show them the logs. We know this because this technique came up again and again in, for example, the Jan. 6 court filings.
There may, hypothetically, be other Signal exploits available to a government, but this is the one they will use, because it works.
Kiloku - Secretário do Caos
in reply to mcc • • •
The best way to avoid this is to use "Disappearing Messages", which makes messages you send auto-delete after a set period of time, even on the receiving end.
Edit: important to note that the timer starts to count down for each recipient independently when they read it. Meaning if the recipient's device was compromised before they read your message, the message is compromised no matter how short the timer was.
Irenes (many)
in reply to mcc • • •
Hugo Mills
in reply to mcc • • •
amy
in reply to mcc • • •
Tinker
in reply to amy • • •
amy
in reply to Tinker • • •
mcc
in reply to amy • • •
Tinker
in reply to amy • • •
@amy - So you can set disappearing messages for different time periods AND at different areas. So you might not have any disappearing messages normally... then if you want to talk about something sensitive but let them refer to it for a past week, you set it to a week. It will then BEGIN to disappear messages from that point forward for a week. But then maybe you want to say something really sensitive and have it disappear in an hour. Change the setting.
That gets a little cumbersome... but if you're on top of it, you're solid.
CautionWIP (he/him)
in reply to amy • • •
Technology preview: Sealed sender for Signal
Signal Messenger
PursuitOfElysia
in reply to CautionWIP (he/him) • • •
mcc
in reply to mcc • • •
Please be very clear I am not saying not to use Signal, or saying that using Signal is pointless; I am describing a threat model which you should be aware of when using the application.
( This said I'd also recommend turning off "Apple Intelligence". And also discontinuing use of any device, application, or operating system which has the capability to interoperate with "Apple Intelligence", "ChatGPT" or "Copilot".
theverge.com/24340563/apple-in… )
How to turn off Apple Intelligence on your iPhone
David Nield (The Verge)
mcc
in reply to mcc • • •
Several people have replied to this to point out Signal has this feature. support.signal.org/hc/en-us/ar…
Note this will not protect against situations such as:
- People screenshotting the message for some reason
- People reading the message, then testifying they remember reading it
- A large group chat containing one or more FBI agents, who screenshot, copy and/or take contemporaneous notes preserving the content of the message
margot
in reply to mcc • • •
margot
in reply to margot • • •
mcc
in reply to margot • • •
DirtWood
in reply to mcc • • •
Waps
in reply to mcc • • •
GutterPoetry
in reply to margot • • •
Next thing will be the thought police, the way things are going
Sashin
in reply to mcc • • •
Irenes (many)
in reply to Sashin • • •
the FBI's job is to keep track of political activity, of all kinds. for this purpose it does not matter whether the activity is legal, and there are numerous stories over the years where it was... if agents do not attempt to infiltrate group chats in which activists congregate, the FBI is neglecting its duties.
so, like, don't discount the possibility when you plan, is what we're saying.
mcc
in reply to Sashin • • •
mike805
in reply to mcc • • •
They infiltrate all social change groups. The Far Right flag and mask groups are about half undercover cops and half idiots. The idiots are routinely egged on to do something dumb like saw off a shotgun so they can be prosecuted. This is how you get promoted in Fed land.
The guy calling for more action, violence, and lawbreaking, is a cop every time.
Paid informants are common. The informants routinely steal money from the group, because they know they are immune to prosecution.
Steve Holden
in reply to mcc • • •
mcc
in reply to Steve Holden • • •
maybit
in reply to mcc • • •
I have an issue with your approach, which basically is steeping fear.
And fear causes inaction
Here, you did:
(1) share content that causes fear without showing the obvious mitigation
(2) once a mitigation was offered, you re-share it *but* immediately point out its flaws
It is alright, and legitimate to be afraid, and feel free to express that
One step better is: try to research mitigations, in order to avoid pushing your fellow activists to inaction, and take care of them ❤️
mcc
in reply to maybit • • •
Luci Callous Thumb
in reply to mcc • • •
mcc
in reply to Luci Callous Thumb • • •
craccerror
in reply to mcc • • •
mcc
in reply to craccerror • • •
@12_XU @bri_seven Tried to reply to this and got "500" errors ugh. Trying again
See replies to this thread.
mastodon.social/@mcc/113884671…
Infosec mastodon seems very unimpressed with Session. They have diverged from Signal significantly in a slapdash way.
People seem to have positive things to say about Briar and Simplex, and nobody I have seen has said anything bad about them. But I'm not qualified to evaluate them. The reason I trust Signal is people qualified to evaluate it speak highly of it.
mcc
in reply to mcc • • •
Orca
in reply to mcc • • •
mcc
in reply to Orca • • •
Luna Lactea
in reply to mcc • • •
@12_XU @bri_seven Matrix has some bad cryptography too. It uses what's basically a toy encryption library with some big security issues that's only meant for learning & demonstration purposes & the Matrix Foundation refuses to fix it.
Also Session depends on a cryptocurrency to work, so if the security of messages isn't an issue, the stability of the network is. Anyone with money could buy all of the tokens & begin refusing to route messages, which destroys the network.
CautionWIP (he/him)
in reply to mcc • • •
mcc
in reply to CautionWIP (he/him) • • •
milas
in reply to mcc • • •
Google-ified Android also has a rather nebulous "Let Google Assistant learn from this app" toggle 9to5google.com/2021/05/13/goog…
It's not clear to me that they're currently using this similarly to how Apple Intelligence works, but "a more personalized experience" and zero docs that I can find on Google's site don't inspire much confidence
And despite the article being from 2021, I can confirm it's still there on an up-to-date Pixel device
Google Assistant adds “Your apps” settings menu for Android
Abner Li (9to5Google)
mcc
in reply to milas • • •
linear cannon
in reply to mcc • • •
FreediverX
in reply to mcc • • •
And there will never be an easier time to turn it off than now, while it’s still mostly a useless gimmick and not some essential tech feature we can’t live without.
But judging from the blasé attitude amongst most of my friends and coworkers about the ongoing coup in America, I suspect this message won’t reach beyond a community of tech nerds and activists.
Luna Lactea
in reply to mcc • • •
schrotthaufen
in reply to mcc • • •
mcc
in reply to schrotthaufen • • •
gkrnours
ch0ccyra1n is leaving fedi soon
in reply to mcc • • •
Karel P Kerezman
in reply to mcc • • •
Yeah, I'm also seeing a lot of reminders going out that Signal is a *message privacy* app, not an *anonymity* app.
Like, Signal is very good! But it's not a be-all/end-all "this will fix it so I can say whatever I want without consequences" thing.
Brandon Jones
in reply to mcc • • •
Security
xkcd
mcc
in reply to Brandon Jones • • •
Anthony Sorace
in reply to mcc • • •
@tojiro “a subpoena is homomorphic to a wrench.”
Also, people are over-confident nobody will hit them with a wrench.
mcc
in reply to Anthony Sorace • • •
LisPi
in reply to mcc • • •
If they're willing to go for abductions and torture, one was never getting out of it anyway and the only remaining option is to self-terminate.
Too few people consider this implication of the issue, or the further implications when secrets are shared rather than ostensibly private.
mcc
in reply to LisPi • • •
- Arresting you
- Using non-torture forms of pressure to induce you to cooperate with an investigation.
Ursidinoj/The Bjornsdottirs
in reply to mcc • • •
Andres
in reply to Brandon Jones • • •
@tojiro (regarding the alt text on there:)
It's one wrench, Michael. What could it cost, $5?
SpaceLifeForm
in reply to mcc • • •
Because there is metadata.
Obligatory:
xkcd.com/538/
Security
xkcd
Mark T. Tomczak
in reply to mcc • • •
zetabeta
in reply to mcc • • •
how the goveRRnment got the logs?
being in signal forums. signal servers keep very little metadata. i don't think that signal servers have appropriate logs.
mcc
in reply to zetabeta • • •
zetabeta
in reply to mcc • • •
well assuming this. then the messages are also on the phone. why going after receiver?
although, i wouldn't be surprised that current governments want to penalize everyone involved, not just sender.
ZAC
in reply to mcc • • •
mcc
in reply to ZAC • • •
Fat_Farang
in reply to mcc • • •
mcc
in reply to Fat_Farang • • •
v̾i̾t̾r̾i̾o̾l̾i̾x̾
in reply to mcc • • •
blue_thistle37
in reply to mcc • • •
mcc
in reply to blue_thistle37 • • •
@Blue_thistle37 there is a follow up post on this thread. mastodon.social/@mcc/113964973…
Moreover, Signal is a good way to keep your communications private.
mcc
2025-02-07 22:31:37
mcc
in reply to mcc • • •
@Blue_thistle37 If your threat model does not involve the people you are chatting with being subpoenaed… then your threat model does not involve the people you're chatting with being subpoenaed. And most people never get subpoenaed.
However also never use an "AI" product.
Sam Bowne
in reply to mcc • • •
Hobson Lane
in reply to mcc • • •
@AE4WX
mcc
in reply to Hobson Lane • • •
Mike Fraser
in reply to mcc • • •
mcc
in reply to Mike Fraser • • •
Nemo
in reply to mcc • • •
mcc
in reply to Nemo • • •
zl2tod
in reply to mcc • • •
Fonant
in reply to mcc • • •
How about a Tor-like message system using Signal and a few trusted friends (ideally in different countries)?
Alice sends her message to Bob, who sends it a little later to Charlie, who sends it a little later to Derek.
The message timing logs still exist, but several people would need to be arrested to show Alice's message was sent to Derek.
FreediverX
Unknown parent • • •
While I wouldn’t be shocked to learn some companies like Google, Microsoft, and Facebook are already planning such nefarious uses, I believe the main reason behind the heavy push for AI is the desperate need to prolong the tech sector economic bubble.
Silicon Valley ran out of product ideas a few years ago, so they’ve been relying on hype to push “the metaverse”, then “crypto”, and now “AI”.
Leen Kievit
in reply to mcc • • •
mcc
in reply to Leen Kievit • • •
@lnkvt Yes, but I don't think you should use those other messaging apps, so it becomes advice about Signal.
(Matrix and WhatsApp are probably fine, on the encryption front at least.)
The Sleight Doctor
in reply to mcc • • •
One item missing from all "opsec for activists"-type guides I've read, is how to irreparably destroy a phone handset to make it immune to forensics.
I've recently been pondering what I'd do if authorities were closing in. Assuming I had time (which is of course an unsafe assumption), I'd want to sabotage my own tech.
mcc
in reply to The Sleight Doctor • • •
@ApostateEnglishman Please don't make decisions on this advice without doing further research, but a phone factory reset is likely to be *entirely adequate* protection against forensics, especially if you are using disk encryption.
Try to guess which adversaries you are likely to actually face.
Martin McWhorter
in reply to mcc • • •
mcc
in reply to Martin McWhorter • • •
mcc
Unknown parent • • •
@lindarosesmit Do you mean Element?
As far as I know, Element is as good as Signal on the encryption front. I believe it does not have Signal's disappearing messages and it may be harder to intentionally remove messages from a server. I am not the person to ask.
mcc
Unknown parent • • •
rakoo
in reply to mcc • • •
@lindarosesmit
cage
in reply to mcc • • •
> […] they will arrest the person you sent the messages *to*, and make your counterparty show them the logs.
So, if it works on court, this seems to me – ironically – the best counterargument for any actions that promotes the mandatory installing of backdoor in software.
Bye!
C.
DG1JAN
in reply to mcc • • •
Security
xkcd
J$
in reply to mcc • • •
Yes, $5 wrench attacks work against all cryptography.
One obstacle, when targeting you by pressuring correspondents into submitting data is determining and finding these. That information is not available by sigint, and obtaining it requires a potentially substantial socint effort.