Comment by rurp
8 months ago
I agree with all of this, my only quibble is that I would bet there have already been costs associated with this idiocy. Hostile powers knew going in that this would be an incompetently run administration and I'm sure they were looking at gaining access to personal devices out of the gate. It's possible that a great many highly sensitive conversations have already been read by adversaries. I also expect that similar sloppiness like adding the wrong person to a Signal chat has already happened without being reported on.
Yes, this was one of the main points on infosec Mastodon today. While everyone is aware enough to be concerned with encryption over the wire, it's the endpoints that matter. Personal Android devices capable of running Signal are going to be some of the easiest to compromise for a sufficiently motivated attacker. I've seen n00b cops do it for drug gangs here. There's no question that Russia, China, et al. can do it just as well, and we have as good as confirmation that that's what's going on in at least Tulsi Gabbard's case.
Exactly. Signal on Android uses your phone PIN, for some insane reason.
> Signal on Android uses your phone PIN, for some insane reason.
The reason is simple: 95% of people would just set up the same PIN anyway.
In unrelated news: Password reuse is rampant: nearly half of observed user logins are compromised
https://blog.cloudflare.com/password-reuse-rampant-half-user...
It can be set differently.
I suspect we won't know the true damage until all these people are gone, kind of like how Apollo 13 didn't know the true damage to the service module until they jettisoned it.