Comment by heavyset_go

17 hours ago

This is one of the reasons it's crucial that the next set of secure messaging systems does away with tying real phone numbers to accounts.

One phone gets compromised and the whole network is identified with their phone numbers.

I haven't tried it, but Signal supports not sharing your phone number/just communicating with usernames: https://signal.org/blog/phone-number-privacy-usernames/

You still need to use your phone number to sign up, though.

  • > You still need to use your phone number to sign up, though.

    Which defeats the whole point. What if the FBI politely asks Signal about a phone number?

    • All they'd learn that way is that that phone number has a Signal account, when it was registered, and when it was last active. In other words, it doesn't tell them whether it's part of a given Signal group. (See https://signal.org/bigbrother/.)

    • I might be misremembering or mixing memories, but I remember something about them only storing the hash of the number.

      So the FBI can't ask what phone number is tied to an account, but if a specific phone number was tied to the specific account? (As in, Signal gets the number, runs it through their hash algorithm and compares that hash to the saved one.)

      But my memory is very, very bad, so like I said, I might be wrong.


If the Signal Messaging LLC is compromised, then "updates", e.g., spyware, can be remotely installed on every Signal user's computer, assuming every Signal user allows "automatic updates". I don't think Signal has a setting to turn off updates.

Not only does one have to worry about other Signal users being compromised, one also has to worry about a third party being compromised: the Signal Messaging LLC.

Hiding your phone number is a setting now. Has been for well over a year.

  • You can't sign up without one, and it being an option means people who are in danger won't do it.

    Also, if someone's phone is confiscated, and you're in their Signal chats and their address book, it doesn't matter if you're hiding your number on Signal.

    It's better to just not require such identifying information at all.

    • That's true for any system where you have contacts linked. Same thing happens when you have names and avatars.

      If you don't want to link your contacts... don't link your contacts...

      But this doesn't have the result that the GP claimed. The whole network doesn't unravel because in big groups like these one number doesn't have all the other contacts in their system.

      For people that need it:

        | Settings 
        |- Chat
        | |- Share Contacts with iOS/Android <--- (Turn off)
        |- Privacy
        | |- Phone Number
        | | |- Who Can See My Number
        | | | |- Everybody
        | | | |- Nobody <----
        | | |- Who Can Find Me By Number
        | | | |- Everybody
        | | | |- Nobody <----
        | |- App Security
        | | |- Hide Screen in App Switcher <---- Turn on
        | | |- Screen Lock <---- Turn on
        | |- Advanced
        | | |- Always Relay Calls <-----
      

      If you are extra concerned, turn on disappearing messages. This is highly suggested for any group chats like the ones being discussed. You should also disable read receipts and typing indicators.

      Some of these settings are already set, btw.


Using any mobile phone connected to a mobile network is a breach of OPSEC, period. Even more so in countries where you cannot get an anonymous SIM card.

Not using phone numbers in a chat app doesn't protect you against someone locating you.

When a phone is turned on, even without a SIM, your location is saved, in inches. Thanks to 5G.

And some phones turn themselves on automatically, lol.

Using laptop (without any wifi card) -> Wifi card (rotating fake MAC) -> wifi network/LTE modem with IMEI spoofing

Physical keys are the real path. Sign every message with your Yubikey.

  • Same with internet trolls: make it possible to authenticate privately to social media platforms and the bots would disappear!

    • Bots can authenticate just as well as human users. Both bots and trolls are a completely different set of issues that cannot easily be solved, regardless of your approach.
