American Partisan: Signal App Compromised? Not So Fast…

NC Scout at American Partisan talks about the supposed compromise of the secure messaging app Signal in Signal App Compromised? Not So Fast… Remember that encryption works, and because encryption works the people who want your data will do anything they can to convince you to just not take the effort to use it.

Much has been written about the supposed compromise of Signal as a so-called ‘secure messaging app’, with some sources being a bit better than others on the matter. I’ve had a ton of questions about it over the past couple of days, and almost all of it doesn’t revolve around the issues with an app itself, but rather, the tradecraft errors behind using it.

First things first, almost everyone I come into contact with in the Liberty community, absent those with serious .mil backgrounds requiring at least a primer in tradecraft, have no idea what they’re actually doing. That statement is not meant to deride, far from it; its simply the truth. When it comes to communications, most are looking for a replacement: a methadone for a heroin addiction, if you will- to their incessant need for a phone. This is especially true when it comes to the instant gratification of messaging. I’m reminded of Russell Crowe’s line from a movie long since memory-holed, Body of Lies, saying “we just need al Saleem on the phone. Langley’ll do the rest.”

And they did.

Signal, as a software, does what it claims to do. On top of that, the source code for the app is open source and subject to anyone’s audit or modifications, should your skillset include the expertise in that area. And should you have that level of ability, you can even modify it to suit your needs running a code off the beaten path while still utilizing Signal’s network. It is end-to-end encrypted, after all. And what exactly does that mean? It means that the administrators can see that someone is accessing the network, but not what is being passed along it, much the same way that TOR actually works. Even with audio calls, the system does what it claims to do.

So let’s discuss the actual vulnerability in question.

According to documents filed by the Department of Justice and first obtained by Forbes, Signal’s encrypted messages can be intercepted from iPhone devices when those Apple devices are in a mode called  “partial AFU,” which means “after first unlock.”

When phones are in partial AFU mode, Signal messages can be seized by federal authorities and other potentially hostile interests. GrayKey and Cellebrite are the tools typically used by the FBI to gain this sensitive information, an expert has explained.

It uses some very advanced approach using hardware vulnerabilities,” said Vladimir Katalov, who founded the Russian forensics company ElcomSoft, believing that GrayKey was used by federal authorities to crack Signal.

So its not the app after all, but rather the hardware’s setting. A vulnerability which, since its a hardware exploit, likely applies to every messaging app. So tradecraft, or the lack thereof, is the heart. As per the usual. And the hardware in question is the hipster device of choice, an Apple iPhone. Shocker. But I thought Apple prided itself on user security?

Maybe at one point. But clearly no longer. Must be all that CCP money. And the real kick in the groin is that (shocker, again!) the FBI (or any other domestic security agency) can get into your phone without your handy little thumbprint. And just because they didn’t mention Android, don’t think its not every bit as vulnerable. It is.

So let’s talk about how to mitigate it.

First, understand the levels of data collected from cellular devices. I’ve discussed this ad nausem in the past. Your phone is constantly tracking you, no matter what you do absent putting it in an EMP bag, and if you cannot fully comprehend this reality then you’re really, really far behind the power curve. The lone answer is moving to using wi-fi only mobile devices for communications using open source apps. Wifi is common enough even in rural areas and if the technology is beyond you, so is your usefulness in a direct action cell.

Second, understand how to properly message people. The magic blanket of encryption may conceal our message but it neither conceals our presence nor our patterns of life- and in particular, who’s being messaged. This requires first discipline, and second, a pre-arranged (and trained on) code. One Time Pads work quite well, but a pre-configured Trigram or Brevity matrix works as well. On top of that, messages should be set to delete after a short period of time. Signal enables this, and if the message is important (it should be if you’re using Signal to send it), write it down. Clandestine messages are usually one-way as it is, requiring no overt response. Or if a response is necessary, respond through another backchannel (the same way I teach communicating on two different frequencies simultaneously in the RTO Course). Further, group messages of any more than two individuals is an instant non-starter. This violates even the most basic rules of clandestine cell organization and why Liberty groups feel the need to broadcast everything to everyone, I’ll never understand. Maybe you’ll learn one day. Domestic Black Sites are real.

Last, what you’re using as a so-called daily driver, ie your surface phone, is absolutely not used for this role. One of my own personal objections to Signal is and has always been the requirement of a phone number for registration. My Sudo allows us to bypass this by generating another phone number, but alternative apps such as Wire and Threema register via an email account…far, far better. And on that note you did install it on your own, absent Google play, correct?

So with that said, what do I think of this so-called ‘compromise’? It think its a smoke screen for CCP / Apple to keep their own compromise hidden in the details, as well as a smoke screen for disgruntled feminist intersectionalist IT workers behind the scenes at Signal unhappy that anyone other than AntiFa degenerates and washed up Agency Spooks would be using their app. For me, Signal is the C in my PACE plan- the ability to contact those using cell phones from my own wifi device, should the need arise. I don’t hang my hat on its ability outside my control. Neither should you. And the fact that a lot of people in this community do underscores just how behind the curve some of the louder voices really are. No matter what you’re doing, the correct answer is always using open source systems, have a PACE plan, follow the Moscow Rules and if there’s any doubt, there is no doubt.

CSG: Welcome to the Panopticon

Combat Studies Group has a comprehensive article up about choosing a secure chat/messaging application in this time of increasing governmental and corporate excess. It’s a long read, but if you are interested in your privacy you should give it a read. If you don’t understand what he’s talking about, then this is a starting point for your electronic privacy/security education.

Welcome To The Panopticon, or “How I Learned To Stop Worrying And Love Information Warfare”

So it’s 2019……and so far we have:

– Twitter, Facebook, Youtube and the like, de-platforming or censoring any content that leans towards the right or conservative side.

– Amazon, Google, Apple, Microsoft, et al, doubling down on collection of people’s data.

– The US intelligence apparatus convincing major hotel chains (Marriot for one) to collect information and report on hotel guests (for the most trivial of “abnormalities”, if one can call them that).

– Amazon working with law enforcement to implement widespread facial recognition gathering.

– Those nifty DNA/ Heritage testing sites have been caught giving your DNA to Uncle Sam.

– Cellular providers selling your real-time location to anyone who wants to buy it.

– The proliferation of “smart” devices such as Alexa that is always listening.

– Web browsers screening the news you search for and only letting the “leftist” slanted news through.

I could go on for pages and pages, but you get the point. One needs to become aggressive to secure their privacy in this day and age….so with that in mind I thought it apropos to publish an updated breakdown of available options.

Lets establish some standards that should be adhered to when choosing a chat application.

1. It should be comprised of open-source code. Open source code can be audited by third parties for completeness, proper implementation and potential security vulnerabilities.

2. It should employ end to end encryption. In other words, the encryption happens on your device and the decryption happens on the recipient’s device versus a third party server. This removes the need to trust a third party with your keys.

3. It should utilize INFOSEC industry accepted standards for cipher primitives. It should use well studied ciphers, key exchanges and hashes such as: AES-256, RSA-4096, ChaCha20, ECC-512, Curve25519, Poly1305, secp256k1, Curve448, Twofish, SHA-3, Whirlpool, GPG.

4. It should utilize forward secrecy. This protects the user if they have a key that somehow gets compromised. In this setup the system renegotiates the key exchange at short, established time intervals. Diffie-Hellman  is a common implementation of this concept.

5. It should support the removal/destruction of messages on both ends of the conversation. This could be based on a timer, manual selection or a “destroy on read” protocol…

Click here to read the entire article at CSG.

Related:

Technology and Avoiding Censorship