Just do one thing and do it well, be the trusted de facto platform for private messaging that empowers dissidents, journalists and grandma all to communicate freely with the same guarantees of privacy. Signal is a still a great piece of software. We’ve seen this before, after all Telegram tried the same thing in an ICO that imploded when SEC shut them down, and Facebook famously tried and failed to monetize WhatsApp through their decentralized-but-not-really digital money market fund project. I think I speak for many technologists when I say that any bolted-on cryptocurrency monetization scheme smells like a giant pile of rubbish and feels enormously user-exploitative. Combining it with a cryptocurrency means that the whole system dies if any part dies.ĮDITED TO ADD: Commentary from Stephen Deihl: Signal is the best app we have out there. End-to-end encryption is already at risk. Secure communications and secure transactions can be separate apps, even separate apps from the same organization. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI.Īnd I see no good reason to do this. It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s not just that blockchain is just plain stupid.
It’s not just the bloating of what was a clean secure communications app. “I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.” “There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms,” Marlinspike told WIRED in an interview. Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describes the new payments feature as an attempt to extend Signal’s privacy protections to payments with the same seamless experience that Signal has offered for encrypted conversations. (Is it okay to booby-trap your phone?) A colleague from the UK says that this would not be legal to do under the Computer Misuse Act, although it’s hard to blame the phone owner if he doesn’t even know it’s happening.Īccording to Wired, Signal is adding support for the cryptocurrency MobileCoin, “a form of digital cash designed to work efficiently on mobile devices while protecting users’ privacy and even their anonymity.” Or whether this runs foul of the Computer Fraud and Abuse Act in the US. I have no idea how effective this would be in court. The idea, of course, is that a defendant facing Cellebrite evidence in court can claim that the evidence is tainted. It could even write that fabricated/altered evidence back to the phone so that from then on, even an uncorrupted version of Cellebrite will find the altered evidence on that phone.įinally, Moxie suggests that future versions of Signal will include such a file, sometimes:įiles will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. That malicious file could, for example, insert fabricated evidence or subtly alter the evidence it copies from a phone. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
#Signal messenger web client code
This means that Cellebrite has one-or many-remote code execution bugs, and that a specially designed file on the target phone can infect Cellebrite.įor example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures.
There are virtually no limits on the code that can be executed.
…we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. (The one example he gives is that it uses FFmpeg DLLs from 2012, and have not been patched with the 100+ security updates since then.)
#Signal messenger web client software
Moxie got his hands on one of the devices, which seems to be a pair of Windows software packages and a whole lot of connecting cables.Īccording to Moxie, the software is riddled with vulnerabilities. Moxie Marlinspike has an intriguing blog post about Cellebrite, a tool used by police and others to break into smartphones.
0 kommentar(er)
