TimePencil

joined 8 months ago
[–] TimePencil@infosec.exchange 4 points 2 days ago* (last edited 2 days ago)

@Vanilla_PuddinFudge

Yes...
... but that's OK.

Lemme explain...

A Signal user will commonly have the client app installed on their mobile device.

They may also have a second client on a laptop that syncs the same data.

If the user goes on holiday for a week but leaves their laptop behind, it won't be synced to the laptop.

On return from holiday, the laptop client uses its decryption keys to retrieve the last week's worth of messages.

I *think* Signal can do this (retrieve cached messages from the Signal servers) for up to 14 days.

That said, the entire Signal cache is encrypted on their servers, and one's messages are fully E2EE and retrievable only by the user.

(However, one weakness of Signal is that a desktop or laptop client's cache is stored unencrypted. To secure these, one needs to use full disk encryption at the OS level or higher.)

@DarkCloud

[–] TimePencil@infosec.exchange 1 points 3 days ago (1 children)

@sunzu2

"Under FISA order, signal would provide logs."

How would Signal do this? Logs of what?

Corresponding parties? Messages? They don't have them.

They'd have to rewrite their backend code to obtain them, and changes would also need to be made to the Signal client apps.

It would not matter if the FISA Court ordered that logs be produced in secret by Signal. Any such logs could not be obtained without significant changes to the way Signal works. Users would know.

Yes, Signal does have some shortcomings, but these are acceptable in most 'use cases' for most threat models.

Signal is best used as a private, E2EE alternative to SMS. Only a fool would use it for the *most sensitive* of communications. (Like, you know, discussing an impending military strike...)

We all know of the alternatives, including (but not limited to) SimpleX, Session, Briar, Element etc.

@maniacalmanicmania @9tr6gyp3 @signalapp

[–] TimePencil@infosec.exchange 1 points 3 days ago (3 children)

@sunzu2

Read the Affidavit produced here:
https://signal.org/bigbrother/santaclara/

Read Signal's complete source code here:
https://github.com/signalapp

Once you understand the code, you'll understand "what they can do" and what they cannot do.

When you've identified any flaw in the code that runs the Signal servers that would allow IP logging, let me know. I'll be glad to file the bug report on your behalf.

@maniacalmanicmania @9tr6gyp3 @signalapp

[–] TimePencil@infosec.exchange 1 points 3 days ago (5 children)

@sunzu2

Signal knows *when* a user wqs last connected, but not the IP address of that connection. The system has been specifically designed to minimise the meta data available for collection.

@maniacalmanicmania @9tr6gyp3 @signalapp

[–] TimePencil@infosec.exchange 1 points 3 days ago (7 children)

@sunzu2

To do the things you are suggesting that Signal could be forced to do, Signal would have to rewrite its entire codebase as well as the client apps.

Fortunately, Signal is open source, and such changes would be noticed.

As it stands, it doesn't matter what is demanded nor by whom as the only user data, including traffic analysis, that Signal can currently reveal is insignificant.

Signal simply cannot disclose data it itself cannot access.

Yes, decentralised services are preferable, but Signal has probably the easiest onboarding experience for the average user, especially those new to the concept of E2EE.

@maniacalmanicmania @9tr6gyp3 @signalapp

[–] TimePencil@infosec.exchange 4 points 3 days ago (9 children)

@sunzu2

Nope and I was wrong.
@signalapp is only able to produce LESS information than I previously stated.

  1. The phone number (which will already be known by the relevant authority.)
  2. Last connection date.
  3. Account creation date.

That's it. Nothing else.
Signal does NOT log users' IP addresses.

See this for more information:
https://signal.org/bigbrother/santaclara/

@maniacalmanicmania @9tr6gyp3 @signalapp

[–] TimePencil@infosec.exchange 2 points 3 days ago (12 children)

@9tr6gyp3

There is NO back-door to Signal.

@signalapp is blind to all communications. (Including, probably, this toot! 🤪)

Signal itself does NOT know who has messaged whom, nor when, nor how (e.g. the IP address is NOT known.)

If Signal was subpoenaed to produce my records, they could produce:

  1. My phone number. (Actually, my number is the only way Signal could 'reference' my data.)
  2. The date I joined Signal.
  3. The date I was last active on Signal.
  4. (This one is a maybe...) The existence of secondary devices that I use - such as the Desktop app.

I'm *fairly* sure that is all of it.
(Please let me know if I'm wrong.)

@sunzu2

[–] TimePencil@infosec.exchange 1 points 1 week ago

@princessnorah

Ditto.
[at]gurnu[at]lemmy.world has been on my own 'blocked' list for a while.

An oxygen thirf who's worth nobody's time...

@PeterLG

[–] TimePencil@infosec.exchange 6 points 1 week ago (1 children)

@sabreW4K3

The government will LOVE this scheme...

  1. Make children obtain a government issued ID card.
  2. Increase the cost of the ID card from a 'nominal' payment to, say, $100 p.a.
  3. Require e-bikes to be registered for a nominal fee.
  4. Increase the registration fee.
  5. Make insurance compulsory for e-bikes.
  6. Require registration and insurance for ALL bicycles, including pedal powered bikes.

Then, in 10 years' time...
7. Spend a fortune on an advertising campaign trying to get people back on 'traditional' bicycles.

[–] TimePencil@infosec.exchange 9 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

@Zagorath

Half a penny?
Where's the rest of it?

[–] TimePencil@infosec.exchange 1 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

@spiffmeister

Oh, increasing the dingo population (by any method) would, as you say, definitely impact the roo population. No question!

But the *location* of that roo population matters and affects whether any cull makes economic sense.

I was a spotter and offsider for a few pro roo shooters over a few seasons.

Culling roos usually only makes sense when it benefits the farmer AND value can be extracted from the roos.

Most culls I've seen were in cattle country that was still 'close to town', usually within 1-2 hrs' drive. (I'm sure that culls also occur down in sheep country, too.)

Primary producers rarely look upon dingos favourably, and there'd be little support for increasing them.

The 'predator-prey' 'boom/bust' cycles are still common, but generally where the station's size is measured in 1000's of sq. kms. In the 'back of beyond', diesel alone costs much more than can be made from any culled roos.

Edit: check out the dingo fence...
https://en.m.wikipedia.org/wiki/Dingo/_Fence

view more: next ›