End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2,000 users as part of the breach at communications giant Twilio last week.

Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.

  • PorkrollPosadist [he/him, they/them]
    ·
    2 years ago

    :trade-offer:

    I receive: Your phone number, tied to your name, address and billing information.

    You receive: "Anonymous," encrypted messaging.

    • IAMOBSCENE [none/use name]
      ·
      2 years ago

      I don't think Signal ever aims for anonymity, but yes, it's trash.

      Any system which attempts to combine these things in an auto-updating mobile app is more risky than it's really worth.

      1. Communication client
      2. Public-key infrastructure
      3. Web of trust

      Signal can easily be compelled or compromised to replace someone's public key, reencrypt messages MITM'd for them so they can't notice, and update the client software to obfuscate the public key change.

      There's no reason for something so centralized to exist even if its stated purpose is honest. It's just a disaster in waiting for someone who actually needs its value proposition.

      • PorkrollPosadist [he/him, they/them]
        ·
        2 years ago

        I don’t think Signal ever aims for anonymity, but yes, it’s trash.

        It's not so much Signal's advertising as much as how I see people use it in practice. Most people who aren't nerds just think in terms of privacy. "Oh I heard that app has good privacy!" But anonymity and encryption are two completely different things. If you're some dork fed who finally ended up reading Howard Zinn and decide you need to send a couple secret documents to a journo over Signal, they are going to get you unless you managed to sign up with a fake identity and not fuck it up in any single way.

        Any system which attempts to combine these things in an auto-updating mobile app is more risky than it’s really worth. [...]

        This is a very good point.
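The key-substitution scenario described in the comment above, worked through as an added example (editor's code, not Signal's and not from any commenter). A central directory hands out identity keys; once that same directory is compromised or compelled, it hands Mallory's key to both sides, Mallory decrypts and re-encrypts in the middle, and Bob still reads the message as if nothing happened. What makes the swap detectable is a safety number that each side computes from its own view of the two identity keys: the numbers only agree if nobody substituted a key, the comparison has to happen out of band rather than through the same server, and it only helps if the client displays the number honestly, which is exactly the auto-update concern raised above. The X25519 function is a pure-Python transcription of the RFC 7748 ladder; the hash-based KDF, XOR-keystream cipher with HMAC, twelve-digit safety number, the `Directory`/`CompelledDirectory` classes, the names alice/bob/mallory and the sample message are all simplifications constructed for this example and are not how Signal implements any of it.

```python
import hashlib
import hmac
import os

# X25519 (RFC 7748 Montgomery ladder) in pure Python: for illustration, not constant-time.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                           # clamp the scalar (RFC 7748 section 5)
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # ignore the unused top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def derive_key(priv, peer_pub):
    # Toy KDF over the DH shared secret; stands in for Signal's X3DH / Double Ratchet.
    return hashlib.sha256(b"demo-kdf|" + x25519(priv, peer_pub)).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def safety_number(pub_a, pub_b):
    # Order-independent fingerprint of both identity keys (simplified safety number).
    digest = hashlib.sha256(b"".join(sorted((pub_a, pub_b)))).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**12:012d}"

class Directory:
    """Honest central key server: returns the identity key each user registered."""
    def __init__(self):
        self.keys = {}
    def register(self, name, pub):
        self.keys[name] = pub
    def lookup(self, name):
        return self.keys[name]

class CompelledDirectory(Directory):
    """Same server after compromise or compulsion: every lookup returns Mallory's key."""
    def __init__(self, mallory_pub):
        super().__init__()
        self.mallory_pub = mallory_pub
    def lookup(self, name):
        return self.mallory_pub

def run_scenario(compelled: bool) -> dict:
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    directory = CompelledDirectory(m_pub) if compelled else Directory()
    directory.register("alice", a_pub)
    directory.register("bob", b_pub)
    message = b"meet at the usual place"             # constructed sample message
    bob_key_seen_by_alice = directory.lookup("bob")
    blob = encrypt(derive_key(a_priv, bob_key_seen_by_alice), message)
    mallory_reads = None
    if compelled:  # Mallory decrypts with her key, reads, and re-encrypts to the real Bob
        mallory_reads = decrypt(derive_key(m_priv, a_pub), blob)
        blob = encrypt(derive_key(m_priv, b_pub), mallory_reads)
    alice_key_seen_by_bob = directory.lookup("alice")
    bob_reads = decrypt(derive_key(b_priv, alice_key_seen_by_bob), blob)
    # Each side fingerprints its own view of the two identity keys; the numbers only agree
    # if no key was swapped, and the comparison must happen out of band, not via the server.
    sn_alice = safety_number(a_pub, bob_key_seen_by_alice)
    sn_bob = safety_number(alice_key_seen_by_bob, b_pub)
    return {"bob_reads": bob_reads, "mallory_reads": mallory_reads,
            "safety_numbers_match": sn_alice == sn_bob}
```

Running `run_scenario(False)` and `run_scenario(True)` shows the asymmetry the thread is arguing about: in both runs Bob receives the intended plaintext and sees a valid authentication tag, so nothing in the message flow itself reveals the interception; only the mismatched safety numbers do, and only to users who actually compare them somewhere the server cannot touch.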

  • D61 [any]
    ·
    2 years ago

    So, do they get "kudos" for the phishing attempt only breaching 2000 accounts or nah?

    • crime [she/her, any]
      ·
      2 years ago

      Depends on if it was because they were only after 2000 select targets or if it's because of Twilio's response, but I'm inclined to say yeah