The Practical Limitations of End-to-End Encryption (soatok.blog)
44 points by todsacerdoti 60 days ago | 45 comments



You can't underestimate how much people will screw up operational security (opsec).

Arch-revolutionary Che Guevara was tracked down and assassinated because the NSA cracked his "unbreakable" one-time pads which would have been unbreakable if he'd only used them once.

https://www.kopaldev.de/2022/04/27/cryptography-for-everybod...


Signal's cryptography is quite secure. Signal's user management (restricting users you can chat with only to members of your organization) is nonexistent since it's not a goal. There's no requirement to have your common access card to get into a Signal group, there's no check for appropriate clearance enforced by Signal, so it's fundamentally unsuited to handling military information.


> no requirement to have your common access card to get into a Signal group, there's no check for appropriate clearance enforced by Signal, so it's fundamentally unsuited to handling military information

It's also running on a device that's had who knows what websites visited on it today.


In the early days of the iPhone, there was a vulnerability that allowed you to jailbreak your phone by visiting a specific web site. IIRC it was some vulnerability in the TIFF handling code. The same vulnerability could have been used to silently install spyware with root level access. No need to break Signal's crypto if you can just silently capture screenshots.

It's not hard to imagine some foreign intelligence agency is sitting on some severe zero-day vulnerability, waiting to use it on very high value targets, such as senior administration staff.


You don’t have to imagine. This is a billion dollar intel industry that pays out millions of dollars for vulns, and charges corrupt governments more for access to hack their citizens' most private data.

Those unscrupulous enough to sell the vulnerability to the exploiters, there is gold. Of course we would rather they did the right thing and got the bugs fixed.


> No need to break signal's crypto if you can just silently capture screenshots.

This is also something that comes up with esoteric cryptography schemes. There are systems designed so that you could theoretically deny whatever property, but in reality, the bad guy looks at your phone and believes whatever is on the screen anyway.


One could, in theory, run Signal on a dedicated device without any other app. Not that it's likely in this case! The lack of access controls is a limitation of the Signal app, since it's not part of the intended purpose to use it for classified data there's no support for the functionality classified-data communications programs need. The insecurity of the device it runs on could be solved without the Signal Foundation releasing a new version, the lack of centralized access control can't be.


If you aren't listening to the Darknet Diaries podcast yet, you really should be. Episode 146 talks about a Signal-like "secure messaging" app that the FBI enticed people to use that secretly had the FBI as a member of every chat, so they would get a copy of every message sent. This story strongly reminds me of that.

https://darknetdiaries.com/episode/146/


That was a lot more than a secure messaging app. It was an entire Android-based operating system, preinstalled on physical devices.

It was originally created by a private company, that went a bit too far in marketing it to criminals. Undercover agents asked the CEO "How do I use this to prevent the police from monitoring my drug smuggling", and he answered the question.

In order to keep the feds from throwing them in prison, the remaining execs needed to provide names, and what better way than to compromise the phone and market it to criminals?

Around the same time, law enforcement cracked a more popular custom phone used by criminals, so gangs started looking elsewhere. And the FBI was waiting for them.

It was an insane operation. It was being run from a local FBI office (San Diego), not headquarters. A bunch of low level agents.

But it provided massive police intelligence around the world.

It also screwed over a lot of the contractors who worked on it. The Android developers who designed the phone are now on organized crime's radar, even though they thought they were just making a secure phone.


I heard this story elsewhere, and the attitude of law enforcement infuriated me. It was basically, “Only criminals would care about their privacy to purchase this premium phone, so of course we needed to crack it”. Screw everyone else who did not want more ad tracking or whatever.


Law enforcement was paranoid about making sure it only went to criminals. It was producing so much intelligence, any non-criminal usage wasted lots of time.

The fact that it was really only criminals using it was the big selling point.


I agree in part, but nobody legit is paying $200/month to use signal or other free secure private messengers. If it was a free platform I can see innocents getting caught, but considering it was sold by criminals, to criminals for a criminal fee — I think they were mostly correct.


Granted I’m hazy on the details of the story, but I did not recall a service fee. Just a few hundred dollars premium Android phone geared towards secure privacy. Sure, there was a nudge and a wink towards crime, but I could easily see it appealing to a civil protestor, journalist, or philanderer.


It was only available from a salesman, you couldn't order it via a website. The salesmen knew their clients, and knew they were criminals.

The sales chain was what made the operation so effective. The only people who had the phones were the ones the FBI wanted with the phones.


But there are many open source, free, and actually secure messengers...


not in the late 2010s when this was happening.


There was (is) one though, audited by NCC Group in 2015. A vuln has been found but fixed by 2016. Not sure about other messengers.


Darknet Diaries is not a good podcast.

Each episode is chewed up slowly to the lowest common denominator, meaning half of an episode is condescending explanation of trivial matter. The misplaced air of faux mystery, true crime podcast style, does not help. The narrator being occasionally a free speech absolutist and explicitly in favour of money laundering services does not help.

Risky Biz covered Anom in https://risky.biz/RB751/ via a dense if a bit short interview with Joseph Cox, who wrote a book about it, starting around minute 35. Listen to that and respective Darknet Diaries episode to compare. In general Risky Biz offers more balanced, less boring, and up-to-date takes on cybercrime (sans interviews with actual criminals).


Could you reference some of this free speech absolutist background?

I'm willing to reexamine my appreciation for the Darknet Diaries, but I have never gotten this political take from the content itself. Rather he seems to simply be willing to engage with folks he disagrees with morally, as a matter similar to any journalist might. He does not engage with active crime or anything like that either.

I really like darknet diaries. I don't think it is just about cyber crime though. More like a human social journalism with a heavy cyber crime angle. So that's how you have such a range of content in my opinion.

Also, maybe listen at 1.3X? That makes the explanations and pacing imo easier


Yes. Sorry, I edited my comment for brevity. The episode about Tornado Cash was the one I pulled the plug on Darknet Diaries. His suddenly very opinionated take just did not jibe with reality, and considering it is targeted at laypeople I wasn’t a fan of that.


Author of TFA here: I like Risky Biz a lot.


Which app was that? There's been a few instances like that, Encrochat, ANOM and Sky ECC were all intercepted in one way or another by law enforcement.

Of course, the real question is whether these led to any convictions. They did lead to a few prevented murders and the like, but given they're all sweeping / non targeted sting operations, they're not admissible in court in a lot of cases.


An actual strongly encrypted messenger app like Signal is not really like a FBI fake-encrypted honeypot app like Anom


I've often wondered if automatic updates and nag-screens are being used by bad-faith actors as vectors to sneak trojan horses into nominally-open-source apps. I tend to assume that any sufficiently-large open-source project will be well-enough scrutinized that they can't be used in this way but when you're obtaining binary builds somebody else made, and especially when those builds are being pushed out on an almost-daily basis for extremely mundane reasons the chain-of-trust has several weak links. Only accepting signed binaries is not a good answer to this problem because if you aren't involved in a project then you have very little insight into how those binaries were signed or whether the private key is even private.

But even so, when stakes are high enough victim-blaming becomes both warranted and healthy. Even if there really was a deep-state conspiracy to embarrass the presidential cabinet (not that I think there was), the ultimate responsibility should still fall on their heads for not taking obvious precautions while planning an airstrike. If you can't verify that everybody in your Signal conversation is actually supposed to be in the conversation, let alone that they are even who they appear to be, then it's obviously not an appropriate platform for this discussion.


> Point being: SCIFs are the right tool for the job. Smartphone apps like Signal are not.

The job in this case seems to be secure, ad-hoc communication between multiple parties while on the road (the VP at least was doing an event in Michigan). Clearly a public smartphone app isn't the right tool for the job. Is a SCIF the right tool though? I always thought of SCIFs as purpose-built rooms. It seems impractical that every time a message needs to be communicated, the parties have to be whisked away to a SCIF.


There are portable SCIFs, basically specially designed trailers, to allow senior staff to communicate securely on the road. It's very likely Vance had one of these nearby.


Not to mention plenty of DoD facilities from coast-to-coast with SCIFs - even without a portable SCIF, he likely wasn't far from one.

Failing that, these people almost certainly have laptops connected to DoD networks at a lower COMSEC level than a true SCIF (indeed, "high-side laptops" were mentioned in the Signal thread). They could have communicated with those. I don't know about DoD policy if those would be acceptable or not for discussions about planned strikes, but it'd be a hell of a lot more secure than unsecured public smartphones.


> There are portable SCIFs, basically specially designed trailers […]

There are 'tents' as well; Obama in one:

* https://www.bbc.com/news/world-us-canada-12810675

* http://archive.is/https://www.nytimes.com/2013/11/10/us/poli...


> Smartphone ...

It should have ended there. Smartphones are not secure and you must not trust them.


The author writes "I do not foresee any smartphone app ever being approved for this purpose." (the purpose is 'passing classified information for military operations'), while in fact, I'm not sure I see the issue - all the app (any one of them, including WhatsApp, Signal, etc.) needs to add is what is referred to as 'conditional access' to some chats. Meaning, you can define chats as only authorized for users whose identity is provided by a trusted Identity Provider, or are running on certified devices. This type of security is already implemented in many enterprises, supported by browsers (to some extent, at least), and can relatively easily be supported by applications. Custom made chat apps already use this (e.g. Workplace Chat, which is used by Meta), and so I'm not sure it's something we won't see supported by other commercial messaging apps.


What he means by "I do not foresee any smartphone app ever being approved for this purpose." is that a commodity smart phone is an insecure platform, so the military will not be approving any app designed for a commodity smart phone.

And by insecure here, he and I mean that it's not a platform designed and manufactured to meet the large number of requirements for handling classified information. It may be secure in the sense of industry standards or conventions, but it's not secure in the sense of military information security.


If I read it correctly it's because they think phones are a no-go from the outset, so clearly apps for those phones are out, too:

> When government and military officials want to discuss operations, they’re typically required to go into a SCIF (Sensitive Compartmented Information Facility), which ensures:

>

> - That they are not being wiretapped. (To this end, mobile phones are not permitted in a SCIF.)

Whether this is actually true or not I wouldn't know and can't be arsed to research, but it makes sense to me. Whether it's reasonable to assume based on this that phones are completely out I also don't know.


Endpoint integrity is also critical. If Apple or Google were compromised, they could silently push an update that replaces the real Signal app with a modified version that forwards everything to an adversary.

Any system where the government doesn't have total control over software deployment will never be viable for handling classified information.


Signal on Android is reproducible https://github.com/signalapp/Signal-Android/tree/main/reprod..., so _theoretically_ the play store version could be monitored to detect tampering by Google (or whoever).

That is, if the reproducible build didn't constantly break https://github.com/signalapp/Signal-Android/issues/13565.

It also ignores the fact that the vendor could send updates targeted to specific devices.
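
The tamper check described in the comment above, sketched as an added example (not code from the thread or from the Signal project): compare a self-built APK with the distributed one entry by entry, skipping v1 signature files under META-INF. The sample archives are constructed, and the list of ignored entries is an assumption.

```python
import hashlib
import io
import re
import zipfile

# Assumption: v1 (JAR) signature files are the only entries expected to differ
# between a self-built APK and the store-signed one.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk):
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(built, distributed):
    """Return sorted (entry, reason) pairs; an empty list means the contents match."""
    a, b = entry_digests(built), entry_digests(distributed)
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            findings.append((name, "missing from distributed APK"))
        elif name not in a:
            findings.append((name, "only in distributed APK"))
        elif a[name] != b[name]:
            findings.append((name, "content differs"))
    return findings


def make_apk(entries):
    """Build a constructed, APK-shaped zip in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return io.BytesIO(buf.getvalue())


BUILT = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-original",
         "META-INF/MANIFEST.MF": b"built"}
STORE_OK = dict(BUILT, **{"META-INF/CERT.RSA": b"store-sig", "META-INF/MANIFEST.MF": b"store"})
STORE_BAD = dict(STORE_OK, **{"classes.dex": b"dex-modified", "lib/extra.so": b"added"})
```

An empty result only vouches for the copy pulled from the device being checked, which is the limit the comment raises about device-targeted updates.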


On the other hand the military of Ukraine is using Signal. And are hacked by Russia: https://www.politico.eu/article/russian-hackers-snoop-ukrain...


From the article:

"In some cases, Google has found Russia's notorious, stealthy hacking group Sandworm (or APT44, part of the military intelligence agency GRU), to work with Russian military staff on the front lines to link Signal accounts on devices captured on the battlefield to their own systems, allowing the espionage group to keep tracking the communication channels."

"In other cases, hackers have tricked Ukrainians into scanning malicious QR codes that, once scanned, link a victim’s account to the hacker’s interface, meaning future messages will be delivered both to the victim and the hackers in real time."

Gee, I dunno, sounds like hacking the endpoint to me (which always defeats end-to-end encryption).


> Switching to Matrix would have only helped if you consider “unable to decrypt message” helping.

Why would I not?


They're making a joke about how Matrix e2e is so high friction and unreliable that even if you should have access to a channel you'll get "unable to decrypt message" errors from key or identity issues - not that they would be rightfully unable to be decrypted by third parties (all the e2e programs they mention have that property).


Oh yes, I remember having this issue many times before. :D


Oh I see, thanks.


Sorry, I wish sarcasm had a font face so I could make it more obvious.


Related: https://news.ycombinator.com/item?id=43462783 "The Trump Administration Accidentally Texted Me Its War Plans" (1043 points, 325 comments)


[flagged]


No he didn't, this is a complete lie.

He did have a Blackberry that was approved through proper channels and modified https://www.nytimes.com/2009/01/23/us/politics/23berry.html


> allows him to stay in touch with senior staff

> First, only a select circle of people will have his address, creating a true hierarchy for who makes the cut and who does not.

> receive his e-mail address must first receive a briefing

So he still has a blackberry, regular email address that is kept secret, but everyone who gets his address must have a briefing!

Where exactly is there a complete lie in this?! Senior staff is responsible for toilet cleaning or making lunches?!


You implied bombing plans were discussed on the Blackberry



