A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/
@jtb Read the thread 👍
@davep @signalapp If they handed over verification code and pin then they would have to be seriously daft.
[I withdrew this later. It was prompted by incredulity. I hope I will be forgiven and not sent to X for punishment]
@jtb It's how phishing / social engineering works. Not everyone is as clever as you.
@claudius why should technical skills like that be a requirement for people to have something to say in politics? The stakes are too high as they are now, you need to have rhetoric skills, a mindset to make it to the top and a bunch of other privileges.
We shouldn't individualize everything, it's a structural problem and there should be structural measures in place to prevent politicians from making those mistakes. It's a government we're talking about, they have the resources.
@radieschen @davep @ahltorp @jtb I am not saying they must be perfect. But if they are not they need to get themselves help.
And, as pointed out, they need better than average opsec *anyway* because they also should not leave hardcopies of sensitive stuff in a cab or paste their plans for some upcoming regulation into ChatGPT.
Yes, that is the bar I would set for a politician. Yes, we also need structural help. Both of these are desirable.
@s4mmy @radieschen @davep @ahltorp @jtb honestly, I find it unreasonable to *not* set higher standards for people in such an exposed office. Again: I am all for structurally preventing attacks where possible. But at the same time, these are not random people, they are under far more scrutiny and are much higher value targets for attacks like these. IMO this needs to be part of their threat model.
I don't think we'll reach a consensus, here if we can't agree on that.
@claudius the only thing I'm disagreeing with in your reply above is that I don't think they should get help, I think they should be trained.
Because people like that need to have better than average op-sec, it *must* not be their responsibility. The problem is so huge, *everyone* needs to be made aware of common threats.
Structural problems need structural solutions. Relying on individuals to be aware they have to educate themselves can only go wrong. It's only a matter of when, IMO.
@radieschen I used to work in the NHS, it was forbidden to communicate sensitive information by email etc. I see France has its own app. But maybe politicians like everyone else just want to be on the same app everyone else is using. Normally Whatsapp. It's hard to get people to move.
@claudius
It's definitely part of their threat model, whether they recognise that or not.
Frankly, due to this, they should be using a modified version of Signal for government officials that removes the risk of this sort of account takeover.
@ahltorp @davep @jtb @signalapp People have been trying to scam me since the 90s and I've always seen through it or taken a moment to check. Even so, I got had a couple of months ago by a very obvious piece of social engineering. All it takes is being tired, or stressed, or distracted, or all three, and you just go into automatic when asked to do something. I had to change all my passwords, update all my 2FA, change email addresses used for logins, etc.
It can happen to anyone.
Edit: typo
@jtb @stagerabbit @ahltorp @signalapp
Fair enough. Social engineers and phishing scams are by definition very good at this.
@EarthOrgUK @jtb @ahltorp @davep @signalapp Both my life insurance company and my overseas bank want me to send copies of my passport and proof of address over unencrypted email. When I complain, they say I should password protect the file and send the password in a separate unencrypted email to the same address.
Even if I find a way to send it securely, based on this, I doubt they store it securely.
@stagerabbit @davep I think most of the banks in Sweden are at least ok in this regard. I’ve had online banking for 30 years (pre internet), and it has always been two-factor. In the beginning only pin and single-use codes, but very quickly it became smartcard-based challenge-response with pin unlock of the smartcard, so theoretically very secure.
I’ve only done hanko based banking in Japan, so I’ve never seen online banking in Japan, but that seems horrible.
@gsc @stagerabbit @jtb @ahltorp @davep @signalapp I have left one* of the banks in question and filed complaints every single day it took to leave with all my savings. I didn't have the spoons at the time to take it up with the regulators (financial and data), but I have been director/CTO of a regulated fintech, so I am fairly confident that I could get my complaint heard if I could devote 6 months of my time...
*It's complicated.
@0x0 Troy Hunt. Lovely chap.
@ahltorp @davep @jtb @signalapp as a real world story. I work in cyber security. The team I work with is a very experienced security conscious team of devs (many with 20+ years experience).
One got hit with a phish because of a perfectly timed email. The email was obviously a scam IF you weren’t expecting a parcel delivery. Unfortunately, my colleague was expecting a parcel delivery!
The phishers managed to hit the right topic and context and a timing window that coincided with a highly anticipated, expected delivery, from that exact carrier at about the right time.
Luckily he realised within minutes and was able to move quickly to change passwords and reset credentials.
This wasn’t even spear phishing or any sort of targeted, social engineering supported attack. It was just luck and timing.
WenAstar
Signal
jtb
David Penfold 
Magnus Ahltorp
Claudius
Grumble 🇺🇸 🇺🇦 🇬🇱
Alien software, human hardware
Radieschen
s4mmy
dirtside
Achim Domma
The Stage Rabbit (he/him)
iestynap
Earth Notes
gsec
0x0
Nikolai Hampton 💾
Giliell