. o ( start a cyber metal band called Pyramid of Pain )
| pronouns (en) | he/him or they/them |
| pronouns (nl) | hij/hem of die/diens |
| It's me. | https://stiiin.nl/ |
Stijn van Drongelen
- 99 Followers
- 255 Following
- 51 Posts
Toots do not represent employer's opinion.
Caria Giovanni - HarpocratesStatic + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.
Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.
But two things stood out:
1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.
2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.
Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.
Soon the full analysis
#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics
@trezzer Forget the platform, where's Wash?! 🥺
Hey @bitsoffreedom, tekenen jullie ook even? https://keepandroidopen.org/open-letter/
@bert_hubert @belastingdienst Als hier ook facturen voor dienstverlening onder vallen, dan gaat deze data ongetwijfeld ook worden aangegrepen om schijnzelfstandigheid op te sporen.
@MiaWinter I'm using light-dark() wherever I use colours and play with the color-scheme property to toggle between them, but I don't know if that plays nicely with transitions. Time to experiment with that when I get home!
@yvanspijk @PKYo The link works if you're logged in, but then the site wants you to pay a dollar to download it.
The proceedings that the paper was published in is mirrored at https://lauragrestenberger.com/wp-content/uploads/2017/10/akten_erlangen_i-stc3a4mme.pdf , see pages 103 through 112.
(Not sure why the proceedings are from 2014 while the conference was in 2011.)
@MichelPatrice @leanderlindahl The test whether to ask for consent is not about "selling your data" either.
The ePrivacy Directive of the EU requires every member state to make laws that ratify certain rules. One of those rules (Article 5(3)) is that reading and/or writing data on "terminal equipment", such as cookies on a visitor's computer, requires consent.
The laws must include two exceptions, covering data that is only used to make data transmission possible, and data that is necessary to provide a service that was explicitly requested by the user. This is why you can't disable "functional cookies" or "strictly necessary cookies" in cookie walls.
However, Article 5(3) does not use the word "consent". I'm not going to repeat the exact wording here. The way I read it, is that you should have prior consent before using cookies (or local storage, or other data stored by web APIs) except for the strictly necessary stuff, but even the strictly necessary stuff still needs to be clearly and comprehensively explained to the user. So if you don't need prior consent, you don't need a wall, but you still need a section on your "privacy" page about your cookies.
See the Planner app within Microsoft Teams for Android.
Be surprised that it's there, days after being told you don't have a license.
Try to create a To Do list in it. It works.
Try to delete it. There's no option to do so.
Who the fuck makes this shit, and why do we keep buying it?