Our statement on the UK government’s demand that all content on all devices sold or used in the country be scanned, on the presumption of nudity, using a dystopian combination of age verification and content scanning. This proposal will not safeguard children. It endangers us all.
https://t.co/VdWe9uhi8p
A response to recent reporting in Germany, in service of clarity and accountability:
First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised.
However, sophisticated attackers have engaged in a harmful phishing campaign, posing as “Signal Support” by changing their profile display name and using social engineering to trick people into handing over their credentials — information that allowed these attackers to take over some targeted Signal accounts. This is something that plagues any mainstream messaging app once it reaches the scale of Signal, but we know how high the stakes are given the trust people place in us.
In the coming weeks, you’ll see us rolling out a number of changes to help hinder these kinds of attacks.
Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. Because such a change results in de-registering your Signal accounts, attackers prepared people for this by telling them that being de-registered was intended behavior, and that all they would need to do is “re-register,” or, create a new account. When they moved to create a new Signal account — one that was now decoupled from their hijacked account — the victims thought they were logging back in to their primary account. As a result, many didn't notice the takeover. The compromised accounts were then weaponized to target the victims' contact lists by posing as the owners of the account.
We understand the trust that people put in Signal, and how devastating this kind of social engineering can be. While it’s true that all messaging platforms are susceptible to scammers and phishing that betrays people’s trust and convinces them to “unlock the front door” where no backdoor exists, we are looking to do everything we can to help people avoid and detect such scams.
For the time being, please stay vigilant against phishing and account takeover attempts. Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).
Security researcher Paul Moore has demonstrated how the EU age verification app can be compromised in under 2 minutes with nothing more than physical access to a device.
By editing the app’s shared preferences file an attacker can remove the encrypted PIN values, reset the rate limiting counter to zero, and disable biometric requirements entirely.
The app then accepts a new PIN and grants access to the existing age verification credentials.
His earlier analysis of the open source code also revealed that the app stores NFC biometric facial data and user selfies as unencrypted lossless PNG files on the device.
Deletion is incomplete, leaving the images at risk even after processing.
Europe is so cooked
📣VeraCrypt update : after Microsoft reinstated @idrassi Windows Hardware Dev account, active work on the next 1.26.x release is underway.
Please share important bugs, regressions or low-risk improvements you think should be included before release.
“Bij de gemeente Nijmegen kun je zowel met Yivi als met DigiD inloggen. Die gemeente is al autonoom en kan een uitval van DigiD opvangen.”
Digitale soevereiniteit en weerbaarheid zijn in Nijmegen speerpunt!
https://t.co/hfDBO10SrW
We are deeply saddened to learn of the passing of Hideki Sato, who served as President of SEGA from 2001 to 2003. SEGA would like to offer its condolences to his family and friends. Starting his career with the development of arcade machines, Mr. Sato was instrumental in the development of iconic home consoles, including the SG-1000, SC-3000, Mega Drive/Sega Genesis, Sega Saturn, and Dreamcast. His leadership helped lay the foundation of SEGA, and his contributions had a significant and lasting impact on the entire gaming industry. We will always remember his contributions to our company, and all of us at SEGA extend our deepest condolences as we honor his memory.
Mr. Hideki Sato, known as the father of Sega hardware, passed away yesterday.
His passion and bold spirit defined an era and inspired Sega fans around the world.
Rest in peace.
Beep21
📰🤖 "Despite sharp criticism from data protectionists and human rights organizations, the #EU Commission announced on Wednesday that it intends to simplify its rules on data protection and #AI." (from German)
👉 Read more (Article in German): https://t.co/ephCaMw2vj
On #GlobalEncryptionDay let's celebrate Phil Zimmermann, creator of PGP. The US govt fought him for 3 years for spreading encryption. He won, & privacy prevailed.
Today, we’re in another war against privacy, & we need more Phil Zimmermanns to lead the charge.
Full interview:
We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe.
https://t.co/015qmQnIS2
We loved your article on Password Manager extension clickjacking attacks. We would love it if you evaluated KeePassXC as well and included it as an addendum to your blog.
@marektoth
https://t.co/ZTDthlDjzP
@HTM_Reisinfo Sommige chauffeurs mogen wel eens een cursus 'omgaan met reizigers' doen...
Je meld ze beleefd wat, kijken je aan alsof je een debiel bent en negeren je compleet.
Jammer dat zo'n malloot je reiservaring verziekt.
Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Which means there’s misinfo flying around that might drive people away from Signal and private communications.
One piece of misinfo we need to address is the claim that there are ‘vulnerabilities’ in Signal. This isn’t accurate. Reporting on a Pentagon advisory memo appears to be at the heart of the misunderstanding: https://t.co/QfWgOxHAzp. The memo used the term ‘vulnerability’ in relation to Signal—but it had nothing to do with Signal’s core tech. It was warning against phishing scams targeting Signal users.
Phishing isn’t new, and it’s not a flaw in our encryption or any of Signal’s underlying technology. Phishing attacks are a constant threat for popular apps and websites.
In order to help protect people from falling victim to sophisticated phishing attacks, Signal introduced new user flows and in-app warnings. This work has been completed for some time and is unrelated to any current events. If you’re interested in learning more, this WIRED article from February 19th (over a month ago) goes into more detail:
https://t.co/xvVVdPDhSs
Signal is open source, so our code is regularly scrutinized in addition to regular formal audits. We also constantly monitor [email protected] for any new reports, and we act on them with quickness while also working to protect the people who rely on us from outside threats like phishing with warnings and safeguards.
This is why Signal remains the gold standard for private, secure communications.
🇬🇧 A big win for digital security in France.
The French National Assembly recently rejected a proposal disguised as an 'anti-drug legislation' which would force messaging platforms like Signal and WhatsApp to allow backdoor access to private conversations.
🇫🇷 Une grande victoire pour la sécurité numérique en France.
L'Assemblée nationale a récemment voté contre le retour de l'article 8ter de la proposition de loi "narcotrafic", qui souhaitait forcer les fournisseurs de services chiffrés, tels que Signal et WhatsApp, à introduire des portes dérobées dans leurs services. Cet article avait suscité de nombreuses inquiétudes quant à la sécurité numérique des citoyens et des entreprises françaises.