Skip to content
  • Hjem
  • Seneste
  • Etiketter
  • Populære
  • Verden
  • Bruger
  • Grupper
Temaer
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Kollaps
FARVEL BIG TECH
  1. Forside
  2. Ikke-kategoriseret
  3. This is a good thread.

This is a good thread.

Planlagt Fastgjort Låst Flyttet Ikke-kategoriseret
13 Indlæg 5 Posters 0 Visninger
  • Ældste til nyeste
  • Nyeste til ældste
  • Most Votes
Svar
  • Svar som emne
Login for at svare
Denne tråd er blevet slettet. Kun brugere med emne behandlings privilegier kan se den.
  • xgranade@wandering.shopX This user is from outside of this forum
    xgranade@wandering.shopX This user is from outside of this forum
    xgranade@wandering.shop
    wrote on sidst redigeret af
    #1

    RE: https://mastodon.world/@signalapp/116478659183004819

    This is a good thread. I like how carefully they take responsibility for where they could have done better, and at the same time very clearly state what isn't a problem with Signal.

    xgranade@wandering.shopX 1 Reply Last reply
    0
    • xgranade@wandering.shopX xgranade@wandering.shop

      RE: https://mastodon.world/@signalapp/116478659183004819

      This is a good thread. I like how carefully they take responsibility for where they could have done better, and at the same time very clearly state what isn't a problem with Signal.

      xgranade@wandering.shopX This user is from outside of this forum
      xgranade@wandering.shopX This user is from outside of this forum
      xgranade@wandering.shop
      wrote on sidst redigeret af
      #2

      Like, it's both very true that a phishing attack against Signal users isn't a vulnerability with Signal, and that given the high value of Signal accounts, they can and should do more to proactively resist phishing attacks. They don't let either one of those truths overshadow the other, and good on 'em.

      pelle@veganism.socialP 1 Reply Last reply
      0
      • xgranade@wandering.shopX xgranade@wandering.shop

        Like, it's both very true that a phishing attack against Signal users isn't a vulnerability with Signal, and that given the high value of Signal accounts, they can and should do more to proactively resist phishing attacks. They don't let either one of those truths overshadow the other, and good on 'em.

        pelle@veganism.socialP This user is from outside of this forum
        pelle@veganism.socialP This user is from outside of this forum
        pelle@veganism.social
        wrote on sidst redigeret af
        #3

        @xgranade
        it kinda is an issue with #signal tho.

        they've been training users to fall for re-register #scams by constantly prompting users to re-enter your #PIN (and the PIN is only necessary because phone numbers are used for sign-up).

        #signal are good at #victimblaming whenever there's a security incident.

        david_chisnall@infosec.exchangeD 1 Reply Last reply
        0
        • pelle@veganism.socialP pelle@veganism.social

          @xgranade
          it kinda is an issue with #signal tho.

          they've been training users to fall for re-register #scams by constantly prompting users to re-enter your #PIN (and the PIN is only necessary because phone numbers are used for sign-up).

          #signal are good at #victimblaming whenever there's a security incident.

          david_chisnall@infosec.exchangeD This user is from outside of this forum
          david_chisnall@infosec.exchangeD This user is from outside of this forum
          david_chisnall@infosec.exchange
          wrote on sidst redigeret af
          #4

          @pelle @xgranade

          they've been training users to fall for re-register #scams by constantly prompting users to re-enter your #PIN (and the PIN is only necessary because phone numbers are used for sign-up).

          No, the PIN is required to reacquire the account if you lose all connected devices. If they used any other unique identifier as the account handle, the PINs would still be required.

          pelle@veganism.socialP 1 Reply Last reply
          0
          • david_chisnall@infosec.exchangeD david_chisnall@infosec.exchange

            @pelle @xgranade

            they've been training users to fall for re-register #scams by constantly prompting users to re-enter your #PIN (and the PIN is only necessary because phone numbers are used for sign-up).

            No, the PIN is required to reacquire the account if you lose all connected devices. If they used any other unique identifier as the account handle, the PINs would still be required.

            pelle@veganism.socialP This user is from outside of this forum
            pelle@veganism.socialP This user is from outside of this forum
            pelle@veganism.social
            wrote on sidst redigeret af
            #5

            @david_chisnall @xgranade
            yes, exactly: #PIN is needed to reaqcuire your account — using your #phonenumber! — because without PIN, #signal account data would be vulnerable to #SIMswapattack, right?

            david_chisnall@infosec.exchangeD 1 Reply Last reply
            0
            • pelle@veganism.socialP pelle@veganism.social

              @david_chisnall @xgranade
              yes, exactly: #PIN is needed to reaqcuire your account — using your #phonenumber! — because without PIN, #signal account data would be vulnerable to #SIMswapattack, right?

              david_chisnall@infosec.exchangeD This user is from outside of this forum
              david_chisnall@infosec.exchangeD This user is from outside of this forum
              david_chisnall@infosec.exchange
              wrote on sidst redigeret af
              #6

              @pelle @xgranade

              Without the phone number, you'd still need a mechanism for authenticating new devices, which would be a password or a PIN. With the phone number, the first step is there for you and the PIN is defence in depth, without it you still have the same problem.

              pelle@veganism.socialP 1 Reply Last reply
              0
              • david_chisnall@infosec.exchangeD david_chisnall@infosec.exchange

                @pelle @xgranade

                Without the phone number, you'd still need a mechanism for authenticating new devices, which would be a password or a PIN. With the phone number, the first step is there for you and the PIN is defence in depth, without it you still have the same problem.

                pelle@veganism.socialP This user is from outside of this forum
                pelle@veganism.socialP This user is from outside of this forum
                pelle@veganism.social
                wrote on sidst redigeret af
                #7

                @david_chisnall @xgranade
                whatever #signal's reasons are for badgering users for a #PIN, it's clearly a design choice they made, because other secure messengers don't do this.

                and clearly this design choice has some harmful consequences, which i don't think it's fair of them to just #victimblame away.

                david_chisnall@infosec.exchangeD 1 Reply Last reply
                0
                • pelle@veganism.socialP pelle@veganism.social

                  @david_chisnall @xgranade
                  whatever #signal's reasons are for badgering users for a #PIN, it's clearly a design choice they made, because other secure messengers don't do this.

                  and clearly this design choice has some harmful consequences, which i don't think it's fair of them to just #victimblame away.

                  david_chisnall@infosec.exchangeD This user is from outside of this forum
                  david_chisnall@infosec.exchangeD This user is from outside of this forum
                  david_chisnall@infosec.exchange
                  wrote on sidst redigeret af
                  #8

                  @pelle @xgranade

                  whatever #signal's reasons are for badgering users for a #PIN, it's clearly a design choice they made, because other secure messengers don't do this.

                  The choice is either:

                  • Periodically ask people to enter their PIN, or
                  • Deal with people complaining that they forgot their PIN and are locked out (or, ideally not possible):
                  • Provide an insecure way of recovering an account after you are locked out.

                  The PIN entry UI looks nothing like an incoming message.

                  pelle@veganism.socialP 2 Replies Last reply
                  0
                  • david_chisnall@infosec.exchangeD david_chisnall@infosec.exchange

                    @pelle @xgranade

                    whatever #signal's reasons are for badgering users for a #PIN, it's clearly a design choice they made, because other secure messengers don't do this.

                    The choice is either:

                    • Periodically ask people to enter their PIN, or
                    • Deal with people complaining that they forgot their PIN and are locked out (or, ideally not possible):
                    • Provide an insecure way of recovering an account after you are locked out.

                    The PIN entry UI looks nothing like an incoming message.

                    pelle@veganism.socialP This user is from outside of this forum
                    pelle@veganism.socialP This user is from outside of this forum
                    pelle@veganism.social
                    wrote on sidst redigeret af
                    #9

                    @david_chisnall @xgranade
                    yea, i guess it's a trade-off, but repeated nagging pop-ups asking for your PIN unrelated to any user action within the app is perhaps not the best way of to teach users to never give out the PIN.

                    avitus@ioc.exchangeA 1 Reply Last reply
                    0
                    • pelle@veganism.socialP pelle@veganism.social

                      @david_chisnall @xgranade
                      yea, i guess it's a trade-off, but repeated nagging pop-ups asking for your PIN unrelated to any user action within the app is perhaps not the best way of to teach users to never give out the PIN.

                      avitus@ioc.exchangeA This user is from outside of this forum
                      avitus@ioc.exchangeA This user is from outside of this forum
                      avitus@ioc.exchange
                      wrote on sidst redigeret af
                      #10

                      @pelle @david_chisnall @xgranade The prompt appears less over time. I get it once per month.

                      1 Reply Last reply
                      0
                      • david_chisnall@infosec.exchangeD david_chisnall@infosec.exchange

                        @pelle @xgranade

                        whatever #signal's reasons are for badgering users for a #PIN, it's clearly a design choice they made, because other secure messengers don't do this.

                        The choice is either:

                        • Periodically ask people to enter their PIN, or
                        • Deal with people complaining that they forgot their PIN and are locked out (or, ideally not possible):
                        • Provide an insecure way of recovering an account after you are locked out.

                        The PIN entry UI looks nothing like an incoming message.

                        pelle@veganism.socialP This user is from outside of this forum
                        pelle@veganism.socialP This user is from outside of this forum
                        pelle@veganism.social
                        wrote sidst redigeret af
                        #11

                        @david_chisnall @xgranade
                        #signal has now decided to use official release notifications that look almost indistiguishable from a regular chat, just to train users even harder to fall for phishing attacks. 😑

                        david_chisnall@infosec.exchangeD rzeta0@mathstodon.xyzR 2 Replies Last reply
                        0
                        • pelle@veganism.socialP pelle@veganism.social

                          @david_chisnall @xgranade
                          #signal has now decided to use official release notifications that look almost indistiguishable from a regular chat, just to train users even harder to fall for phishing attacks. 😑

                          david_chisnall@infosec.exchangeD This user is from outside of this forum
                          david_chisnall@infosec.exchangeD This user is from outside of this forum
                          david_chisnall@infosec.exchange
                          wrote sidst redigeret af
                          #12

                          @pelle @xgranade

                          Signal has a weird blind spot for security usability. A year or so ago I wrote down a list of half a dozen simple things they could do to improve it. And none of these were particularly difficult things but they’ve never been a priority.

                          1 Reply Last reply
                          0
                          • pelle@veganism.socialP pelle@veganism.social

                            @david_chisnall @xgranade
                            #signal has now decided to use official release notifications that look almost indistiguishable from a regular chat, just to train users even harder to fall for phishing attacks. 😑

                            rzeta0@mathstodon.xyzR This user is from outside of this forum
                            rzeta0@mathstodon.xyzR This user is from outside of this forum
                            rzeta0@mathstodon.xyz
                            wrote sidst redigeret af
                            #13

                            @pelle @david_chisnall @xgranade

                            i'm genuinely surprised that an organisation (signal) that is normally so alert and aware of such issues is making this error

                            is it a case of an overly powerful product owner pushing this past dissenting voices?

                            if so then the president/ceo of @signalapp needs to hear from us

                            1 Reply Last reply
                            0
                            Svar
                            • Svar som emne
                            Login for at svare
                            • Ældste til nyeste
                            • Nyeste til ældste
                            • Most Votes


                            • Log ind

                            • Har du ikke en konto? Tilmeld

                            • Login or register to search.
                            Powered by NodeBB Contributors
                            Graciously hosted by data.coop
                            • First post
                              Last post
                            0
                            • Hjem
                            • Seneste
                            • Etiketter
                            • Populære
                            • Verden
                            • Bruger
                            • Grupper