@return2ozma @technology
10 years ago, the Feds wanted backdoors to all of our phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don't want competition.
The backdoors they use are there for freedom and justice, the backdoors the "others" use are tools of evil and security risks!
"They're the same picture"
Why do you hate America’s children?
For real, I bet this guy didn't back the "Definitely Don't Maybe Not Almost Probably Save The Children ACT."
in other news grass is green
Didn't this happen quite a while ago? I don't see anything new in this article.
The novelty is the fact that it's ongoing. They haven't mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.
Lovely
Thank god, give me my HMAC hash please.
Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.
Oh man it sure would be nice if the feds had the power to regulate something like this /s
They did. That's the reason for this hack: they wanted Lawful Interception, and they got their backdoor. It's what professionals and privacy advocates said all along: if it exists, it will be abused.
I wish Signal would stop using it. I know you can set a Signal PIN, but a lot of the non-techy friends I speak to on Signal probably wouldn't think to, or look through the settings (not that you need to be "techy" to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN, so their account can't just be stolen by anyone with their SIM card.
I thought they abandoned SMS a couple of years ago?
They abandoned letting you use the Signal app to send and receive SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.
I coulda told you that for free. And sooner
Authentication for my work email: Enter 28 character password, receive sms, enter message, log in
Authentication for my Battle.net account:
- Enter email made before 2000 because they don't let you change email
- Enter password
- Get rejected
- Solve CAPTCHA
- Try backup passwords, get rejected
- Request new password
- Send request to 24-year-old email
- Try to log on to 24-year-old email; email is suspicious and sends authentication request to my newer email
- Open newer email, authenticate older email
- Open old email, put in code to Battle.net
- Battle.net requests authenticator code from Battle.net app
- Open Battle.net app (no requests)
- Try manual code, doesn't work
- Realize Battle.net app authenticator not connected
- Try to connect Battle.net app authenticator to account
- Realize you cannot connect authenticator without signing in AND signing in requires authenticator
- Close Battle.net app
- Open Blizzard Authenticator
- Close warning that this app got deprecated in January
- Enter manual code
- It works
- Attempt to change password to password I first attempted
- Won't let me use same password
- Try logging in using that password
- Still doesn't work; solve one more CAPTCHA
- Change password to backup password and back to original password; have to solve 2 more CAPTCHAs
- Finally works
- Log in
So many services still don't even offer 2FA at all. Any service that stores payment information and PII without any 2FA options, let alone a secure one, is at this point a disgrace.
NIST has been saying since 2016 not to use SMS for MFA. It's always been horribly insecure.
I've been slowly hearing about this over the last week or so, and I couldn't tell if it was real news or just over-exaggerated.
And everyone has been on and on about iPhone to Android RCS, but no word on if anything is being done to fix the vulnerability.
What vulnerability? I thought RCS was encrypted in transit.
RCS doesn't really do a whole lot of anything. It's a step up from SMS/MMS, but not by much.
All the features people think they mean when they're talking about RCS are proprietary Google extensions that only work if you go through Google's servers. They're basically exactly the same as Apple putting iMessage on top; Apple just brags about it while Google tries to trick you into thinking incompatibility is someone else's fault for not giving them control.
Since when was SMS ever secure? My understanding is that messages are sent in the clear, meaning your carrier and the recipient's carrier both have the opportunity to intercept messages.
I mean, that's the message content, not the authentication, but still, SMS is the opposite of secure, and always has been.
I hate forced 2FA that you can't disable anyway. I don't want to waste time waiting for an insecure text, I don't want to input an unencrypted code you sent to my email, I don't want to click your damn notification that runs through Play Services, and no I'm not enrolling in passwordless auth. I don't need to be babied into securing my accounts. Any account I do actively and willingly secure is already using TOTP. Let me put in my username and password, then kindly fuck off.
Yeah. So you, myself, and some others are the exception to the rule. But you can't look at it that way, because it's a 'lowest common denominator' problem. The least secure of us is how secure we all are. Others need to be hand-held.
It's definitely time to raise all boats and drop SMS 2fa like a hot rock.
The most natural authentication mechanism for humans is a key: that thing you carry with you. A physical key containing, well, the actual secret (which shouldn't be retrievable, and should be used for decrypting the access request and signing the response) that, maybe combined with your password (another authentication mechanism natural for humans) or maybe, yes, TOTP, gives you access.
Like those "security keys" Imperial officers in Jedi Outcast carry with them. Maybe a bad example.
Phone numbers are used as identifiers because governments like it, nerds don't like it, and normies explicitly like what nerds don't like and also want everything to be insecure; they call it "having nothing to hide".
Also "normal and social" people have that idea that their social prowess is more elegant, smarter at ensuring their security than those dumb and boring nerd technical solutions. So them always choosing things logically opposite of sane, like social media instead of forums, and phone numbers instead of any other identifier, is literally a matter of principle. It's really not that hard to use something else. They do the stupidest possible thing technically to prove a point that you only have to do the smart thing socially. I mean, in Galileo Galilei's case the other side of the disagreement is generally considered right, but that's not an argument effective in society.
I should admit that I've been doing the opposite: the stupidest possible thing socially to prove a point that only technical sense matters, which is why nobody would send me encrypted mail except Facebook with its notifications, and nobody would write me in Tox, and nobody would even contact me via XMPP. Which is why I'm now using TG, VK, FB, WA and Signal for communication; of these Signal is secure, and WA is kinda better than the rest of them.
"...is already using TOTP."
A lot of things are moving to phishing-resistant technologies like FIDO2/WebAuthn or passkeys. All my important accounts, like my password manager, are secured using YubiKeys (one that I keep with me and one as a backup in a secure place).
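What makes FIDO2/WebAuthn (and the "physical key that signs the response" described a few posts up) phishing-resistant, as an added example that is not code from this thread, from Signal, from Yubico or from any WebAuthn library: the authenticator does not hand over a code that can be typed into any page; it signs a server challenge together with the origin the browser says it is on, so a relayed login fails verification. This is a deliberately simplified Go model with assumed names (example.com, evil.example), ECDSA P-256 standing in for the credential key, and the authenticator-data half of a real WebAuthn assertion omitted; the server-side checks mirror the real ones (single-use challenge, origin match, signature over the client data hash).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// clientData is assembled by the browser, not by the page's JavaScript, so a
// phishing page cannot choose the origin the authenticator signs over.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party gets back (real WebAuthn also signs authenticator data; omitted here).
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// authenticator models the security key: the private key never leaves it.
type authenticator struct{ priv *ecdsa.PrivateKey }

func (a *authenticator) sign(cd clientData) (assertion, error) {
	cdj, err := json.Marshal(cd)
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256(cdj)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return assertion{ClientDataJSON: cdj, Signature: sig}, err
}

// relyingParty is the server: it holds the public key registered for the
// user and the set of outstanding single-use challenges.
type relyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read is documented not to fail on supported platforms
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c
}

func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already used challenge")
	}
	delete(rp.pending, cd.Challenge) // single use, so a captured assertion cannot be replayed
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %s", cd.Origin)
	}
	h := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.pub, h[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario returns the verification result of three logins against one relying party:
// a genuine login, a relayed (phished) login the victim signed on an attacker-controlled
// origin, and a replay of the genuine assertion. Names are hypothetical.
func Scenario() (genuine, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	key := &authenticator{priv: priv}
	rp := &relyingParty{origin: "https://example.com", pub: &priv.PublicKey, pending: map[string]bool{}}
	c1 := rp.newChallenge() // 1. the browser really is on https://example.com
	a1, _ := key.sign(clientData{Challenge: c1, Origin: rp.origin})
	genuine = rp.verify(a1)
	c2 := rp.newChallenge() // 2. attacker fetches a real challenge and shows it on a fake page
	a2, _ := key.sign(clientData{Challenge: c2, Origin: "https://evil.example"})
	phished = rp.verify(a2) // valid signature, wrong origin: rejected
	replayed = rp.verify(a1) // 3. the challenge from step 1 was already consumed
	return
}

func main() {
	g, p, r := Scenario()
	fmt.Println("genuine:", g, "| phished:", p, "| replayed:", r)
}
```

The contrast with SMS or TOTP is the second login: a six-digit code carries no origin, so the same relay (fake page collects the code, attacker submits it to the real site within the validity window) succeeds. In a real browser the credential is additionally scoped to an rpId, so it would not even be offered on evil.example; the server-side origin check above is the defence in depth behind that.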