[-] TimePencil@infosec.exchange 1 points 11 hours ago

@sunzu2

"Under FISA order, signal would provide logs."

How would Signal do this? Logs of what?

Corresponding parties? Messages? They don't have them.

They'd have to rewrite their backend code to obtain them, and changes would also need to be made to the Signal client apps.

It would not matter if the FISA Court ordered that logs be produced in secret by Signal. Any such logs could not be obtained without significant changes to the way Signal works. Users would know.

Yes, Signal does have some shortcomings, but these are acceptable in most 'use cases' for most threat models.

Signal is best used as a private, E2EE alternative to SMS. Only a fool would use it for the *most sensitive* of communications. (Like, you know, discussing an impending military strike...)

We all know of the alternatives, including (but not limited to) SimpleX, Session, Briar, Element etc.

@maniacalmanicmania @9tr6gyp3 @signalapp

[-] TimePencil@infosec.exchange 1 points 12 hours ago

@sunzu2

Read the Affidavit produced here:
https://signal.org/bigbrother/santaclara/

Read Signal's complete source code here:
https://github.com/signalapp

Once you understand the code, you'll understand "what they can do" and what they cannot do.

When you've identified any flaw in the code that runs the Signal servers that would allow IP logging, let me know. I'll be glad to file the bug report on your behalf.

@maniacalmanicmania @9tr6gyp3 @signalapp

[-] TimePencil@infosec.exchange 1 points 12 hours ago

@sunzu2

Signal knows *when* a user wqs last connected, but not the IP address of that connection. The system has been specifically designed to minimise the meta data available for collection.

@maniacalmanicmania @9tr6gyp3 @signalapp

[-] TimePencil@infosec.exchange 1 points 13 hours ago

@sunzu2

To do the things you are suggesting that Signal could be forced to do, Signal would have to rewrite its entire codebase as well as the client apps.

Fortunately, Signal is open source, and such changes would be noticed.

As it stands, it doesn't matter what is demanded nor by whom as the only user data, including traffic analysis, that Signal can currently reveal is insignificant.

Signal simply cannot disclose data it itself cannot access.

Yes, decentralised services are preferable, but Signal has probably the easiest onboarding experience for the average user, especially those new to the concept of E2EE.

@maniacalmanicmania @9tr6gyp3 @signalapp

[-] TimePencil@infosec.exchange 4 points 1 day ago

@sunzu2

Nope and I was wrong.
@signalapp is only able to produce LESS information than I previously stated.

  1. The phone number (which will already be known by the relevant authority.)
  2. Last connection date.
  3. Account creation date.

That's it. Nothing else.
Signal does NOT log users' IP addresses.

See this for more information:
https://signal.org/bigbrother/santaclara/

@maniacalmanicmania @9tr6gyp3 @signalapp

[-] TimePencil@infosec.exchange 2 points 1 day ago

@9tr6gyp3

There is NO back-door to Signal.

@signalapp is blind to all communications. (Including, probably, this toot! 🤪)

Signal itself does NOT know who has messaged whom, nor when, nor how (e.g. the IP address is NOT known.)

If Signal was subpoenaed to produce my records, they could produce:

  1. My phone number. (Actually, my number is the only way Signal could 'reference' my data.)
  2. The date I joined Signal.
  3. The date I was last active on Signal.
  4. (This one is a maybe...) The existence of secondary devices that I use - such as the Desktop app.

I'm *fairly* sure that is all of it.
(Please let me know if I'm wrong.)

@sunzu2

[-] TimePencil@infosec.exchange 9 points 1 week ago* (last edited 1 week ago)

@Zagorath

Half a penny?
Where's the rest of it?

[-] TimePencil@infosec.exchange 9 points 3 weeks ago

@spiffmeister

Kangaroo populations will naturally go through "boom and bust" cycles as the amount of available feed and water varies tremendously. (Aussies often forget that this is the world's driest continent.)

Mass deaths within local kangaroo populations will always occur due to drought. That's nature, and it's a bad way to die

Having 'extra' dingos manage the 'roo population' would mean they'd suffer a similar fate, just delayed by a few months, if that.

When the 'roo population fell to low numbers, the dingos would turn on whatever is available... including, as you say, livestock.

It's a complex problem, and there are no easy answers.

However, which is worse? Letting 'roos die horrible mass deaths from inevitable droughts, or controlling their numbers via managed culls, and then tapping into that resource? Most, but not all, kangaroos that are culled will die an instant death.

In fact, for those of us who eat meat, we should avoid beef, lamb, and pork. Kangaroo is FAR more sustainable from an environmental perspective...
... even if Skippy is on our National Coat of Arms.

@Davriellelouna

[-] TimePencil@infosec.exchange 13 points 1 month ago* (last edited 1 month ago)

@ada

Methinks Zag was suggesting (possibly) that 'age verification' should be a *device* and *operating system* (& platform) feature that would be *inactive* by default.

In other words, there should be nothing for an adult (without kids) to do in order for their devices to function as they do now.

A parent would be required to activate a 'child lock' feature on a device before handing it to their kids.

Unfortunately, all governments are too chicken-shit scared to compel parents to do this small thing.

Governments *prefer* the option of compelling ALL users to provide 'age verification' (possibly Gov't issued ID) to the relevant platforms.

For the 'Liberals' this would be a natural extension of their right wing fascism.

For the Labor party, it's merely a reflection of their general incompetence.

@Zagorath

#auspol

[-] TimePencil@infosec.exchange 13 points 1 month ago

@princessnorah

No, nothing wrong.

However, due to their shape, there is the delightful possibility of the misapplication of said vegetables as a particular variety of adult toy.

(Everyone's mind went there... didn't it? Didn't it?)

@DiaDeLosMuertos

[-] TimePencil@infosec.exchange 9 points 1 month ago* (last edited 1 month ago)

@princessnorah

China does make a LOT of really low quality goods. However...
... those goods are made to the quality specified by the importer / wholesaler / buyer...
... because 'cheap' goods are often preferred over 'more expensive but higher quality' goods...
... by the people who buy them.

Which is probably what happened in this case!

I *think* that most Ming dynasty vases are still 'under warranty'!

@DiaDeLosMuertos

[-] TimePencil@infosec.exchange 18 points 4 months ago

@quokka

Yeah.
It's a toss-up between NOT printing it out so as to not waste paper...
... or printing it out so one can wipe one's arse with it.

@MHLoppy

view more: next ›

TimePencil

joined 8 months ago