Feedback & Followups
- Thankfully, Microsoft has not learned the wrong lesson from its recent over-zealous response to possible malware in the VS Code Marketplace, and is still removing extensions that are genuinely malicious: VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware — thehackernews.com/…
- Attackers continue to focus their attention on GitHub as a way to reach developers; given how many NosillaCastaways use GitHub, we need to remain vigilant:
- Note that GitHub does not use the Issues system to notify repo owners about security issues (genuine alerts arrive via Dependabot and the repository's Security tab), so treat any such issue as phishing, and be very wary of granting an OAuth app permissions on your GitHub account; it is worth reviewing, and revoking, what is already authorised under Settings > Applications: Fake “Security Alert” issues on GitHub use OAuth app to hijack accounts — www.bleepingcomputer.com/…
- Whenever possible, stick to GitHub Actions published by GitHub themselves and minimise your use of third-party actions; for any you do use, pin the action to a full commit SHA rather than a mutable tag, so that a later change to the tag cannot silently pull malicious code into your pipeline: Supply chain attack on popular GitHub Action exposes CI/CD secrets — www.bleepingcomputer.com/…
- Brian Krebs continues to do sterling work documenting the ways in which the DOGE chaos is endangering America’s cybersecurity: DOGE to Fired CISA Staff: Email Us Your Personal Data — krebsonsecurity.com/…
- Citizen Lab is continuing its excellent work exposing how governments use commercial spyware to attack civil liberties: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data — thehackernews.com/… (Australia, Canada, Cyprus, Denmark, Israel, and Singapore)
Deep Dive — Is Signal ‘Safe’?
TL;DR: for personal use, and for authorised corporate use in compliance with corporate policy, YES!
This is not a foreign affairs or politics podcast, so the details of exactly why senior US officials were discussing military strikes over Signal are not our concern, but it is a big news story, and the President of the United States did (wrongly) call Signal’s security into question.
For our purposes, these are the pertinent facts:
- Senior US government officials were chatting about planned military strikes on Signal, including precise details about timing, targeting, and specific military assets.
- Somehow, someone, apparently without intending to, added a journalist to the chat.
- There are US laws and regulations covering the dissemination of this kind of sensitive military information, and these communications were not compliant.
To understand why it can be simultaneously true that this kind of use of Signal is not safe, while both our personal use of Signal and authorised, compliant use of Signal within organisations are safe, it is important to understand what end-to-end encryption does and does not do, and what makes a public service like Signal different from a private government or corporate communications system.
Signal uses an open and independently audited protocol (the Signal Protocol, built on the X3DH key agreement and the Double Ratchet) on top of open and independently audited cryptographic primitives to securely and transparently do the following:
- Distribute the public keys belonging to the participants in a conversation, and let participants verify those keys out of band by comparing safety numbers
- Encrypt every message between the devices of all participants so that at no point between leaving one device and arriving at another can anyone, Signal’s own servers included, decrypt it
The key point to notice is what Signal does not do: Signal doesn’t and can’t secure the messages once they are on a user’s device. If a recipient’s phone is compromised, or simply unlocked in the wrong hands, the attacker can read the messages on that device exactly as the user can, and the encryption in transit does nothing to stop that.
Another key point to notice is that while Signal doesn’t allow anyone to be secretly added to a conversation (every addition is shown to all members in the chat), anyone can use Signal, and anyone can be inadvertently added to any conversation. If the participants don’t check the participant list, or don’t notice someone on it, that’s not a technological issue, that’s a squishy-organic-bit issue.
The reason governments and some corporations issue users with managed, hardened devices is to protect data at rest on the device. The reason governments and some organisations choose to run their own private secure messaging systems is to ensure no outsider can possibly be added to a conversation, because only organisation-issued identities exist in the directory. In these kinds of closed systems humans can still make mistakes, but the scope for error is constrained, and the organisation will have the audit trail it needs to reliably determine the scope of any leak.
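To make those two boundaries concrete, here is an added example written for these notes (it is not Signal’s code, and it stands in for the Signal Protocol with plain X25519 key agreement, a labelled SHA-256 hash and AES-256-GCM from Go’s standard library; the device names alice, bob, journalist and eve, and the message text, are constructed). It shows that the relay in the middle only ever holds ciphertext, that a device which is not on the participant list cannot read anything, and that a device which was added to the list, whether intended or not, reads everything, because the sender encrypted a copy to its key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Device models one participant's phone. Its private key never leaves it, which is exactly why a compromised phone can read everything the app can.
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing OS CSPRNG is not something to recover from
	}
	return &Device{Name: name, priv: priv}
}

// PublicKey is the only key material the directory server ever holds.
func (d *Device) PublicKey() *ecdh.PublicKey { return d.priv.PublicKey() }

// session turns the X25519 shared secret into an AES-256-GCM key; a labelled hash stands in for Signal's X3DH + Double Ratchet derivation (illustration only).
func (d *Device) session(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("e2e-demo-v1|"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is all the relay ever stores and forwards: routing metadata plus ciphertext.
type Envelope struct {
	From, To          string
	Nonce, Ciphertext []byte
}

// Seal encrypts one message to exactly one recipient's key; sender and recipient names are bound in as associated data so an envelope cannot be re-addressed.
func (d *Device) Seal(to string, peer *ecdh.PublicKey, plaintext string) (Envelope, error) {
	aead, err := d.session(peer)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(d.Name+"->"+to))
	return Envelope{From: d.Name, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Open succeeds only on the device holding the private key the envelope was sealed to.
func (d *Device) Open(env Envelope, sender *ecdh.PublicKey) (string, error) {
	aead, err := d.session(sender)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+env.To))
	return string(pt), err
}

// Outcome records who could read the constructed message in Scenario.
type Outcome struct{ Intended, AddedByMistake, Outsider, RelaySeesPlaintext bool }

// Scenario: alice sends to a participant list that a journalist was added to by mistake, while eve, who has her own keys but is not on the list, watches the relay.
func Scenario() (Outcome, error) {
	const msg = "constructed sample text, not a real message"
	alice, bob, journo, eve := NewDevice("alice"), NewDevice("bob"), NewDevice("journalist"), NewDevice("eve")
	participants := map[string]*ecdh.PublicKey{bob.Name: bob.PublicKey(), journo.Name: journo.PublicKey()}
	relay := map[string]Envelope{} // the server's entire view of the conversation
	for name, pub := range participants { // one sealed copy per listed participant
		env, err := alice.Seal(name, pub, msg)
		if err != nil {
			return Outcome{}, err
		}
		relay[name] = env
	}
	reads := func(d *Device, e Envelope) bool { // can this device decrypt this envelope?
		pt, err := d.Open(e, alice.PublicKey())
		return err == nil && pt == msg
	}
	o := Outcome{Intended: reads(bob, relay[bob.Name]), AddedByMistake: reads(journo, relay[journo.Name]),
		Outsider: reads(eve, relay[bob.Name])} // eve holds the wrong private key, so the GCM tag check fails
	for _, e := range relay {
		o.RelaySeesPlaintext = o.RelaySeesPlaintext || bytes.Contains(e.Ciphertext, []byte(msg))
	}
	return o, nil
}
```

Calling Scenario() yields Intended and AddedByMistake true, Outsider and RelaySeesPlaintext false. Nothing in the code distinguishes bob from the journalist; the only thing that made the journalist a reader was a name in the participant map, which is the squishy-organic-bit problem in miniature. Equally, anyone who copied bob's private key off his phone could call Open just as bob does, which is the data-at-rest problem that managed devices exist to address.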
This is why governments and organisations have rules about what types of information can be shared in which apps on which devices. For US military secrets that absolutely does not include Signal on any device, and especially not Signal on personal devices!
For your own personal use Signal is about as secure as messaging services get, and if you work for an organisation that allows for the use of Signal in specific ways from specific types of devices for specific kinds of information, and if you follow those rules, you’re golden!
The question in this latest Trump Administration scandal is not whether or not Signal is safe, but whether the officials’ use of Signal in this specific way was both safe and legal, and as best I can tell from the available facts, the answer to both is a resounding ’No!’
But equally, is Signal a good choice for NosillaCastaways to stay in touch with friends and family? Heck yes! It’s my preferred secure messenger by far, and I highly recommend it. So much so that I’m a donor!
Action Alerts
- All the major Windows browsers have received related patches for a sandbox-escape technique observed being exploited in the wild by sophisticated attackers (probably nation-states):
- Mozilla warns Windows users of critical Firefox sandbox escape flaw — www.bleepingcomputer.com/…
- Google Chrome patches zero-day used to spread “sophisticated malware” — www.intego.com/… (Related patches for the other Chromium browsers too)
- Ubuntu Linux users take note: three bypasses of Ubuntu’s restrictions on unprivileged user namespaces have been disclosed, and while there are no patches, Canonical has released an advisory with recommended configuration changes to harden systems against this class of bypass — www.bleepingcomputer.com/…
Worthy Warnings
- After suffering a very nasty data breach last year, 23andMe has now filed for Chapter 11 bankruptcy protection in the US and has informed the relevant court that it is seeking to sell to an “independent bidder” — www.bleepingcomputer.com/…
- The company insists that nothing will change in terms of data protection
- California’s Attorney General has issued a consumer alert recommending users delete their data
- Note that this is an area where US and EU law could not differ more: under EU law you always retain rights over data about you, so a change of ownership has no effect on your data protections, but under US law the company that holds the data owns it, so no promise made by 23andMe carries any legal weight after a sale. Unless you trust them completely to sell only to a fully trustworthy new owner, you should delete your data.
- Related: an excellent discussion of why, and more importantly how, to remove your data: Checklist 417 – 23andMe Goes Bankrupt and a Crash Course in Signal — overcast.fm/…
- Americans may want to be aware that there is a confirmed breach at Oracle Health, specifically in data from the legacy systems of Cerner, the electronic health records vendor Oracle acquired a few years ago and merged into its Oracle Health branded suite of offerings to healthcare providers such as hospitals — www.bleepingcomputer.com/…
- Oracle is being noticeably and disappointingly evasive about this breach, and is making it needlessly difficult for patients to discover whether or not they are affected
- The best thing to do if you’re concerned appears to be to contact your hospital or clinic and ask whether they use Cerner, hardly a good solution
- Editorial by Bart: this is a real ding on Oracle’s reputation in my eyes, I consider their evasiveness here nothing short of scandalous
Notable News
- The European Commission is continuing to enforce regulations on US tech giants — arstechnica.com/…
- Apple has been ordered to make a list of specific changes to how it supports third-party hardware integrations with iPhones in order to be considered in compliance with the Digital Markets Act
- A preliminary finding has been issued against Google for self-preferencing in Google Search (this is like an indictment under US law, a formal accusation of guilt with associated evidence, and the accused now gets the right to respond to the formal accusation)
- New Utah law forces big tech to add age verification, Apple is already prepared — appleinsider.com/…
- Opinion from Bart: this approach of entrusting just our chosen platform with this kind of sensitive data is a lot better for privacy than making each site gather and store the data separately. You should never use a phone on an ecosystem you don’t trust, since our phones have so much sensitive data on them, so this shouldn’t change who we choose to entrust with our data.
- A timely reminder of why it’s important to stay patched: Apple Passwords was open to targeted phishing attacks, before patch — appleinsider.com/…
- Thanks to responsible disclosure Apple were able to patch before the details were published
- Given the way the vulnerability worked, it’s extremely unlikely any NosillaCastaway who stays patched has anything to worry about
- A timely reminder that it can happen to anyone: A Sneaky Phish Just Grabbed my Mailchimp Mailing List — www.troyhunt.com/…
- Key Takeaway 1: you’re extra vulnerable when you’re tired and/or rushing, so try to be aware of that and keep your proverbial shields up
- Key Takeaway 2: the value of experience and of staying informed is that you’ll realise what you’ve done within seconds rather than hours or days, so you have the power to limit the damage
Palate Cleansers
- An excellent new four-part mini-series on AI from the Future Perfect Podcast: Good Robot 1: The Magic Intelligence in the Sky — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

| Emoji | Meaning |
|---|---|
|  | A link to audio content, probably a podcast. |
|  | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
|  | A link to graphical content, probably a chart, graph, or diagram. |
|  | A story that has been over-hyped in the media, or, “no need to light your hair on fire”. |
|  | A link to an article behind a paywall. |
|  | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
|  | A tip of the hat to thank a member of the community for bringing the story to our attention. |
|  | A link to video content. |