
Security Bits – 8 December 2024

Feedback & Followups

  • 🇨🇳 More details continue to emerge of just how deeply the Chinese government infiltrated the West’s telecommunications networks – it’s not just a few US carriers, it’s carriers in “dozens of countries”, and even the US government isn’t sure they know how bad it is yet – www.bleepingcomputer.com/…

    “We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. We’re still trying to understand that, along with those partners” – US CISA Official

Deep Dive – The FBI’s Encryption Advice, No U-Turn, but Great Advice

In response to the news that the Chinese government appears to have completely compromised the traditional telecommunications industry powering our fixed and mobile phone networks, the FBI have advised people to use encryption. Some see this as some kind of U-turn, but if you look a little more closely, I really don’t think it is. For the most part, it’s good advice though, so let’s examine what they said, and how best to follow their advice.

The advice came on a call with the press, so the quotations below are based on NBC News’ reporting on that call (the emphasis added in bold is mine):

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible [to intercept]”
…
“People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant [multi-factor authentication for email, social media and collaboration tool accounts]”

Before explaining why I emphasised those two phrases, let’s remind ourselves that there are two distinct classes of data encryption, and the FBI’s feelings on them differ greatly.

The type of encryption the FBI have been in favour of for many years now is encryption in motion, with the state-of-the-art here being end-to-end encryption (E2EE). When you send data from one device to another, it’s in motion, and with E2EE the data gets encrypted on the sending device and remains encrypted all the way across the internet until it arrives at the receiving device, which then decrypts it. This is what we get when we browse the web with HTTPS, when we upload files over secure FTP, and when we use end-to-end encrypted messaging services. This protects the data from being eavesdropped on as it makes its way through the absolute wild west that is the internet.
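To make “encrypted on the sending device, opaque all the way across, decrypted on the receiving device” concrete, here is a small added Go example. It is mine, not the author’s and not any real messenger’s code: it assumes an X25519 key agreement and AES-256-GCM, hashes the shared secret in place of a proper KDF, and models the carrier as a relay that sees and can alter every byte but never holds a key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (one phone) holding an X25519 key pair. Constructed for this
// example; real messengers add ratcheting, peer-key verification and a proper KDF.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// aead turns the ECDH shared secret into an AES-256-GCM cipher. Hashing the raw
// secret stands in for HKDF to keep the example short.
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the sending device. Output layout: nonce || ciphertext || tag.
func (p *Party) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	aead, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts on the receiving device; it fails if any bit changed in transit.
func (p *Party) Open(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	aead, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(msg) >= n {
		return aead.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("message too short")
}

// Relay models everything between the two devices (carrier, server, backbone).
// It can log and alter what passes through, but it never holds a key.
type Relay struct{ Log [][]byte }

func (r *Relay) Forward(msg []byte) []byte {
	c := append([]byte(nil), msg...)
	r.Log = append(r.Log, c)
	return c
}

// Leaked reports whether the plaintext is visible anywhere in the relay's log.
func (r *Relay) Leaked(plaintext []byte) bool {
	return bytes.Contains(bytes.Join(r.Log, nil), plaintext)
}

// Tamper flips one bit, as a relay trying to alter a message in flight might.
func Tamper(msg []byte) []byte {
	c := append([]byte(nil), msg...)
	c[len(c)-1] ^= 0x01
	return c
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	relay := &Relay{}
	ct, _ := alice.Seal(bob.Public(), []byte("meet at noon")) // constructed sample message
	pt, err := bob.Open(alice.Public(), relay.Forward(ct))
	fmt.Printf("relay leaked plaintext: %v; Bob read %q (err=%v)\n", relay.Leaked([]byte("meet at noon")), pt, err)
	_, err = bob.Open(alice.Public(), Tamper(ct))
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Run it and the relay’s log holds only a nonce and ciphertext, Bob recovers the text, and the bit-flipped copy fails authentication instead of decrypting to garbage. Replace the relay with a compromised carrier and nothing changes, which is the whole point of encryption in motion.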

The other type of encryption, the one the FBI has a much more nuanced opinion of, is encryption at rest, in other words, full disk encryption on our devices. This is where the strange phrase responsibly managed is hiding a lot. It’s some masterful lawyer speak actually. To avoid actually contradicting themselves, while not distracting from their core message, they were sure to add in that seemingly clumsy but unimportant phrasing. What do they mean by responsibly managed? They mean a back door for the good guys!

If you think the FBI has changed what it’s advocating since the last time it tried to sue Apple for a back door into phones, I’m sorry to say you are mistaken. The FBI gave up on wire-tapping the internet years ago when HTTPS took off and it all “went dark”, as they put it. Removing encryption in motion would leave every American open to attack by every bad actor in the world, so advocating against it is not only pointless, it’s counter-productive! The answer to the going dark problem is to shift from trying to tap the data as it flows past to accessing it before or after it travels, i.e. when the data is at rest. What the FBI continue to campaign against is true full disk encryption: they want Apple and Google to be forced to add a back door, effectively destroying our device security!

OK, so the FBI have not contradicted themselves, have not changed their stance, and this is not really news. So is the statement pointless? Nope! The advice they give is really good, so follow it!

The Good Advice You Should Heed

1. Use Phishing-Resistant MFA for Everything Important

I’ve said for years that your email is your digital crown jewels, because it’s still the key to account recovery, which means it’s a back door into just about everything you do online.

The FBI are advising you to think a little bit bigger, and to expand what you consider your crown jewels to include email, social media & collaboration tools. Email and social media are obvious, email because it is the back door into everything, and social media because it is your reputation that’s at stake, but what about these collaboration tools? That’s fancy speak for email, contacts, calendar, and Slack/Teams. Obviously vitally important with your work hat on, but I doubt I’m alone in relying on these same tools to run my household!

Next up, what do they mean by phishing resistant? They mean a type of MFA that doesn’t rely on a human checking the URL in the address bar before entering their details. That means FIDO tokens. In the day-to-day lives of FBI agents, those are probably hardware FIDO tokens, but for us regular folk, that means Passkeys! I can tell you from direct experience that Phishing-as-a-Service crimeware offerings that use Adversary-in-the-Middle (AiTM, formerly Man-in-the-Middle or MiTM) attacks to bypass MFA are now ubiquitous, and very effective 🙁
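The reason a passkey survives an AiTM relay while a one-time code does not is that the browser, not the web page, records which origin the user is really on, and the genuine site refuses any assertion made somewhere else. The following added Go example (mine, not the author’s, and not a WebAuthn library) models that check with a P-256 key; the rpID “example.com”, the “accounts.example.com” origin and the “.invalid” look-alike host are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData mirrors the part of WebAuthn's clientDataJSON that matters here. The
// browser, not the web page, fills in Origin; that is what makes a passkey phishing-resistant.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	ClientDataJSON, Signature []byte
}

// Passkey models the credential's private key (example code, not a WebAuthn library).
type Passkey struct{ priv *ecdsa.PrivateKey }

func NewPasskey() (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Passkey{priv: priv}, nil
}

func (p *Passkey) Public() *ecdsa.PublicKey { return &p.priv.PublicKey }

// signedMessage follows WebAuthn's signature input, sha256(rpID) || sha256(clientDataJSON),
// so the signature is bound to both the site's identity and the browser-recorded origin.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return digest[:]
}

// BrowserGet models navigator.credentials.get(): the browser refuses an rpID that does
// not match the page it is on, and records the page's true origin before the passkey
// signs, so a user on a look-alike site cannot produce a signature for the real one.
func BrowserGet(pk *Passkey, pageOrigin, rpID, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, err
	}
	if host := u.Hostname(); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser refused: rpID %q does not match origin %q", rpID, pageOrigin)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, pk.priv, signedMessage(rpID, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the genuine site. It checks the challenge (replay) and the origin
// (where the user really was), then verifies the signature under its own rpID.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(challenge string, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was signed on %q, not %q", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.ID, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify for this site")
	}
	return nil
}

func main() {
	pk, _ := NewPasskey()
	rp := &RelyingParty{ID: "example.com", Origin: "https://accounts.example.com", pub: pk.Public()}
	a, _ := BrowserGet(pk, rp.Origin, rp.ID, "constructed-challenge") // real sites use a fresh random challenge per login
	fmt.Println("genuine site verifies:", rp.Verify("constructed-challenge", a) == nil)
	_, err := BrowserGet(pk, "https://accounts.example.com.proxy.invalid", rp.ID, "constructed-challenge") // constructed look-alike host
	fmt.Println("look-alike site:", err)
}
```

The look-alike host fails twice over: the browser will not even use the credential because the rpID does not match the page, and an assertion signed under the proxy’s own origin is rejected by the genuine site because the origin inside clientDataJSON is not its own. A six-digit code has no origin field, so a relay can pass it along unchanged; that is the gap AiTM kits rely on and passkeys close.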

2. Stay Patched!

Or as they put it “using a cellphone that automatically receives timely operating system updates”. Basically, if your device is not supported by the vendor anymore, stop using it!

No point dwelling on this one, it’s literally my catchphrase for this segment 🙂

3. Enable Full Disk Encryption

There was a time this took effort, and on Windows PCs it still does, but in Apple-land, it now takes effort not to have full disk encryption.

A quick note on full drive encryption on Windows 10 & 11 devices – this is what Microsoft’s documentation says (emphasis mine):

When you first sign in or set up a device with a Microsoft account, or work or school account, Device Encryption is turned on and a recovery key is attached to that account. If you’re using a local account, Device Encryption isn’t turned on automatically.

4. Use Encrypted Apps for Text & Voice

When it comes to text messaging we’ve talked about E2EE a lot in this segment over the years, but having the FBI emphasise the need to consider E2EE for voice calls too is new. Until now we’ve worked off the assumption that attacking a cellular connection is theoretically possible but not practical, but that needs to change. With attackers fully embedded in telecom companies, we need to think of all SMS & MMS messages and voice calls to cellular & fixed lines as insecure.

In a work context my advice is simple – let corporate IT figure out the details. As an employee, I would strongly recommend you do 100% of work communications using the accounts and numbers provided by your employer, and never use your personal numbers or accounts for any work communications. In fact, if practical, I’d go further and advise never even using your personal devices for work tasks at all! (Basically, don’t use so-called shadow IT!)

So, with our personal hats on, what should we do?

At the very least we need to be aware of what is and is not encrypted, and make informed decisions on our use of unencrypted channels. When it comes to voice and video we’re actually in a pretty good place; with one or two exceptions, most of the most popular apps are E2EE by default now. For chat, things are a lot better than they were even just five years ago, but there are two major exceptions that you’re both likely to meet and likely to hear incomplete or incorrect things about.

No Social Media App Provides True Privacy

Firstly, no social media app gives you any actual privacy, they may allow you to message people in a non-public way, but there is no E2EE on social media apps, that’s just not what their focus is – they’re primarily publishing platforms!

That means nothing labeled as a private message or direct message on any of these platforms is private:

  • Twitter/X
  • Mastodon
  • Bluesky (but promised for down the road)
  • Instagram (may come in the future)

A note on Meta’s other products:

  • Threads is currently very simple – there is no direct messaging feature! (But one briefly showed up in beta and then went away again a few months ago)
  • Facebook is complicated – if you stick to 1-2-1 messages via the Facebook Messenger app you will get E2EE, but in a weird way, using a hybrid of both the Signal Protocol and Meta’s own Labyrinth Protocol.

Why I Recommend Signal & Apple Messages/FaceTime

If we ignore the reality that we only control one side of the conversations we have, and that not all apps have UIs that align with our preferences, my advice is trivially simple – hands down, the best app for safely chatting and calling is Signal!

Why? It does three vitally important things correctly:

  1. Signal uses E2EE, for everything, by default
  2. Signal provides full key transparency for those who need to be able to verify no third party has been injected into the conversation via an additional stealthy key
  3. Signal has no mystery meat – it’s the reference implementation of the well-tested and attested free and open Signal Protocol.

Apple Messages and FaceTime are a close second though. Why second? For three reasons:

  1. The Messages app hosts encrypted and unencrypted chats side-by-side in the same interface, so users have to mentally remember that blue bubbles are secure, but green bubbles are insecure. It’s not just as simple as everything in this app is truly private 🙁
  2. As of this year, Messages does provide a mechanism for key transparency, but it’s a lot more complicated than what Signal offers and for now at least, opt-in with caveats. (Details on Apple’s Support page)
  3. Although Apple are very transparent about how their apps work, releasing detailed white papers and having their work reviewed by prominent academics, the apps are closed source. It’s unlikely there’s something nefarious and undocumented in there, but we can’t be certain, we must trust Apple.

WhatsApp is also Good! (From an Encryption POV)

As strange as it sounds for me to say this – WhatsApp is a close third in my opinion! Everything you do in the green app is E2EE by default, and it’s done using the Signal Protocol.

Like Messages and FaceTime, the app is closed source though, so we simply have to trust that Meta are being honest with us and that they really are using the Signal protocol, and really have implemented it correctly. I don’t have any reason to believe they are being in any way dishonest, but I don’t feel Meta have earned my trust as much as Apple have when it comes to privacy. Your mileage may vary 🙂

Why RCS is not Reliably Secure

Particularly in the US, there’s a lot of buzz around RCS, in part because it can support E2EE. It can indeed, but only sometimes!

The official RCS specification does not support E2EE. However, Google have developed an unofficial extension to RCS which does add an encryption layer.

What this means is that it is possible to have properly encrypted conversations over RCS, but it’s completely wrong to say that RCS conversations are encrypted. At best you can say they might be encrypted.

If all the devices taking part in a conversation are using an OS that supports Google’s platform, and all are connected to carriers that support RCS, then, and only then, will the conversation be E2EE. If any of these things are untrue, then the entire conversation will fall back to the official RCS protocol, which is unencrypted, or worse still, to SMS!

Why Telegram is not Secure

It is possible to have E2EE conversations over Telegram, but it’s most generously described as ‘clunky’. And, when you do, the algorithm is almost pure mystery meat, and has not stood up well to third party testing.

Not only is E2EE not enabled by default, but it can only be used in one-to-one conversations between single devices! In other words, I can’t set up an encrypted chat between myself & Allison, I can only do it between exactly one of my devices, and exactly one of hers.

What this means is that the vast majority of Telegram conversations are not E2EE, and even those few that are, are not robustly encrypted.

❗ Action Alerts

Worthy Warnings

Notable News

  • Moonlock, the cybersecurity wing of MacPaw, have released their 2024 macOS threat report – moonlock.com/…
    • Mac malware is becoming more advanced, but generally not yet as ‘full-featured’ as that targeting Windows & Linux
    • Malware-as-a-Service for Mac is a rapidly growing market (not a good omen for 2025)
    • The initial point of infection remains social engineering – Mac users get tricked into infecting themselves 🙁
    • Prompt patching and ever-present vigilance remain the best defences
  • iCloud Passwords becomes a little better at being a generic password manager: Apple Takes Over iCloud Passwords Add-On for Firefox – tidbits.com/…
  • 🇺🇸 The US Federal Trade Commission (FTC) have banned the two data brokers Mobilewalla & Gravy Analytics from selling location data connecting US citizens to sensitive locations like churches, healthcare facilities, military installations & schools – www.bleepingcomputer.com/…

Excellent Explainers

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
[flag] The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 A link to video content.
