🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 10 Comments
Joined 8 months ago
cake
Cake day: March 19th, 2024

help-circle
  • I am not proposing anything actually, I am implying that this change won’t modify the threat model in any substantial way. Your comment implied that it kind of did, requiring root access - which is a slightly different tm, not so much on single user machines…

    So my point is that “The data is safe until your user password is safe” is a very tiny change compared to “your data is safe until your device is safe”. There are tons of ways to get the password once you have local access, and what I strongly disagree with is that it requires more work or risk. A sudo fake prompt requires a 10-lines bash script since you control the shell configuration, for example. And you don’t even need to phish, you can simply create a SUID shell and use “sudo chmod +s shell” to any local configuration or script where the user runs a sudo command, and you are root, or you dump the keyring or…etc. Likewise, 99.9% of the users don’t run integrity monitoring tools, or monitor and restrict egress access, so these attacks simply won’t be noticed.

    So what I am saying is that an encrypted storage is better than a plaintext storage for the key, but if this requires substantial energies from the devs that could have been put on work that substantially improved the security posture, it is a net negative in terms of security (I don’t know if it is the case), and that nobody after this change should feel secure about their signal data in case their device would be compromised.




  • I am a security professional. I would personally not care less to make the distinction, as both are very generic terms that are used very liberally in the industry.

    So I don’t see any reason not to call this hacking. This was not an intended feature. It was a gap, which has been used to perform things that the application writer did not intended (not in this form). If fits with the definition of hacking as far as I can tell. In any case, this is not an academic discussion, it is a security advisory or an article that talks about it.





  • Public financing of the press, newspapers stopping being garbage and selling subscriptions like they have always done, pay per article (cents), donations. Just some ideas of economically viable alternatives. There are good niche newspapers which survive with such models, it’s not like I am making it up.

    I would say the opposite: advertising alone is not sustainable for the press because it creates wrong incentives (grab attention, clicks). This is why 90% of newspapers have the same garbage, short, generic articles. This is why you get rage baits, fake news etc. too, to some extent. So yes, you get websites online, but you get no information…