Much has been written about the supposed compromise of Signal as a so-called ‘secure messaging app’, with some sources being a bit better than others on the matter. I’ve had a ton of questions about it over the past couple of days, and almost none of them revolve around the issues with the app itself, but rather around the tradecraft errors behind using it.
First things first, almost everyone I come into contact with in the Liberty community, absent those with serious .mil backgrounds requiring at least a primer in tradecraft, has no idea what they’re actually doing. That statement is not meant to deride, far from it; it’s simply the truth. When it comes to communications, most are looking for a replacement: a methadone for a heroin addiction, if you will, to their incessant need for a phone. This is especially true when it comes to the instant gratification of messaging. I’m reminded of Russell Crowe’s line from a movie long since memory-holed, Body of Lies, saying “we just need al Saleem on the phone. Langley’ll do the rest.”
And they did.
Signal, as software, does what it claims to do. On top of that, the source code for the app is open source and subject to anyone’s audit or modifications, should your skillset include the expertise in that area. And should you have that level of ability, you can even modify it to suit your needs, running code off the beaten path while still utilizing Signal’s network. It is end-to-end encrypted, after all. And what exactly does that mean? It means that the administrators can see that someone is accessing the network, but not what is being passed along it, much the same way that Tor actually works. Even with audio calls, the system does what it claims to do.
So let’s discuss the actual vulnerability in question.
According to documents filed by the Department of Justice and first obtained by Forbes, Signal’s encrypted messages can be intercepted from iPhone devices when those Apple devices are in a mode called “partial AFU,” which means “after first unlock.”
When phones are in partial AFU mode, Signal messages can be seized by federal authorities and other potentially hostile interests. GrayKey and Cellebrite are the tools typically used by the FBI to gain this sensitive information, an expert has explained.
“It uses some very advanced approach using hardware vulnerabilities,” said Vladimir Katalov, founder of the Russian forensics company ElcomSoft, who believes that GrayKey was used by federal authorities to crack Signal.
So it’s not the app after all, but rather the hardware’s state. “After first unlock” means the phone has been unlocked at least once since it was powered on, so the keys protecting that class of data are already loaded and stay loaded until the device is powered off. It’s a vulnerability which, since it’s a hardware exploit, likely applies to every messaging app. So tradecraft, or the lack thereof, is the heart of it. As per the usual. And the hardware in question is the hipster device of choice, an Apple iPhone. Shocker. But I thought Apple prided itself on user security?
Maybe at one point. But clearly no longer. Must be all that CCP money. And the real kick in the groin is that (shocker, again!) the FBI (or any other domestic security agency) can get into your phone without your handy little thumbprint. And just because they didn’t mention Android, don’t think it’s not every bit as vulnerable. It is.
So let’s talk about how to mitigate it.
First, understand the levels of data collected from cellular devices. I’ve discussed this ad nauseam in the past. Your phone is constantly tracking you, no matter what you do, absent putting it in an EMP bag, and if you cannot fully comprehend this reality then you’re really, really far behind the power curve. The lone answer is moving to Wi-Fi-only mobile devices for communications, using open source apps. Wi-Fi is common enough even in rural areas, and if the technology is beyond you, so is your usefulness in a direct action cell.
Second, understand how to properly message people. The magic blanket of encryption may conceal our message, but it neither conceals our presence nor our patterns of life, and in particular, who’s being messaged. This requires first discipline, and second, a pre-arranged (and trained-on) code. One Time Pads work quite well, but a pre-configured Trigram or Brevity matrix works as well. On top of that, messages should be set to delete after a short period of time. Signal enables this, and if the message is important (it should be if you’re using Signal to send it), write it down. Clandestine messages are usually one-way as it is, requiring no overt response. Or if a response is necessary, respond through another backchannel (the same way I teach communicating on two different frequencies simultaneously in the RTO Course). Further, group messages of any more than two individuals are an instant non-starter. This violates even the most basic rules of clandestine cell organization, and why Liberty groups feel the need to broadcast everything to everyone, I’ll never understand. Maybe you’ll learn one day. Domestic Black Sites are real.
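The One Time Pad mentioned above, worked through as an added example in Python. This is my illustration, not the author’s material or anything from the RTO Course; it assumes the pad is a string of random A–Z letters that both parties hold an identical copy of (shared in person, never over the same channel), and it generates the sample pad here with the OS random source via the `secrets` module. The names `PadBook`, `encrypt`, `decrypt` and `groups` are mine. The point the code enforces is the one the paragraph relies on: every pad letter is consumed exactly once, and an exhausted pad refuses to encrypt anything further rather than wrapping around.

```python
"""One-time pad over the A-Z alphabet, letter-by-letter modulo 26.

Added example: a hypothetical 'PadBook' models one party's copy of the pad.
Key letters are consumed from the front and are never available again,
which is what makes the scheme one-time. Sender and receiver each hold an
identical PadBook and consume it in step.
"""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalize(text: str) -> str:
    """Keep only letters, upper-cased. Digits and punctuation are dropped;
    a real field code spells them out or assigns them a brevity group."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def make_pad(length: int) -> str:
    """Constructed pad from the OS CSPRNG. Real pads are generated once,
    copied to exactly two parties out of band, and destroyed as used."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PadBook:
    """One party's copy of the pad, with the 'used once, then gone' rule."""

    def __init__(self, key_letters: str):
        self._key = normalize(key_letters)

    def remaining(self) -> int:
        return len(self._key)

    def take(self, n: int) -> str:
        """Hand out the next n key letters and discard them from the book."""
        if n > len(self._key):
            raise ValueError("pad exhausted: issue a new pad, never reuse one")
        chunk, self._key = self._key[:n], self._key[n:]
        return chunk


def _shift(a: str, b: str, sign: int) -> str:
    return ALPHABET[(ALPHABET.index(a) + sign * ALPHABET.index(b)) % 26]


def encrypt(plaintext: str, pad: PadBook) -> str:
    """Ciphertext letter = (plaintext + key) mod 26, one pad letter per letter."""
    p = normalize(plaintext)
    k = pad.take(len(p))
    return "".join(_shift(a, b, +1) for a, b in zip(p, k))


def decrypt(ciphertext: str, pad: PadBook) -> str:
    """Plaintext letter = (ciphertext - key) mod 26, consuming the same pad run."""
    c = normalize(ciphertext)
    k = pad.take(len(c))
    return "".join(_shift(a, b, -1) for a, b in zip(c, k))


def groups(text: str, size: int = 5) -> str:
    """Format as five-letter groups, the way a pad message is written down."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


def demo() -> tuple[str, str, int]:
    """Round trip with a constructed 200-letter pad shared by both parties."""
    shared = make_pad(200)
    sender, receiver = PadBook(shared), PadBook(shared)
    ct = encrypt("Meet at the usual place", sender)
    pt = decrypt(ct, receiver)
    # Both books have consumed the same 19 letters and hold 181 each.
    return groups(ct), pt, sender.remaining()


if __name__ == "__main__":
    ciphertext, recovered, left = demo()
    print("sent:     ", ciphertext)
    print("recovered:", recovered)
    print("pad left: ", left)
```

Because the key run is consumed on both sides, the receiver's book only stays in step if every message is decrypted in the order it was sent; a skipped message has to be accounted for by discarding the same number of letters, which is why pad messages are one-way and acknowledged through a separate channel.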
Last, what you’re using as a so-called daily driver, i.e. your surface phone, is absolutely not used for this role. One of my own personal objections to Signal is and has always been the requirement of a phone number for registration. MySudo allows us to bypass this by generating another phone number, but alternative apps such as Wire and Threema register via an email account…far, far better. And on that note, you did install it on your own, absent Google Play, correct?
So with that said, what do I think of this so-called ‘compromise’? I think it’s a smoke screen for CCP / Apple to keep their own compromise hidden in the details, as well as a smoke screen for disgruntled feminist intersectionalist IT workers behind the scenes at Signal unhappy that anyone other than AntiFa degenerates and washed up Agency Spooks would be using their app. For me, Signal is the C in my PACE plan: the ability to contact those using cell phones from my own Wi-Fi device, should the need arise. I don’t hang my hat on its ability outside my control. Neither should you. And the fact that a lot of people in this community do underscores just how behind the curve some of the louder voices really are. No matter what you’re doing, the correct answer is always to use open source systems, have a PACE plan, follow the Moscow Rules, and if there’s any doubt, there is no doubt.